guix-config

Configuration files for Guix

git clone https://git.8pit.net/guix-config.git

(use-modules (gnu)
             (gnu packages shells)
             (gnu services dbus)
             (gnu services desktop)
             (gnu services dns)
             (gnu services networking)
             (gnu services ssh)
             (gnu services sysctl)
             (gnu system locale)
             (gnu system pam)

             (nmeum packages misc)
             (nmeum packages desktop)
             (nmeum services networking)
             (nmeum services system)
             ((nongnu packages linux) #:select (linux linux-firmware)))
 19
;; Public signing key of the nonguix substitute server, as the s-expression
;; text Guix expects for an authorized key (Ed25519 point `q').
;;
;; Security note: once authorized (see nonguix-config), any store item signed
;; by the matching private key is accepted as a pre-built binary, so this
;; literal is a root of trust.  Compare it against the key published at
;; https://gitlab.com/nonguix/nonguix before deploying, and re-check it
;; whenever this file is copied to a new machine.
(define nonguix-signkey
  (string-append
   "(public-key\n"
   "     (ecc\n"
   "       (curve Ed25519)\n"
   "       (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)))"))
 28
;; Return CONFIG (a guix-configuration) extended with the nonguix substitute
;; server and its signing key, both placed in front of the Guix defaults so the
;; nonguix server is consulted first.
;;
;; Security note: the daemon accepts a substitute signed by any key in
;; authorized-keys regardless of which URL served it, so this extends the trust
;; currently placed in the official build farm to the nonguix project for every
;; store item, not only for the non-free packages it was added for.
;;
;; See https://guix.gnu.org/en/manual/devel/en/guix.html#index-guix_002dconfiguration
(define (nonguix-config config)
  (let ((nonguix-url "https://substitutes.nonguix.org")
        (nonguix-key (plain-file "non-guix.pub" nonguix-signkey)))
    (guix-configuration
      (inherit config)
      (substitute-urls (cons nonguix-url %default-substitute-urls))
      (authorized-keys (cons nonguix-key %default-authorized-guix-keys)))))
 41
;; System declaration for the "hassium" workstation.  This is the last
;; top-level expression of the file, i.e. the value `guix system' evaluates.
(operating-system
  ;; Non-free kernel and firmware from nongnu; the pre-built binaries come
  ;; from the nonguix substitute server enabled in the services below.
  (kernel linux)
  (firmware (list linux-firmware))

  (locale "en_US.utf8")
  (locale-definitions
    (list (locale-definition
            (name "en_US.utf8") (source "en_US"))))

  (timezone "Europe/Berlin")
  (keyboard-layout (keyboard-layout "de" "neo"))
  (host-name "hassium")

  ;; The list of user accounts ('root' is implicit).
  (users (cons* (user-account
                  (name "soeren")
                  (comment "Sören Tempel")
                  (group "users")
                  (shell (file-append loksh-bracketed "/bin/ksh"))
                  (home-directory "/home/soeren")
                  ;; Note: Without elogind, it is necessary to also be in both
                  ;; the audio and the video group as seatd doesn't mediate access
                  ;; to audio/video devices.
                  ;;
                  ;; Security note: "wheel" membership together with the
                  ;; NOPASSWD sudoers rule below makes any process running as
                  ;; this account able to become root without a prompt.
                  (supplementary-groups '("wheel" "netdev")))
                %base-user-accounts))

  ;; Allow sudo use without password authentication.
  ;;
  ;; This replaces the default sudoers file, hence the explicit root line.
  ;; Trade-off: convenience over a second authentication step -- anything that
  ;; obtains code execution as a wheel member (including whoever holds an SSH
  ;; key accepted by the openssh service below) is root.  Drop "NOPASSWD:" to
  ;; restore the password prompt if untrusted code may ever run as the user.
  ;;
  ;; XXX: A bit ugly since there is no declarative API for this yet.
  (sudoers-file
    (plain-file "sudoers" "root ALL=(ALL) ALL\n%wheel ALL=(ALL) NOPASSWD: ALL\n"))

  ;; Below is the list of system services.  To search for available
  ;; services, run 'guix system search KEYWORD' in a terminal.
  (services
    (append (list
              (service elogind-service-type)
              (service dbus-root-service-type)

              ;; Local resolver.  Every query (zone ".") is forwarded to Quad9
              ;; over TLS; the "#dns.quad9.net" suffix is the name the upstream
              ;; certificate has to match.
              ;;
              ;; NOTE(review): unbound can only verify that name when a CA
              ;; bundle (tls-cert-bundle) is set in its server section -- confirm
              ;; the Guix unbound defaults provide one, otherwise the upstream
              ;; link is encrypted but not authenticated.
              (service unbound-service-type
                       (unbound-configuration
                         (forward-zone
                           (list
                             (unbound-zone
                               (name ".")
                               (forward-addr '("149.112.112.112#dns.quad9.net"
                                               "2620:fe::9#dns.quad9.net"))
                               (forward-tls-upstream #t))))))

