;; -*- mode: scheme; -*-
;; Guix System configuration for a laptop ("laptop-ruther").
;; The root file system lives inside a LUKS container (see
;; `mapped-devices'); the console login on tty1 is auto-logged in
;; and the graphical session is protected by swaylock instead of GDM
;; (GDM and the default screen locker are removed from
;; %desktop-services below).
(define-module (config))

(use-modules (nongnu packages linux)
             (nongnu system linux-initrd)
             (gnu)
             (gnu system privilege)
             (gnu packages admin)
             (gnu system nss)
             (guix utils)
             (ruther bootloader grub))

(use-service-modules desktop sddm xorg base nix pm virtualization vpn
                     sound dbus cups docker)

(use-package-modules gnome package-management shells networking wm vim
                     wget curl bash compression glib linux embedded
                     finance)

(operating-system
  ;; Non-free kernel, microcode and firmware come from nonguix.
  (kernel linux-6.11)
  (initrd microcode-initrd)
  (firmware (cons* linux-firmware %base-firmware))

  (host-name "laptop-ruther")
  (timezone "Europe/Prague")
  (locale "en_US.utf8")

  ;; Choose US English keyboard layout.  The "altgr-intl"
  ;; variant provides dead keys for accented characters.
  (keyboard-layout (keyboard-layout "us" "altgr-intl"))

  ;; UEFI GRUB variant from the (ruther bootloader grub) module.  The
  ;; install target is /boot, which is the "BOOT" vfat file system
  ;; declared under `file-systems' below.
  (bootloader (bootloader-configuration
                (bootloader grub-efi-copy-bootloader)
                (targets '("/boot"))
                (keyboard-layout keyboard-layout)))

  ;; Mapped device for the encrypted root partition.  The UUID is the
  ;; one returned by 'cryptsetup luksUUID'; it is opened as
  ;; /dev/mapper/cryptedguix.
  (mapped-devices (list (mapped-device
                          (source (uuid "55787ccb-decb-46b6-a190-6597dff68c68"))
                          (target "cryptedguix")
                          (type luks-device-mapping))))

  (file-systems (append
                 (list (file-system
                         ;; The root is found by its file-system label,
                         ;; which only becomes visible once the LUKS
                         ;; mapping above has been opened -- hence the
                         ;; explicit dependency on `mapped-devices'.
                         (device (file-system-label "guix-root"))
                         (mount-point "/")
                         (type "ext4")
                         (dependencies mapped-devices))
                       ;; Unencrypted vfat partition holding GRUB; see
                       ;; the bootloader `targets' above.
                       (file-system
                         (device (file-system-label "BOOT"))
                         (mount-point "/boot")
                         (type "vfat")))
                 %base-file-systems))

  ;; Single regular user.  `libvirt' and `kvm' grant VM access, `dialout'
  ;; grants serial-port access; the `docker' group is deliberately not
  ;; in this list.
  (users (cons (user-account
                 (name "ruther")
                 (comment "Rutherther")
                 (group "users")
                 (supplementary-groups '("wheel" "netdev" "audio" "video"
                                         "libvirt" "dialout" "kvm"))
                 (shell (file-append zsh "/bin/zsh")))
               %base-user-accounts))

  ;; No extra groups beyond the base ones.
  (groups %base-groups)

  ;; System-wide packages.
  (packages (append (list ;; for user mounts
                          gvfs
                          zip unzip wget curl vim nix)
                    %base-packages))

  (services
   (append
    (list (service bluetooth-service-type)

          ;; Lets members of "video" change the backlight without root.
          (udev-rules-service 'brightness brightnessctl #:groups '("video"))

          (service nix-service-type
                   (nix-configuration
                    (extra-config '("experimental-features = nix-command flakes\n"
                                    "extra-platforms = aarch64-linux"))))

          (service power-profiles-daemon-service-type)

          ;; swaylock replaces the screen locker removed from
          ;; %desktop-services below.  It authenticates through a PAM
          ;; entry (using-pam? #t) instead of being installed setuid.
          (service screen-locker-service-type
                   (screen-locker-configuration
                    (name "swaylock")
                    (program (file-append swaylock "/bin/swaylock"))
                    (using-pam? #t)
                    (using-setuid? #f)))

          ;; Printing, with the CUPS web interface enabled.
          (service cups-service-type
                   (cups-configuration (web-interface? #t)))

