
  1(use-modules (gnu)
  2             (gnu packages shells)
  3             (gnu services dbus)
  4             (gnu services desktop)
  5             (gnu services dns)
  6             (gnu services linux)
  7             (gnu services networking)
  8             (gnu services mcron)
  9             (gnu services ssh)
 10             (gnu services sysctl)
 11             (gnu system locale)
 12             (gnu system pam)
 13
 14             (gnu services dns)
 15
 16             (nmeum packages misc)
 17             (nmeum packages desktop)
 18             ((nongnu packages linux) #:select (linux linux-firmware)))
 19
;; The signing key for the nonguix substitutes embedded as plain text.
;;
;; See: https://gitlab.com/nonguix/nonguix
;;
;; This key is handed to the daemon as an authorized key in nonguix-config
;; below, so substitutes carrying a signature from it are accepted without
;; being rebuilt locally.  Compare the fingerprint with the one published
;; in the nonguix repository before reusing this file on another machine.
(define nonguix-signkey
  "(public-key
     (ecc
       (curve Ed25519)
       (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)))")
 28
;; Return a copy of CONFIG (a <guix-configuration>) that additionally
;; trusts the nonguix substitute server and the key that signs for it.
;;
;; See https://guix.gnu.org/en/manual/devel/en/guix.html#index-guix_002dconfiguration
(define (nonguix-config config)
  (let ((urls (cons "https://substitutes.nonguix.org"
                    %default-substitute-urls))
        (keys (cons (plain-file "non-guix.pub" nonguix-signkey)
                    %default-authorized-guix-keys)))
    (guix-configuration
      (inherit config)
      ;; Run guix-daemon in non-privileged mode. This may become the
      ;; default in the future.
      ;;
      ;; See https://codeberg.org/guix/guix-mirror/commit/ba53ff9cc403c7f0388e2dc932cb46e665e81be7
      (privileged? #f)
      ;; The nonguix server is listed first and is therefore asked first.
      ;; Note that authorized keys are not tied to a URL: a signature from
      ;; the added key is accepted no matter which server delivered it.
      (substitute-urls urls)
      (authorized-keys keys))))
 45
;; The system definition for the host "hassium": kernel and firmware from
;; the nongnu channel (see the use-modules form above), a single user,
;; an encrypted btrfs root and a small set of network services.
(operating-system
  (kernel linux)
  (firmware (list linux-firmware))

  (locale "en_US.utf8")
  (locale-definitions
    (list (locale-definition
            (name "en_US.utf8") (source "en_US"))))

  (timezone "Europe/Berlin")
  (keyboard-layout (keyboard-layout "de" "neo"))
  (host-name "hassium")

  ;; The list of user accounts ('root' is implicit).
  (users (cons* (user-account
                  (name "soeren")
                  (comment "Sören Tempel")
                  (group "users")
                  (shell (file-append loksh-bracketed "/bin/ksh"))
                  (home-directory "/home/soeren")
                  ;; Note: Without elogind, it is necessary to also be in both
                  ;; the audio and the video group as seatd doesn't mediate access
                  ;; to audio/video devices.  elogind is enabled in the service
                  ;; list below, which is why neither group is listed here.
                  (supplementary-groups '("wheel" "netdev")))
                %base-user-accounts))

  ;; Allow sudo use without password authentication.
  ;;
  ;; NOPASSWD means any process running as a member of "wheel" (that is,
  ;; as "soeren") can become root without a prompt, so the account is as
  ;; sensitive as root itself.
  ;;
  ;; XXX: A bit ugly since there is no declarative API for this yet.
  (sudoers-file
    (plain-file "sudoers" "root ALL=(ALL) ALL\n%wheel ALL=(ALL) NOPASSWD: ALL\n"))

  ;; Below is the list of system services.  To search for available
  ;; services, run 'guix system search KEYWORD' in a terminal.
  (services
    (append (list
              (service elogind-service-type)
              (service dbus-root-service-type)
              (service fstrim-service-type)

              ;; TODO: btrfs snapshots (see comment regarding subvolumes below).
              ;;
              ;; XXX: mcron has not been designed to run anachronistically.
              ;; See: https://www.gnu.org/software/mcron/manual/mcron.html#Behaviour-on-laptops
              ;;
              ;; Daily at 12:00, collect garbage until 100G of store space is free.
              (let ((guix-gc #~(job '(next-hour '(12)) "guix gc -F 100G")))
                (simple-service 'guix-gc-cron
                                mcron-service-type
                                (list guix-gc)))

              ;; Local resolver that forwards every query to Quad9 over TLS.
              ;; The "#dns.quad9.net" suffix is the name unbound uses to
              ;; authenticate the upstream certificate.
              ;;
              ;; NOTE(review): unbound only verifies that certificate when a
              ;; CA bundle is configured (tls-cert-bundle / tls-system-cert);
              ;; whether unbound-configuration sets one by default is not
              ;; visible here — confirm, otherwise the upstream is encrypted
              ;; but not authenticated.
              (service unbound-service-type
                       (unbound-configuration
                         (forward-zone
                           (list
                             (unbound-zone
                               (name ".")
                               (forward-addr '("149.112.112.112#dns.quad9.net"
                                               "2620:fe::9#dns.quad9.net"))
                               (forward-tls-upstream #t))))))

              ;; SSH: password logins are refused and clients may not forward
              ;; their ssh-agent into this host.
              (service openssh-service-type
                       (openssh-configuration
                         (allow-agent-forwarding? #f)
                         (password-authentication? #f)))

