zilti/guixconfig
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
guixconfig/config.org
Daniel Ziltener 7557f2f221
.
2024-03-13 22:32:06 +01:00

459 lines
12 KiB
Org Mode
Raw Blame History

#+TITLE: GUIX System Configuration
#+AUTHOR: Daniel Ziltener
#+PROPERTY: scheme-implementation guile
#+PROPERTY: header-args:scheme :comments none :session *guile*
#+begin_src emacs-lisp :results none
(org-babel-lob-ingest "./library.org")
#+end_src
* Makefile
#+begin_src makefile :tangle Makefile
reconfigure:
mkdir -p ~/.config/guix
cp channels.scm ~/.config/guix/channels.scm
guix archive --authorize < signing-key.pub
guix system reconfigure ./config.scm --substitute-urls='https://ci.guix.gnu.org https://bordeaux.guix.gnu.org https://substitutes.nonguix.org'
make -C /home/zilti/.guix-home/profile/lib/browserpass hosts-firefox-user
flatpak --user remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
#+end_src
* System Installation Script
This is to be run after setting up the partitions.
#+begin_src sh :tangle sysinst.sh
#!/bin/sh
set euxo -pipefail
mount /dev/disk/by-label/guix /mnt
mkdir -p /mnt/boot/efi
mount /dev/disk/by-label/EFI /mnt/boot/efi
herd start cow-store /mnt
guix pull -C./channels.scm
GUIX_PROFILE="/root/.config/guix/current"
. "$GUIX_PROFILE/etc/profile"
hash guix
guix system -L. init config.scm /mnt --substitute-urls="https://ci.guix.gnu.org https://bordeaux.guix.gnu.org https://substitutes.nonguix.org"
#+end_src
* Modules
#+NAME: module-list
- gnu
- gnu image
- gnu services admin
- gnu services authentication
- gnu services base
- gnu services configuration
- gnu services dbus
- gnu services desktop
- gnu services docker
- gnu services linux
- gnu services networking
- gnu services pm
- gnu services sound
- gnu services virtualization
- gnu services xorg
- gnu system nss
- zilti packages hyprland
- nongnu packages firmware
- nongnu packages linux
- nongnu system linux-initrd
#+begin_src scheme :noweb yes :exports none :results output :tangle config.scm
<<list-to-use(use-call="use-modules",entries=module-list,all-parens=1)>>
#+end_src
#+RESULTS:
** Service Modules
#+NAME: service-module-list
- desktop
- xorg
#+begin_src scheme :noweb yes :exports none :results output :tangle config.scm
<<list-to-use(use-call="use-service-modules",entries=service-module-list)>>
#+end_src
** Package Modules
#+NAME: package-module-list
- bootloaders
- certs
- containers
- emacs
- emacs-xyz
- fonts
- gl
- gnome
- linux
- pciutils
- readline
- terminals
- version-control
- wm
- xdisorg
- xorg
#+begin_src scheme :noweb yes :exports none :results output :tangle config.scm
<<list-to-use(use-call="use-package-modules",entries=package-module-list)>>
#+end_src
* Configuration Definitions
** File System
#+NAME: config-filesystems
#+begin_src scheme :noweb yes
(file-systems (append (list
(file-system
(device (file-system-label "EFI"))
(mount-point "/boot/efi")
(type "vfat"))
(file-system
(device (file-system-label "guix"))
(mount-point "/")
(type "xfs")))
%base-file-systems))
#+end_src
#+NAME: config-swap
#+begin_src scheme :noweb yes
(swap-devices
(list (swap-space (target (file-system-label "swap")))))
#+end_src
** Channels
This adds the Nonguix channel.
