From 7a6735ecee74d53d2e0ebc342b117b6cd29f0aa0 Mon Sep 17 00:00:00 2001
From: Timo Wilken
Date: Mon, 23 Jan 2023 18:39:13 +0100
Subject: Export laptop system as a variable
---
 tw/system/lap.scm | 553 +++++++++++++++++++++++++++---------------------------
 1 file changed, 278 insertions(+), 275 deletions(-)
 (limited to 'tw/system/lap.scm')
diff --git a/tw/system/lap.scm b/tw/system/lap.scm
index de879e9e..41ef690c 100644
--- a/tw/system/lap.scm
+++ b/tw/system/lap.scm
@@ -108,280 +108,283 @@ EndSection ;; for symlinks). (define nouveau-firmware (package - (inherit nongnu:linux-firmware) - (name "nouveau-firmware") - (arguments - `(#:license-file-regexp "LICENSE.nvidia" - ,@(substitute-keyword-arguments (package-arguments nongnu:linux-firmware) - ((#:phases phases) - `(modify-phases ,phases - (add-after 'unpack 'select-firmware - ,((@@ (nongnu packages linux) select-firmware) - "^nvidia/(g|tu)"))))))) ; `select-firmware' is private - (home-page "https://www.nvidia.com/en-us/drivers/unix/") - (synopsis "Nonfree firmware for NVIDIA graphics chips") - (description "\ + (inherit nongnu:linux-firmware) + (name "nouveau-firmware") + (arguments + `(#:license-file-regexp "LICENSE.nvidia" + ,@(substitute-keyword-arguments (package-arguments nongnu:linux-firmware) + ((#:phases phases) + `(modify-phases ,phases + (add-after 'unpack 'select-firmware + ,((@@ (nongnu packages linux) select-firmware) + "^nvidia/(g|tu)"))))))) ; `select-firmware' is private + (home-page "https://www.nvidia.com/en-us/drivers/unix/") + (synopsis "Nonfree firmware for NVIDIA graphics chips") + (description "\ Nonfree firmware for NVIDIA graphics chips. Required for nouveau to support extra features (acr, pmu, gr).") - (license - (nonfree - (string-append - "https://git.kernel.org/pub/scm/linux/kernel/git/firmware" - "/linux-firmware.git/plain/LICENSE.nvidia"))))) - -(operating-system - (host-name "lap.twilken.net") - (timezone "Europe/Paris") - (locale "en_GB.utf8") - (locale-definitions - (list (locale-definition (name "en_GB.utf8") (source "en_GB")) - (locale-definition (name "en_US.utf8") (source "en_US")) - (locale-definition (name "fr_FR.utf8") (source "fr_FR")))) - - (hosts-file %wireguard-etc-hosts) - ;; Allow resolution of '.local' host names with mDNS. - (name-service-switch %mdns-host-lookup-nss) - - ;; Choose UK English X11 keyboard layout. 
- (keyboard-layout %british-keyboard)
-
- ;; Use the UEFI variant of GRUB with the EFI System
- ;; Partition mounted on /boot/efi.
- (bootloader
- (bootloader-configuration
- (bootloader grub-efi-bootloader)
- (targets '("/boot/efi"))
- ;; Note: keyboard-layout is ignored by non-grub bootloaders.
- (keyboard-layout keyboard-layout)
- (menu-entries
- (list
- (menu-entry
- (label "systemd-boot")
- (device efi-system-partition)
- (chain-loader "/EFI/systemd/systemd-bootx64.efi"))))))
-
- ;; Use non-free kernel to load non-free firmware (e.g. for wifi).
- (kernel nongnu:linux-lts)
- (kernel-arguments
- (cons* ;;"nosplash"
- ;;"vt.global_cursor_default=0"
- ;;"video.use_native_backlight=1"
- ;;"nvidia-drm.modeset=1"
- ;;"acpi_osi=\"!Windows 2015\""
- ;;"acpi_enforce_resources=lax"
- %default-kernel-arguments))
- (initrd microcode-initrd)
- ;; TODO: nouveau complains about missing firmware (see dmesg).
- (firmware (cons* nongnu:atheros-firmware ; for atk10k/QCA6174/hw3.0 (wifi card)
- nongnu:i915-firmware ; for Intel GPU runtime power management etc
- nouveau-firmware ; for nouveau to use NVIDIA GPU
- %base-firmware))
-
- ;; Specify a mapped device for the encrypted home partition.
- ;; The UUID is that returned by 'cryptsetup luksUUID'.
- (mapped-devices
- (list (mapped-device
- (source data-partition-outside-luks)
- (target "data")
- (type luks-device-mapping))))
-
- (swap-devices
- (list (swap-space
- (target swap-partition)
- (discard? #t))))
-
- (file-systems
- (cons* (file-system
- (device guixsd-root-partition)
- (mount-point "/")
- (flags '(no-atime))
- (options (alist->file-system-options
- '("ssd" ("compress" . "zstd"))))
- (type "btrfs"))
- (file-system
- (device efi-system-partition)
- (mount-point "/boot/efi")
- (flags '(no-atime))
- (type "vfat"))
- (file-system
- (device data-partition-inside-luks)
- (mount-point "/home")
- (flags '(no-atime))
- (options (alist->file-system-options
- '("ssd" ("compress" . "zstd")
- ("subvol" . 
"home/guixsd")))) - (type "btrfs") - (dependencies mapped-devices)) - %base-file-systems)) - - ;; Members of the wheel group are allowed to use sudo. - (users (cons* (user-account - (name "timo") - (comment "Timo Wilken") - (group "users") - (supplementary-groups - '("wheel" "audio" "video" "docker" "adbusers")) - (shell (file-append zsh "/bin/zsh"))) - %base-user-accounts)) - - (sudoers-file - (plain-file - "sudoers" - (string-append - ;; We need to preserve $TERMINFO so that programs under sudo can - ;; find kitty's terminfo files. This is possibly unsafe; sudo - ;; explicitly deletes this variable by default. - "Defaults env_keep += \"TERMINFO\"\n" - (plain-file-content %sudoers-specification) - ;; In addition to the default rules, allow admins to power off - ;; the computer. They'll have to use the system binaries, not - ;; those from their user profile, as /etc/sudoers requires - ;; absolute paths to commands. - "%wheel ALL=(ALL) NOPASSWD: " - "/run/current-system/profile/sbin/halt, " - "/run/current-system/profile/sbin/reboot, " - "/run/current-system/profile/sbin/shutdown\n"))) - - ;; This is where we specify system-wide packages. - (packages - (cons* - ;; System stuff - cups docker mit-krb5 - ;; File systems - dosfstools mtools ntfs-3g - ;; Printing and scanning - ;; SANE doesn't detect my scanner without brscan4's etc/sane.d/dll.conf. - brscan4 - ;; Desktop and drivers - ;; FIXME: lightdm depends on python-2, but the build throws an - ;; error that python2 is not supported. - ;; TODO: Does lightdm have a service I need to enable? - ;;lightdm lightdm-gtk-greeter - pulseaudio xf86-video-intel xf86-video-nouveau - ;; Adds /sys/class/backlight entries for external monitors. - ;; Not needed for laptop display. 
- ;; ddcci-driver-linux
- i3-gaps ; install i3 here so gdm can see its xsession file
- i3lock ; we need a system service to make i3lock setuid root
- ;; We need to install gnome-keyring here so its PAM module is
- ;; enabled properly (by its service; see below).
- ;; nheko needs gnome-keyring to store secrets (kwallet doesn't do dbus).
- gnome-keyring
- ;; It's probably easiest to install geoclue system-wide, so it
- ;; gets added to `%desktop-services' and redshift can access the
- ;; location.
- geoclue
- ;; Base packages
- %base-system-packages))
-
- ;; Use the "desktop" services, which include the X11
- ;; log-in service, networking with NetworkManager, and more.
- ;; See info '(guix)Services' for useful services.
- (services
- (cons*
- (service syncthing-service-type
- (syncthing-configuration
- (user "timo")))
-
- (service cups-service-type
- (cups-configuration
- (web-interface? #t)
- (default-shared? #f)
- ;; See info '(guix)Printing Services' for more extensions.
- (extensions
- (list cups-filters foomatic-filters brlaser))))
-
- (bluetooth-service)
-
- (wireguard-service host-name)
-
- (service docker-service-type
- (docker-configuration))
-
- (service krb5-service-type
- (krb5-configuration
- (default-realm "CERN.CH")
- (rdns? #f)
- (realms (list (krb5-realm
- (name "CERN.CH")
- (default-domain "cern.ch")
- (kdc "cerndc.cern.ch"))))))
-
- (service tlp-service-type
- (tlp-configuration)) ; TODO: configure properly
-
- (service thermald-service-type
- (thermald-configuration
- (adaptive? #t)))
-
- (service earlyoom-service-type
- (earlyoom-configuration)) ; TODO: configure at least `avoid-regexp'
-
- ;; Disabled as it doesn't work with my hardware.
- ;; It always says "logging in with fingerprint failed" and blocks password login in gdm.
- ;; (service fprintd-service-type)
-
- ;; Install i3lock as a setuid binary, so it can talk to PAM.
- (screen-locker-service i3lock "i3lock")
-
- ;; gnome-keyring is not in `%desktop-services' by default,
- ;; but needs to be there to add itself to /etc/pam.d/.
- ;; If using a DM other than GDM, add it to `pam-services' in
- ;; `gnome-keyring-configuration' (see its docs).
- (service gnome-keyring-service-type
- (gnome-keyring-configuration))
-
- ;; Allow anyone in the "video" group to set the display's brightness.
- ;; Run `udevadm info -q all /sys/class/backlight/intel_backlight'
- ;; to see properties.
- (udev-rules-service 'backlight backlight-udev-rules #:groups '("video"))
- ;; According to "info '(guix) Base Services'", the above should
- ;; have a `#:groups '("video")', but that group is already
- ;; declared as a supplementary group for my user and guix warns
- ;; that it's declared twice.
-
- (udev-rules-service 'android android-udev-rules #:groups '("adbusers"))
-
- (set-xorg-configuration custom-xorg-config)
-
- (simple-service 'cronjobs mcron-service-type
- ;; I don't think jobs run on boot if they would have run when the
- ;; computer was turned off, so choose a time when the computer is
- ;; probably turned on.
- (list #~(job "0 21 * * *" "guix gc -d 2w -F 25G")
- #~(job "0 22 * * *" ; after guix gc
- (string-append #$(file-append util-linux "/sbin/fstrim")
- " --fstab --verbose"))))
-
- ;; The nonguix channel is added to channels.scm as an `extra-special-file'.
- ;; The gaming channel (https://gitlab.com/guix-gaming-channels) is per-user only.
- (simple-service 'nonguix guix-service-type
- (guix-extension
- (authorized-keys (list nonguix-signing-key))
- (substitute-urls '("https://substitutes.nonguix.org"))))
-
- (extra-special-file "/etc/guix/channels.scm" extra-channels)
-
- (modify-services %desktop-services
- (gdm-service-type
- config =>
- (gdm-configuration
- (inherit config)
- (auto-login? 
#f)
- (default-user "timo")
- (xorg-configuration custom-xorg-config)))
-
- (geoclue-service-type
- config =>
- (geoclue-configuration
- (inherit config)
- (applications
- (cons* (geoclue-application "redshift" #:system? #f)
- %standard-geoclue-applications))))
-
- (login-service-type
- config =>
- (login-configuration
- (inherit config)
- (motd (plain-file "no-motd" ""))
- (allow-empty-passwords? #f)))))))
+ (license
+ (nonfree
+ (string-append
+ "https://git.kernel.org/pub/scm/linux/kernel/git/firmware"
+ "/linux-firmware.git/plain/LICENSE.nvidia")))))
+
+(define-public %lap-system
+ (operating-system
+ (host-name "lap.twilken.net")
+ (timezone "Europe/Paris")
+ (locale "en_GB.utf8")
+ (locale-definitions
+ (list (locale-definition (name "en_GB.utf8") (source "en_GB"))
+ (locale-definition (name "en_US.utf8") (source "en_US"))
+ (locale-definition (name "fr_FR.utf8") (source "fr_FR"))))
+
+ (hosts-file %wireguard-etc-hosts)
+ ;; Allow resolution of '.local' host names with mDNS.
+ (name-service-switch %mdns-host-lookup-nss)
+
+ ;; Choose UK English X11 keyboard layout.
+ (keyboard-layout %british-keyboard)
+
+ ;; Use the UEFI variant of GRUB with the EFI System
+ ;; Partition mounted on /boot/efi.
+ (bootloader
+ (bootloader-configuration
+ (bootloader grub-efi-bootloader)
+ (targets '("/boot/efi"))
+ ;; Note: keyboard-layout is ignored by non-grub bootloaders.
+ (keyboard-layout keyboard-layout)
+ (menu-entries
+ (list
+ (menu-entry
+ (label "systemd-boot")
+ (device efi-system-partition)
+ (chain-loader "/EFI/systemd/systemd-bootx64.efi"))))))
+
+ ;; Use non-free kernel to load non-free firmware (e.g. for wifi).
+ (kernel nongnu:linux-lts)
+ (kernel-arguments
+ (cons* ;;"nosplash"
+ ;;"vt.global_cursor_default=0"
+ ;;"video.use_native_backlight=1"
+ ;;"nvidia-drm.modeset=1"
+ ;;"acpi_osi=\"!Windows 2015\""
+ ;;"acpi_enforce_resources=lax"
+ %default-kernel-arguments))
+ (initrd microcode-initrd)
+ ;; TODO: nouveau complains about missing firmware (see dmesg).
+ (firmware (cons* nongnu:atheros-firmware ; for atk10k/QCA6174/hw3.0 (wifi card)
+ nongnu:i915-firmware ; for Intel GPU runtime power management etc
+ nouveau-firmware ; for nouveau to use NVIDIA GPU
+ %base-firmware))
+
+ ;; Specify a mapped device for the encrypted home partition.
+ ;; The UUID is that returned by 'cryptsetup luksUUID'.
+ (mapped-devices
+ (list (mapped-device
+ (source data-partition-outside-luks)
+ (target "data")
+ (type luks-device-mapping))))
+
+ (swap-devices
+ (list (swap-space
+ (target swap-partition)
+ (discard? #t))))
+
+ (file-systems
+ (cons* (file-system
+ (device guixsd-root-partition)
+ (mount-point "/")
+ (flags '(no-atime))
+ (options (alist->file-system-options
+ '("ssd" ("compress" . "zstd"))))
+ (type "btrfs"))
+ (file-system
+ (device efi-system-partition)
+ (mount-point "/boot/efi")
+ (flags '(no-atime))
+ (type "vfat"))
+ (file-system
+ (device data-partition-inside-luks)
+ (mount-point "/home")
+ (flags '(no-atime))
+ (options (alist->file-system-options
+ '("ssd" ("compress" . "zstd")
+ ("subvol" . "home/guixsd"))))
+ (type "btrfs")
+ (dependencies mapped-devices))
+ %base-file-systems))
+
+ ;; Members of the wheel group are allowed to use sudo.
+ (users (cons* (user-account
+ (name "timo")
+ (comment "Timo Wilken")
+ (group "users")
+ (supplementary-groups
+ '("wheel" "audio" "video" "docker" "adbusers"))
+ (shell (file-append zsh "/bin/zsh")))
+ %base-user-accounts))
+
+ (sudoers-file
+ (plain-file
+ "sudoers"
+ (string-append
+ ;; We need to preserve $TERMINFO so that programs under sudo can
+ ;; find kitty's terminfo files. This is possibly unsafe; sudo
+ ;; explicitly deletes this variable by default.
+ "Defaults env_keep += \"TERMINFO\"\n"
+ (plain-file-content %sudoers-specification)
+ ;; In addition to the default rules, allow admins to power off
+ ;; the computer. They'll have to use the system binaries, not
+ ;; those from their user profile, as /etc/sudoers requires
+ ;; absolute paths to commands.
+ "%wheel ALL=(ALL) NOPASSWD: " + "/run/current-system/profile/sbin/halt, " + "/run/current-system/profile/sbin/reboot, " + "/run/current-system/profile/sbin/shutdown\n"))) + + ;; This is where we specify system-wide packages. + (packages + (cons* + ;; System stuff + cups docker mit-krb5 + ;; File systems + dosfstools mtools ntfs-3g + ;; Printing and scanning + ;; SANE doesn't detect my scanner without brscan4's etc/sane.d/dll.conf. + brscan4 + ;; Desktop and drivers + ;; FIXME: lightdm depends on python-2, but the build throws an + ;; error that python2 is not supported. + ;; TODO: Does lightdm have a service I need to enable? + ;;lightdm lightdm-gtk-greeter + pulseaudio xf86-video-intel xf86-video-nouveau + ;; Adds /sys/class/backlight entries for external monitors. + ;; Not needed for laptop display. + ;; ddcci-driver-linux + i3-gaps ; install i3 here so gdm can see its xsession file + i3lock ; we need a system service to make i3lock setuid root + ;; We need to install gnome-keyring here so its PAM module is + ;; enabled properly (by its service; see below). + ;; nheko needs gnome-keyring to store secrets (kwallet doesn't do dbus). + gnome-keyring + ;; It's probably easiest to install geoclue system-wide, so it + ;; gets added to `%desktop-services' and redshift can access the + ;; location. + geoclue + ;; Base packages + %base-system-packages)) + + ;; Use the "desktop" services, which include the X11 + ;; log-in service, networking with NetworkManager, and more. + ;; See info '(guix)Services' for useful services. + (services + (cons* + (service syncthing-service-type + (syncthing-configuration + (user "timo"))) + + (service cups-service-type + (cups-configuration + (web-interface? #t) + (default-shared? #f) + ;; See info '(guix)Printing Services' for more extensions. 
+ (extensions
+ (list cups-filters foomatic-filters brlaser))))
+
+ (bluetooth-service)
+
+ (wireguard-service host-name)
+
+ (service docker-service-type
+ (docker-configuration))
+
+ (service krb5-service-type
+ (krb5-configuration
+ (default-realm "CERN.CH")
+ (rdns? #f)
+ (realms (list (krb5-realm
+ (name "CERN.CH")
+ (default-domain "cern.ch")
+ (kdc "cerndc.cern.ch"))))))
+
+ (service tlp-service-type
+ (tlp-configuration)) ; TODO: configure properly
+
+ (service thermald-service-type
+ (thermald-configuration
+ (adaptive? #t)))
+
+ (service earlyoom-service-type
+ (earlyoom-configuration)) ; TODO: configure at least `avoid-regexp'
+
+ ;; Disabled as it doesn't work with my hardware.
+ ;; It always says "logging in with fingerprint failed" and blocks password login in gdm.
+ ;; (service fprintd-service-type)
+
+ ;; Install i3lock as a setuid binary, so it can talk to PAM.
+ (screen-locker-service i3lock "i3lock")
+
+ ;; gnome-keyring is not in `%desktop-services' by default,
+ ;; but needs to be there to add itself to /etc/pam.d/.
+ ;; If using a DM other than GDM, add it to `pam-services' in
+ ;; `gnome-keyring-configuration' (see its docs).
+ (service gnome-keyring-service-type
+ (gnome-keyring-configuration))
+
+ ;; Allow anyone in the "video" group to set the display's brightness.
+ ;; Run `udevadm info -q all /sys/class/backlight/intel_backlight'
+ ;; to see properties.
+ (udev-rules-service 'backlight backlight-udev-rules #:groups '("video"))
+ ;; According to "info '(guix) Base Services'", the above should
+ ;; have a `#:groups '("video")', but that group is already
+ ;; declared as a supplementary group for my user and guix warns
+ ;; that it's declared twice.
+
+ (udev-rules-service 'android android-udev-rules #:groups '("adbusers"))
+
+ (set-xorg-configuration custom-xorg-config)
+
+ (simple-service 'cronjobs mcron-service-type
+ ;; I don't think jobs run on boot if they would have run when the
+ ;; computer was turned off, so choose a time when the computer is
+ ;; probably turned on.
+ (list #~(job "0 21 * * *" "guix gc -d 2w -F 25G")
+ #~(job "0 22 * * *" ; after guix gc
+ (string-append #$(file-append util-linux "/sbin/fstrim")
+ " --fstab --verbose"))))
+
+ ;; The nonguix channel is added to channels.scm as an `extra-special-file'.
+ ;; The gaming channel (https://gitlab.com/guix-gaming-channels) is per-user only.
+ (simple-service 'nonguix guix-service-type
+ (guix-extension
+ (authorized-keys (list nonguix-signing-key))
+ (substitute-urls '("https://substitutes.nonguix.org"))))
+
+ (extra-special-file "/etc/guix/channels.scm" extra-channels)
+
+ (modify-services %desktop-services
+ (gdm-service-type
+ config =>
+ (gdm-configuration
+ (inherit config)
+ (auto-login? #f)
+ (default-user "timo")
+ (xorg-configuration custom-xorg-config)))
+
+ (geoclue-service-type
+ config =>
+ (geoclue-configuration
+ (inherit config)
+ (applications
+ (cons* (geoclue-application "redshift" #:system? #f)
+ %standard-geoclue-applications))))
+
+ (login-service-type
+ config =>
+ (login-configuration
+ (inherit config)
+ (motd (plain-file "no-motd" ""))
+ (allow-empty-passwords? #f))))))))
+
+%lap-system
-- cgit v1.2.3
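Review bot: The comment following `(udev-rules-service 'backlight backlight-udev-rules #:groups '("video"))` in the services list is stale on the new side: it says the call "should have a `#:groups '("video")'" and explains why that was left out, but the line it annotates already passes that argument, so the comment should be deleted or rewritten to match the code, e.g. `;; #:groups '("video") duplicates the user's supplementary group; guix may warn about it.`. Separately, `"Defaults env_keep += \"TERMINFO\"\n"` in `sudoers-file` lets any sudo-capable user point programs run with elevated privileges at a user-writable terminfo directory that the terminal library then parses; the adjacent comment already flags this as possibly unsafe, and the more robust fix is to make kitty's terminfo available from a system-wide path and drop the `env_keep` line. Finally, the bare `%lap-system` expression added after the `define-public` deserves a one-line comment, e.g. `;; Evaluate to the system so this file can still be passed directly to guix system.`, since that is presumably why it was kept alongside the exported variable.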