;; -*- mode: scheme; -*-
;; This is an operating system configuration template
;; for a "desktop" setup with GNOME and Xfce where the
;; root partition is encrypted with LUKS, and a swap file.
(define-module (config))
(use-modules
(nongnu packages linux)
(nongnu system linux-initrd)
(gnu)
(gnu system privilege)
(gnu packages admin)
(gnu system nss)
(guix utils)
(ruther bootloader grub))
(use-service-modules desktop sddm xorg base nix pm virtualization vpn sound dbus cups)
(use-package-modules gnome package-management shells networking wm vim wget curl bash compression glib linux embedded finance)
(operating-system
(kernel linux-6.11)
(initrd microcode-initrd)
(firmware (cons* linux-firmware
%base-firmware))
(host-name "laptop-ruther")
(timezone "Europe/Prague")
(locale "en_US.utf8")
;; Choose US English keyboard layout. The "altgr-intl"
;; variant provides dead keys for accented characters.
(keyboard-layout (keyboard-layout "us" "altgr-intl"))
;; Use the UEFI variant of GRUB with the EFI System
;; Partition mounted on /boot/efi.
(bootloader (bootloader-configuration
(bootloader grub-efi-copy-bootloader)
(targets '("/boot"))
(keyboard-layout keyboard-layout)))
;; Specify a mapped device for the encrypted root partition.
;; The UUID is that returned by 'cryptsetup luksUUID'.
(mapped-devices
(list (mapped-device
(source (uuid "55787ccb-decb-46b6-a190-6597dff68c68"))
(target "cryptedguix")
(type luks-device-mapping))))
(file-systems (append
(list (file-system
(device (file-system-label "guix-root"))
;; (device "/dev/mapper/cryptedguix")
(mount-point "/")
(type "ext4")
(dependencies mapped-devices))
(file-system
(device (file-system-label "BOOT"))
(mount-point "/boot")
(type "vfat")))
%base-file-systems))
;; Create user `bob' with `alice' as its initial password.
(users (cons (user-account
(name "ruther")
(comment "Rutherther")
(group "users")
(supplementary-groups '("wheel" "netdev"
"audio" "video"
"libvirt" "dialout"
"kvm"))
(shell (file-append zsh "/bin/zsh")))
%base-user-accounts))
;; Add the `students' group
(groups %base-groups)
;; This is where we specify system-wide packages.
(packages (append (list
;; for user mounts
gvfs
zip unzip
wget curl
vim
nix)
%base-packages))
(services
(append (list (service bluetooth-service-type)
(udev-rules-service
'brightness brightnessctl
#:groups '("video"))
(service nix-service-type
(nix-configuration
(extra-config
'("experimental-features = nix-command flakes\n"
"extra-platforms = aarch64-linux"))))
(service power-profiles-daemon-service-type)
(service screen-locker-service-type
(screen-locker-configuration
(name "swaylock")
(program (file-append swaylock "/bin/swaylock"))
(using-pam? #t)
(using-setuid? #f)))
(service cups-service-type
(cups-configuration
(web-interface? #t)))
(service pam-limits-service-type
(list
(pam-limits-entry "@wheel" 'hard 'nofile '50000)
(pam-limits-entry "@wheel" 'soft 'nofile '10000)
(pam-limits-entry "@wheel" 'both 'core 'unlimited)))
(udev-rules-service
'quartus-usbblaster
(file->udev-rule "51-usbblaster.rules" (local-file "udev/51-usbblaster.rules")))
(udev-rules-service 'trezord-udev
(file->udev-rule "51-trezor.rules" (file-append trezord-udev-rules "/lib/udev/rules.d/51-trezor.rules")))
(udev-rules-service 'openocd-udev
(file->udev-rule "60-openocd.rules" (file-append openocd "/lib/udev/rules.d/60-openocd.rules")))
;; For starting blueman mechanism.
;; It needs privileges, so cannot be started from a user dbus session.
(simple-service 'dbus-extras
dbus-root-service-type
(list blueman))
(service libvirt-service-type)
(service qemu-binfmt-service-type
(qemu-binfmt-configuration
(platforms (lookup-qemu-platforms "arm" "aarch64"))))
(service wireguard-service-type
(wireguard-configuration
(private-key "/etc/wireguard/private.key")
(addresses '("192.168.32.25/32"))
(peers
(list
(wireguard-peer
(name "server")
(endpoint "78.46.201.50:51820")
(keep-alive 25)
(public-key "ZOVjmgUak67kLhNVgZwyb0bro3Yi4vCJbGArv+35IWQ=")
(allowed-ips '("192.168.32.0/24"))))))))
(modify-services
%desktop-services
(delete gdm-service-type)
(delete screen-locker-service-type)
(mingetty-service-type config => (if (string=? (mingetty-configuration-tty config) "tty1")
(mingetty-configuration
(inherit config)
(auto-login "ruther")
(login-pause? #t))
config))
(elogind-service-type config => (elogind-configuration
(handle-lid-switch-external-power 'ignore)))
(pulseaudio-service-type config => (pulseaudio-configuration
(inherit config)
(client-conf
(append
(pulseaudio-configuration-client-conf config)
'((autospawn . no))))))
(guix-service-type config => (guix-configuration
(inherit config)
(substitute-urls
(append (list "https://substitutes.nonguix.org")
%default-substitute-urls))
(authorized-keys
(append (list (local-file "keys/nonguix-signing-key.pub"))
%default-authorized-guix-keys)))))))
;; Allow resolution of '.local' host names with mDNS.
(name-service-switch %mdns-host-lookup-nss))
;; TODO syncthing
;; udev rules, could nix fpga stuff work?