guix-config

Configuration files for Guix

git clone https://git.8pit.net/guix-config.git

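;; Modules this system declaration depends on.  Everything under (gnu ...)
;; ships with upstream Guix; (nmeum ...) and (nongnu ...) are external and
;; presumably provided by additional channels.
;;
;; (gnu services dns) was previously listed twice; it is needed once for
;; the unbound service below.
(use-modules (gnu)
             (gnu packages shells)
             (gnu services dbus)
             (gnu services desktop)
             (gnu services dns)
             (gnu services linux)
             (gnu services networking)
             (gnu services mcron)
             (gnu services ssh)
             (gnu services sysctl)
             (gnu system locale)
             (gnu system pam)

             (nmeum packages misc)
             (nmeum packages desktop)
             ;; Only the kernel and its firmware are taken from nonguix.
             ((nongnu packages linux) #:select (linux linux-firmware)))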
 19
;; Public signing key of the nonguix substitute server, embedded as the
;; plain-text s-expression that guix-daemon expects in an authorized-keys
;; file.  Built line by line so the layout matches the published key and
;; is easy to compare against it.
;;
;; See: https://gitlab.com/nonguix/nonguix
(define nonguix-signkey
  (string-append
    "(public-key\n"
    "     (ecc\n"
    "       (curve Ed25519)\n"
    "       (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)))"))
 28
;; Return a copy of the guix-configuration CONFIG that additionally trusts
;; the nonguix substitute server.  The server URL is placed in front of the
;; default URLs and its public key is added to the authorized set, so only
;; substitutes signed by that key are accepted from it.
;;
;; See https://guix.gnu.org/en/manual/devel/en/guix.html#index-guix_002dconfiguration
(define (nonguix-config config)
  (let ((nonguix-url "https://substitutes.nonguix.org")
        (nonguix-key (plain-file "non-guix.pub" nonguix-signkey)))
    (guix-configuration
      (inherit config)
      ;; Run guix-daemon without root privileges.  This may become the
      ;; default in the future.
      ;;
      ;; See https://codeberg.org/guix/guix-mirror/commit/ba53ff9cc403c7f0388e2dc932cb46e665e81be7
      (privileged? #f)
      (substitute-urls (cons nonguix-url %default-substitute-urls))
      (authorized-keys (cons nonguix-key %default-authorized-guix-keys)))))
 45
;; System declaration for the host "hassium": kernel and firmware from
;; nonguix, a LUKS-encrypted btrfs root unlocked with a key file, a local
;; DNS forwarder (unbound over TLS to Quad9) and a few hardening sysctls.
(operating-system
  ;; Kernel and firmware are the nonguix variants selected in use-modules.
  (kernel linux)
  (firmware (list linux-firmware))

  (locale "en_US.utf8")
  (locale-definitions
    (list (locale-definition
            (name "en_US.utf8") (source "en_US"))))

  (timezone "Europe/Berlin")
  (keyboard-layout (keyboard-layout "de" "neo"))
  (host-name "hassium")

  ;; The list of user accounts ('root' is implicit).
  (users (cons* (user-account
                  (name "soeren")
                  (comment "Sören Tempel")
                  (group "users")
                  (shell (file-append loksh-bracketed "/bin/ksh"))
                  (home-directory "/home/soeren")
                  ;; Note: Without elogind, it is necessary to also be in both
                  ;; the audio and the video group as seatd doesn't mediate access
                  ;; to audio/video devices.
                  ;;
                  ;; "wheel" membership grants passwordless root through the
                  ;; sudoers file below, so a compromise of this account is
                  ;; equivalent to a compromise of root.
                  (supplementary-groups '("wheel" "netdev")))
                %base-user-accounts))

  ;; Allow sudo use without password authentication.
  ;;
  ;; XXX: A bit ugly since there is no declarative API for this yet.
  ;;
  ;; The second line is what removes the password prompt for every wheel
  ;; member; the first keeps root's own entry.
  (sudoers-file
    (plain-file "sudoers" "root ALL=(ALL) ALL\n%wheel ALL=(ALL) NOPASSWD: ALL\n"))

  ;; Below is the list of system services.  To search for available
  ;; services, run 'guix system search KEYWORD' in a terminal.
  (services
    (append (list
              (service elogind-service-type)
              (service dbus-root-service-type)
              (service fstrim-service-type)

              ;; TODO: btrfs snapshots (see comment regarding subvolumes below).
              ;;
              ;; XXX: mcron has not been designed to run anachronistically.
              ;; See: https://www.gnu.org/software/mcron/manual/mcron.html#Behaviour-on-laptops
              ;;
              ;; Daily at 12:00, collect garbage until 100G are free; a missed
              ;; run is not caught up later (see the mcron note above).
              (let ((guix-gc #~(job '(next-hour '(12)) "guix gc -F 100G")))
                (simple-service 'guix-gc-cron
                                mcron-service-type
                                (list guix-gc)))

              ;; Local resolver: every query (zone ".") is forwarded to Quad9
              ;; over TLS.  The "#dns.quad9.net" suffix is unbound's syntax for
              ;; the name the upstream certificate is checked against.
              ;; NOTE(review): certificate verification also needs a CA bundle
              ;; configured for unbound; presumably the service defaults supply
              ;; one — confirm.
              (service unbound-service-type
                       (unbound-configuration
                         (forward-zone
                           (list
                             (unbound-zone
                               (name ".")
                               (forward-addr '("149.112.112.112#dns.quad9.net"
                                               "2620:fe::9#dns.quad9.net"))
                               (forward-tls-upstream #t))))))

              ;; Key-only SSH logins, and no agent forwarding so a compromised
              ;; host cannot use the client's agent.  Root login is left at the
              ;; service's default (permit-root-login) — confirm that is intended.
              (service openssh-service-type
                       (openssh-configuration
                         (allow-agent-forwarding? #f)
                         (password-authentication? #f)))

              ;; Time from the NTP pool, sanity-checked against the HTTPS date
              ;; headers of the constraint hosts below.
              (service openntpd-service-type
                       (openntpd-configuration
                         (servers '("europe.pool.ntp.org"))
                         (constraint-from
                           '(;; Quad9 DNS (IPv4)
                             "9.9.9.9"
                             ;; Quad9 DNS (IPv6)
                             "2620:fe::fe"
                             ;; Google LLC (DNS)
                             "www.google.com"))))

              ;; DHCP client.  DNS-related options offered by the network are
              ;; ignored (no-option) and the resolver is pinned to the local
              ;; unbound instance (static), so an untrusted network cannot
              ;; redirect name resolution.  The hostname hook is disabled so the
              ;; network cannot rename the machine either.
              (service dhcpcd-service-type
                       (dhcpcd-configuration
                         (vendor-class-id "MSFT")
                         (option '("rapid_commit" "interface_mtu"))
                         (no-option '("nd_rdnss"
                                      "dhcp6_name_servers"
                                      "domain_name_servers"
                                      "domain_name"
                                      "domain_search"))
                         (static '("domain_name_servers=127.0.0.1"))
                         (no-hook '("hostname")))))

            (modify-services %base-services
                             ;; Enable substitutes for nonguix.
                             (guix-service-type config => (nonguix-config config))

                             ;; Set a custom console font.
                             (console-font-service-type config =>
                               (map (lambda (tty)
                                      (cons tty
                                            #~(string-append
                                                #+font-terminus-patched
                                                "/share/consolefonts/ter-v16n.psf.gz")))
                                    '("tty1" "tty2" "tty3" "tty4" "tty5" "tty6")))

                             ;; Enable additional sysctls.
                             ;;
                             ;; dmesg_restrict=1 limits reading the kernel log to
                             ;; privileged processes; kptr_restrict=1 hides kernel
                             ;; addresses from unprivileged readers of /proc.
                             (sysctl-service-type config =>
                               (sysctl-configuration
                                 (inherit config)
                                 (settings
                                   (append %default-sysctl-settings
                                           '(("kernel.dmesg_restrict" . "1")
                                             ("kernel.kptr_restrict" . "1")))))))))

  (bootloader (bootloader-configuration
                ;; Use a removable bootloader configuration here to prevent
                ;; Grub from updating UEFI boot entries, thereby making Guix
                ;; (instead of Alpine) the default entry.
                ;;
                ;; See the --removable and --no-nvram option of grub-install.
                (bootloader grub-efi-removable-bootloader)
                (targets (list "/boot/efi"))
                (keyboard-layout keyboard-layout)
                ;; Additional initrd carrying the LUKS key file used by
                ;; mapped-devices below.  NOTE(review): this archive presumably
                ;; lives on the unencrypted bootloader-readable file system, so
                ;; the disk encryption only protects against reading the
                ;; drive without this partition — confirm that is the threat
                ;; model intended here.
                (extra-initrd "/key-file.cpio")))

  ;; The encrypted root device, unlocked with the key file shipped in the
  ;; extra initrd above.  allow-discards? passes TRIM through the LUKS
  ;; layer, which exposes which blocks are unused; the usual SSD trade-off.
  (mapped-devices (list (mapped-device
                          (source (uuid "d9bd4aa0-bd68-4fef-b6a5-0657bd69daef"))
                          (target "cryptroot")
                          (type (luks-device-mapping-with-options
                                  #:allow-discards? #t
                                  #:key-file "/key-file.bin")))))

  ;; The list of file systems that get "mounted".  The unique
  ;; file system identifiers there ("UUIDs") can be obtained
  ;; by running 'blkid' in a terminal.
  (file-systems
    ;; btrfs-subvol builds a file-system for the subvolume named after its
    ;; mount point MNT on the decrypted root device, with mount FLAGS and
    ;; extra mount OPTS (an alist/list as accepted by
    ;; alist->file-system-options).  The dependency on mapped-devices
    ;; ensures the LUKS device is opened first.
    (let ((btrfs-subvol (lambda (mnt flags opts)
                          (file-system
                            (mount-point mnt)
                            (device "/dev/mapper/cryptroot")
                            (type "btrfs")
                            (flags flags)
                            (options (alist->file-system-options
                                       (cons (cons "subvol" mnt) opts)))
                            (dependencies mapped-devices)))))
      ;; Note: unlike /var/tmp below, this /tmp carries none of the
      ;; no-suid/no-dev/no-exec flags.
      (cons* (file-system
               (check? #f)
               (mount-point "/tmp")
               (device "none")
               (type "tmpfs"))

             ;; TODO: Subvolumes for /home, /var, /var/log, /var/tmp, …
             ;;
             ;; Note: Btrfs does presently not support filesystem-specific
             ;; mount options on subvolume-granularity, generic ones work.
             ;;
             ;; See https://btrfs.readthedocs.io/en/stable/btrfs-subvolume.html#mount-options
             (btrfs-subvol "/"
                           '(no-atime)
                           '("rw"
                             "ssd"
                             ("compress" . "lzo")
                             ("space_cache" . "v2")))
             ;; TODO: Consider using a tmpfs for /var/tmp
             ;;
             ;; Mounted without suid/dev/exec so files dropped here cannot be
             ;; executed or used as device nodes.
             (btrfs-subvol "/var/tmp"
                           '(no-atime no-suid no-dev no-exec)
                           '())

             ;; The EFI system partition; unencrypted by necessity.
             (file-system
               (mount-point "/boot/efi")
               (device (uuid "04FA-08B2" 'fat32))
               (type "vfat")) %base-file-systems))))