From 02807429549df9a134edf0a3b54ddd3a3c625631 Mon Sep 17 00:00:00 2001 From: Timo Wilken Date: Mon, 13 May 2024 18:27:53 +0200 Subject: Integrate CERN laptop configuration into main system config --- tw/home.scm | 1 - tw/system.scm | 19 ++++--- tw/system/cern.scm | 152 ++++++++++++----------------------------------------- 3 files changed, 45 insertions(+), 127 deletions(-) diff --git a/tw/home.scm b/tw/home.scm index 2cf21a7e..c7f30bf7 100644 --- a/tw/home.scm +++ b/tw/home.scm @@ -268,7 +268,6 @@ (identity-file "~/.local/share/ssh-keys/epn_id_rsa")) ,(openssh-host (name "twilkendesktop.cern.ch") - (port 22022) (forward-x11? #t) (extra-content "GSSAPIDelegateCredentials yes")) ,@(map (lambda (spec) diff --git a/tw/system.scm b/tw/system.scm index 30710b8f..e706d84c 100644 --- a/tw/system.scm +++ b/tw/system.scm @@ -52,9 +52,10 @@ ("pi3.twilken.net" . 51022) ("lap.twilken.net" . 22) ("frm.twilken.net" . 22) - ("btl.twilken.net" . 23022))) + ("btl.twilken.net" . 23022) + ("twilkenlaptop.cern.ch" . 22022))) -(define (tw-openssh-service host-name) +(define (tw-openssh-service host-name work-system?) "Configure the SSH server for remote login." ;; SSH login, allowing access only for me. To give more public keys ;; access, extend `openssh-service-type'. @@ -67,9 +68,12 @@ (password-authentication? #f) (accepted-environment '("LANG" "LC_*")) (authorized-keys - `(("timo" - ,(local-file "system/files/timo.pub") - ,(local-file "system/files/timo-phone-gpg.pub"))))))) + (if work-system? + `(("twilken" + ,(local-file "system/files/timo-cern.pub"))) + `(("timo" + ,(local-file "system/files/timo.pub") + ,(local-file "system/files/timo-phone-gpg.pub")))))))) (define-public (tw-login-configuration config) "Patch the given `login-configuration' to my liking." 
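Review bot: The new `work-system?` parameter of `tw-openssh-service` is not reflected in its docstring, which still says only "Configure the SSH server for remote login." although the flag now decides which account and which public keys may log in. I would extend it to `"Configure the SSH server for remote login.  When WORK-SYSTEM? is true, authorize only the `twilken' account with the CERN key; otherwise authorize `timo' with the personal keys."`. The hunk keeps `(password-authentication? #f)`, so on both branches access still depends solely on the listed keys, which is the right default. Separately, the added `("twilkenlaptop.cern.ch" . 22022)` entry keeps the daemon on the same non-default port the deleted cern.scm `openssh-service-type` used, while the tw/home.scm hunk drops `(port 22022)` from the client entry for twilkendesktop.cern.ch; if those two names refer to the same machine the client will now default to port 22, which is worth confirming.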
@@ -213,6 +217,7 @@ ACTION!=\"remove\", SUBSYSTEM==\"leds\", GROUP=\"video\", MODE=\"0664\" (define* (enduser-system-services #:key host-name cores wireless-interface backlight-device + (work-system? #f) (xorg-extra-modules '()) (xorg-drivers '())) @@ -323,7 +328,7 @@ ACTION!=\"remove\", SUBSYSTEM==\"leds\", GROUP=\"video\", MODE=\"0664\" (tw-wireguard-configuration (this-host host-name))) - (tw-openssh-service host-name) + (tw-openssh-service host-name work-system?) ;; Since Guix 953c65ffdd4, build-machines can be directly specified in ;; `guix-configuration'. However, this doesn't allow the dynamic @@ -383,7 +388,7 @@ ACTION!=\"remove\", SUBSYSTEM==\"leds\", GROUP=\"video\", MODE=\"0664\" (gdm-configuration (inherit config) (auto-login? #f) - (default-user "timo") + (default-user (if work-system? "twilken" "timo")) (xorg-configuration xorg-config))) (geoclue-service-type diff --git a/tw/system/cern.scm b/tw/system/cern.scm index 0f706e21..c519bbe9 100644 --- a/tw/system/cern.scm +++ b/tw/system/cern.scm @@ -11,7 +11,10 @@ #:use-module (gnu system nss) #:use-module (guix gexp) #:use-module (guix packages) + #:use-module ((nongnu packages linux) #:prefix nongnu:) + #:use-module ((nongnu system linux-initrd) #:prefix nongnu:) #:use-module (tw channels) + #:use-module (tw services wireguard) #:use-module (tw system)) (use-package-modules certs cups disk docker file-systems gnome kerberos linux 
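Review bot: The `"twilken"`/`"timo"` account names are now chosen by `work-system?` in two unrelated places, here in the GDM `default-user` (hunk `@@ -383,7 +388,7 @@`) and in the `authorized-keys` branch of `tw-openssh-service` earlier in this file, so the two can silently drift apart (a GDM default user with no SSH key, or an SSH-authorized account that is not the login user). A single helper such as `(define (tw-system-user work-system?) (if work-system? "twilken" "timo"))` used by both would keep the login account and the SSH-authorized account tied together. `(auto-login? #f)` is retained, so the change does not widen local access. The enclosing `modify-services` form starts and ends outside the hunk.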
@@ -40,6 +43,16 @@ (locale-definition (name "en_US.utf8") (source "en_US")) (locale-definition (name "fr_FR.utf8") (source "fr_FR")))) + ;; Use non-free kernel to load non-free firmware (e.g. for wifi). + ;; Enable MT7921 module for Mediatek MT7922 (AMD RZ616) WiFi card. + ;; The MT7921E module is for the card connected via PCIe, which it is + ;; (it's in an M.2 slot). Alternatives are S (SDIO) and U (USB). + (kernel nongnu:linux) + ;; (kernel-loadable-modules (list ddcci-driver-linux)) ; TODO: disabled because the package fails to build + (initrd nongnu:microcode-initrd) + (firmware (cons* nongnu:i915-firmware nongnu:ibt-hw-firmware nongnu:sof-firmware + nongnu:iwlwifi-firmware %base-firmware)) + ;; Allow resolution of '.local' host names with mDNS. (name-service-switch %mdns-host-lookup-nss) 
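Review bot: The comment block added above `(kernel nongnu:linux)` describes enabling the MT7921 module for a Mediatek MT7922 (AMD RZ616) WiFi card, but nothing in the hunk does that: the only module-related line is commented out, and the firmware list adds Intel parts (`i915-firmware`, `ibt-hw-firmware`, `iwlwifi-firmware`, `sof-firmware`), which together with the `intel_backlight` and `wlp0s20f3` values passed later in this file suggest an Intel platform. Either the three MT7921 sentences are stale and should be dropped, or the Mediatek firmware is missing; I would reduce the comment to `;; Use the non-free kernel plus the microcode initrd and firmware blobs (Intel GPU, Bluetooth, audio, WiFi) this hardware needs.` and confirm the card model on the machine. The `(initrd nongnu:microcode-initrd)` addition is worth keeping either way, since that is what loads CPU microcode updates early at boot. The enclosing form (presumably the `operating-system` record) starts and ends outside the hunk.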
@@ -98,96 +111,24 @@ "/run/current-system/profile/sbin/shutdown\n"))) ;; This is where we specify system-wide packages. - (packages - (cons* - ;; System stuff - cups docker mit-krb5 - ;; Desktop and drivers - ;; FIXME: lightdm depends on python-2, but the build throws an - ;; error that python2 is not supported. - ;; TODO: Does lightdm have a service I need to enable? - ;;lightdm lightdm-gtk-greeter - pulseaudio xf86-video-intel - i3-wm ; install i3 here so gdm can see its xsession file - i3lock ; we need a system service to make i3lock setuid root - ;; We need to install gnome-keyring here so its PAM module is - ;; enabled properly (by its service; see below). - ;; nheko needs gnome-keyring to store secrets (kwallet doesn't do dbus). - gnome-keyring - ;; It's probably easiest to install geoclue system-wide, so it - ;; gets added to `%desktop-services' and redshift can access the - ;; location. - geoclue - ;; Base packages - %base-system-packages)) + (packages %enduser-system-packages) ;; Use the "desktop" services, which include the X11 ;; log-in service, networking with NetworkManager, and more. ;; See info '(guix)Services' for useful services. (services (cons* - (service cups-service-type - (cups-configuration - (web-interface? #t) - (default-shared? #f) - ;; See info '(guix)Printing Services' for more extensions. - (extensions - (list cups-filters foomatic-filters)))) - - (service docker-service-type - (docker-configuration)) - - (service krb5-service-type - (krb5-configuration - (default-realm "CERN.CH") - (rdns? #f) - (realms (list (krb5-realm - (name "CERN.CH") - (default-domain "cern.ch") - (kdc "cerndc.cern.ch")))))) - - ;; At high CPU frequencies, the fan is very loud, starting around 3.5 GHz. - (simple-service 'cpufreq shepherd-root-service-type - (list (shepherd-service - (documentation "Limit CPU frequency") - (provision '(cpufreq)) - (one-shot? 
#t) - (start #~(make-forkexec-constructor - (list #$(file-append cpupower "/bin/cpupower") - "frequency-set" "--max" "3.6GHz"))) - (stop #~(make-forkexec-constructor - (list #$(file-append cpupower "/bin/cpupower") - "frequency-set" "--max" "4.8GHz"))) - (actions - (list (shepherd-action - (name 'current) - (documentation "Show the current CPU frequencies.") - (procedure - #~(lambda _ - (system* #$(file-append cpupower "/bin/cpupower") - "frequency-info"))))))))) - - (service thermald-service-type - (thermald-configuration - (adaptive? #t))) - - (service earlyoom-service-type - (earlyoom-configuration)) ; TODO: configure at least `avoid-regexp' - - ;; Install i3lock as a setuid binary, so it can talk to PAM. - (service screen-locker-service-type - (screen-locker-configuration - (name "i3lock") - (program (file-append i3lock "/bin/i3lock")))) - - ;; gnome-keyring is not in `%desktop-services' by default, - ;; but needs to be there to add itself to /etc/pam.d/. - ;; If using a DM other than GDM, add it to `pam-services' in - ;; `gnome-keyring-configuration' (see its docs). - (service gnome-keyring-service-type - (gnome-keyring-configuration)) - - (set-xorg-configuration custom-xorg-config) + (service bluetooth-service-type) + + (service tlp-service-type + (tlp-configuration ; see also: radeon-* properties + (cpu-scaling-governor-on-ac '("powersave")) + (cpu-scaling-governor-on-bat '("powersave")) + (energy-perf-policy-on-ac "powersave") + (energy-perf-policy-on-bat "powersave") + (sched-powersave-on-ac? #t) + (sched-powersave-on-bat? #t) + (cpu-boost-on-ac? #t))) (service unattended-upgrade-service-type (unattended-upgrade-configuration 
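Review bot: The hunk deletes the `krb5-service-type` block that configured the `CERN.CH` realm (`cerndc.cern.ch` KDC, `rdns? #f`) without a replacement in the new service list, and in the hunks shown the `work-system?` flag that stands in for the per-site services only affects SSH keys and the GDM user. Unless `enduser-system-services` (its body is outside this diff) now provides Kerberos, the CERN machine loses its `/etc/krb5.conf`, which GSSAPI-based SSH logins like the `GSSAPIDelegateCredentials yes` entry in tw/home.scm depend on. The same question applies to the removed `screen-locker-service-type` (setuid i3lock) and `gnome-keyring-service-type` (PAM module), and the `use-package-modules ... cups ... docker ... kerberos ...` line in the module header is left importing packages this file no longer references. If Kerberos is genuinely site-specific I would keep a `(service krb5-service-type (krb5-configuration ...))` entry in this `cons*` next to the CERN time-server `openntpd` configuration rather than relying on the shared function. The enclosing `services` `cons*` continues past the hunk.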
@@ -200,21 +141,6 @@ ;; Anything that won't cause disruption when restarting. '(mcron earlyoom thermald)))) - (simple-service 'disk-maintenance mcron-service-type - (list #~(job "45 22 * * *" "guix gc -d 2m -F 100G") ; after unattended-upgrade - #~(job "0 23 * * *" ; after guix gc - (string-append #$(file-append util-linux "/sbin/fstrim") - " --fstab --verbose")))) - - (service openssh-service-type - (openssh-configuration - (port-number 22022) - (x11-forwarding? #t) - (permit-root-login #f) - (password-authentication? #f) - (authorized-keys - `(("twilken" ,(local-file "files/timo-cern.pub")))))) - (service openntpd-service-type (openntpd-configuration ;; Use CERN time servers. @@ -222,26 +148,14 @@ "ip-time-1.cern.ch" "ip-time-2.cern.ch")))) - (modify-services (append %system-channel-services %desktop-services) - (gdm-service-type - config => - (gdm-configuration - (inherit config) - (auto-login? #f) - (default-user "twilken") - (xorg-configuration custom-xorg-config))) - - (geoclue-service-type - config => - (geoclue-configuration - (inherit config) - (applications - (cons* (geoclue-application "redshift" #:system? #f) - %standard-geoclue-applications)))) - - (login-service-type config => (tw-login-configuration config)) - + (modify-services (enduser-system-services + #:host-name host-name + #:cores 12 + #:work-system? #t + #:wireless-interface "wlp0s20f3" + #:backlight-device "intel_backlight") ;; openntpd works better. - (delete ntp-service-type)))))) + (delete ntp-service-type) + (delete tw-wireguard-service-type)))))) %cern-system -- cgit v1.2.3
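Review bot: `enduser-system-services` is called with the CERN host-name and its result then has `tw-wireguard-service-type` deleted, but the service's configuration `(tw-wireguard-configuration (this-host host-name))` (visible in the tw/system.scm hunk `@@ -323,7 +328,7 @@`) is still evaluated before that deletion, so `this-host` must resolve whatever `host-name` is bound to above this hunk for the build to succeed, and evaluating a WireGuard configuration for a host that is then dropped is roundabout. A keyword parallel to `work-system?`, e.g. `(wireguard? #t)` in `enduser-system-services` that omits the WireGuard service when false, would express the intent directly and make `(delete tw-wireguard-service-type)` unnecessary. The previous expression also included `%system-channel-services`; whether `enduser-system-services` carries those along is not visible here and should be checked. `%cern-system`'s definition starts outside the hunk.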