From 9b2faa1275fd781304dba757e894215bf1a7a4b4 Mon Sep 17 00:00:00 2001
From: Rutherther
Date: Tue, 25 Mar 2025 20:41:47 +0100
Subject: [PATCH] chore: organize operating system config
---
 config.scm | 393 +++++++++++++++++++++++++++++--------------------------
 1 file changed, 200 insertions(+), 193 deletions(-)
diff --git a/config.scm b/config.scm
index 41193a4..ca0f652 100644
--- a/config.scm
+++ b/config.scm
@@ -11,11 +11,14 @@ (gnu system privilege) (gnu packages admin) (gnu system nss) + (guix derivations) + (guix store) + (guix monads) (guix utils) (guix packages) (guix build-system gnu) (ruther bootloader grub))
-(use-service-modules desktop sddm xorg base nix pm virtualization vpn sound dbus cups docker)
+(use-service-modules desktop sddm xorg base nix pm virtualization vpn sound dbus cups docker security-token)
 (use-package-modules gnome package-management shells networking wm vim wget curl bash compression glib linux embedded finance python-xyz freedesktop 
@@ -39,195 +42,199 @@ (string-append #$output "/bin/.dumpcap-real") (string-append #$output "/bin/dumpcap"))))))))))
-(operating-system
- (kernel linux-6.13)
- (initrd microcode-initrd)
- (firmware (cons* linux-firmware
- %base-firmware))
- (host-name "laptop-ruther")
- (timezone "Europe/Prague")
- (locale "en_US.utf8")
-
- ;; Choose US English keyboard layout. The "altgr-intl"
- ;; variant provides dead keys for accented characters.
- (keyboard-layout (keyboard-layout "us" "altgr-intl"))
-
- ;; Use the UEFI variant of GRUB with the EFI System
- ;; Partition mounted on /boot/efi.
- (bootloader (bootloader-configuration
- (bootloader grub-efi-copy-bootloader)
- (targets '("/boot"))
- (keyboard-layout keyboard-layout)))
-
- ;; Specify a mapped device for the encrypted root partition.
- ;; The UUID is that returned by 'cryptsetup luksUUID'.
- (mapped-devices
- (list (mapped-device
- (source (uuid "55787ccb-decb-46b6-a190-6597dff68c68"))
- (target "cryptedguix")
- (type luks-device-mapping))))
-
- (file-systems (append
- (list (file-system
- (device (file-system-label "guix-root"))
- ;; (device "/dev/mapper/cryptedguix")
- (mount-point "/")
- (type "ext4")
- (dependencies mapped-devices))
- (file-system
- (device (file-system-label "BOOT"))
- (mount-point "/boot")
- (type "vfat")))
- %base-file-systems))
-
- ;; Create user `bob' with `alice' as its initial password.
- (users (cons (user-account
- (name "ruther")
- (comment "Rutherther")
- (group "users")
- (supplementary-groups '("wheel" "netdev"
- "audio" "video"
- "libvirt" "dialout"
- "kvm"))
- (shell (file-append zsh "/bin/zsh")))
- %base-user-accounts))
-
- ;; Add the `students' group
- (groups %base-groups)
-
- (privileged-programs
- (cons*
- (privileged-program
- (program
- (file-append wireshark-patched "/bin/dumpcap"))
- ;; (program
- ;; (file-append
- ;; (computed-file
- ;; "dumpcap"
- ;; (with-imported-modules '((guix build utils))
- ;; #~(begin
- ;; (use-modules (guix build utils))
- ;; (mkdir-p (string-append #$output "/bin"))
- ;; (copy-file
- ;; #$(file-append wireshark-patched "/bin/.dumpcap-real")
- ;; (string-append #$output "/bin/dumpcap")))))
- ;; "/bin/dumpcap"))
- ;; (setuid? #t)
- (capabilities "cap_net_raw,cap_net_admin=eip"))
- %default-privileged-programs))
-
- ;; This is where we specify system-wide packages.
- (packages (append (list
- ;; for user mounts
- gvfs
- zip unzip
- wget curl
- vim
- nix
- wireshark-patched)
- %base-packages))
-
- (services
- (append (list (service bluetooth-service-type)
- (udev-rules-service
- 'brightness brightnessctl
- #:groups '("video"))
- (service nix-service-type
- (nix-configuration
- (extra-config
- '("experimental-features = nix-command flakes\n"
- "extra-platforms = aarch64-linux"))))
- (service power-profiles-daemon-service-type)
-
- (service screen-locker-service-type
- (screen-locker-configuration
- (name "swaylock")
- (program (file-append swaylock "/bin/swaylock"))
- (using-pam? #t)
- (using-setuid? #f)))
-
- (service cups-service-type
- (cups-configuration
- (web-interface? #t)))
-
- (service pam-limits-service-type
- (list
- (pam-limits-entry "@wheel" 'hard 'nofile '50000)
- (pam-limits-entry "@wheel" 'soft 'nofile '10000)
- (pam-limits-entry "@wheel" 'both 'core 'unlimited)))
-
- (udev-rules-service
- 'kmonad
- (file->udev-rule "70-kmonad.rules" (file-append kmonad "/lib/udev/rules.d/70-kmonad.rules")))
- (udev-rules-service
- 'quartus-usbblaster
- (file->udev-rule "51-usbblaster.rules" (local-file "udev/51-usbblaster.rules")))
- (udev-rules-service
- 'ftdi
- (file->udev-rule "51-ftdi.rules" (local-file "udev/51-ftdi.rules")))
-
- (udev-rules-service 'trezord-udev
- (file->udev-rule "51-trezor.rules" (file-append trezord-udev-rules "/lib/udev/rules.d/51-trezor.rules")))
- (udev-rules-service 'openocd-udev
- (file->udev-rule "60-openocd.rules" (file-append openocd "/lib/udev/rules.d/60-openocd.rules")))
-
- ;; For starting blueman mechanism.
- ;; It needs privileges, so cannot be started from a user dbus session.
- (simple-service 'dbus-extras
- dbus-root-service-type
- (list blueman))
-
- (service libvirt-service-type)
-
- (service qemu-binfmt-service-type
- (qemu-binfmt-configuration
- (platforms (lookup-qemu-platforms "arm" "aarch64"))))
-
- (service wireguard-service-type
- (wireguard-configuration
- (private-key "/etc/wireguard/private.key")
- (addresses '("192.168.32.25/32"))
- (peers
- (list
- (wireguard-peer
- (name "server")
- (endpoint "78.46.201.50:51820")
- (keep-alive 25)
- (public-key "ZOVjmgUak67kLhNVgZwyb0bro3Yi4vCJbGArv+35IWQ=")
- (allowed-ips '("192.168.32.0/24")))))))
- (service containerd-service-type)
- (service docker-service-type))
-
- (modify-services
- %desktop-services
- (delete gdm-service-type)
- (delete screen-locker-service-type)
- (mingetty-service-type config => (if (string=? (mingetty-configuration-tty config) "tty1")
- (mingetty-configuration
- (inherit config)
- (auto-login "ruther")
- (login-pause? #t))
- config))
- (elogind-service-type config => (elogind-configuration
- (handle-lid-switch-external-power 'ignore)))
- (pulseaudio-service-type config => (pulseaudio-configuration
- (inherit config)
- (client-conf
- (append
- (pulseaudio-configuration-client-conf config)
- '((autospawn . no))))))
- (guix-service-type config => (guix-configuration
- (inherit config)
- (substitute-urls
- (append (list "https://substitutes.nonguix.org")
- %default-substitute-urls))
- (authorized-keys
- (append (list (local-file "keys/nonguix-signing-key.pub"))
- %default-authorized-guix-keys)))))))
-
- ;; Allow resolution of '.local' host names with mDNS.
- (name-service-switch %mdns-host-lookup-nss))
-
-;; TODO syncthing
-;; udev rules, could nix fpga stuff work?
+(define %ruther/user
+ (user-account
+ (name "ruther")
+ (comment "Rutherther")
+ (group "users")
+ (supplementary-groups '("wheel" "netdev"
+ "audio" "video"
+ "libvirt" "dialout"
+ "kvm"))
+ (shell (file-append zsh "/bin/zsh"))))
+
+;; Obsolete, only useful if just part of package's udev rules is desirable
+;; (define (ruther/udev-rules-service name package rules-file)
+;; (udev-rules-service
+;; name
+;; (file->udev-rule rules-file
+;; (file-append package "/lib/udev/rules.d/" rules-file))))
+
+(define %ruther/udev-services
+ (list
+ (udev-rules-service 'kmonad kmonad)
+ (udev-rules-service 'trezord trezord-udev-rules)
+ (udev-rules-service 'openocd openocd)
+ (udev-rules-service
+ 'brightness brightnessctl
+ #:groups '("video"))
+
+ (udev-rules-service
+ 'quartus-usbblaster
+ (file->udev-rule "51-usbblaster.rules" (local-file "udev/51-usbblaster.rules")))
+ (udev-rules-service
+ 'ftdi
+ (file->udev-rule "51-ftdi.rules" (local-file "udev/51-ftdi.rules")))))
+
+(define %ruther/container-virt-services
+ (list
+ (service containerd-service-type)
+ (service docker-service-type)
+ (service libvirt-service-type)
+ (service qemu-binfmt-service-type
+ (qemu-binfmt-configuration
+ (platforms (lookup-qemu-platforms "arm" "aarch64"))))))
+
+(define %ruther/network-services
+ (list
+ (service wireguard-service-type
+ (wireguard-configuration
+ (private-key "/etc/wireguard/private.key")
+ (addresses '("192.168.32.25/32"))
+ (peers
+ (list
+ (wireguard-peer
+ (name "server")
+ (endpoint "78.46.201.50:51820")
+ (keep-alive 25)
+ (public-key "ZOVjmgUak67kLhNVgZwyb0bro3Yi4vCJbGArv+35IWQ=")
+ (allowed-ips '("192.168.32.0/24")))))))))
+
+(define %ruther/laptop-gui-essential-services
+ (list
+ (service bluetooth-service-type)
+ (service cups-service-type
+ (cups-configuration
+ (web-interface? #t)))
+ (service power-profiles-daemon-service-type)
+
+ (service screen-locker-service-type
+ (screen-locker-configuration
+ (name "swaylock")
+ (program (file-append swaylock "/bin/swaylock"))
+ (using-pam? #t)
+ (using-setuid? #f)))
+ ;; For starting blueman mechanism.
+ ;; It needs privileges, so cannot be started from a user dbus session.
+ (simple-service 'dbus-extras
+ dbus-root-service-type
+ (list blueman))))
+
+(define %ruther/base-laptop-os
+ (operating-system
+ (kernel linux)
+ (initrd microcode-initrd)
+ (firmware (cons* linux-firmware
+ %base-firmware))
+ (host-name "laptop-ruther")
+ (timezone "Europe/Prague")
+ (locale "en_US.utf8")
+
+ ;; Choose US English keyboard layout. The "altgr-intl"
+ ;; variant provides dead keys for accented characters.
+ (keyboard-layout (keyboard-layout "us" "altgr-intl"))
+
+ ;; Use the UEFI variant of GRUB with the EFI System
+ ;; Partition mounted on /boot/efi.
+ (bootloader (bootloader-configuration
+ (bootloader grub-efi-copy-bootloader)
+ (targets '("/boot"))
+ (keyboard-layout keyboard-layout)))
+
+ ;; Specify a mapped device for the encrypted root partition.
+ ;; The UUID is that returned by 'cryptsetup luksUUID'.
+ (mapped-devices
+ (list (mapped-device
+ (source (uuid "55787ccb-decb-46b6-a190-6597dff68c68"))
+ (target "cryptedguix")
+ (type luks-device-mapping))))
+
+ (file-systems (append
+ (list (file-system
+ (device (file-system-label "guix-root"))
+ ;; (device "/dev/mapper/cryptedguix")
+ (mount-point "/")
+ (type "ext4")
+ (dependencies mapped-devices))
+ (file-system
+ (device (file-system-label "BOOT"))
+ (mount-point "/boot")
+ (type "vfat")))
+ %base-file-systems))
+
+ ;; Create user `bob' with `alice' as its initial password.
+ (users (cons* %ruther/user
+ %base-user-accounts))
+
+ ;; Add the `students' group
+ (groups %base-groups)
+
+ (privileged-programs
+ (cons*
+ (privileged-program
+ (program
+ (file-append wireshark-patched "/bin/dumpcap"))
+ (capabilities "cap_net_raw,cap_net_admin=eip"))
+ %default-privileged-programs))
+
+ ;; This is where we specify system-wide packages.
+ (packages (append (list
+ ;; for user mounts
+ gvfs
+ zip unzip
+ wget curl
+ vim
+ nix
+ wireshark-patched)
+ %base-packages))
+
+ (services
+ (append (list
+ (service nix-service-type
+ (nix-configuration
+ (extra-config
+ '("experimental-features = nix-command flakes\n"
+ "extra-platforms = aarch64-linux"))))
+
+ ;; Vivado or Matlab can crash because they open too many files
+ (service pam-limits-service-type
+ (list
+ (pam-limits-entry "@wheel" 'hard 'nofile '50000)
+ (pam-limits-entry "@wheel" 'soft 'nofile '10000)
+ (pam-limits-entry "@wheel" 'both 'core 'unlimited)))
+ (service pcscd-service-type)
+
+ (simple-service 'nonguix-substitute
+ guix-service-type
+ (guix-extension
+ (authorized-keys (list (local-file "keys/nonguix-signing-key.pub")))
+ (substitute-urls '("https://substitutes.nonguix.org")))))
+
+ %ruther/udev-services
+ %ruther/container-virt-services
+ %ruther/network-services
+ %ruther/laptop-gui-essential-services
+
+ (modify-services %desktop-services
+ (delete gdm-service-type)
+ (delete screen-locker-service-type)
+ (mingetty-service-type config => (if (string=? (mingetty-configuration-tty config) "tty1")
+ (mingetty-configuration
+ (inherit config)
+ (auto-login "ruther")
+ (login-pause? #t))
+ config))
+ (elogind-service-type config => (elogind-configuration
+ (handle-lid-switch-external-power 'ignore)))
+ (pulseaudio-service-type config => (pulseaudio-configuration
+ (inherit config)
+ (client-conf
+ (append
+ (pulseaudio-configuration-client-conf config)
+ '((autospawn . no)))))))))
+
+ ;; Allow resolution of '.local' host names with mDNS.
+ (name-service-switch %mdns-host-lookup-nss)))
+
+%ruther/base-laptop-os
-- 2.48.1
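Review bot: `(kernel linux)` in the new %ruther/base-laptop-os drops the explicit `(kernel linux-6.13)` of the removed operating-system, so a commit described as "organize" also changes which kernel is built; either keep `(kernel linux-6.13)` or record why tracking the default is intended, e.g. `;; Follow the channel's default kernel instead of pinning 6.13`. `(service pcscd-service-type)` is a new service with no comment on what needs the smart-card daemon, and the `udev-rules-service 'kmonad kmonad` / `'trezord` / `'openocd` forms now pass whole packages where the old code selected one named rules file — presumably intended given the "Obsolete" comment above, but a line saying so would help the next reader. The template comments carried over — the `bob`/`alice` password comment above `(users ...)`, the `students` group comment above `(groups %base-groups)`, and "Partition mounted on /boot/efi" above a bootloader whose targets is `'("/boot")` — no longer describe the code and should be replaced or removed. The `simple-service 'nonguix-substitute` guix-extension appears to add to rather than replace the default substitute URLs and authorized keys, which the old modify-services form did explicitly with `%default-substitute-urls` and `%default-authorized-guix-keys`, but that equivalence is worth confirming before relying on it.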