From 04925b8eef4678ff06f408b446aba8e8098f98ce Mon Sep 17 00:00:00 2001
From: Timo Wilken
Date: Mon, 20 Nov 2023 21:02:50 +0100
Subject: Manage new Framework laptop
---
 tw/services/files/wireguard/frm-fp4.psk.enc | 8 +
 tw/services/files/wireguard/frm-lap.psk.enc | 8 +
 tw/services/files/wireguard/frm-lud.psk.enc | 8 +
 tw/services/files/wireguard/frm-pi3.psk.enc | 8 +
 tw/services/files/wireguard/frm-vin.psk.enc | 8 +
 tw/services/files/wireguard/frm.key.enc | 8 +
 tw/services/files/wireguard/lap-frm.psk.enc | 8 +
 tw/services/files/wireguard/lud-frm.psk.enc | 8 +
 tw/services/files/wireguard/vin-frm.psk.enc | 8 +
 tw/services/wireguard.scm | 8 +-
 tw/system/frm.scm | 320 ++++++++++++++++++++++++++++
 11 files changed, 399 insertions(+), 1 deletion(-)
 create mode 100644 tw/services/files/wireguard/frm-fp4.psk.enc
 create mode 100644 tw/services/files/wireguard/frm-lap.psk.enc
 create mode 100644 tw/services/files/wireguard/frm-lud.psk.enc
 create mode 100644 tw/services/files/wireguard/frm-pi3.psk.enc
 create mode 100644 tw/services/files/wireguard/frm-vin.psk.enc
 create mode 100644 tw/services/files/wireguard/frm.key.enc
 create mode 100644 tw/services/files/wireguard/lap-frm.psk.enc
 create mode 100644 tw/services/files/wireguard/lud-frm.psk.enc
 create mode 100644 tw/services/files/wireguard/vin-frm.psk.enc
 create mode 100644 tw/system/frm.scm
(limited to 'tw')
diff --git a/tw/services/files/wireguard/frm-fp4.psk.enc b/tw/services/files/wireguard/frm-fp4.psk.enc
new file mode 100644
index 00000000..9331caa0
--- /dev/null
+++ b/tw/services/files/wireguard/frm-fp4.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGdWRZamxwdTJ1ZjArZVZa
+TngzTGpualZiRDZPTlNBcW5hVGlFQTNWTVgwCndlQ2x3UEpjYkJqU25YRThMb0Uv
+d250OWJWbVZ5S3l3eHB3cGVKNWhBMFUKLS0tIEZDK1hveWk5QzI3OTBmZTRoMDZz
+c1MzRWNYbkc4MXluZ3lCK21ScndaaEkKx4a+8MdoHqDBdmkX1St7qa5zG2CQ4R+z
+3HWUtAI3woUWoC+S2FM31glN5ZFKqWCmU2oUJKrvc9H338hvMgYneY3vzDIU4hoE
+oOyau8c=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/frm-lap.psk.enc b/tw/services/files/wireguard/frm-lap.psk.enc
new file mode 100644
index 00000000..ea83fdee
--- /dev/null
+++ b/tw/services/files/wireguard/frm-lap.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxM3RJM0ZyMzZVellNb2w4
+dWpnRlhWNy9Od3FjL051WVNYMVVhc0tQMEc0CjlCamtxUE9uTHRrSkpLeDJYSE1C
+dXo3SFFaTU5ac0tMUnpIUHdnN3FiTXMKLS0tIHp5NHR4enNPR1piTHRRUjJVbEJ6
+QmlRWXhRU2VSNTFUUWUvQ011SFE0MkEKpyz/6Q7UEZhqbrtJlsx5g7irZ94BeGCj
+Xo5VWUFXv2IHpDBP8TkQzPyJo+eDXOERumLeAWt0/Vx6I//VxsJgAj4v+sgRdDDM
+mnZ7Hv4=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/frm-lud.psk.enc b/tw/services/files/wireguard/frm-lud.psk.enc
new file mode 100644
index 00000000..025c2501
--- /dev/null
+++ b/tw/services/files/wireguard/frm-lud.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvdHc3MitWWjlHcEhGR1l2
+VmhLNklqMkUvRng3aHNUMktoZlZ2ZDliV3pzCkVYTk5TOXVNcnIxalNYbHBlbm9K
+MG4vTmFuS3NVbEVyRjVzZnRVTmFWZTgKLS0tIFFWcENXdDNVU0Y1cFBJcFpGRlR5
+UFlQSW8vUWcxWmlWRWVIWVQwZlEyMjgKHpjhFm/yzFzw76a+FyV1bwQyWzQ6fQxM
+/F4G+JtFyrTla5C7MKXlyXStpXRjXV+8lHJSfgbCQbLRGCJFG84eCsv8AJIaVtDV
+8XnHZms=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/frm-pi3.psk.enc b/tw/services/files/wireguard/frm-pi3.psk.enc
new file mode 100644
index 00000000..119a7b99
--- /dev/null
+++ b/tw/services/files/wireguard/frm-pi3.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQM1Y4NXNmVFBhOVZFaDRO
+dy9ZdU5rTHk0T2JRUFBqVnFTNjBDT25PbUNZCmdGTHYzU0RET25mWkZGa0hwUHFK
+bmlxajFoci83VjZGWndCMWo5K0RUSVkKLS0tIFdOdFlCa3lvMXhGVEV1VU91eHly
+UjRtbUNvUjBDbEo1aW14YXI5MmM1TTgKjS13mwy5dY2fx1boKstTbqb4QjIFMo8j
+eToNx9Lq6KWyOEqE84oQHHgOxzYGKCerrxwTRcaTCKKaxeUwvau5VkbzMeRdRUMj
+iWJXDj8=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/frm-vin.psk.enc b/tw/services/files/wireguard/frm-vin.psk.enc
new file mode 100644
index 00000000..0d08ec3e
--- /dev/null
+++ b/tw/services/files/wireguard/frm-vin.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRjlZMzlwakdIQmx0Zzk2
+TjJWelFQK1p0YUYrS1Y5djd3TEloME5SS1NBCnlLMkg1WHRVZ2k5T2VORzlpaDZI
+RlNmQWNDK0s5dVRNVjRjQnNOOVBWM0EKLS0tIFVhL1ZJT1lveVd1OW16YkVuWUtr
+OW55WHFUdGd6SGZUSll5MjcvYSsrUkUKoEYFPmE+gx2Jzsn00pceiN7mekclWPTf
+xwQiX1qkST3+KjYd1wNCvv60eU2OCKE2LpdELYGXn6FTV7EiK0QZEBQHM1xNqyKV
+kjx+AvA=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/frm.key.enc b/tw/services/files/wireguard/frm.key.enc
new file mode 100644
index 00000000..8e2a1f82
--- /dev/null
+++ b/tw/services/files/wireguard/frm.key.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNdU5HZEViSzNYYTB5NE93
+eXZ0VVRESGozSlFvd2pjL2M0Ri9CbmJ3bUNrCmgwUnQzejVaLzIzdDUxTVRtN3Jj
+aG1oUzRHb0ZBL3VvTkp1aHAwMytIdUUKLS0tIDdlREVBTnd5alBYVGJmRmNRNDky
+Vnl2eFg2VmZjcEpOd1M2eFhFUDNOTXMKn9BhStBgbP79DPvU2RXUmyZnFf8QY91J
+HcM+3r9rfFeSfGOE4Z2UEmy+k83LC1tam1KRS9ak7CEVCRCMWfRmTeI3BfS2QCl5
+9Ab7lzs=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/lap-frm.psk.enc b/tw/services/files/wireguard/lap-frm.psk.enc
new file mode 100644
index 00000000..91977395
--- /dev/null
+++ b/tw/services/files/wireguard/lap-frm.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZT21JeHlsYi9pREVPenpC
+R3dIaUpBeC9Lb2NRazRwcEEvSHQvaVJKekFrCldlNlRpWXMvSEFUWTBZT1F0L0Z1
+ZnNuY0poQ0ZQS013aFF5SHdUTjdHUkkKLS0tIE8vY2haWTdwZE9zMnBueGx5Nm1L
+WjNVbDFRcEhqNUtpaWlwNHFnNmJMd1UKhWgbbnN10725uP1Ofvav7gzYuVwsyzmN
+FFNrwMI0pVtRKUPH3i+7cKpMYdfGF5iKCIz7JOc3XdzTgAQc7lqxS5LKiMBK6lVl
+Cjxds94=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/lud-frm.psk.enc b/tw/services/files/wireguard/lud-frm.psk.enc
new file mode 100644
index 00000000..ad1ff758
--- /dev/null
+++ b/tw/services/files/wireguard/lud-frm.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyA0ZXR5
+MDRuNnBOSnhwWjNBZ1FzVFliUEF4dnk4aXVXVUx0N0NSYVBMbW1BCmJBeDUwbjVY
+UGZ6ckJXeG5XdkJ0NW8xTFJEV0UwN0ZnUEt6QmIxRExDNEkKLS0tIGJuRTVqVnhz
+MXM1SXBPR1dEdDVWWlN1cGFzU0N6RFdLQi83MFBNU3NGT0EKViTwHGDX7oCwl+Fg
+ASRwy0oTXZowSGn7WO2Ko95PfCEJMILt8JoYdggGh6PvPcpOLxemt6tfn8ISXvDK
+NCo5BHemt6k1ikqM2HBRH04=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/vin-frm.psk.enc b/tw/services/files/wireguard/vin-frm.psk.enc
new file mode 100644
index 00000000..3cbfee12
--- /dev/null
+++ b/tw/services/files/wireguard/vin-frm.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9TV0hVQSBWMWZu
+Vkd6clRTd05lUE1IdHRGa1JxclpjRHNNelQzUkVtbG9hOWgwUkVzClJQRXZWTytL
+SGFpTmpXU2tXVUMwem5kQURPb2U5N2RVS0Z4SmZ4dk9MbDgKLS0tIEloQkpJVVU4
+MDhPaExndGo4NzFyRFNEODRJOE40T2lXYnhOS28rZGdBUlUKfrQeK72CdIFwxTaR
+T+nXLL8Ol7zPv0xyLdsbz6naLfa+kdWIo++pqowKAb5QRKkWo8cBVsMYoCIGD3cS
+3nd+DcYi1vOrOm94rGSnOYI=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/wireguard.scm b/tw/services/wireguard.scm
index e975fe46..4a69be8c 100644
--- a/tw/services/wireguard.scm
+++ b/tw/services/wireguard.scm
@@ -47,7 +47,13 @@
 (endpoint "pi3.twilken.net:58922")
 (public-key "pi3/ThUH4qDTuyvNQIiiyy2dbziF/xLRTwO0+vcUoVY=")
 (preshared-key "/etc/wireguard/pi3.psk")
- (allowed-ips '("10.0.0.5/32" "fc00::5/128"))))))
+ (allowed-ips '("10.0.0.5/32" "fc00::5/128"))))
+ ("frm.twilken.net" .
+ ,(wireguard-peer
+ (name "frm.wg")
+ (public-key "frm/YGu1BfXUl4jrN0PTFMNdTQXWPSuY1wEpz5W9C2Y=")
+ (preshared-key "/etc/wireguard/frm.psk")
+ (allowed-ips '("10.0.0.6/32" "fc00::6/128"))))))
 
 (define (wireguard-peers-list? object)
 (and (list? object)
diff --git a/tw/system/frm.scm b/tw/system/frm.scm
new file mode 100644
index 00000000..f19d36ce
--- /dev/null
+++ b/tw/system/frm.scm
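Review bot: The new `frm.twilken.net` peer is given `(preshared-key "/etc/wireguard/frm.psk")`, but this commit only adds the other side's secret for lap, lud and vin (`lap-frm`, `lud-frm`, `vin-frm`); there is no `pi3-frm.psk.enc` or `fp4-frm.psk.enc` to match `frm-pi3.psk.enc` and `frm-fp4.psk.enc`. If pi3 or fp4 take their WireGuard configuration from this peer list, their handshake with frm will fail until the same PSK is installed on them; if they are configured by hand, a short comment on the entry would record that, e.g. `;; pi3 and fp4 receive their frm PSK out of band`. The entry also has no `endpoint`, unlike the pi3 peer above it, which looks intentional for a roaming laptop but deserves a one-line comment saying so. The enclosing peer list starts outside the hunk.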
@@ -0,0 +1,320 @@
+;; This is an operating system configuration file for a fairly minimal
+;; "desktop" setup with i3 where the /home partition partition is
+;; encrypted with LUKS.
+;;
+;; https://guix.gnu.org/manual/en/html_node/operating_002dsystem-Reference.html
+
+(define-module (tw system frm)
+ #:use-module (gnu)
+ #:use-module (gnu bootloader grub)
+ #:use-module (gnu system locale)
+ #:use-module (gnu system nss)
+ #:use-module (guix gexp)
+ #:use-module (guix packages)
+ #:use-module ((nongnu packages linux)
+ #:prefix nongnu:) ; don't interfere with (gnu packages linux)
+ #:use-module ((nongnu system linux-initrd)
+ #:prefix nongnu:)
+ #:use-module (tw channels)
+ #:use-module (tw packages scanner)
+ #:use-module (tw services secrets)
+ #:use-module (tw services wireguard)
+ #:use-module (tw system))
+
+(use-package-modules android certs cups disk docker file-systems gnome guile
+ kerberos linux mtools pulseaudio search shells tls wm xorg)
+
+(use-service-modules admin authentication avahi base cups dbus desktop docker
+ kerberos linux mcron networking pm shepherd syncthing vpn xorg)
+
+(define efi-system-partition ; /dev/nvme0n1p1
+ (uuid "D8C7-2624" 'fat))
+(define root-partition ; /dev/nvme0n1p2
+ (uuid "62fb4710-33d1-4eaf-aaaa-43d16ab26a58" 'btrfs))
+
+(define touchpad-xorg-config
+ (@@ (tw system lap) touchpad-xorg-config))
+
+(define set-timezone-script
+ (@@ (tw system lap) set-timezone-script))
+
+(define custom-xorg-config
+ (xorg-configuration
+ (keyboard-layout %british-keyboard)
+ (extra-config (list touchpad-xorg-config))))
+
+(define-public %frm-system
+ (operating-system
+ (host-name "frm.twilken.net")
+ (timezone "Europe/Paris")
+ (locale "en_GB.utf8")
+ (locale-definitions
+ (list (locale-definition (name "en_GB.utf8") (source "en_GB"))
+ (locale-definition (name "en_US.utf8") (source "en_US"))
+ (locale-definition (name "fr_FR.utf8") (source "fr_FR"))))
+
+ ;; Allow resolution of '.local' host names with mDNS.
+ (name-service-switch %mdns-host-lookup-nss)
+
+ ;; Choose UK English X11 keyboard layout.
+ (keyboard-layout %british-keyboard)
+
+ ;; Use the UEFI variant of GRUB with the EFI System
+ ;; Partition mounted on /boot/efi.
+ (bootloader
+ (bootloader-configuration
+ (bootloader grub-efi-bootloader)
+ (targets '("/boot/efi"))
+ ;; Note: keyboard-layout is ignored by non-grub bootloaders.
+ (keyboard-layout keyboard-layout)))
+
+ ;; Use non-free kernel to load non-free firmware (e.g. for wifi).
+ (kernel nongnu:linux)
+ (initrd nongnu:microcode-initrd)
+ (firmware (cons* nongnu:amdgpu-firmware ; TODO: wifi firmware?
+ %base-firmware))
+
+ (file-systems
+ (cons* (file-system
+ (device root-partition)
+ (mount-point "/")
+ (flags '(no-atime))
+ (options (alist->file-system-options
+ '("ssd" ("compress" . "zstd"))))
+ (type "btrfs"))
+ (file-system
+ (device efi-system-partition)
+ (mount-point "/boot/efi")
+ (flags '(no-atime))
+ (type "vfat"))
+ ;; Put /home in a subvolume for better accounting/snapshotting potential.
+ (file-system
+ (device root-partition)
+ (mount-point "/home")
+ (flags '(no-atime))
+ (options (alist->file-system-options
+ '("ssd" ("compress" . "zstd")
+ ("subvol" . "home"))))
+ (type "btrfs"))
+ %base-file-systems))
+
+ ;; Members of the wheel group are allowed to use sudo.
+ (users (cons* (user-account
+ (name "timo")
+ (comment "Timo Wilken")
+ (group "users")
+ (supplementary-groups
+ '("wheel" "audio" "video" "docker" "adbusers"))
+ (shell (file-append zsh "/bin/zsh")))
+ %base-user-accounts))
+
+ (sudoers-file
+ (plain-file "sudoers"
+ (string-append
+ ;; We need to preserve $TERMINFO so that programs under sudo can
+ ;; find kitty's terminfo files. This is possibly unsafe; sudo
+ ;; explicitly deletes this variable by default.
+ "Defaults env_keep += \"TERMINFO\"\n"
+ (plain-file-content %sudoers-specification)
+ ;; In addition to the default rules, allow admins to power off
+ ;; the computer. They'll have to use the system binaries, not
+ ;; those from their user profile, as /etc/sudoers requires
+ ;; absolute paths to commands.
+ "%wheel ALL=(ALL) NOPASSWD: "
+ "/run/current-system/profile/sbin/halt, "
+ "/run/current-system/profile/sbin/reboot, "
+ "/run/current-system/profile/sbin/shutdown\n")))
+
+ ;; This is where we specify system-wide packages.
+ (packages
+ (cons*
+ ;; System stuff
+ cups docker mit-krb5
+ ;; File systems
+ dosfstools mtools ntfs-3g
+ ;; Desktop and drivers
+ ;; FIXME: lightdm depends on python-2, but the build throws an
+ ;; error that python2 is not supported.
+ ;; TODO: Does lightdm have a service I need to enable?
+ ;;lightdm lightdm-gtk-greeter
+ pulseaudio xf86-video-amdgpu
+ ;; Adds /sys/class/backlight entries for external monitors.
+ ;; Not needed for laptop display.
+ ;; ddcci-driver-linux
+ i3-gaps ; install i3 here so gdm can see its xsession file
+ i3lock ; we need a system service to make i3lock setuid root
+ ;; We need to install gnome-keyring here so its PAM module is
+ ;; enabled properly (by its service; see below).
+ ;; nheko needs gnome-keyring to store secrets (kwallet doesn't do dbus).
+ gnome-keyring
+ ;; It's probably easiest to install geoclue system-wide, so it
+ ;; gets added to `%desktop-services' and redshift can access the
+ ;; location.
+ geoclue
+ ;; Base packages
+ %base-system-packages))
+
+ ;; Use the "desktop" services, which include the X11
+ ;; log-in service, networking with NetworkManager, and more.
+ ;; See info '(guix)Services' for useful services.
+ (services
+ (cons*
+ (service syncthing-service-type
+ (syncthing-configuration
+ (user "timo")))
+
+ (service cups-service-type
+ (cups-configuration
+ (web-interface? #t)
+ (default-shared? #f)
+ ;; See info '(guix)Printing Services' for more extensions.
+ (extensions
+ (list cups-filters foomatic-filters brlaser))))
+
+ (service bluetooth-service-type)
+
+ (service tw-wireguard-service-type
+ (tw-wireguard-configuration
+ (this-host host-name)))
+
+ (service docker-service-type
+ (docker-configuration))
+
+ (service krb5-service-type
+ (krb5-configuration
+ (default-realm "CERN.CH")
+ (rdns? #f)
+ (realms (list (krb5-realm
+ (name "CERN.CH")
+ (default-domain "cern.ch")
+ (kdc "cerndc.cern.ch"))))))
+
+ (service tlp-service-type
+ (tlp-configuration)) ; TODO: configure properly
+
+ (service thermald-service-type
+ (thermald-configuration
+ (adaptive? #t)))
+
+ (service earlyoom-service-type
+ (earlyoom-configuration)) ; TODO: configure at least `avoid-regexp'
+
+ (service fprintd-service-type)
+
+ ;; Install i3lock as a setuid binary, so it can talk to PAM.
+ (service screen-locker-service-type
+ (screen-locker-configuration
+ (name "i3lock")
+ (program (file-append i3lock "/bin/i3lock"))))
+
+ ;; gnome-keyring is not in `%desktop-services' by default,
+ ;; but needs to be there to add itself to /etc/pam.d/.
+ ;; If using a DM other than GDM, add it to `pam-services' in
+ ;; `gnome-keyring-configuration' (see its docs).
+ (service gnome-keyring-service-type
+ (gnome-keyring-configuration))
+
+ (udev-rules-service 'android android-udev-rules #:groups '("adbusers"))
+
+ (set-xorg-configuration custom-xorg-config)
+
+ (service unattended-upgrade-service-type
+ (unattended-upgrade-configuration
+ (schedule "0 21 * * *") ; every night at 21:00, when the laptop is turned on
+ (maximum-duration (* 40 60)) ; 40 minutes to allow for slow downloads
+ (channels %system-channels)
+ (operating-system-expression
+ #~(@ (tw system frm) %frm-system))
+ (services-to-restart
+ ;; Anything that won't cause disruption when restarting.
+ '(syncthing-timo earlyoom thermald tlp wireguard-wg0 mcron))))
+
+ (simple-service 'disk-maintenance mcron-service-type
+ ;; I don't think jobs run on boot if they would have run when the
+ ;; computer was turned off, so choose a time when the computer is
+ ;; probably turned on.
+ (list #~(job "45 21 * * *" "guix gc -d 2w -F 25G") ; after unattended-upgrade
+ #~(job "0 22 * * *" ; after guix gc
+ (string-append #$(file-append util-linux "/sbin/fstrim")
+ " --fstab --verbose"))))
+
+ (extra-special-file "/etc/NetworkManager/dispatcher.d/09-set-timezone"
+ (program-file "set-timezone" set-timezone-script))
+
+ (simple-service 'scanning-services shepherd-root-service-type
+ (list
+ (shepherd-service
+ (documentation "Expose USB scanners over IPP.")
+ (provision '(ipp-usb))
+ (requirement '(networking)) ; only on localhost, though
+ (start #~(make-forkexec-constructor
+ (list #$(file-append ipp-usb "/bin/ipp-usb") "standalone")))
+ (stop #~(make-kill-destructor)))))
+
+ ;; Since Guix 953c65ffdd4, build-machines can be directly specified in
+ ;; `guix-configuration'. However, this doesn't allow the dynamic
+ ;; selection of build machines as is done here.
+ (extra-special-file "/etc/guix/machines.scm"
+ (scheme-file "machines.scm"
+ #~(let ((lud (build-machine
+ (name "lud.twilken.net")
+ (systems '("x86_64-linux"))
+ (port '#$(assoc-ref %ssh-ports "lud.twilken.net"))
+ (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqXbxv3a2bZyGjnEirVCMtRBeLKW/ha8ULSR9Xye4Z1")
+ (user "timo")
+ (private-key "/home/timo/.local/share/ssh-keys/id_rsa")
+ (speed 1/3))) ; 4 cores, 16 GB RAM
+ (vin (build-machine
+ (name "vin.twilken.net")
+ (systems '("x86_64-linux"))
+ (port '#$(assoc-ref %ssh-ports "vin.twilken.net"))
+ (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEEpdfKxzoCwg53TKPF5YxgUwhGF+bELAyBGdxagQroJ")
+ (user "timo")
+ (private-key "/home/timo/.local/share/ssh-keys/id_rsa")
+ (speed 2/3)))) ; 8 cores, 16 GB RAM
+ (use-modules (ice-9 popen)
+ (ice-9 textual-ports)
+ (ice-9 regex))
+ (let* ((regexp (make-regexp "^GENERAL\\.CONNECTION:[[:space:]]+TLAN$" regexp/newline))
+ (pipe (open-pipe* OPEN_READ #$(file-append network-manager "/bin/nmcli")
+ "device" "show" "wlp3s0"))
+ (at-home? (regexp-exec regexp (get-string-all pipe))))
+ (close-pipe pipe)
+ ;; Only offload to vin when at home, as the network connection is too bad otherwise.
+ (if at-home?
+ (list vin)
+ (list lud))))))
+
+ ;; Set up a secrets config for WireGuard to extend.
+ (service secrets-service-type
+ (secrets-configuration
+ (host-key "/etc/secrets.key"))) ; we have no SSH host keys, so use a custom key
+
+ (modify-services (append %system-channel-services %desktop-services)
+ ;; Let sane find the airscan backend. ipp-usb needs to be running separately.
+ (sane-service-type _ => sane-backends/airscan)
+
+ (gdm-service-type
+ config =>
+ (gdm-configuration
+ (inherit config)
+ (auto-login? #f)
+ (default-user "timo")
+ (xorg-configuration custom-xorg-config)))
+
+ (geoclue-service-type
+ config =>
+ (geoclue-configuration
+ (inherit config)
+ (applications
+ (cons* (geoclue-application "redshift" #:system? #f)
+ %standard-geoclue-applications))))
+
+ (login-service-type
+ config =>
+ (login-configuration
+ (inherit config)
+ (motd (plain-file "no-motd" ""))
+ (allow-empty-passwords? #f))))))))
+
+%frm-system
-- cgit v1.2.3
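Review bot: The header comment says /home is encrypted with LUKS, but the `file-systems` block mounts `/` and the `home` subvolume directly from `root-partition` and the file defines no `mapped-devices`, so as written nothing on this laptop's disk is encrypted at rest. That matters here because the same file puts the secrets host key at `/etc/secrets.key` (presumably the key that decrypts the age-encrypted WireGuard key and PSKs added in this commit) and points build offloading at `/home/timo/.local/share/ssh-keys/id_rsa`; both would be readable from a lost or stolen machine. If encryption is intended, add a `mapped-devices` entry using `luks-device-mapping` and make the btrfs file systems depend on it; if it is not, correct the comment so nobody relies on it, e.g. `;; "desktop" setup with i3; the disk is not LUKS-encrypted.` The comment also repeats the word "partition".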