              ;; Time from the NTP pool, bounded by the HTTPS date headers of
              ;; the constraint hosts so that a single bogus NTP answer cannot
              ;; move the clock far (see the "constraint" keyword in ntpd.conf(5)).
              (service openntpd-service-type
                       (openntpd-configuration
                         (servers '("europe.pool.ntp.org"))
                         (constraint-from
                           '(;; Quad9 DNS (IPv4)
                             "9.9.9.9"
                             ;; Quad9 DNS (IPv6)
                             "2620:fe::fe"
                             ;; Google LLC (DNS)
                             "www.google.com"))))

              ;; DHCP client.  The DNS and domain options offered by the lease
              ;; are dropped and the name server is pinned to 127.0.0.1,
              ;; presumably so that all resolution goes through the local
              ;; unbound above rather than a resolver chosen by the network.
              ;; The "hostname" hook is disabled so a lease cannot rename the host.
              (service dhcpcd-service-type
                       (dhcpcd-configuration
                         (vendor-class-id "MSFT")
                         (option '("rapid_commit" "interface_mtu"))
                         (no-option '("nd_rdnss"
                                      "dhcp6_name_servers"
                                      "domain_name_servers"
                                      "domain_name"
                                      "domain_search"))
                         (static '("domain_name_servers=127.0.0.1"))
                         (no-hook '("hostname")))))

            (modify-services %base-services
                             ;; Enable substitutes for nonguix.
                             (guix-service-type config => (nonguix-config config))

                             ;; Set a custom console font.
                             (console-font-service-type config =>
                               (map (lambda (tty)
                                      (cons tty
                                            #~(string-append
                                                #+font-terminus-patched
                                                "/share/consolefonts/ter-v16n.psf.gz")))
                                    '("tty1" "tty2" "tty3" "tty4" "tty5" "tty6")))

                             ;; Enable additional sysctls: keep the kernel log
                             ;; (dmesg) and kernel pointers in /proc away from
                             ;; unprivileged users.
                             (sysctl-service-type config =>
                               (sysctl-configuration
                                 (inherit config)
                                 (settings
                                   (append %default-sysctl-settings
                                           '(("kernel.dmesg_restrict" . "1")
                                             ("kernel.kptr_restrict" . "1")))))))))

  (bootloader (bootloader-configuration
                ;; Use a removable bootloader configuration here to prevent
                ;; Grub from updating UEFI boot entries, thereby making Guix
                ;; (instead of Alpine) the default entry.
                ;;
                ;; See the --removable and --no-nvram option of grub-install.
                (bootloader grub-efi-removable-bootloader)
                (targets (list "/boot/efi"))
                (keyboard-layout keyboard-layout)
                ;; A cpio archive carrying the LUKS key file is appended to
                ;; the initrd so the root volume (see mapped-devices) can be
                ;; opened at boot.
                ;;
                ;; NOTE(review): the archive and /key-file.bin are read from
                ;; the root file system; keep both readable by root only —
                ;; confirm their permissions on the installed system.
                (extra-initrd "/key-file.cpio")))

  ;; The encrypted root volume.  allow-discards? passes TRIM through LUKS
  ;; (needed for the fstrim service above) at the cost of revealing which
  ;; blocks of the device are unused.
  (mapped-devices (list (mapped-device
                          (source (uuid "d9bd4aa0-bd68-4fef-b6a5-0657bd69daef"))
                          (target "cryptroot")
                          (type luks-device-mapping)
                          (arguments
                            '(#:allow-discards? #t
                              #:key-file "/key-file.bin")))))

  ;; The list of file systems that get "mounted".  The unique
  ;; file system identifiers there ("UUIDs") can be obtained
  ;; by running 'blkid' in a terminal.
  (file-systems
    ;; btrfs-subvol builds a file-system record for the subvolume named
    ;; after its mount point MNT on the encrypted root device, with the
    ;; given mount FLAGS and extra mount OPTS (an alist or list of strings).
    (let ((btrfs-subvol (lambda (mnt flags opts)
                          (file-system
                            (mount-point mnt)
                            (device "/dev/mapper/cryptroot")
                            (type "btrfs")
                            (flags flags)
                            (options (alist->file-system-options
                                       (cons (cons "subvol" mnt) opts)))
                            (dependencies mapped-devices)))))
      ;; /tmp is an unrestricted tmpfs; only /var/tmp below carries the
      ;; nosuid/nodev/noexec flags.
      (cons* (file-system
               (check? #f)
               (mount-point "/tmp")
               (device "none")
               (type "tmpfs"))

             ;; TODO: Subvolumes for /home, /var, /var/log, /var/tmp, …
             ;;
             ;; Note: Btrfs does presently not support filesystem-specific
             ;; mount options on subvolume-granularity, generic ones work.
             ;;
             ;; See https://btrfs.readthedocs.io/en/stable/btrfs-subvolume.html#mount-options
             (btrfs-subvol "/"
                           '(no-atime)
                           '("rw"
                             "ssd"
                             ("compress" . "lzo")
                             ("space_cache" . "v2")))
             ;; TODO: Consider using a tmpfs for /var/tmp
             ;;
             ;; Mounted nosuid/nodev/noexec so files dropped here cannot be
             ;; executed or act as setuid binaries or device nodes.
             (btrfs-subvol "/var/tmp"
                           '(no-atime no-suid no-dev no-exec)
                           '())

             ;; The EFI system partition is unencrypted and holds GRUB.
             (file-system
               (mount-point "/boot/efi")
               (device (uuid "04FA-08B2" 'fat32))
               (type "vfat")) %base-file-systems))))