          ;; Resource limits for the wheel group: higher open-file
          ;; limits and unlimited core dumps.  NOTE(review): unlimited
          ;; core dumps mean a crashing process writes its full memory
          ;; -- including any secrets it held -- to disk.
          (service pam-limits-service-type
                   (list (pam-limits-entry "@wheel" 'hard 'nofile '50000)
                         (pam-limits-entry "@wheel" 'soft 'nofile '10000)
                         (pam-limits-entry "@wheel" 'both 'core 'unlimited)))

          ;; udev rules for development hardware.  The USB-Blaster rule
          ;; ships with this configuration (udev/51-usbblaster.rules);
          ;; the Trezor and OpenOCD rules are taken from their packages.
          (udev-rules-service 'quartus-usbblaster
                              (file->udev-rule
                               "51-usbblaster.rules"
                               (local-file "udev/51-usbblaster.rules")))
          (udev-rules-service 'trezord-udev
                              (file->udev-rule
                               "51-trezor.rules"
                               (file-append trezord-udev-rules
                                            "/lib/udev/rules.d/51-trezor.rules")))
          (udev-rules-service 'openocd-udev
                              (file->udev-rule
                               "60-openocd.rules"
                               (file-append openocd
                                            "/lib/udev/rules.d/60-openocd.rules")))

          ;; For starting the blueman mechanism.  It needs privileges,
          ;; so it cannot be started from a user D-Bus session.
          (simple-service 'dbus-extras dbus-root-service-type (list blueman))

          (service libvirt-service-type)

          ;; Run arm/aarch64 binaries through QEMU user emulation (used
          ;; together with the "extra-platforms" nix setting above).
          (service qemu-binfmt-service-type
                   (qemu-binfmt-configuration
                    (platforms (lookup-qemu-platforms "arm" "aarch64"))))

          ;; WireGuard tunnel to a single peer.  The private key is
          ;; referenced by path rather than via `local-file', so it is
          ;; not copied into the store; it stays on the encrypted root.
          (service wireguard-service-type
                   (wireguard-configuration
                    (private-key "/etc/wireguard/private.key")
                    (addresses '("192.168.32.25/32"))
                    (peers (list (wireguard-peer
                                  (name "server")
                                  (endpoint "78.46.201.50:51820")
                                  (keep-alive 25)
                                  (public-key "ZOVjmgUak67kLhNVgZwyb0bro3Yi4vCJbGArv+35IWQ=")
                                  (allowed-ips '("192.168.32.0/24")))))))

          (service containerd-service-type)
          (service docker-service-type))

    (modify-services %desktop-services
      ;; GDM and the stock screen locker are replaced (see swaylock and
      ;; the mingetty auto-login below).
      (delete gdm-service-type)
      (delete screen-locker-service-type)

      ;; Auto-login `ruther' on tty1 (after a key press, because
      ;; login-pause? is #t).  NOTE(review): once the LUKS passphrase
      ;; has been entered, console access on tty1 needs no further
      ;; password; the session relies on swaylock for locking.
      (mingetty-service-type config =>
        (if (string=? (mingetty-configuration-tty config) "tty1")
            (mingetty-configuration
             (inherit config)
             (auto-login "ruther")
             (login-pause? #t))
            config))

      ;; Do not suspend when the lid is closed on external power.
      ;; NOTE(review): unlike the other clauses here this does not
      ;; (inherit config), so every other elogind field falls back to
      ;; the record's defaults rather than the incoming configuration.
      (elogind-service-type config =>
        (elogind-configuration
         (handle-lid-switch-external-power 'ignore)))

      (pulseaudio-service-type config =>
        (pulseaudio-configuration
         (inherit config)
         (client-conf (append (pulseaudio-configuration-client-conf config)
                              '((autospawn . no))))))

      ;; Add the nonguix substitute server and its signing key in front
      ;; of the defaults.  This extends the set of parties trusted to
      ;; supply pre-built binaries; keys/nonguix-signing-key.pub must be
      ;; the key nonguix actually publishes.
      (guix-service-type config =>
        (guix-configuration
         (inherit config)
         (substitute-urls (append (list "https://substitutes.nonguix.org")
                                  %default-substitute-urls))
         (authorized-keys (append (list (local-file "keys/nonguix-signing-key.pub"))
                                  %default-authorized-guix-keys)))))))

  ;; Allow resolution of '.local' host names with mDNS.
  (name-service-switch %mdns-host-lookup-nss))

;; TODO syncthing
;; udev rules, could nix fpga stuff work?