From ae3206dbf89b494264afbe457b13afebdea920d2 Mon Sep 17 00:00:00 2001 From: Timo Wilken Date: Sun, 22 Jan 2023 22:56:03 +0100 Subject: Rename "common" modules to be base modules --- tw/home.scm | 224 +++++++++++++++++++++++++++++++++++++++++++++++++++ tw/home/common.scm | 224 --------------------------------------------------- tw/home/lap.scm | 2 +- tw/home/lud.scm | 11 --- tw/home/server.scm | 11 +++ tw/system.scm | 191 +++++++++++++++++++++++++++++++++++++++++++ tw/system/common.scm | 191 ------------------------------------------- tw/system/lap.scm | 2 +- tw/system/lud.scm | 2 +- tw/system/vin.scm | 2 +- 10 files changed, 430 insertions(+), 430 deletions(-) create mode 100644 tw/home.scm delete mode 100644 tw/home/common.scm delete mode 100644 tw/home/lud.scm create mode 100644 tw/home/server.scm create mode 100644 tw/system.scm delete mode 100644 tw/system/common.scm (limited to 'tw') diff --git a/tw/home.scm b/tw/home.scm new file mode 100644 index 00000000..cc97308c --- /dev/null +++ b/tw/home.scm 
@@ -0,0 +1,224 @@ +(define-module (tw home) + #:use-module (ice-9 string-fun) + #:use-module (gnu) + #:use-module (gnu home services) + #:use-module (gnu home services shells) + #:use-module (gnu home services shepherd) + #:use-module (gnu home services ssh) + #:use-module (guix gexp) + #:use-module (tw packages shell) + #:use-module (tw system)) + +(use-package-modules admin compression curl databases disk dns file finance + gnupg graphviz imagemagick less linux lisp maths + password-utils pretty-print pv python python-xyz rsync + shells shellutils ssh textutils tmux version-control + video vim web) + +(define-public common-packages + (list + curl dos2unix fdupes file git gnupg gnuplot graphviz hledger imagemagick jq + less lesspipe net-tools openssh password-store pass-otp pv python + python-ipython recutils rsync sbcl smartmontools source-highlight tmux tree + xxd zip unzip + get-iplayer ffmpeg atomicparsley yt-dlp + + ;; Install only bind-utils like dig, not the full suite. + (list isc-bind "utils") + + ;; Ranger can do code highlighting using python-pygments and + ;; image previews in kitty using python-pillow. + ranger python-pygments python-pillow mediainfo python-pdftotext + + ;; Shell + zsh zsh-autosuggestions zsh-history-substring-search + zsh-syntax-highlighting zsh-completions)) + +(export gnupg-services) ; there doesn't seem to be a `define*-public' macro +(define* (gnupg-services #:key gui-pinentry?) + (list + (simple-service 'gnupg-config home-files-service-type + `(;; GnuPG config files must be in ~/.local/share/gnupg, not ~/.config, + ;; so we can't use `home-xdg-configuration-files-service-type'. + (".local/share/gnupg/gpg.conf" ,(local-file "home/files/gpg.conf")) + (".local/share/gnupg/gpg-agent.conf" + ,(mixed-text-file "gpg-agent.conf" "\ +pinentry-program " (if gui-pinentry? + (file-append pinentry-rofi "/bin/pinentry-rofi") + (file-append pinentry-tty "/bin/pinentry-tty")) " +# Needed if spawning lots of parallel gpg --decrypt processes. 
https://dev.gnupg.org/T3530 +auto-expand-secmem +")))) + + (simple-service 'gnupg-agent home-shepherd-service-type + (list + (shepherd-service + (documentation "GPG agent; caches key passwords.") + (provision '(gpg-agent)) + (start #~(lambda _ + (invoke #$(file-append gnupg "/bin/gpg-agent") + "--daemon" "--no-detach"))) + (stop #~(lambda _ + (invoke "gpg-connect-agent" "killagent" "/bye")))))))) + +(define (wireguardify host) + (string-replace-substring host ".twilken.net" ".wg")) + +(define (make-own-ssh-host host port) + (openssh-host (name host) (port port) (user "timo"))) + +(define-public common-services + (list + (service home-zsh-service-type + (home-zsh-configuration + (zshrc (list (local-file "home/files/zshrc") + (local-file "home/files/prompt.zsh"))))) + + (simple-service 'common-config home-xdg-configuration-files-service-type + `(("git/config" ,(local-file "home/files/gitconfig")) + ("htop/htoprc" ,(local-file "home/files/htoprc")) + ("lesskey" ,(local-file "home/files/lesskey")) + ("ranger/rc.conf" ,(local-file "home/files/ranger.conf")) + ("tmux/tmux.conf" ,(local-file "home/files/tmux.conf")) + ("user-dirs.locale" ,(plain-file "user-dirs.locale" "C")) ; Not sure if this is needed. Arch has it. + ("user-dirs.dirs" ,(local-file "home/files/user-dirs.dirs")))) + + (simple-service 'common-scripts home-files-service-type + ;; With #:recursive? #t, Guix keeps the files' permission bits, i.e. makes them executable. + `((".local/bin/ppscm" ,(local-file "home/files/ppscm" #:recursive? #t)))) ; pretty-print scheme files + + (simple-service 'common-environment home-environment-variables-service-type + `(;; Path to my own package definitions. If invoking `guix home' + ;; afresh, this needs to be set manually to find these packages. + ("GUIX_PACKAGE_PATH" . "$HOME/src/guix-decls") + + ;; Prepend my own binaries to $PATH. These should probably all + ;; be managed through `home-files-service-type'. + ("PATH" . 
"$HOME/.local/bin${PATH:+:}$PATH") + + ;; Default terminal-related applications (except Emacs, which is separate). + ("PAGER" . "less") + ;; Guix force-overrides $LESS by default, so force-force it to do what I + ;; want instead. `less' reads the `lesskey' file configured above. + ("GUIX_PAGER" . "env -u LESS less") + ;; To make LESS_TERMCAP_* variables (set in lesskey) apply to man pages in kitty. + ("GROFF_NO_SGR" . "1") + + ;; Shell history -- primarily for zsh, but Emacs' eshell uses this too. + ("HISTSIZE" . "10000000") + + ;; ("NVIM_TUI_ENABLE_CURSOR_SHAPE" . "1") + ("LEDGER_FILE" . "$HOME/sync/ledger/ledger.journal") + ("GTAGSLABEL" . "pygments") + + ;; Disable at-spi-dbus-launcher accessibility service. + ("NO_AT_BRIDGE" . "1") + + ;; Auto-compilation is annoying and creates a bunch of files that are never cleaned up. + ("GUILE_AUTO_COMPILE" . "0") + + ;; For some reason, Guix doesn't seem to add these paths automatically. + ("GUILE_LOAD_PATH" . + ,(string-append + "$GUIX_PACKAGE_PATH:" + "$XDG_CONFIG_HOME/guix/current/share/guile/site/3.0" + "${GUILE_LOAD_PATH:+:}$GUILE_LOAD_PATH")) + ("GUILE_LOAD_COMPILED_PATH" . + ,(string-append + "$XDG_CONFIG_HOME/guix/current/lib/guile/3.0/site-ccache:" + "$XDG_CONFIG_HOME/guix/current/share/guile/site/3.0" + "${GUILE_LOAD_COMPILED_PATH:+:}$GUILE_LOAD_COMPILED_PATH")))) + + ;; XDG basedir spec compliance for various programs + ;; See: https://wiki.archlinux.org/index.php/XDG_Base_Directory for a list of programs. + ;; The `home-xdg-base-directories' service (enabled by default) sets $XDG_* variables for us. + (simple-service 'xdg-spec-compliance home-environment-variables-service-type + '(("ANDROID_EMULATOR_HOME" . "$XDG_DATA_HOME/android-emulator") + ("ASPELL_CONF" . "per-conf $XDG_CONFIG_HOME/aspell/aspell.conf; home-dir $XDG_DATA_HOME/aspell") + ("BUP_DIR" . "$XDG_DATA_HOME/bup") + ("CARGO_HOME" . "$XDG_DATA_HOME/cargo") + ("DSHGROUP_PATH" . "$XDG_DATA_HOME/dsh/group:/etc/dsh/group") + ("ELECTRUMDIR" . 
"$XDG_DATA_HOME/electrum") + ("FG_HOME" . "$XDG_DATA_HOME/fgfs") + ("GETIPLAYERUSERPREFS" . "$XDG_DATA_HOME/get_iplayer") + ("GNUPGHOME" . "$XDG_DATA_HOME/gnupg") + ("GTK2_RC_FILES" . "$XDG_CONFIG_HOME/gtk-2.0/gtkrc") + ("ICEAUTHORITY" . "$XDG_CACHE_HOME/ICEauthority") + ("INPUTRC" . "$XDG_CONFIG_HOME/readline/inputrc") + ("IPYTHONDIR" . "$XDG_CONFIG_HOME/ipython") + ("JUPYTER_CONFIG_DIR" . "$XDG_CONFIG_HOME/jupyter") + ;; KONAN_DATA_DIR=~/.konan by default; grows to multiple GiB. + ;; https://discuss.kotlinlang.org/t/change-konan-folder-location/18309 + ("KONAN_DATA_DIR" . "$XDG_CACHE_HOME/konan") + ("NPM_CONFIG_USERCONFIG" . "$XDG_CONFIG_HOME/npm/npmrc") + ("PASSWORD_STORE_DIR" . "$XDG_DATA_HOME/password-store") + ("PLTUSERHOME" . "$XDG_DATA_HOME/racket") + ("PYLINTHOME" . "$XDG_CACHE_HOME/pylint") + ("PYLINTRC" . "$XDG_CONFIG_HOME/pylint/pylintrc") + ("RECOLL_CONFDIR" . "$XDG_CONFIG_HOME/recoll") + ("RLWRAP_HOME" . "$XDG_DATA_HOME/rlwrap") + ("STACK_ROOT" . "$XDG_DATA_HOME/stack") + ("TMUX_TMPDIR" . "$XDG_RUNTIME_DIR") + ("WEECHAT_HOME" . "$XDG_CONFIG_HOME/weechat") + ("XCOMPOSECACHE" . "$XDG_CACHE_HOME/X11/XCompose") + ("XCOMPOSEFILE" . "$XDG_CONFIG_HOME/X11/XCompose") + ("ZDOTDIR" . "$XDG_CONFIG_HOME/zsh") + ("_JAVA_OPTIONS" . + "$_JAVA_OPTIONS${_JAVA_OPTIONS:+ }-Djava.util.prefs.userRoot=$XDG_CONFIG_HOME/java"))) + + (service home-openssh-service-type + (home-openssh-configuration + (hosts + ;; Earlier rules take precedence over later ones. 
+ `(,(openssh-host (name "*.srcf.net") (user "tw466")) + ;; My own machines + ,@(map make-own-ssh-host (map car %ssh-ports) (map cdr %ssh-ports)) + ,@(map make-own-ssh-host (map (compose wireguardify car) %ssh-ports) (map cdr %ssh-ports)) + ,(openssh-host (name "*.fritz.box") (proxy-command "ssh -v -W '[%h]:%p' lud.twilken.net")) + ;; Git hosts + ,@(map (lambda (host) (openssh-host (name host) (user "git"))) + '("github.com" "ssh.github.com" "bitbucket.org")) + ,(openssh-host (name "gitlab.cern.ch") (port 7999) (user "git") (proxy-command "none")) + ;; BitBucket apparently only supports ssh-rsa. + ,(openssh-host + (name "bitbucket.org") + (host-key-algorithms '("+ssh-rsa")) + (accepted-key-types '("+ssh-rsa"))) + ;; CERN stuff + ,(openssh-host (name "lxplus.cern.ch") (proxy-command "none")) ; avoid ProxyJump loops + ,(openssh-host + (name "twilkendesktop.cern.ch") + (port 22022) + (forward-x11? #t) + (extra-content "GSSAPIDelegateCredentials yes")) + ,@(map (lambda (spec) + (openssh-host (name (car spec)) (user (cdr spec)) + (identity-file "~/.local/share/ssh-keys/alicern_id_rsa"))) + '(("alimonitor.cern.ch" . "alibuild") + ("alinsure.cern.ch" . "alibuild") + ("alibuildmac*.cern.ch" . "alibuild") + ("aido*osx*.cern.ch" . "alibuild") + ("alibuild*.cern.ch" . "root") + ("alissandra*.cern.ch" . "root") + ("alimesos*.cern.ch" . "root") + ("alientest*.cern.ch" . "root") + ("aliflow*.cern.ch" . "root") + ("alijenkins*.cern.ch" . "root"))) + ,(openssh-host + (name "*.cern.ch") + (user "twilken") + (identity-file "~/.local/share/ssh-keys/cern_id_rsa") + (proxy-command "ssh -v -W '[%h]:%p' -l twilken lxplus.cern.ch") + (extra-content "\ + # Kerberos authentication + GSSAPIAuthentication yes + GSSAPIDelegateCredentials no + PreferredAuthentications gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive +")) + ;; Default SSH key. This isn't in ~/.ssh as `home-openssh-service-type' + ;; manages that and might delete keys there. 
+ ,(openssh-host + (name "*") + (identity-file "~/.local/share/ssh-keys/id_rsa") + ;; Remote servers probably don't know about xterm-kitty. + (extra-content "SetEnv TERM=xterm-256color")))))))) diff --git a/tw/home/common.scm b/tw/home/common.scm deleted file mode 100644 index 17b00666..00000000 --- a/tw/home/common.scm +++ /dev/null 
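Review bot: In `gnupg-services` the `gnupg-agent` shepherd service's `stop` action runs `(invoke "gpg-connect-agent" "killagent" "/bye")` by bare name, while `start` uses the store path `#$(file-append gnupg "/bin/gpg-agent")`; shepherd's PATH is not guaranteed to include the home profile's gnupg, so stopping the service can fail with a missing executable where starting it succeeded. Use the same store path for both: `(invoke #$(file-append gnupg "/bin/gpg-connect-agent") "killagent" "/bye")`. Separately, the `bitbucket.org` host entry adds `+ssh-rsa` to both `host-key-algorithms` and `accepted-key-types`, which appears to widen the accepted algorithm set for that host beyond the OpenSSH defaults; the existing comment says "apparently", so a short note recording when this was last confirmed necessary would make it easier to drop later.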
@@ -1,224 +0,0 @@ -(define-module (tw home common) - #:use-module (ice-9 string-fun) - #:use-module (gnu) - #:use-module (gnu home services) - #:use-module (gnu home services shells) - #:use-module (gnu home services shepherd) - #:use-module (gnu home services ssh) - #:use-module (guix gexp) - #:use-module (tw packages shell) - #:use-module (tw system common)) - -(use-package-modules admin compression curl databases disk dns file finance - gnupg graphviz imagemagick less linux lisp maths - password-utils pretty-print pv python python-xyz rsync - shells shellutils ssh textutils tmux version-control - video vim web) - -(define-public common-packages - (list - curl dos2unix fdupes file git gnupg gnuplot graphviz hledger imagemagick jq - less lesspipe net-tools openssh password-store pass-otp pv python - python-ipython recutils rsync sbcl smartmontools source-highlight tmux tree - xxd zip unzip - get-iplayer ffmpeg atomicparsley yt-dlp - - ;; Install only bind-utils like dig, not the full suite. - (list isc-bind "utils") - - ;; Ranger can do code highlighting using python-pygments and - ;; image previews in kitty using python-pillow. - ranger python-pygments python-pillow mediainfo python-pdftotext - - ;; Shell - zsh zsh-autosuggestions zsh-history-substring-search - zsh-syntax-highlighting zsh-completions)) - -(export gnupg-services) ; there doesn't seem to be a `define*-public' macro -(define* (gnupg-services #:key gui-pinentry?) - (list - (simple-service 'gnupg-config home-files-service-type - `(;; GnuPG config files must be in ~/.local/share/gnupg, not ~/.config, - ;; so we can't use `home-xdg-configuration-files-service-type'. - (".local/share/gnupg/gpg.conf" ,(local-file "files/gpg.conf")) - (".local/share/gnupg/gpg-agent.conf" - ,(mixed-text-file "gpg-agent.conf" "\ -pinentry-program " (if gui-pinentry? 
- (file-append pinentry-rofi "/bin/pinentry-rofi") - (file-append pinentry-tty "/bin/pinentry-tty")) " -# Needed if spawning lots of parallel gpg --decrypt processes. https://dev.gnupg.org/T3530 -auto-expand-secmem -")))) - - (simple-service 'gnupg-agent home-shepherd-service-type - (list - (shepherd-service - (documentation "GPG agent; caches key passwords.") - (provision '(gpg-agent)) - (start #~(lambda _ - (invoke #$(file-append gnupg "/bin/gpg-agent") - "--daemon" "--no-detach"))) - (stop #~(lambda _ - (invoke "gpg-connect-agent" "killagent" "/bye")))))))) - -(define (wireguardify host) - (string-replace-substring host ".twilken.net" ".wg")) - -(define (make-own-ssh-host host port) - (openssh-host (name host) (port port) (user "timo"))) - -(define-public common-services - (list - (service home-zsh-service-type - (home-zsh-configuration - (zshrc (list (local-file "files/zshrc") - (local-file "files/prompt.zsh"))))) - - (simple-service 'common-config home-xdg-configuration-files-service-type - `(("git/config" ,(local-file "files/gitconfig")) - ("htop/htoprc" ,(local-file "files/htoprc")) - ("lesskey" ,(local-file "files/lesskey")) - ("ranger/rc.conf" ,(local-file "files/ranger.conf")) - ("tmux/tmux.conf" ,(local-file "files/tmux.conf")) - ("user-dirs.locale" ,(plain-file "user-dirs.locale" "C")) ; Not sure if this is needed. Arch has it. - ("user-dirs.dirs" ,(local-file "files/user-dirs.dirs")))) - - (simple-service 'common-scripts home-files-service-type - ;; With #:recursive? #t, Guix keeps the files' permission bits, i.e. makes them executable. - `((".local/bin/ppscm" ,(local-file "files/ppscm" #:recursive? #t)))) ; pretty-print scheme files - - (simple-service 'common-environment home-environment-variables-service-type - `(;; Path to my own package definitions. If invoking `guix home' - ;; afresh, this needs to be set manually to find these packages. - ("GUIX_PACKAGE_PATH" . "$HOME/src/guix-decls") - - ;; Prepend my own binaries to $PATH. 
These should probably all - ;; be managed through `home-files-service-type'. - ("PATH" . "$HOME/.local/bin${PATH:+:}$PATH") - - ;; Default terminal-related applications (except Emacs, which is separate). - ("PAGER" . "less") - ;; Guix force-overrides $LESS by default, so force-force it to do what I - ;; want instead. `less' reads the `lesskey' file configured above. - ("GUIX_PAGER" . "env -u LESS less") - ;; To make LESS_TERMCAP_* variables (set in lesskey) apply to man pages in kitty. - ("GROFF_NO_SGR" . "1") - - ;; Shell history -- primarily for zsh, but Emacs' eshell uses this too. - ("HISTSIZE" . "10000000") - - ;; ("NVIM_TUI_ENABLE_CURSOR_SHAPE" . "1") - ("LEDGER_FILE" . "$HOME/sync/ledger/ledger.journal") - ("GTAGSLABEL" . "pygments") - - ;; Disable at-spi-dbus-launcher accessibility service. - ("NO_AT_BRIDGE" . "1") - - ;; Auto-compilation is annoying and creates a bunch of files that are never cleaned up. - ("GUILE_AUTO_COMPILE" . "0") - - ;; For some reason, Guix doesn't seem to add these paths automatically. - ("GUILE_LOAD_PATH" . - ,(string-append - "$GUIX_PACKAGE_PATH:" - "$XDG_CONFIG_HOME/guix/current/share/guile/site/3.0" - "${GUILE_LOAD_PATH:+:}$GUILE_LOAD_PATH")) - ("GUILE_LOAD_COMPILED_PATH" . - ,(string-append - "$XDG_CONFIG_HOME/guix/current/lib/guile/3.0/site-ccache:" - "$XDG_CONFIG_HOME/guix/current/share/guile/site/3.0" - "${GUILE_LOAD_COMPILED_PATH:+:}$GUILE_LOAD_COMPILED_PATH")))) - - ;; XDG basedir spec compliance for various programs - ;; See: https://wiki.archlinux.org/index.php/XDG_Base_Directory for a list of programs. - ;; The `home-xdg-base-directories' service (enabled by default) sets $XDG_* variables for us. - (simple-service 'xdg-spec-compliance home-environment-variables-service-type - '(("ANDROID_EMULATOR_HOME" . "$XDG_DATA_HOME/android-emulator") - ("ASPELL_CONF" . "per-conf $XDG_CONFIG_HOME/aspell/aspell.conf; home-dir $XDG_DATA_HOME/aspell") - ("BUP_DIR" . "$XDG_DATA_HOME/bup") - ("CARGO_HOME" . 
"$XDG_DATA_HOME/cargo") - ("DSHGROUP_PATH" . "$XDG_DATA_HOME/dsh/group:/etc/dsh/group") - ("ELECTRUMDIR" . "$XDG_DATA_HOME/electrum") - ("FG_HOME" . "$XDG_DATA_HOME/fgfs") - ("GETIPLAYERUSERPREFS" . "$XDG_DATA_HOME/get_iplayer") - ("GNUPGHOME" . "$XDG_DATA_HOME/gnupg") - ("GTK2_RC_FILES" . "$XDG_CONFIG_HOME/gtk-2.0/gtkrc") - ("ICEAUTHORITY" . "$XDG_CACHE_HOME/ICEauthority") - ("INPUTRC" . "$XDG_CONFIG_HOME/readline/inputrc") - ("IPYTHONDIR" . "$XDG_CONFIG_HOME/ipython") - ("JUPYTER_CONFIG_DIR" . "$XDG_CONFIG_HOME/jupyter") - ;; KONAN_DATA_DIR=~/.konan by default; grows to multiple GiB. - ;; https://discuss.kotlinlang.org/t/change-konan-folder-location/18309 - ("KONAN_DATA_DIR" . "$XDG_CACHE_HOME/konan") - ("NPM_CONFIG_USERCONFIG" . "$XDG_CONFIG_HOME/npm/npmrc") - ("PASSWORD_STORE_DIR" . "$XDG_DATA_HOME/password-store") - ("PLTUSERHOME" . "$XDG_DATA_HOME/racket") - ("PYLINTHOME" . "$XDG_CACHE_HOME/pylint") - ("PYLINTRC" . "$XDG_CONFIG_HOME/pylint/pylintrc") - ("RECOLL_CONFDIR" . "$XDG_CONFIG_HOME/recoll") - ("RLWRAP_HOME" . "$XDG_DATA_HOME/rlwrap") - ("STACK_ROOT" . "$XDG_DATA_HOME/stack") - ("TMUX_TMPDIR" . "$XDG_RUNTIME_DIR") - ("WEECHAT_HOME" . "$XDG_CONFIG_HOME/weechat") - ("XCOMPOSECACHE" . "$XDG_CACHE_HOME/X11/XCompose") - ("XCOMPOSEFILE" . "$XDG_CONFIG_HOME/X11/XCompose") - ("ZDOTDIR" . "$XDG_CONFIG_HOME/zsh") - ("_JAVA_OPTIONS" . - "$_JAVA_OPTIONS${_JAVA_OPTIONS:+ }-Djava.util.prefs.userRoot=$XDG_CONFIG_HOME/java"))) - - (service home-openssh-service-type - (home-openssh-configuration - (hosts - ;; Earlier rules take precedence over later ones. 
- `(,(openssh-host (name "*.srcf.net") (user "tw466")) - ;; My own machines - ,@(map make-own-ssh-host (map car %ssh-ports) (map cdr %ssh-ports)) - ,@(map make-own-ssh-host (map (compose wireguardify car) %ssh-ports) (map cdr %ssh-ports)) - ,(openssh-host (name "*.fritz.box") (proxy-command "ssh -v -W '[%h]:%p' lud.twilken.net")) - ;; Git hosts - ,@(map (lambda (host) (openssh-host (name host) (user "git"))) - '("github.com" "ssh.github.com" "bitbucket.org")) - ,(openssh-host (name "gitlab.cern.ch") (port 7999) (user "git") (proxy-command "none")) - ;; BitBucket apparently only supports ssh-rsa. - ,(openssh-host - (name "bitbucket.org") - (host-key-algorithms '("+ssh-rsa")) - (accepted-key-types '("+ssh-rsa"))) - ;; CERN stuff - ,(openssh-host (name "lxplus.cern.ch") (proxy-command "none")) ; avoid ProxyJump loops - ,(openssh-host - (name "twilkendesktop.cern.ch") - (port 22022) - (forward-x11? #t) - (extra-content "GSSAPIDelegateCredentials yes")) - ,@(map (lambda (spec) - (openssh-host (name (car spec)) (user (cdr spec)) - (identity-file "~/.local/share/ssh-keys/alicern_id_rsa"))) - '(("alimonitor.cern.ch" . "alibuild") - ("alinsure.cern.ch" . "alibuild") - ("alibuildmac*.cern.ch" . "alibuild") - ("aido*osx*.cern.ch" . "alibuild") - ("alibuild*.cern.ch" . "root") - ("alissandra*.cern.ch" . "root") - ("alimesos*.cern.ch" . "root") - ("alientest*.cern.ch" . "root") - ("aliflow*.cern.ch" . "root") - ("alijenkins*.cern.ch" . "root"))) - ,(openssh-host - (name "*.cern.ch") - (user "twilken") - (identity-file "~/.local/share/ssh-keys/cern_id_rsa") - (proxy-command "ssh -v -W '[%h]:%p' -l twilken lxplus.cern.ch") - (extra-content "\ - # Kerberos authentication - GSSAPIAuthentication yes - GSSAPIDelegateCredentials no - PreferredAuthentications gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive -")) - ;; Default SSH key. This isn't in ~/.ssh as `home-openssh-service-type' - ;; manages that and might delete keys there. 
- ,(openssh-host - (name "*") - (identity-file "~/.local/share/ssh-keys/id_rsa") - ;; Remote servers probably don't know about xterm-kitty. - (extra-content "SetEnv TERM=xterm-256color")))))))) diff --git a/tw/home/lap.scm b/tw/home/lap.scm index 68b9f2d3..424d64a8 100644 --- a/tw/home/lap.scm +++ b/tw/home/lap.scm @@ -24,7 +24,7 @@ #:use-module (guix gexp) #:use-module ((nongnu packages messaging) #:select (signal-desktop zoom)) - #:use-module (tw home common) + #:use-module (tw home) #:use-module (tw home emacs) #:use-module (tw packages alice) #:use-module (tw packages catppuccin) diff --git a/tw/home/lud.scm b/tw/home/lud.scm deleted file mode 100644 index 44cd0c2b..00000000 --- a/tw/home/lud.scm +++ /dev/null @@ -1,11 +0,0 @@ -(define-module (tw home lud) - #:use-module (gnu home) - #:use-module (tw home common) - #:use-module (tw home emacs)) - -(home-environment - ;; These packages will show up in the home profile, under ~/.guix-home/profile. - (packages (append common-packages emacs-packages)) - ;; To search for available home services, run 'guix home search KEYWORD'. - (services (append (gnupg-services #:gui-pinentry? #f) - common-services emacs-services))) diff --git a/tw/home/server.scm b/tw/home/server.scm new file mode 100644 index 00000000..95d860e5 --- /dev/null +++ b/tw/home/server.scm @@ -0,0 +1,11 @@ +(define-module (tw home lud) + #:use-module (gnu home) + #:use-module (tw home) + #:use-module (tw home emacs)) + +(home-environment + ;; These packages will show up in the home profile, under ~/.guix-home/profile. + (packages (append common-packages emacs-packages)) + ;; To search for available home services, run 'guix home search KEYWORD'. + (services (append (gnupg-services #:gui-pinentry? #f) + common-services emacs-services))) diff --git a/tw/system.scm b/tw/system.scm new file mode 100644 index 00000000..8734885b --- /dev/null +++ b/tw/system.scm 
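Review bot: The new `tw/home/server.scm` keeps the header `(define-module (tw home lud)`, so the module name no longer matches its file path; Guile resolves `(tw home server)` to `tw/home/server.scm`, so a `(use-modules (tw home server))` or a load-path lookup would not find this module under its declared name, and a future `tw/home/lud.scm` would declare the same name. Change the first line to `(define-module (tw home server)`, or, if this file is only ever passed directly to `guix home reconfigure` and the name is irrelevant, say so in a comment above it. The `#:use-module (tw home)` update in the same hunk is consistent with the rename.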
@@ -0,0 +1,191 @@ +(define-module (tw system) + #:use-module (ice-9 format) + #:use-module (ice-9 regex) + #:use-module (ice-9 string-fun) + #:use-module ((srfi srfi-1) + #:select (fold fold-right)) + #:use-module (gnu) + #:use-module (gnu services) + #:use-module (gnu system) + #:use-module (gnu system keyboard) + #:use-module (guix gexp)) + +(use-package-modules admin avahi certs disk file-systems linux lsof man + moreutils python rsync search shells version-control vpn) +(use-service-modules mcron monitoring networking ssh vpn) + +(define-public %base-system-packages + (cons* acpi btrfs-progs cpupower efibootmgr exfat-utils git glibc-locales + hddtemp htop lshw lsof man-db man-pages man-pages-posix mlocate + moreutils nss-certs nss-mdns python rsync strace wireguard-tools + %base-packages)) + +(define-public %british-keyboard + (keyboard-layout + "gb" #:options '("caps:swapescape" + "parens:swap_brackets" + "terminate:ctrl_alt_bksp" + "compose:rctrl" + "keypad:oss" + "kpdl:kposs"))) + +(define-public %sudoers-file + (plain-file "sudoers" + (string-append + (plain-file-content %sudoers-specification) + ;; Let the "guixdeploy" user do anything as root, without a + ;; password required. "guix deploy" needs this, so that it can + ;; reconfigure the system without logging in as root. + ;; See: '(guix)Invoking guix deploy' info node. + "guixdeploy ALL = NOPASSWD: ALL\n"))) + +;; This is used for the servers, and also by (tw home) to generate the +;; appropriate ~/.ssh/config. +(define-public %ssh-ports + '(("lud.twilken.net" . 22022) + ("vin.twilken.net" . 22022) + ("pi3.twilken.net" . 51022))) + +(define-public (server-base-services host-name) + (cons* + ;; SSH login, allowing access only for me. To give more public keys + ;; access, extend `openssh-service-type'. + (service openssh-service-type + (openssh-configuration + (port-number (assoc-ref %ssh-ports host-name)) + (password-authentication? 
#f) + (accepted-environment '("LANG" "LC_*")) + (authorized-keys + `(("timo" + ,(local-file "system/files/timo.pub") + ,(local-file "system/files/timo-phone-gpg.pub")))))) + + ;; Prometheus node exporter + (service prometheus-node-exporter-service-type + (prometheus-node-exporter-configuration + (web-listen-address + (string-replace-substring + (car ; get the IPv4 address + (wireguard-peer-allowed-ips + (assoc-ref %wireguard-peers host-name))) + "/32" ":9100")))) + + (simple-service 'disk-maintenance mcron-service-type + (list #~(job "0 2 * * *" "guix gc -d 2w") + #~(job "0 4 * * *" ; after guix gc + (string-append #$(file-append util-linux "/sbin/fstrim") + " --fstab --verbose")))) + + ;; Network setup + (service dhcp-client-service-type) + (service ntp-service-type) + (wireguard-service host-name) + + ;; Delete the annoying message on SSH login. Beware when setting up a new + ;; host, as `allow-empty-passwords' will block login and sudo execution for + ;; all Guix-declared users (as these have no initial password). + (modify-services %base-services + (login-service-type + config => + (login-configuration + (inherit config) + (motd (plain-file "no-motd" "")) + (allow-empty-passwords? #f)))))) + +(define-public %server-base-user-accounts + (cons* (user-account + (name "timo") + (comment "Timo Wilken") + (group "users") + (home-directory "/home/timo") + (supplementary-groups '("wheel" "netdev" "audio" "video")) + (shell (file-append zsh "/bin/zsh"))) + (user-account ; needs a matching sudoers entry + (system? #t) + (name "guixdeploy") + (comment "Guix-deploy access") + (group "root") + (home-directory "/var/empty") + (create-home-directory? #f)) + %base-user-accounts)) + +(define %wireguard-peers + `(("lap.twilken.net" . + ,(wireguard-peer + (name "lap.wg") + (public-key "lap/DvCb8xXLUCqcaPEx8kCRcoeV4ScTMVZW5hvvNzA=") + (preshared-key "/etc/wireguard/lap.psk") + (allowed-ips '("10.0.0.1/32" "fc00::1/128")))) + ("lud.twilken.net" . 
+ ,(wireguard-peer + (name "lud.wg") + (endpoint "lud.twilken.net:58921") + (public-key "lud/9sbXVdOYXxOkRgAB+b/17QxbwllfJY/pbA3/MkE=") + (preshared-key "/etc/wireguard/lud.psk") + (allowed-ips '("10.0.0.2/32" "fc00::2/128")))) + ("vin.twilken.net" . + ,(wireguard-peer + (name "vin.wg") + (endpoint "vin.twilken.net:58921") + (public-key "vin/Im+sOszZFE01UF1+QlyxLP1PsPXJgTz4KmgvL3Y=") + (preshared-key "/etc/wireguard/vin.psk") + (allowed-ips '("10.0.0.3/32" "fc00::3/128")))) + ("fp4.twilken.net" . + ,(wireguard-peer + (name "fp4.wg") + (public-key "fp4/aLAVBADTy+UGmNh011w1CFOOwq70Df6EWlZRkAs=") + (preshared-key "/etc/wireguard/fp4.psk") + (allowed-ips '("10.0.0.4/32" "fc00::4/128")))) + ("pi3.twilken.net" . + ,(wireguard-peer + (name "pi3.wg") + (endpoint "pi3.twilken.net:58922") + (public-key "pi3/ThUH4qDTuyvNQIiiyy2dbziF/xLRTwO0+vcUoVY=") + (preshared-key "/etc/wireguard/pi3.psk") + (allowed-ips '("10.0.0.5/32" "fc00::5/128")))))) + +(define-public %wireguard-etc-hosts + (let ((basic-hosts-file "\ +# This file was generated from your Guix configuration. +# Any changes will be lost upon reboot or reconfiguration. 
+127.0.0.1 localhost +255.255.255.255 broadcasthost +::1 localhost ip6-localhost ip6-loopback +fe00::0 ip6-localnet +ff00::0 ip6-mcastprefix +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters +ff02::3 ip6-allhosts +")) + (plain-file + "hosts" + (fold (lambda (peer hosts-file) + (apply string-append hosts-file + (map (lambda (allowed-ip-cidr) + (format #f "~16a~a~%" + (car (string-split allowed-ip-cidr #\/)) + (wireguard-peer-name peer))) + (wireguard-peer-allowed-ips peer)))) + basic-hosts-file + (map cdr %wireguard-peers))))) + +(define-public (wireguard-service host-name) + (let ((own-peer (assoc-ref %wireguard-peers host-name))) + (service wireguard-service-type + (wireguard-configuration + (addresses + (map (lambda (cidr) + (let ((ipv4 (string-match "/32$" cidr)) + (ipv6 (string-match "/128$" cidr))) + (cond + (ipv4 (regexp-substitute #f ipv4 'pre "/24")) + (ipv6 (regexp-substitute #f ipv6 'pre "/64")) + (#t cidr)))) + (wireguard-peer-allowed-ips own-peer))) + (port + (let ((endpoint (wireguard-peer-endpoint own-peer))) + (if endpoint + (string->number (cadr (string-split endpoint #\:))) + 58921))) + (private-key "/etc/wireguard/private.key") + (peers (delq own-peer (map cdr %wireguard-peers))))))) diff --git a/tw/system/common.scm b/tw/system/common.scm deleted file mode 100644 index 1eb48c52..00000000 --- a/tw/system/common.scm +++ /dev/null 
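Review bot: `wireguard-service` binds `own-peer` to `(assoc-ref %wireguard-peers host-name)` and then passes it straight to `wireguard-peer-allowed-ips` and `wireguard-peer-endpoint`; for a host name missing from `%wireguard-peers` the lookup yields `#f`, and the failure surfaces as an opaque wrong-type error from the record accessor rather than naming the host. `server-base-services` has the same shape with `(assoc-ref %ssh-ports host-name)` feeding `port-number`. A guard right after the binding, `(unless own-peer (error "No WireGuard peer defined for host" host-name))`, gives a clear message at reconfigure time. The `(cadr (string-split endpoint #\:))` port extraction also presumes an endpoint of the form `host:port`; a comment stating that assumption would help, since an endpoint without a port would make `cadr` fail.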
@@ -1,191 +0,0 @@ -(define-module (tw system common) - #:use-module (ice-9 format) - #:use-module (ice-9 regex) - #:use-module (ice-9 string-fun) - #:use-module ((srfi srfi-1) - #:select (fold fold-right)) - #:use-module (gnu) - #:use-module (gnu services) - #:use-module (gnu system) - #:use-module (gnu system keyboard) - #:use-module (guix gexp)) - -(use-package-modules admin avahi certs disk file-systems linux lsof man - moreutils python rsync search shells version-control vpn) -(use-service-modules mcron monitoring networking ssh vpn) - -(define-public %base-system-packages - (cons* acpi btrfs-progs cpupower efibootmgr exfat-utils git glibc-locales - hddtemp htop lshw lsof man-db man-pages man-pages-posix mlocate - moreutils nss-certs nss-mdns python rsync strace wireguard-tools - %base-packages)) - -(define-public %british-keyboard - (keyboard-layout - "gb" #:options '("caps:swapescape" - "parens:swap_brackets" - "terminate:ctrl_alt_bksp" - "compose:rctrl" - "keypad:oss" - "kpdl:kposs"))) - -(define-public %sudoers-file - (plain-file "sudoers" - (string-append - (plain-file-content %sudoers-specification) - ;; Let the "guixdeploy" user do anything as root, without a - ;; password required. "guix deploy" needs this, so that it can - ;; reconfigure the system without logging in as root. - ;; See: '(guix)Invoking guix deploy' info node. - "guixdeploy ALL = NOPASSWD: ALL\n"))) - -;; This is used for the servers, and also by (tw home common) to generate the -;; appropriate ~/.ssh/config. -(define-public %ssh-ports - '(("lud.twilken.net" . 22022) - ("vin.twilken.net" . 22022) - ("pi3.twilken.net" . 51022))) - -(define-public (server-base-services host-name) - (cons* - ;; SSH login, allowing access only for me. To give more public keys - ;; access, extend `openssh-service-type'. - (service openssh-service-type - (openssh-configuration - (port-number (assoc-ref %ssh-ports host-name)) - (password-authentication? 
#f) - (accepted-environment '("LANG" "LC_*")) - (authorized-keys - `(("timo" - ,(local-file "files/timo.pub") - ,(local-file "files/timo-phone-gpg.pub")))))) - - ;; Prometheus node exporter - (service prometheus-node-exporter-service-type - (prometheus-node-exporter-configuration - (web-listen-address - (string-replace-substring - (car ; get the IPv4 address - (wireguard-peer-allowed-ips - (assoc-ref %wireguard-peers host-name))) - "/32" ":9100")))) - - (simple-service 'disk-maintenance mcron-service-type - (list #~(job "0 2 * * *" "guix gc -d 2w") - #~(job "0 4 * * *" ; after guix gc - (string-append #$(file-append util-linux "/sbin/fstrim") - " --fstab --verbose")))) - - ;; Network setup - (service dhcp-client-service-type) - (service ntp-service-type) - (wireguard-service host-name) - - ;; Delete the annoying message on SSH login. Beware when setting up a new - ;; host, as `allow-empty-passwords' will block login and sudo execution for - ;; all Guix-declared users (as these have no initial password). - (modify-services %base-services - (login-service-type - config => - (login-configuration - (inherit config) - (motd (plain-file "no-motd" "")) - (allow-empty-passwords? #f)))))) - -(define-public %server-base-user-accounts - (cons* (user-account - (name "timo") - (comment "Timo Wilken") - (group "users") - (home-directory "/home/timo") - (supplementary-groups '("wheel" "netdev" "audio" "video")) - (shell (file-append zsh "/bin/zsh"))) - (user-account ; needs a matching sudoers entry - (system? #t) - (name "guixdeploy") - (comment "Guix-deploy access") - (group "root") - (home-directory "/var/empty") - (create-home-directory? #f)) - %base-user-accounts)) - -(define %wireguard-peers - `(("lap.twilken.net" . - ,(wireguard-peer - (name "lap.wg") - (public-key "lap/DvCb8xXLUCqcaPEx8kCRcoeV4ScTMVZW5hvvNzA=") - (preshared-key "/etc/wireguard/lap.psk") - (allowed-ips '("10.0.0.1/32" "fc00::1/128")))) - ("lud.twilken.net" . 
- ,(wireguard-peer - (name "lud.wg") - (endpoint "lud.twilken.net:58921") - (public-key "lud/9sbXVdOYXxOkRgAB+b/17QxbwllfJY/pbA3/MkE=") - (preshared-key "/etc/wireguard/lud.psk") - (allowed-ips '("10.0.0.2/32" "fc00::2/128")))) - ("vin.twilken.net" . - ,(wireguard-peer - (name "vin.wg") - (endpoint "vin.twilken.net:58921") - (public-key "vin/Im+sOszZFE01UF1+QlyxLP1PsPXJgTz4KmgvL3Y=") - (preshared-key "/etc/wireguard/vin.psk") - (allowed-ips '("10.0.0.3/32" "fc00::3/128")))) - ("fp4.twilken.net" . - ,(wireguard-peer - (name "fp4.wg") - (public-key "fp4/aLAVBADTy+UGmNh011w1CFOOwq70Df6EWlZRkAs=") - (preshared-key "/etc/wireguard/fp4.psk") - (allowed-ips '("10.0.0.4/32" "fc00::4/128")))) - ("pi3.twilken.net" . - ,(wireguard-peer - (name "pi3.wg") - (endpoint "pi3.twilken.net:58922") - (public-key "pi3/ThUH4qDTuyvNQIiiyy2dbziF/xLRTwO0+vcUoVY=") - (preshared-key "/etc/wireguard/pi3.psk") - (allowed-ips '("10.0.0.5/32" "fc00::5/128")))))) - -(define-public %wireguard-etc-hosts - (let ((basic-hosts-file "\ -# This file was generated from your Guix configuration. -# Any changes will be lost upon reboot or reconfiguration. 
-127.0.0.1 localhost -255.255.255.255 broadcasthost -::1 localhost ip6-localhost ip6-loopback -fe00::0 ip6-localnet -ff00::0 ip6-mcastprefix -ff02::1 ip6-allnodes -ff02::2 ip6-allrouters -ff02::3 ip6-allhosts -")) - (plain-file - "hosts" - (fold (lambda (peer hosts-file) - (apply string-append hosts-file - (map (lambda (allowed-ip-cidr) - (format #f "~16a~a~%" - (car (string-split allowed-ip-cidr #\/)) - (wireguard-peer-name peer))) - (wireguard-peer-allowed-ips peer)))) - basic-hosts-file - (map cdr %wireguard-peers))))) - -(define-public (wireguard-service host-name) - (let ((own-peer (assoc-ref %wireguard-peers host-name))) - (service wireguard-service-type - (wireguard-configuration - (addresses - (map (lambda (cidr) - (let ((ipv4 (string-match "/32$" cidr)) - (ipv6 (string-match "/128$" cidr))) - (cond - (ipv4 (regexp-substitute #f ipv4 'pre "/24")) - (ipv6 (regexp-substitute #f ipv6 'pre "/64")) - (#t cidr)))) - (wireguard-peer-allowed-ips own-peer))) - (port - (let ((endpoint (wireguard-peer-endpoint own-peer))) - (if endpoint - (string->number (cadr (string-split endpoint #\:))) - 58921))) - (private-key "/etc/wireguard/private.key") - (peers (delq own-peer (map cdr %wireguard-peers))))))) diff --git a/tw/system/lap.scm b/tw/system/lap.scm index 29d59843..de879e9e 100644 --- a/tw/system/lap.scm +++ b/tw/system/lap.scm @@ -17,7 +17,7 @@ #:use-module (nongnu packages scanner) #:use-module (nongnu system linux-initrd) #:use-module (nonguix licenses) - #:use-module (tw system common)) + #:use-module (tw system)) (use-package-modules android certs cups disk docker file-systems gnome kerberos linux mtools pulseaudio search shells wm xorg) diff --git a/tw/system/lud.scm b/tw/system/lud.scm index 0e32305b..f4827f8a 100644 --- a/tw/system/lud.scm +++ b/tw/system/lud.scm 
@@ -5,7 +5,7 @@ #:use-module (gnu system nss) #:use-module (guix gexp) #:use-module (tw packages php) - #:use-module (tw system common)) + #:use-module (tw system)) (use-package-modules admin bash certs databases linux man php python rsync shells tor video) diff --git a/tw/system/vin.scm b/tw/system/vin.scm index b6275b5a..3a5a6b62 100644 --- a/tw/system/vin.scm +++ b/tw/system/vin.scm @@ -4,7 +4,7 @@ #:use-module (gnu system locale) #:use-module (gnu system nss) #:use-module (guix gexp) - #:use-module (tw system common)) + #:use-module (tw system)) ;; The device's BIOS does not support UEFI, sadly. It also doesn't recognise ;; NVME devices, so we can only use SATA hard disks, not the M.2 SSD. -- cgit v1.2.3