Diffstat (limited to 'tw/system/frm.scm')
-rw-r--r-- | tw/system/frm.scm | 205 |
1 files changed, 17 insertions, 188 deletions
diff --git a/tw/system/frm.scm b/tw/system/frm.scm index e52ff1a1..f60dcfe0 100644 --- a/tw/system/frm.scm +++ b/tw/system/frm.scm @@ -7,6 +7,12 @@ (define-module (tw system frm) #:use-module (gnu) #:use-module (gnu bootloader grub) + #:use-module (gnu packages linux) + #:use-module (gnu packages shells) + #:use-module (gnu services admin) + #:use-module (gnu services desktop) + #:use-module (gnu services pm) + #:use-module (gnu services syncthing) #:use-module (gnu system locale) #:use-module (gnu system nss) #:use-module (guix gexp) @@ -20,34 +26,14 @@ #:use-module ((nonguix licenses) #:prefix nongnu:) #:use-module (tw channels) - #:use-module (tw packages scanner) #:use-module (tw services secrets) - #:use-module (tw services wireguard) #:use-module (tw system)) -(use-package-modules android certs cups disk docker file-systems gnome guile - kerberos linux mtools pulseaudio search shells tls wm xorg) - -(use-service-modules admin authentication avahi base cups dbus desktop docker - kerberos linux mcron networking pm shepherd ssh syncthing - vpn xorg) - (define efi-system-partition ; /dev/nvme0n1p1 (uuid "D8C7-2624" 'fat)) (define root-partition ; /dev/nvme0n1p2 (uuid "62fb4710-33d1-4eaf-aaaa-43d16ab26a58" 'btrfs)) -(define touchpad-xorg-config - (@@ (tw system lap) touchpad-xorg-config)) - -(define set-timezone-script - (@@ (tw system lap) set-timezone-script)) - -(define custom-xorg-config - (xorg-configuration - (keyboard-layout %british-keyboard) - (extra-config (list touchpad-xorg-config)))) - (define select-firmware (@@ (nongnu packages linux) select-firmware)) 
@@ -102,6 +88,7 @@ These are actually Mediatek MT7922 chips.") ;; The MT7921E module is for the card connected via PCIe, which it is ;; (it's in an M.2 slot). Alternatives are S (SDIO) and U (USB). (kernel (nongnu:corrupt-linux linux-libre #:configs '("CONFIG_MT7921E=m"))) + (kernel-loadable-modules (list ddcci-driver-linux)) (initrd nongnu:microcode-initrd) ;; TODO: Enable wifi firmware, if necessary? (firmware (cons* nongnu:amdgpu-firmware mt7922-firmware %base-firmware)) @@ -158,33 +145,7 @@ These are actually Mediatek MT7922 chips.") "/run/current-system/profile/sbin/shutdown\n"))) ;; This is where we specify system-wide packages. - (packages - (cons* - ;; System stuff - cups docker mit-krb5 - ;; File systems - dosfstools mtools ntfs-3g - ;; Desktop and drivers - ;; FIXME: lightdm depends on python-2, but the build throws an - ;; error that python2 is not supported. - ;; TODO: Does lightdm have a service I need to enable? - ;;lightdm lightdm-gtk-greeter - pulseaudio xf86-video-amdgpu - ;; Adds /sys/class/backlight entries for external monitors. - ;; Not needed for laptop display. - ;; ddcci-driver-linux - i3-gaps ; install i3 here so gdm can see its xsession file - i3lock ; we need a system service to make i3lock setuid root - ;; We need to install gnome-keyring here so its PAM module is - ;; enabled properly (by its service; see below). - ;; nheko needs gnome-keyring to store secrets (kwallet doesn't do dbus). - gnome-keyring - ;; It's probably easiest to install geoclue system-wide, so it - ;; gets added to `%desktop-services' and redshift can access the - ;; location. - geoclue - ;; Base packages - %base-system-packages)) + (packages %enduser-system-packages) ;; Use the "desktop" services, which include the X11 ;; log-in service, networking with NetworkManager, and more. 
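Review bot: The new `(kernel-loadable-modules (list ddcci-driver-linux))` line carries no explanation, while the only rationale for that module on this machine is the comment the hunk at @@ -158 deletes together with the package list, so a reader no longer learns why an out-of-tree module is being loaded here. Suggest carrying it over as a comment above the new field: `;; ddcci-driver-linux: adds /sys/class/backlight entries for external monitors (the laptop panel does not need it).` Because the `kernel` field directly above builds a custom-config kernel, it may also be worth a note that the module is built against that kernel, so a config change here should be re-checked against the module build — that dependency is inferred from the adjacent field, not shown in the hunk. The enclosing definition starts and ends outside this hunk.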
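Review bot: The retained comment `;; This is where we specify system-wide packages.` now sits above `(packages %enduser-system-packages)`, whose definition is not in this file, so the reasons that previously justified system-wide installs (gnome-keyring for its PAM module, geoclue so `%desktop-services` and redshift can use it, i3 so gdm sees its xsession) are no longer discoverable from here. Suggest replacing the comment with one that points at the source, e.g. `;; System-wide packages shared across hosts; see %enduser-system-packages in (tw system).` — the module is inferred from the `#:use-module (tw system)` line kept in the first hunk, so confirm that is where it lives. The enclosing definition starts and ends outside this hunk.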
@@ -195,60 +156,12 @@ These are actually Mediatek MT7922 chips.") (syncthing-configuration (user "timo"))) - (service cups-service-type - (cups-configuration - (web-interface? #t) - (default-shared? #f) - ;; See info '(guix)Printing Services' for more extensions. - (extensions - (list cups-filters foomatic-filters brlaser)))) - (service bluetooth-service-type) - (service tw-wireguard-service-type - (tw-wireguard-configuration - (this-host host-name))) - - (service docker-service-type - (docker-configuration)) - - (service krb5-service-type - (krb5-configuration - (default-realm "CERN.CH") - (rdns? #f) - (realms (list (krb5-realm - (name "CERN.CH") - (default-domain "cern.ch") - (kdc "cerndc.cern.ch")))))) - - (service tlp-service-type - (tlp-configuration)) ; TODO: configure properly - - (service thermald-service-type - (thermald-configuration - (adaptive? #t))) - - (service earlyoom-service-type - (earlyoom-configuration)) ; TODO: configure at least `avoid-regexp' + (service tlp-service-type) ; TODO: configure properly - (service fprintd-service-type) - - ;; Install i3lock as a setuid binary, so it can talk to PAM. - (service screen-locker-service-type - (screen-locker-configuration - (name "i3lock") - (program (file-append i3lock "/bin/i3lock")))) - - ;; gnome-keyring is not in `%desktop-services' by default, - ;; but needs to be there to add itself to /etc/pam.d/. - ;; If using a DM other than GDM, add it to `pam-services' in - ;; `gnome-keyring-configuration' (see its docs). - (service gnome-keyring-service-type - (gnome-keyring-configuration)) - - (udev-rules-service 'android android-udev-rules #:groups '("adbusers")) - - (set-xorg-configuration custom-xorg-config) + ;; fprintd complains about missing firmware, but fwpud doesn't find any. + ;; (service fprintd-service-type) (service unattended-upgrade-service-type (unattended-upgrade-configuration 
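Review bot: The new comment `;; fprintd complains about missing firmware, but fwpud doesn't find any.` appears to misspell the firmware updater's name; if it means fwupd, write `but fwupd doesn't find any`. The hunk also keeps `(service tlp-service-type) ; TODO: configure properly` while removing the bluetooth, docker, krb5, thermald, earlyoom, screen-locker and gnome-keyring services without saying where they went; if they are now supplied by `enduser-system-services` (added in the last hunk), a one-line comment at this spot such as `;; Common services (thermald, earlyoom, ...) come from enduser-system-services below.` would spare the next reader a search, and if they were dropped deliberately that is worth stating too. The enclosing `services` list starts and ends outside this hunk.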
@@ -261,100 +174,16 @@ These are actually Mediatek MT7922 chips.") ;; Anything that won't cause disruption when restarting. '(syncthing-timo earlyoom thermald tlp wireguard-wg0 mcron)))) - (simple-service 'disk-maintenance mcron-service-type - ;; I don't think jobs run on boot if they would have run when the - ;; computer was turned off, so choose a time when the computer is - ;; probably turned on. - (list #~(job "45 21 * * *" "guix gc -d 2w -F 25G") ; after unattended-upgrade - #~(job "0 22 * * *" ; after guix gc - (string-append #$(file-append util-linux "/sbin/fstrim") - " --fstab --verbose")))) - - (extra-special-file "/etc/NetworkManager/dispatcher.d/09-set-timezone" - (program-file "set-timezone" set-timezone-script)) - - (simple-service 'scanning-services shepherd-root-service-type - (list - (shepherd-service - (documentation "Expose USB scanners over IPP.") - (provision '(ipp-usb)) - (requirement '(networking)) ; only on localhost, though - (start #~(make-forkexec-constructor - (list #$(file-append ipp-usb "/bin/ipp-usb") "standalone"))) - (stop #~(make-kill-destructor))))) - - ;; Since Guix 953c65ffdd4, build-machines can be directly specified in - ;; `guix-configuration'. However, this doesn't allow the dynamic - ;; selection of build machines as is done here. 
- (extra-special-file "/etc/guix/machines.scm" - (scheme-file "machines.scm" - #~(let ((lud (build-machine - (name "lud.twilken.net") - (systems '("x86_64-linux")) - (port '#$(assoc-ref %ssh-ports "lud.twilken.net")) - (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqXbxv3a2bZyGjnEirVCMtRBeLKW/ha8ULSR9Xye4Z1") - (user "timo") - (private-key "/home/timo/.local/share/ssh-keys/id_rsa") - (speed 1/3))) ; 4 cores, 16 GB RAM - (vin (build-machine - (name "vin.twilken.net") - (systems '("x86_64-linux")) - (port '#$(assoc-ref %ssh-ports "vin.twilken.net")) - (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEEpdfKxzoCwg53TKPF5YxgUwhGF+bELAyBGdxagQroJ") - (user "timo") - (private-key "/home/timo/.local/share/ssh-keys/id_rsa") - (speed 2/3)))) ; 8 cores, 16 GB RAM - (use-modules (ice-9 popen) - (ice-9 textual-ports) - (ice-9 regex)) - (let* ((regexp (make-regexp "^GENERAL\\.CONNECTION:[[:space:]]+TLAN$" regexp/newline)) - (pipe (open-pipe* OPEN_READ #$(file-append network-manager "/bin/nmcli") - "device" "show" "wlp3s0")) - (at-home? (regexp-exec regexp (get-string-all pipe)))) - (close-pipe pipe) - ;; Only offload to vin when at home, as the network connection is too bad otherwise. - (if at-home? - (list vin) - (list lud)))))) - ;; Set up a secrets config for WireGuard to extend. (service secrets-service-type (secrets-configuration + ;; TODO: reencrypt with SSH host key (host-key "/etc/secrets.key"))) ; we have no SSH host keys, so use a custom key - (service openssh-service-type - (openssh-configuration - (x11-forwarding? #t) - (permit-root-login #f) - (password-authentication? #f) - (authorized-keys - `(("timo" ,(local-file "files/timo.pub")))))) - - (modify-services (append %system-channel-services %desktop-services) - ;; Let sane find the airscan backend. ipp-usb needs to be running separately. - (sane-service-type _ => sane-backends/airscan) - - (gdm-service-type - config => - (gdm-configuration - (inherit config) - (auto-login? 
#f) - (default-user "timo") - (xorg-configuration custom-xorg-config))) - - (geoclue-service-type - config => - (geoclue-configuration - (inherit config) - (applications - (cons* (geoclue-application "redshift" #:system? #f) - %standard-geoclue-applications)))) - - (login-service-type - config => - (login-configuration - (inherit config) - (motd (plain-file "no-motd" "")) - (allow-empty-passwords? #f)))))))) + (enduser-system-services + #:host-name host-name + #:cores 12 + #:wireless-interface "wlp1s0" + #:backlight-device "amdgpu_bl0"))))) %frm-system |
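Review bot: The context line `'(syncthing-timo earlyoom thermald tlp wireguard-wg0 mcron)` at the top of this hunk still names services to restart after an unattended upgrade, while this hunk removes the mcron jobs and the hunk at @@ -195 removes the earlyoom, thermald and WireGuard services from this file, so unless `enduser-system-services` provides shepherd services with exactly those names the restart list now refers to services that do not exist. Worth confirming against `(tw system)` and either pruning the list or adding `;; these are provided by enduser-system-services` beside it. Two smaller points: the new `#:wireless-interface "wlp1s0"` differs from the `wlp3s0` the removed offload logic queried, so one of the two is probably stale; and the added `;; TODO: reencrypt with SSH host key` sits directly above the retained `; we have no SSH host keys, so use a custom key`, which now reads as contradictory — if an OpenSSH service moved into `enduser-system-services`, say so in the TODO. The definition enclosing this services list starts outside the hunk.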