-rw-r--r-- | tw/home.scm | 54 | ||||
-rw-r--r-- | tw/home/cern.scm | 55 | ||||
-rw-r--r-- | tw/home/files/aerc/accounts.work.conf | 20 | ||||
-rw-r--r-- | tw/home/files/aerc/aerc.conf | 2 | ||||
-rw-r--r-- | tw/home/files/gitconfig | 7 | ||||
-rw-r--r-- | tw/home/files/zshrc | 3 | ||||
-rw-r--r-- | tw/home/lap.scm | 43 | ||||
-rw-r--r-- | tw/packages/ci.scm | 25 | ||||
-rw-r--r-- | tw/system/cern.scm | 276 | ||||
-rw-r--r-- | tw/system/files/timo-cern.pub | 1 |
10 files changed, 431 insertions, 55 deletions
diff --git a/tw/home.scm b/tw/home.scm index 12a4d226..a0fa14df 100644 --- a/tw/home.scm +++ b/tw/home.scm @@ -91,12 +91,17 @@ auto-expand-secmem ,@(map make-own-ssh-host (map (compose wireguardify car) %ssh-ports) (map cdr %ssh-ports)) ,(openssh-host (name "*.fritz.box") (proxy-command "ssh -W '[%h]:%p' lud.twilken.net")) ;; Git hosts - ,@(map (lambda (host) (openssh-host (name host) (user "git"))) - '("github.com" "ssh.github.com" "bitbucket.org")) - ,(openssh-host (name "gitlab.cern.ch") (port 7999) (user "git") (proxy-command "none")) + ,(openssh-host (name "github.com") (user "git")) + ,(openssh-host (name "ssh.github.com") (user "git")) + ,(openssh-host + (name "gitlab.cern.ch") + (user "git") + (port 7999) + (proxy-command "none")) ;; BitBucket apparently only supports ssh-rsa. ,(openssh-host (name "bitbucket.org") + (user "git") (host-key-algorithms '("+ssh-rsa")) (accepted-key-types '("+ssh-rsa"))) ;; CERN stuff @@ -107,16 +112,12 @@ auto-expand-secmem (name "lxplus.cern.ch") (proxy-command "none") ; no jump needed (extra-content "GSSAPIDelegateCredentials yes")) ; needed for EOS home mount - ,(openssh-host - (name "aiadm.cern.ch") - (extra-content "GSSAPIDelegateCredentials yes")) ; needed for EOS home mount - ,(openssh-host - (name "cvmfs-alice.cern.ch") - (extra-content "GSSAPIDelegateCredentials yes")) ; needed for EOS home mount - ,(openssh-host - (name "tw-mailproc.cern.ch") - (user "root") - (identity-file "~/.local/share/ssh-keys/openstack_personal_id_rsa")) + ;; Needed for EOS home mount. + ,@(map (lambda (host) + (openssh-host + (name host) + (extra-content "GSSAPIDelegateCredentials yes"))) + '("aiadm.cern.ch" "cvmfs-alice.cern.ch")) ,(openssh-host (name "twilkendesktop.cern.ch") (port 22022) 
@@ -272,32 +273,6 @@ auto-expand-secmem ("_JAVA_OPTIONS" . "$_JAVA_OPTIONS${_JAVA_OPTIONS:+ }-Djava.util.prefs.userRoot=$XDG_CONFIG_HOME/java"))))) -(define-public %pim-packages - (list newsboat vdirsyncer khal khard aerc lynx)) ; lynx for HTML mail - -(define-public %pim-services - (list - (simple-service 'pim-config home-xdg-configuration-files-service-type - `(("khal/config" ,(local-file "home/files/khal.conf")) - ("khard/khard.conf" ,(local-file "home/files/khard.conf")) - ("aerc" ,(local-file "home/files/aerc" #:recursive? #t)) - ("newsboat/config" ,(local-file "home/files/newsboat.conf")) - ("newsboat/config.catppuccin" ,catppuccin-newsboat) - ("vdirsyncer/config" ,(local-file "home/files/vdirsyncer.conf")))) - - ;; These cron jobs are annoying because they pop up a password prompt every time they run. - ;; (simple-service 'pim-cronjobs home-mcron-service-type - ;; (list #~(job "15 */4 * * *" ; every four hours at HH:15 - ;; (string-append #$(file-append vdirsyncer "/bin/vdirsyncer") " metasync")) - ;; #~(job "0,30 * * * *" ; every half hour - ;; (string-append #$(file-append vdirsyncer "/bin/vdirsyncer") " sync")))) - - (simple-service 'mail-files home-files-service-type - `(;; The file from git main is newer than the one bundled with the - ;; packaged neomutt version and contains a few fixes. - (".local/bin/mutt_oauth2.py" - ,(local-file "home/files/neomutt/contrib/oauth2/mutt_oauth2.py" #:recursive? #t)))))) - (define polybar-wrapper (program-file "polybar-wrapper" @@ -339,6 +314,7 @@ auto-expand-secmem s3cmd python-alibuild python-alidistlint hashicorp-levant-bin hashicorp-nomad-bin hashicorp-consul-bin hashicorp-vault-bin hashicorp-packer-bin + vinagre gnome-screenshot ;; i3 and Xorg. i3 itself must be installed system-wide for gdm to pick it up. ;; acpilight is a drop-in xbacklight replacement, as xbacklight doesn't work on my system. diff --git a/tw/home/cern.scm b/tw/home/cern.scm index 837098d5..dc3042c1 100644 --- a/tw/home/cern.scm 
+++ b/tw/home/cern.scm 
@@ -8,23 +8,65 @@ ;; https://github.com/alezost/shepherd-config/blob/master/init.scm (define-module (tw home cern) + #:use-module ((gnu) + #:select (use-package-modules)) #:use-module (gnu home) + #:use-module (gnu home services) #:use-module (gnu home services desktop) #:use-module (gnu home services guix) + #:use-module (gnu home services mcron) + #:use-module (gnu home services pm) #:use-module (gnu home services shepherd) - #:use-module (gnu packages xdisorg) - #:use-module (gnu packages xorg) + #:use-module (gnu packages) #:use-module (gnu services) #:use-module (gnu services shepherd) #:use-module (guix channels) #:use-module (guix gexp) - #:use-module (tw home)) + #:use-module ((nongnu packages messaging) + #:select (zoom)) + #:use-module (tw home) + #:use-module (tw packages alice) + #:use-module (tw packages ci) + #:use-module (tw packages catppuccin) + #:use-module (tw packages xorg) + #:use-module (tw gexp) + #:use-module (tw theme)) + +(use-package-modules calendar dav mail web-browsers xdisorg xorg) + +(define pim-packages + (list vdirsyncer khal khard aerc lynx)) ; lynx for HTML mail + +(define pim-services + (list + (simple-service 'pim-config home-xdg-configuration-files-service-type + `(("khal/config" ,(local-file "files/khal.conf")) + ("khard/khard.conf" ,(local-file "files/khard.conf")) + ("aerc/accounts.conf" ,(local-file "files/aerc/accounts.work.conf")) + ("aerc/aerc.conf" ,(local-file "files/aerc/aerc.conf")) + ("aerc/binds.conf" ,(local-file "files/aerc/binds.conf")) + ("aerc/filters" ,(local-file "files/aerc/filters" #:recursive? #t)) + ("aerc/stylesets" ,(local-file "files/aerc/stylesets" #:recursive? #t)) + ("vdirsyncer/config" ,(local-file "files/vdirsyncer.conf")))) + + ;; These cron jobs are annoying because they pop up a password prompt every time they run. 
+ ;; (simple-service 'pim-cronjobs home-mcron-service-type + ;; (list #~(job "15 */4 * * *" ; every four hours at HH:15 + ;; (string-append #$(file-append vdirsyncer "/bin/vdirsyncer") " metasync")) + ;; #~(job "0,30 * * * *" ; every half hour + ;; (string-append #$(file-append vdirsyncer "/bin/vdirsyncer") " sync")))) + + (simple-service 'mail-files home-files-service-type + `(;; The file from git main is newer than the one bundled with the + ;; packaged neomutt version and contains a few fixes. + (".local/bin/mutt_oauth2.py" + ,(local-file "files/neomutt/contrib/oauth2/mutt_oauth2.py" #:recursive? #t)))))) (define-public %cern-home (home-environment (packages ;; These packages will show up in the home profile, under ~/.guix-home/profile. - (append %interactive-packages %pim-packages %common-packages)) + (append %common-packages %interactive-packages pim-packages)) ;; To search for available home services, run 'guix home search KEYWORD'. (services @@ -57,10 +99,11 @@ (nighttime-brightness 0.7) (extra-content "fade=0"))) ; with fade=1, restarting redshift causes flickering for a few secs - (simple-service 'cern-desktop-gui-services home-shepherd-service-type + (simple-service 'xorg-setup-services home-shepherd-service-type (list (polybar-service "DP-2") (polybar-service "DP-1-8") + (shepherd-service (documentation "Set up X displays on login.") (provision '(xorg-setup)) @@ -83,6 +126,6 @@ (openssh-service #f) - (append %interactive-services %pim-services %common-services))))) + (append %common-services %interactive-services pim-services))))) %cern-home diff --git a/tw/home/files/aerc/accounts.work.conf b/tw/home/files/aerc/accounts.work.conf new file mode 100644 index 00000000..469c912e --- /dev/null +++ b/tw/home/files/aerc/accounts.work.conf 
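Review bot: The new `pim-services` list in tw/home/cern.scm is a near-verbatim copy of the one this same commit adds to tw/home/lap.scm, differing only in the accounts file (`files/aerc/accounts.work.conf` here) and the newsboat entries; the two will drift apart as soon as one of them is edited. A shared constructor in (tw home) that takes the accounts file and an optional extra-entries list, say `(define-public (make-pim-services accounts-file . extra-config) ...)`, would keep one source of truth and let each profile call it with its own account. If the split is intentional, a one-line comment above `(define pim-services` saying why the work and home variants are kept separate would spare the next reader the comparison. The `use-package-modules` call after the `define-module` form is unusual for this file set, where sibling modules list `#:use-module (gnu packages ...)` explicitly; a comment noting the reason would help.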
@@ -0,0 +1,20 @@
+[CERN]
+# https://man.sr.ht/~rjarry/aerc/providers/microsoft.md#office365-with-xoauth2
+source = imaps+xoauth2://timo.wilken%40cern.ch@outlook.office365.com?client_id=9e5f94bc-e8a4-4e73-b8be-63364c29d753&token_endpoint=https://login.microsoftonline.com/common/oauth2/v2.0/token&scope=https://outlook.office.com/SMTP.Send https://outlook.office.com/IMAP.AccessAsUser.All offline_access
+outgoing = smtp+xoauth2://timo.wilken%40cern.ch@smtp.office365.com:587?client_id=9e5f94bc-e8a4-4e73-b8be-63364c29d753&token_endpoint=https://login.microsoftonline.com/common/oauth2/v2.0/token&scope=https://outlook.office.com/SMTP.Send https://outlook.office.com/IMAP.AccessAsUser.All offline_access
+smtp-starttls = yes
+# To authorize for the first time (to get refresh token):
+# mutt_oauth2.py ~/.local/share/aerc/twilken.tokens --authorize --authflow authcode --provider microsoft \
+# --email timo.wilken@cern.ch --client-id 9e5f94bc-e8a4-4e73-b8be-63364c29d753 --client-secret '' \
+# --encryption-pipe 'gpg --encrypt --recipient C2249BBE5E8761C943A0CFA1B7B3914BF63ACD7C'
+# Confirm empty client secret. When done, copy-paste ?code= value from final URL to the command-line.
+# Then, to store the refresh token:
+# gpg --decrypt ~/.local/share/aerc/twilken.tokens | jq -r .refresh_token | pass insert -e -f cern/exol/refresh-token
+source-cred-cmd = pass cern/exol/refresh-token
+outgoing-cred-cmd = pass cern/exol/refresh-token
+default = INBOX
+from = Timo Wilken <timo.wilken@cern.ch>
+aliases = twilken@cern.ch
+copy-to = Sent Items
+postpone = Drafts
+cache-headers = true
diff --git a/tw/home/files/aerc/aerc.conf b/tw/home/files/aerc/aerc.conf
index aae2806a..01c2527d 100644
--- a/tw/home/files/aerc/aerc.conf
+++ b/tw/home/files/aerc/aerc.conf
@@ -126,7 +126,7 @@ text/html=lynx -display_charset=UTF-8 -force_html -dump -stdin #text/*=bat -fP --file-name="$AERC_FILENAME" #application/x-sh=bat -fP -l sh #image/*=catimg -w $(tput cols) - -image/*=kitty +kitten icat /dev/stdin +image/*=imv - #subject,~Git(hub|lab)=lolcat -f #from,thatguywhodoesnothardwraphismessages=fmt -w 72 | colorize diff --git a/tw/home/files/gitconfig b/tw/home/files/gitconfig index 51e60054..6bed5cc8 100644 --- a/tw/home/files/gitconfig +++ b/tw/home/files/gitconfig @@ -1,13 +1,10 @@ # This is Git's per-user configuration file. [user] name = Timo Wilken - email = git@twilken.net - signingkey = 53EC3C06856883DD92355BC22FC78504681F69B0 + email = timo.wilken@cern.ch + signingkey = C2249BBE5E8761C943A0CFA1B7B3914BF63ACD7C [commit] gpgsign = true -# For work repos, include the gitconfig that sets up my work identity. -[includeIf "gitdir:~/src/alice/"] - path = ~/src/alice/.gitconfig [url "https://"] insteadOf = git:// [url "ssh://git@gitlab.cern.ch:7999/"] diff --git a/tw/home/files/zshrc b/tw/home/files/zshrc index 882cf60c..2382fa27 100644 --- a/tw/home/files/zshrc +++ b/tw/home/files/zshrc @@ -105,6 +105,9 @@ alias nomad-diskfree='NOMAD_TOKEN=$(pass cern/ci/nomad-bootstrap-token | head -1 alias levant='NOMAD_TOKEN=$(pass cern/ci/nomad-bootstrap-token | head -1) \levant' alias consul='CONSUL_HTTP_TOKEN=$(pass cern/ci/consul-bootstrap-token | head -1) \consul' alias vault='VAULT_TOKEN=$(pass cern/ci/vault-root-token | head -1) \vault' +nomad-shell () { + nomad alloc exec "$1" sh -c 'export TERM=xterm-256color HOME=$NOMAD_TASK_DIR PS1="\\u@\\h \\w \\\$ "; cd; exec bash -i' +} # Git aliases alias ga='git add' diff --git a/tw/home/lap.scm b/tw/home/lap.scm index 13083c83..f006d8e1 100644 --- a/tw/home/lap.scm +++ b/tw/home/lap.scm 
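Review bot: The new `nomad-shell` function in the zshrc hunk runs `nomad alloc exec "$1" sh -c '...'` without checking that an allocation ID was given, so calling it with no argument hands nomad an empty ID and the failure surfaces as a confusing nomad error rather than a usage message. A guard as the first line, `[ -n "$1" ] || { echo 'usage: nomad-shell ALLOC-ID' >&2; return 1; }`, makes the contract explicit. Since the quoting inside the `sh -c` string is dense, a short comment above the function stating that it opens an interactive bash inside the allocation's task directory with TERM, HOME and PS1 pre-set would also help future readers. Whether `nomad` inside the function body refers to an alias that injects a token is not visible in this hunk; if it does, that is worth a note too, because aliases are expanded at function-definition time in zsh.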
@@ -14,13 +14,17 @@ #:use-module (gnu home services guix) #:use-module (gnu home services pm) #:use-module (gnu home services shepherd) - #:use-module (gnu packages) #:use-module (gnu packages android) #:use-module (gnu packages bittorrent) + #:use-module (gnu packages calendar) + #:use-module (gnu packages dav) #:use-module (gnu packages gnome) + #:use-module (gnu packages mail) #:use-module (gnu packages messaging) #:use-module (gnu packages music) #:use-module (gnu packages networking) + #:use-module (gnu packages syndication) + #:use-module (gnu packages web-browsers) #:use-module (gnu packages xorg) #:use-module (gnu packages xdisorg) #:use-module (gnu services) 
@@ -31,7 +35,38 @@ #:select (signal-desktop)) #:use-module ((nongnu packages steam-client) #:select (steam)) - #:use-module (tw home)) + #:use-module (tw home) + #:use-module (tw theme)) + +(define pim-packages + (list newsboat vdirsyncer khal khard aerc lynx)) ; lynx for HTML mail + +(define pim-services + (list + (simple-service 'pim-config home-xdg-configuration-files-service-type + `(("khal/config" ,(local-file "home/files/khal.conf")) + ("khard/khard.conf" ,(local-file "home/files/khard.conf")) + ("aerc/accounts.conf" ,(local-file "files/aerc/accounts.conf")) + ("aerc/aerc.conf" ,(local-file "files/aerc/aerc.conf")) + ("aerc/binds.conf" ,(local-file "files/aerc/binds.conf")) + ("aerc/filters" ,(local-file "files/aerc/filters" #:recursive? #t)) + ("aerc/stylesets" ,(local-file "files/aerc/stylesets" #:recursive? #t)) + ("newsboat/config" ,(local-file "home/files/newsboat.conf")) + ("newsboat/config.catppuccin" ,catppuccin-newsboat) + ("vdirsyncer/config" ,(local-file "home/files/vdirsyncer.conf")))) + + ;; These cron jobs are annoying because they pop up a password prompt every time they run. + ;; (simple-service 'pim-cronjobs home-mcron-service-type + ;; (list #~(job "15 */4 * * *" ; every four hours at HH:15 + ;; (string-append #$(file-append vdirsyncer "/bin/vdirsyncer") " metasync")) + ;; #~(job "0,30 * * * *" ; every half hour + ;; (string-append #$(file-append vdirsyncer "/bin/vdirsyncer") " sync")))) + + (simple-service 'mail-files home-files-service-type + `(;; The file from git main is newer than the one bundled with the + ;; packaged neomutt version and contains a few fixes. + (".local/bin/mutt_oauth2.py" + ,(local-file "home/files/neomutt/contrib/oauth2/mutt_oauth2.py" #:recursive? #t)))))) (define-public %lap-home (home-environment 
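Review bot: The `local-file` paths in the new `pim-services` in tw/home/lap.scm are inconsistent: `"home/files/khal.conf"`, `"home/files/khard.conf"`, `"home/files/newsboat.conf"`, `"home/files/vdirsyncer.conf"` and the mutt_oauth2.py path keep the prefix that was correct when this code lived in tw/home.scm, while the aerc entries in the same list use `"files/aerc/..."`. `local-file` resolves a relative name against the directory of the source file it appears in, and this file is tw/home/lap.scm, so the `home/files/...` names would be looked up under tw/home/home/files/ unless such a directory exists, which nothing in the diffstat suggests; tw/home/cern.scm in this same commit uses `"files/khal.conf"`. Changing these five entries to the `files/...` form, e.g. `("khal/config" ,(local-file "files/khal.conf"))`, makes them agree with the aerc entries and with cern.scm.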
@@ -50,7 +85,7 @@ ;; home environment faster. ;; 0ad flightgear freeciv simutrans/pak128 warzone2100 widelands pioneer - (append %interactive-packages %pim-packages %common-packages))) + (append %interactive-packages pim-packages %common-packages))) ;; To search for available home services, run 'guix home search KEYWORD'. (services @@ -133,6 +168,6 @@ (openssh-service #t) - (append %pim-services %interactive-services %common-services))))) + (append pim-services %interactive-services %common-services))))) %lap-home diff --git a/tw/packages/ci.scm b/tw/packages/ci.scm index 6f2c5f9d..1b118c4c 100644 --- a/tw/packages/ci.scm +++ b/tw/packages/ci.scm @@ -128,3 +128,28 @@ native Consul and Vault integrations.") HashiCorp Nomad jobs that provides realtime feedback and detailed failure messages upon deployment issues.") (license license:mpl2.0))) + +(define-public act-bin + (package + (name "act") + (version "0.2.43") + (home-page "https://github.com/nektos/act") + (source + (origin + (method url-fetch/tarbomb) + (uri (string-append home-page "/releases/download/v" + version "/act_Linux_x86_64.tar.gz")) + (sha256 (base32 "1wqbii5baxpr89b3z9g574dlxa54xpma1g849a75vwqllaccxvx4")))) + (build-system copy-build-system) + (arguments + `(#:install-plan '(("act" "bin/")))) + (synopsis "Run your GitHub Actions locally") + (description "When you run act it reads in your GitHub Actions from +@samp{.github/workflows/} and determines the set of actions that need to be +run. It uses the Docker API to either pull or build the necessary images, as +defined in your workflow files and finally determines the execution path based +on the dependencies that were defined. Once it has the execution path, it +then uses the Docker API to run containers for each action based on the images +prepared earlier. The environment variables and filesystem are all configured +to match what GitHub provides.") + (license license:expat))) 
diff --git a/tw/system/cern.scm b/tw/system/cern.scm
new file mode 100644
index 00000000..bb08123b
--- /dev/null
+++ b/tw/system/cern.scm
@@ -0,0 +1,276 @@
+;; This is an operating system configuration file for a fairly minimal
+;; "desktop" setup with i3 where the /home partition partition is
+;; encrypted with LUKS.
+;;
+;; https://guix.gnu.org/manual/en/html_node/operating_002dsystem-Reference.html
+
+(define-module (tw system cern)
+ #:use-module (gnu)
+ #:use-module (gnu bootloader grub)
+ #:use-module (gnu system locale)
+ #:use-module (gnu system nss)
+ #:use-module (guix gexp)
+ #:use-module (guix packages)
+ #:use-module (tw system))
+
+(use-package-modules certs cups disk docker file-systems gnome kerberos linux
+ mtools pulseaudio search shells wm xorg)
+
+(use-service-modules admin authentication avahi base cups dbus desktop docker
+ kerberos linux mcron networking pm shepherd ssh syncthing
+ vpn xorg)
+
+(define efi-system-partition ; /dev/nvme0n1p1
+ (uuid "806A-2762" 'fat))
+(define guixsd-root-partition ; /dev/nvme0n1p2
+ (uuid "04134b95-9cc5-4931-903a-c3446297a006" 'btrfs))
+(define swap-partition ; /dev/nvme0n1p3
+ (uuid "53559d6c-bf62-4cf6-991a-6dce6dd1dc64"))
+
+(define custom-xorg-config
+ (xorg-configuration
+ (keyboard-layout %british-keyboard)))
+
+(define-public %cern-system
+ (operating-system
+ (host-name "twilkendesktop.cern.ch")
+ (timezone "Europe/Zurich")
+ (locale "en_GB.utf8")
+ (locale-definitions
+ (list (locale-definition (name "en_GB.utf8") (source "en_GB"))
+ (locale-definition (name "en_US.utf8") (source "en_US"))
+ (locale-definition (name "fr_FR.utf8") (source "fr_FR"))))
+
+ ;; Allow resolution of '.local' host names with mDNS.
+ (name-service-switch %mdns-host-lookup-nss)
+
+ ;; Choose UK English X11 keyboard layout.
+ (keyboard-layout %british-keyboard)
+
+ ;; Use the UEFI variant of GRUB with the EFI System
+ ;; Partition mounted on /boot/efi.
+ (bootloader
+ (bootloader-configuration
+ (bootloader grub-efi-bootloader)
+ (targets '("/boot/efi"))
+ ;; Note: keyboard-layout is ignored by non-grub bootloaders.
+ (keyboard-layout keyboard-layout)
+ (menu-entries
+ (list
+ (menu-entry
+ (label "systemd-boot")
+ (device efi-system-partition)
+ (chain-loader "/EFI/systemd/systemd-bootx64.efi"))))))
+
+ (kernel linux-libre)
+
+ (swap-devices
+ (list (swap-space
+ (target swap-partition)
+ (discard? #t))))
+
+ (file-systems
+ (cons* (file-system
+ (device guixsd-root-partition)
+ (mount-point "/")
+ (flags '(no-atime))
+ (options (alist->file-system-options
+ '("ssd" ("compress" . "zstd"))))
+ (type "btrfs"))
+ (file-system
+ (device efi-system-partition)
+ (mount-point "/boot/efi")
+ (flags '(no-atime))
+ (type "vfat"))
+ %base-file-systems))
+
+ ;; Members of the wheel group are allowed to use sudo.
+ (users (cons* (user-account
+ (name "twilken")
+ (comment "Timo Wilken")
+ (group "users")
+ (supplementary-groups
+ '("wheel" "audio" "video" "docker"))
+ (shell (file-append zsh "/bin/zsh")))
+ %base-user-accounts))
+
+ (sudoers-file
+ (plain-file
+ "sudoers"
+ (string-append
+ ;; We need to preserve $TERMINFO so that programs under sudo can
+ ;; find kitty's terminfo files. This is possibly unsafe; sudo
+ ;; explicitly deletes this variable by default.
+ "Defaults env_keep += \"TERMINFO\"\n"
+ (plain-file-content %sudoers-specification)
+ ;; In addition to the default rules, allow admins to power off
+ ;; the computer. They'll have to use the system binaries, not
+ ;; those from their user profile, as /etc/sudoers requires
+ ;; absolute paths to commands.
+ "%wheel ALL=(ALL) NOPASSWD: "
+ "/run/current-system/profile/sbin/halt, "
+ "/run/current-system/profile/sbin/reboot, "
+ "/run/current-system/profile/sbin/shutdown\n")))
+
+ ;; This is where we specify system-wide packages.
+ (packages
+ (cons*
+ ;; System stuff
+ cups docker mit-krb5
+ ;; Desktop and drivers
+ ;; FIXME: lightdm depends on python-2, but the build throws an
+ ;; error that python2 is not supported.
+ ;; TODO: Does lightdm have a service I need to enable?
+ ;;lightdm lightdm-gtk-greeter
+ pulseaudio xf86-video-intel
+ ;; Adds /sys/class/backlight entries for external monitors.
+ ;; Not needed for laptop display.
+ ;; ddcci-driver-linux
+ i3-gaps ; install i3 here so gdm can see its xsession file
+ i3lock ; we need a system service to make i3lock setuid root
+ ;; We need to install gnome-keyring here so its PAM module is
+ ;; enabled properly (by its service; see below).
+ ;; nheko needs gnome-keyring to store secrets (kwallet doesn't do dbus).
+ gnome-keyring
+ ;; It's probably easiest to install geoclue system-wide, so it
+ ;; gets added to `%desktop-services' and redshift can access the
+ ;; location.
+ geoclue
+ ;; Base packages
+ %base-system-packages))
+
+ ;; Use the "desktop" services, which include the X11
+ ;; log-in service, networking with NetworkManager, and more.
+ ;; See info '(guix)Services' for useful services.
+ (services
+ (cons*
+ (service cups-service-type
+ (cups-configuration
+ (web-interface? #t)
+ (default-shared? #f)
+ ;; See info '(guix)Printing Services' for more extensions.
+ (extensions
+ (list cups-filters foomatic-filters))))
+
+ (service docker-service-type
+ (docker-configuration))
+
+ (service krb5-service-type
+ (krb5-configuration
+ (default-realm "CERN.CH")
+ (rdns? #f)
+ (realms (list (krb5-realm
+ (name "CERN.CH")
+ (default-domain "cern.ch")
+ (kdc "cerndc.cern.ch"))))))
+
+ ;; At high CPU frequencies, the fan is very loud, starting around 3.5 GHz.
+ (simple-service 'cpufreq shepherd-root-service-type
+ (list (shepherd-service
+ (documentation "Limit CPU frequency")
+ (provision '(cpufreq))
+ (one-shot? #t)
+ (start #~(make-system-constructor
+ #$(file-append cpupower "/bin/cpupower")
+ " frequency-set --max 3.6GHz"))
+ (stop #~(make-system-constructor
+ #$(file-append cpupower "/bin/cpupower")
+ " frequency-set --max 4.8GHz"))
+ (actions
+ (list (shepherd-action
+ (name 'current)
+ (documentation "Show the current CPU frequencies.")
+ (procedure
+ #~(lambda _
+ (system* #$(file-append cpupower "/bin/cpupower")
+ "frequency-info")))))))))
+
+ (service thermald-service-type
+ (thermald-configuration
+ (adaptive? #t)))
+
+ (service earlyoom-service-type
+ (earlyoom-configuration)) ; TODO: configure at least `avoid-regexp'
+
+ ;; Install i3lock as a setuid binary, so it can talk to PAM.
+ (service screen-locker-service-type
+ (screen-locker-configuration
+ "i3lock" (file-append i3lock "/bin/i3lock") #f))
+
+ ;; gnome-keyring is not in `%desktop-services' by default,
+ ;; but needs to be there to add itself to /etc/pam.d/.
+ ;; If using a DM other than GDM, add it to `pam-services' in
+ ;; `gnome-keyring-configuration' (see its docs).
+ (service gnome-keyring-service-type
+ (gnome-keyring-configuration))
+
+ (set-xorg-configuration custom-xorg-config)
+
+ (service unattended-upgrade-service-type
+ (unattended-upgrade-configuration
+ (schedule "0 21 * * *") ; every night at 22:00
+ (maximum-duration (* 40 60)) ; 40 minutes
+ (operating-system-expression
+ #~(begin
+ (set! %load-path (cons "/home/twilken/src/guix-decls" %load-path))
+ (@ (tw system cern) %cern-system)))
+ (services-to-restart
+ ;; Anything that won't cause disruption when restarting.
+ '(mcron earlyoom thermald))))
+
+ (simple-service 'disk-maintenance mcron-service-type
+ (list #~(job "45 22 * * *" "guix gc -d 2m -F 100G") ; after unattended-upgrade
+ #~(job "0 23 * * *" ; after guix gc
+ (string-append #$(file-append util-linux "/sbin/fstrim")
+ " --fstab --verbose"))))
+
+ (simple-service 'arm-builders hosts-service-type
+ (list (host "188.184.68.217" "arm-builder-1")
+ (host "188.184.71.187" "arm-builder-2")
+ (host "188.184.69.33" "arm-builder-3")))
+
+ (service openssh-service-type
+ (openssh-configuration
+ (port-number 22022)
+ (x11-forwarding? #t)
+ (permit-root-login #f)
+ (password-authentication? #f)
+ (authorized-keys
+ `(("twilken" ,(local-file "files/timo-cern.pub"))))))
+
+ (service openntpd-service-type
+ (openntpd-configuration
+ ;; Use CERN time servers.
+ (servers '("ip-time-0.cern.ch"
+ "ip-time-1.cern.ch"
+ "ip-time-2.cern.ch"))
+ (constraints-from '("home.cern"))))
+
+ (modify-services %desktop-services
+ (gdm-service-type
+ config =>
+ (gdm-configuration
+ (inherit config)
+ (auto-login? #f)
+ (default-user "twilken")
+ (xorg-configuration custom-xorg-config)))
+
+ (geoclue-service-type
+ config =>
+ (geoclue-configuration
+ (inherit config)
+ (applications
+ (cons* (geoclue-application "redshift" #:system? #f)
+ %standard-geoclue-applications))))
+
+ (login-service-type
+ config =>
+ (login-configuration
+ (inherit config)
+ (motd (plain-file "no-motd" ""))
+ (allow-empty-passwords? #f)))
+
+ ;; openntpd works better.
+ (delete ntp-service-type))))))
+
+%cern-system
diff --git a/tw/system/files/timo-cern.pub b/tw/system/files/timo-cern.pub
new file mode 100644
index 00000000..58aca31b
--- /dev/null
+++ b/tw/system/files/timo-cern.pub
@@ -0,0 +1 @@
+ssh-rsa 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 timo.wilken@cern.ch |
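Review bot: The unattended-upgrade job runs as root but evaluates the system definition out of a user home directory, via `(set! %load-path (cons "/home/twilken/src/guix-decls" %load-path))` in `operating-system-expression`, so anyone able to write to that checkout (the unprivileged twilken login, or any process running as it) decides what root builds and activates every night; that effectively turns wheel's password-protected sudo into password-less root for that account. Pointing the job at a root-owned copy of the declarations, or at minimum a comment next to `operating-system-expression` naming this trust relationship, is warranted. Separately, the comment on `(schedule "0 21 * * *") ; every night at 22:00` disagrees with the value, which fires at 21:00 in the configured Europe/Zurich timezone, so one of the two should change. The sshd block enables `(x11-forwarding? #t)` alongside the otherwise tightened settings; a one-line comment stating why it is needed would make clear it is deliberate.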