              ;; SSH with key-based authentication only and no agent
              ;; forwarding (a compromised remote host could otherwise use
              ;; the local agent's keys).  Because of the NOPASSWD sudoers
              ;; rule above, a key accepted here is effectively a root
              ;; credential -- keep the authorized key set minimal.
              ;; Root login is not configured here; it is left at the
              ;; openssh-configuration default.
              (service openssh-service-type
                       (openssh-configuration
                         (allow-agent-forwarding? #f)
                         (password-authentication? #f)))

              ;; Time synchronisation.  The constraint-from hosts are contacted
              ;; over HTTPS and their Date header bounds the accepted offset, so
              ;; an unauthenticated (spoofed) NTP reply cannot move the clock
              ;; arbitrarily; see ntpd.conf(5).
              (service openntpd-service-type
                       (openntpd-configuration
                         (servers '("europe.pool.ntp.org"))
                         (constraint-from
                           '(;; Quad9 DNS (IPv4)
                             "9.9.9.9"
                             ;; Quad9 DNS (IPv6)
                             "2620:fe::fe"
                             ;; Google LLC (web front end)
                             "www.google.com"))))

              ;; DHCP client.  All DNS-related options handed out by the
              ;; network are ignored (nooption) and 127.0.0.1 is pinned instead,
              ;; so the local unbound above is always the resolver; the hostname
              ;; hook is disabled so a DHCP server cannot rename the machine.
              ;; The "MSFT" vendor class presumably makes the lease request
              ;; look like a Windows client -- verify this is still intended.
              (service dhcpcd-service-type
                       (dhcpcd-configuration
                         (vendorclassid "MSFT")
                         (option '("rapid_commit" "interface_mtu"))
                         (nooption '("nd_rdnss"
                                     "dhcp6_name_servers"
                                     "domain_name_servers"
                                     "domain_name"
                                     "domain_search"))
                         (static '("domain_name_servers=127.0.0.1"))
                         (nohook '("hostname")))))

            (modify-services %base-services
                             ;; Enable substitutes for nonguix.
                             (guix-service-type config => (nonguix-config config))

                             ;; Enable additional sysctls: hide the kernel log
                             ;; (dmesg_restrict) and kernel addresses in /proc
                             ;; (kptr_restrict) from unprivileged users.
                             (sysctl-service-type config =>
                               (sysctl-configuration
                                 (inherit config)
                                 (settings
                                   (append %default-sysctl-settings
                                           '(("kernel.dmesg_restrict" . "1")
                                             ("kernel.kptr_restrict" . "1")))))))))

  (bootloader (bootloader-configuration
                ;; Use a removable bootloader configuration here to prevent
                ;; Grub from updating UEFI boot entries, thereby making Guix
                ;; (instead of Alpine) the default entry.
                ;;
                ;; See the --removable and --no-nvram option of grub-install.
                (bootloader grub-efi-removable-bootloader)
                (targets (list "/boot/efi"))
                (keyboard-layout keyboard-layout)
                ;; cpio archive appended to the initrd; it carries the LUKS key
                ;; file referenced by mapped-devices, so the initrd can open
                ;; cryptroot without a second passphrase prompt.  No separate
                ;; /boot file system is declared, so /boot (kernel, initrd and
                ;; this archive) lives on the encrypted root -- the key must
                ;; never be placed on the plain /boot/efi partition.
                (extra-initrd "/key-file.cpio")))

  (mapped-devices (list (mapped-device
                          (source (uuid "d9bd4aa0-bd68-4fef-b6a5-0657bd69daef"))
                          (target "cryptroot")
                          ;; Unlocked with the key file shipped in the extra
                          ;; initrd above rather than an interactive prompt.
                          (type (luks-device-mapping-with-options
                                  #:key-file "/key-file.bin")))))

  ;; The list of file systems that get "mounted".  The unique
  ;; file system identifiers there ("UUIDs") can be obtained
  ;; by running 'blkid' in a terminal.
  (file-systems (cons* (file-system
                         ;; tmpfs: nothing to fsck.
                         ;; NOTE(review): consider (options "nosuid,nodev") --
                         ;; a world-writable /tmp that honours setuid bits and
                         ;; device nodes is a classic privilege-escalation aid.
                         (check? #f)
                         (mount-point "/tmp")
                         (device "none")
                         (type "tmpfs"))

                       ;; Root on the LUKS volume; mounted only after the
                       ;; mapped device above has been opened.
                       (file-system
                         (mount-point "/")
                         (device "/dev/mapper/cryptroot")
                         (type "btrfs")
                         (dependencies mapped-devices))
                       ;; EFI system partition -- the only unencrypted on-disk
                       ;; file system declared here; it should hold nothing but
                       ;; the bootloader.
                       (file-system
                         (mount-point "/boot/efi")
                         (device (uuid "04FA-08B2" 'fat32))
                         (type "vfat")) %base-file-systems)))