Diffstat (limited to 'tw/system/cern.scm')
-rw-r--r-- | tw/system/cern.scm | 276 |
1 files changed, 276 insertions, 0 deletions
diff --git a/tw/system/cern.scm b/tw/system/cern.scm
new file mode 100644
index 00000000..bb08123b
--- /dev/null
+++ b/tw/system/cern.scm
@@ -0,0 +1,276 @@
+;; This is an operating system configuration file for a fairly minimal
+;; "desktop" setup with i3 where the /home partition partition is
+;; encrypted with LUKS.
+;;
+;; https://guix.gnu.org/manual/en/html_node/operating_002dsystem-Reference.html
+
+(define-module (tw system cern)
+ #:use-module (gnu)
+ #:use-module (gnu bootloader grub)
+ #:use-module (gnu system locale)
+ #:use-module (gnu system nss)
+ #:use-module (guix gexp)
+ #:use-module (guix packages)
+ #:use-module (tw system))
+
+(use-package-modules certs cups disk docker file-systems gnome kerberos linux
+ mtools pulseaudio search shells wm xorg)
+
+(use-service-modules admin authentication avahi base cups dbus desktop docker
+ kerberos linux mcron networking pm shepherd ssh syncthing
+ vpn xorg)
+
+(define efi-system-partition ; /dev/nvme0n1p1
+ (uuid "806A-2762" 'fat))
+(define guixsd-root-partition ; /dev/nvme0n1p2
+ (uuid "04134b95-9cc5-4931-903a-c3446297a006" 'btrfs))
+(define swap-partition ; /dev/nvme0n1p3
+ (uuid "53559d6c-bf62-4cf6-991a-6dce6dd1dc64"))
+
+(define custom-xorg-config
+ (xorg-configuration
+ (keyboard-layout %british-keyboard)))
+
+(define-public %cern-system
+ (operating-system
+ (host-name "twilkendesktop.cern.ch")
+ (timezone "Europe/Zurich")
+ (locale "en_GB.utf8")
+ (locale-definitions
+ (list (locale-definition (name "en_GB.utf8") (source "en_GB"))
+ (locale-definition (name "en_US.utf8") (source "en_US"))
+ (locale-definition (name "fr_FR.utf8") (source "fr_FR"))))
+
+ ;; Allow resolution of '.local' host names with mDNS.
+ (name-service-switch %mdns-host-lookup-nss)
+
+ ;; Choose UK English X11 keyboard layout.
+ (keyboard-layout %british-keyboard)
+
+ ;; Use the UEFI variant of GRUB with the EFI System
+ ;; Partition mounted on /boot/efi.
+ (bootloader
+ (bootloader-configuration
+ (bootloader grub-efi-bootloader)
+ (targets '("/boot/efi"))
+ ;; Note: keyboard-layout is ignored by non-grub bootloaders.
+ (keyboard-layout keyboard-layout)
+ (menu-entries
+ (list
+ (menu-entry
+ (label "systemd-boot")
+ (device efi-system-partition)
+ (chain-loader "/EFI/systemd/systemd-bootx64.efi"))))))
+
+ (kernel linux-libre)
+
+ (swap-devices
+ (list (swap-space
+ (target swap-partition)
+ (discard? #t))))
+
+ (file-systems
+ (cons* (file-system
+ (device guixsd-root-partition)
+ (mount-point "/")
+ (flags '(no-atime))
+ (options (alist->file-system-options
+ '("ssd" ("compress" . "zstd"))))
+ (type "btrfs"))
+ (file-system
+ (device efi-system-partition)
+ (mount-point "/boot/efi")
+ (flags '(no-atime))
+ (type "vfat"))
+ %base-file-systems))
+
+ ;; Members of the wheel group are allowed to use sudo.
+ (users (cons* (user-account
+ (name "twilken")
+ (comment "Timo Wilken")
+ (group "users")
+ (supplementary-groups
+ '("wheel" "audio" "video" "docker"))
+ (shell (file-append zsh "/bin/zsh")))
+ %base-user-accounts))
+
+ (sudoers-file
+ (plain-file
+ "sudoers"
+ (string-append
+ ;; We need to preserve $TERMINFO so that programs under sudo can
+ ;; find kitty's terminfo files. This is possibly unsafe; sudo
+ ;; explicitly deletes this variable by default.
+ "Defaults env_keep += \"TERMINFO\"\n"
+ (plain-file-content %sudoers-specification)
+ ;; In addition to the default rules, allow admins to power off
+ ;; the computer. They'll have to use the system binaries, not
+ ;; those from their user profile, as /etc/sudoers requires
+ ;; absolute paths to commands.
+ "%wheel ALL=(ALL) NOPASSWD: "
+ "/run/current-system/profile/sbin/halt, "
+ "/run/current-system/profile/sbin/reboot, "
+ "/run/current-system/profile/sbin/shutdown\n")))
+
+ ;; This is where we specify system-wide packages.
+ (packages
+ (cons*
+ ;; System stuff
+ cups docker mit-krb5
+ ;; Desktop and drivers
+ ;; FIXME: lightdm depends on python-2, but the build throws an
+ ;; error that python2 is not supported.
+ ;; TODO: Does lightdm have a service I need to enable?
+ ;;lightdm lightdm-gtk-greeter
+ pulseaudio xf86-video-intel
+ ;; Adds /sys/class/backlight entries for external monitors.
+ ;; Not needed for laptop display.
+ ;; ddcci-driver-linux
+ i3-gaps ; install i3 here so gdm can see its xsession file
+ i3lock ; we need a system service to make i3lock setuid root
+ ;; We need to install gnome-keyring here so its PAM module is
+ ;; enabled properly (by its service; see below).
+ ;; nheko needs gnome-keyring to store secrets (kwallet doesn't do dbus).
+ gnome-keyring
+ ;; It's probably easiest to install geoclue system-wide, so it
+ ;; gets added to `%desktop-services' and redshift can access the
+ ;; location.
+ geoclue
+ ;; Base packages
+ %base-system-packages))
+
+ ;; Use the "desktop" services, which include the X11
+ ;; log-in service, networking with NetworkManager, and more.
+ ;; See info '(guix)Services' for useful services.
+ (services
+ (cons*
+ (service cups-service-type
+ (cups-configuration
+ (web-interface? #t)
+ (default-shared? #f)
+ ;; See info '(guix)Printing Services' for more extensions.
+ (extensions
+ (list cups-filters foomatic-filters))))
+
+ (service docker-service-type
+ (docker-configuration))
+
+ (service krb5-service-type
+ (krb5-configuration
+ (default-realm "CERN.CH")
+ (rdns? #f)
+ (realms (list (krb5-realm
+ (name "CERN.CH")
+ (default-domain "cern.ch")
+ (kdc "cerndc.cern.ch"))))))
+
+ ;; At high CPU frequencies, the fan is very loud, starting around 3.5 GHz.
+ (simple-service 'cpufreq shepherd-root-service-type
+ (list (shepherd-service
+ (documentation "Limit CPU frequency")
+ (provision '(cpufreq))
+ (one-shot? #t)
+ (start #~(make-system-constructor
+ #$(file-append cpupower "/bin/cpupower")
+ " frequency-set --max 3.6GHz"))
+ (stop #~(make-system-constructor
+ #$(file-append cpupower "/bin/cpupower")
+ " frequency-set --max 4.8GHz"))
+ (actions
+ (list (shepherd-action
+ (name 'current)
+ (documentation "Show the current CPU frequencies.")
+ (procedure
+ #~(lambda _
+ (system* #$(file-append cpupower "/bin/cpupower")
+ "frequency-info")))))))))
+
+ (service thermald-service-type
+ (thermald-configuration
+ (adaptive? #t)))
+
+ (service earlyoom-service-type
+ (earlyoom-configuration)) ; TODO: configure at least `avoid-regexp'
+
+ ;; Install i3lock as a setuid binary, so it can talk to PAM.
+ (service screen-locker-service-type
+ (screen-locker-configuration
+ "i3lock" (file-append i3lock "/bin/i3lock") #f))
+
+ ;; gnome-keyring is not in `%desktop-services' by default,
+ ;; but needs to be there to add itself to /etc/pam.d/.
+ ;; If using a DM other than GDM, add it to `pam-services' in
+ ;; `gnome-keyring-configuration' (see its docs).
+ (service gnome-keyring-service-type
+ (gnome-keyring-configuration))
+
+ (set-xorg-configuration custom-xorg-config)
+
+ (service unattended-upgrade-service-type
+ (unattended-upgrade-configuration
+ (schedule "0 21 * * *") ; every night at 22:00
+ (maximum-duration (* 40 60)) ; 40 minutes
+ (operating-system-expression
+ #~(begin
+ (set! %load-path (cons "/home/twilken/src/guix-decls" %load-path))
+ (@ (tw system cern) %cern-system)))
+ (services-to-restart
+ ;; Anything that won't cause disruption when restarting.
+ '(mcron earlyoom thermald))))
+
+ (simple-service 'disk-maintenance mcron-service-type
+ (list #~(job "45 22 * * *" "guix gc -d 2m -F 100G") ; after unattended-upgrade
+ #~(job "0 23 * * *" ; after guix gc
+ (string-append #$(file-append util-linux "/sbin/fstrim")
+ " --fstab --verbose"))))
+
+ (simple-service 'arm-builders hosts-service-type
+ (list (host "188.184.68.217" "arm-builder-1")
+ (host "188.184.71.187" "arm-builder-2")
+ (host "188.184.69.33" "arm-builder-3")))
+
+ (service openssh-service-type
+ (openssh-configuration
+ (port-number 22022)
+ (x11-forwarding? #t)
+ (permit-root-login #f)
+ (password-authentication? #f)
+ (authorized-keys
+ `(("twilken" ,(local-file "files/timo-cern.pub"))))))
+
+ (service openntpd-service-type
+ (openntpd-configuration
+ ;; Use CERN time servers.
+ (servers '("ip-time-0.cern.ch"
+ "ip-time-1.cern.ch"
+ "ip-time-2.cern.ch"))
+ (constraints-from '("home.cern"))))
+
+ (modify-services %desktop-services
+ (gdm-service-type
+ config =>
+ (gdm-configuration
+ (inherit config)
+ (auto-login? #f)
+ (default-user "twilken")
+ (xorg-configuration custom-xorg-config)))
+
+ (geoclue-service-type
+ config =>
+ (geoclue-configuration
+ (inherit config)
+ (applications
+ (cons* (geoclue-application "redshift" #:system? #f)
+ %standard-geoclue-applications))))
+
+ (login-service-type
+ config =>
+ (login-configuration
+ (inherit config)
+ (motd (plain-file "no-motd" ""))
+ (allow-empty-passwords? #f)))
+
+ ;; openntpd works better.
+ (delete ntp-service-type))))))
+
+%cern-system |
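Review bot: The `operating-system-expression` of the unattended-upgrade service prepends `/home/twilken/src/guix-decls` to `%load-path` and evaluates `(tw system cern)` from there, so the nightly reconfigure — which, as far as I can tell from the service, runs with root privileges — executes whatever Scheme is in a directory owned by the unprivileged `twilken` account, and anything able to write there (a compromised user session, a stray process in that user's `docker` group) gets to run code as root every evening without passing through sudo or any password prompt. That quietly undercuts the `permit-root-login #f` / `password-authentication? #f` hardening on the SSH service and the password-protected `%wheel` rule in the sudoers file; keep the declarations in a root-owned path or pull them from a channel, and record the assumption next to the `set!`, e.g. `;; NOTE: evaluated as root by the nightly upgrade — this path must not be user-writable.` Separately, `(schedule "0 21 * * *")` is annotated `; every night at 22:00` but that cron spec fires at 21:00; fix either the comment or the spec (the 22:45 `guix gc` job's `; after unattended-upgrade` note holds either way). The `TERMINFO` `env_keep` and the `NOPASSWD` power-off rule already carry the author's own caveats and look fine as written.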