#+NAME: root-channels
#+begin_src scheme :tangle channels.scm
(cons* (channel
(name 'nonguix)
(url "https://gitlab.com/nonguix/nonguix")
;; Enable signature verification:
(introduction
(make-channel-introduction
"897c1a470da759236cc11798f4e0a5f7d4d59fbc"
(openpgp-fingerprint
"2A39 3FFF 68F4 EF7A 3D29 12AF 6F51 20A0 22FB B2D5"))))
(channel
(name 'emacs-melpa)
(url "https://github.com/babariviere/guix-emacs")
(introduction
(make-channel-introduction
"72ca4ef5b572fea10a4589c37264fa35d4564783"
(openpgp-fingerprint
"261C A284 3452 FB01 F6DF 6CF4 F9B7 864F 2AB4 6F18"))))
(channel
(name 'ziltis-channel)
(url "https://gitea.lyrion.ch/zilti/guixchannel"))
%default-channels)
#+end_src
** Packages
#+NAME: root-packages
- bluez-firmware
- egl-wayland
- eglexternalplatform
- emacs
- emacs-desktop-environment
- font-terminus
- fwupd-nonfree
- git
- glu
- hwdata
- i915-firmware
- libdrm
- mesa
- nss-certs
- network-manager
- podman
- readline
- tuxedo-keyboard
- xf86-video-amdgpu
- xf86-video-intel
- amdgpu-firmware
- amd-microcode
- intel-microcode
#+NAME: root-package-block
#+begin_src scheme :noweb no-export
(packages
(append
<<org-to-scheme-sym-list(input=root-packages)>>
%base-packages))
#+end_src
#+RESULTS: root-package-block
** Services
#+NAME: root-services-block
#+begin_src scheme :noweb yes :exports none :results code
(services
(append
<<root-modified-desktop-services>>
<<root-simple-service-block>>
(list polkit-wheel-service)
(list
<<greeter-service>>)
(list
<<screen-lock-service>>)
(list
<<hosts-file-service>>)
(list
<<unattended-upgrade>>)
))
#+end_src
*** Simple Services
These services are unmodified, or have just few settings.
#+NAME: root-simple-services
| Service | Options |
|-------------+------------------------------------------------------|
| tlp | () |
| thermald | ((adaptive? #t)) |
| bluetooth | () |
| docker | () |
| earlyoom | ((minimum-available-memory 5) (minimum-free-swap 5)) |
| inputattach | () |
| libvirt | ((unix-sock-group "libvirt")) |
| fstrim | () |
| fprintd | () |
| seatd | () |
#+NAME: root-simple-service-block
#+begin_src scheme :noweb yes :exports none :results output
<<service-converter(input=root-simple-services)>>
#+end_src
*** Unattended Upgrade Service
#+NAME: unattended-upgrade
#+begin_src scheme :noweb no-export
(service unattended-upgrade-service-type
(unattended-upgrade-configuration
(schedule "5 12 * * 1")
#;(channels
<<root-channels>>)))
#+end_src
*** Hosts File
#+NAME: hosts-file-service
#+begin_src scheme :noweb no-export
(simple-service 'add-extra-hosts
hosts-service-type
(list (host "127.0.0.1" "l.redsky.io" '("ld.redsky.io"))
(host "::1" "l.redsky.io" '("ld.redsky.io"))))
#+end_src
*** Modified Desktop Services
#+NAME: nonguix-pubkey
#+begin_src scheme :tangle keys/non-guix.pub :mkdirp yes
(public-key
(ecc
(curve Ed25519)
(q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)
)
)
#+end_src
#+NAME: guix-ci-pubkey
#+begin_src scheme :tangle keys/guix-ci.pub :mkdirp yes
(public-key
(ecc
(curve Ed25519)
(q #8D156F295D24B0D9A86FA5741A840FF2D24F60F7B6C4134814AD55625971B394#)
)
)
#+end_src
#+NAME: guix-bordeaux-pubkey
#+begin_src scheme :tangle keys/guix-bordeaux.pub :mkdirp yes
(public-key
(ecc
(curve Ed25519)
(q #7D602902D3A2DBB83F8A0FB98602A754C5493B0B778C8D1DD4E0F41DE14DE34F#)
)
)
#+end_src
#+NAME: root-modified-desktop-services
#+begin_src scheme :exports none :results code :noweb no-export
(modify-services
%desktop-services
(delete gdm-service-type)
(delete screen-locker-service-type)
(delete login-service-type)
(delete mingetty-service-type)
(delete console-font-service-type)
(delete elogind-service-type)
(delete pulseaudio-service-type)
(guix-service-type config => (guix-configuration
(inherit config)
(substitute-urls
(append (list "https://substitutes.nonguix.org")
%default-substitute-urls))
(authorized-keys
(append (list (local-file "./keys/non-guix.pub"))
%default-authorized-guix-keys)))))
#+end_src
*** Greeter Service
=greetd= is a broken mess, yet here we are.
#+NAME: greeter-service
#+begin_src scheme
(service greetd-service-type
(greetd-configuration
(greeter-supplementary-groups
(list "video" "input"))
(terminals
(list
(greetd-terminal-configuration
(terminal-vt "1"))
(greetd-terminal-configuration
(terminal-vt "2"))
(greetd-terminal-configuration
(terminal-vt "3"))
(greetd-terminal-configuration
(terminal-vt "4"))
#;(greetd-terminal-configuration
(terminal-vt "7")
(terminal-switch #t)
(default-session-command
(greetd-wlgreet-session
(command
(file-append swayfx "/bin/sway")))))
(greetd-terminal-configuration
(terminal-vt "8"))))))
#+end_src
*** Screen Locker Service
For some reason, this service runs on root level for Guix.
#+NAME: screen-lock-service
#+begin_src scheme
(service screen-locker-service-type
(screen-locker-configuration
(name "swaylock")
(program
(file-append swaylock-effects "/bin/swaylock"))
(using-setuid? #f)))
#+end_src
* Operating System
This is the full operating system specification.
#+begin_src scheme :noweb no-export :results code :tangle config.scm
(operating-system
(host-name "ziltis-machine")
(timezone "Europe/Berlin")
(locale "de_DE.utf8")
(keyboard-layout
(keyboard-layout "de" #:options '("caps:swapescape")))
(kernel linux)
(initrd microcode-initrd)
(firmware (list linux-firmware))
(bootloader
(bootloader-configuration
(bootloader grub-efi-bootloader)
(targets
'("/boot/efi"))
(keyboard-layout keyboard-layout)))
#;(file-systems %local-filesystem)
#;(swap-devices %local-swap)
<<config-filesystems>>
<<config-swap>>
(users
(cons*
(user-account
(name "zilti")
(group "users")
(supplementary-groups
'("avahi" "docker" "users" "wheel" "netdev" "audio" "cdrom" "video" "libvirt" "seat")))
%base-user-accounts))
<<root-package-block>>
<<root-services-block>>
(name-service-switch %mdns-host-lookup-nss))
#+end_src
* Other Components
** Podman
Podman needs the files =/etc/subuid= and =/etc/subgid=.
#+begin_src fundamental :tangle etc/subuid :mkdirp yes
zilti:1001:65536
#+end_src
#+begin_src fundamental :tangle etc/subgid :mkdirp yes
zilti:1000:1000
#+end_src
Then, there is the =policy.json=:
#+begin_src json :tangle podman/policy.json :mkdirp yes
{
"default": [
{
"type": "reject"
}
],
"transports": {
"docker": {
"docker.io": [
{
"type": "insecureAcceptAnything"
}
],
"docker.io/library": [
{
"type": "insecureAcceptAnything"
}
],
"registry.access.redhat.com": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
}
],
"registry.redhat.io": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
}
]
},
"docker-daemon": {
"": [
{
"type": "insecureAcceptAnything"
}
]
}
}
}
#+end_src
And finally the registries.
#+begin_src conf :tangle podman/registries.conf :mkdirp yes
[registries.search]
registries = ["docker.io", "registry.access.redhat.com", "quay.io"]
#+end_src
Reference in a new issue View git blame Copy permalink