(define-module (tw system vin)
  #:use-module (gnu)
  #:use-module (gnu bootloader grub)
  #:use-module (gnu system locale)
  #:use-module (gnu system nss)
  #:use-module (guix gexp)
  #:use-module (tw system common))

(use-package-modules admin bash certs databases linux man rsync shells video)
(use-service-modules mcron monitoring networking pm ssh vpn)

;; The device's BIOS does not support UEFI, sadly.  It also doesn't recognise
;; NVME devices, so we can only use SATA hard disks, not the M.2 SSD.
;; /dev/sda1 is the https://en.wikipedia.org/wiki/BIOS_boot_partition for grub.

;; Whole disk that carries the BIOS boot partition GRUB is installed to.
;; Named by its stable /dev/disk/by-id (WWN) path rather than a /dev/sdX
;; name; it is usually /dev/sda.
(define grub-boot-disk "/dev/disk/by-id/wwn-0x5000cca39dd469de")

;; Root file system, usually /dev/sda2 (500 GB), identified by btrfs UUID.
(define guixsd-root-partition
  (uuid "86970883-b074-4673-a993-193287432352" 'btrfs))

;; Backups file system, usually /dev/sdb1 (1000 GB), identified by btrfs UUID.
(define backups-partition
  (uuid "383ee9c7-b17e-43c9-9c39-447d63e22b94" 'btrfs))

;; "vin" is a legacy-BIOS machine with two SATA btrfs disks: the 500 GB
;; root disk (which also carries GRUB's BIOS boot partition) and a 1000 GB
;; backups disk mounted at /var/backups.  It accepts SSH on port 22022
;; with public keys only, joins the WireGuard network as peer 'vin, and
;; serves Prometheus node metrics on 10.0.0.3:9100.
(define-public %vin-system
  (operating-system
    ;; Identity and localisation.
    (host-name "vin.twilken.net")
    (timezone "Europe/Paris")
    (locale "en_GB.utf8")
    (locale-definitions
     (list (locale-definition (name "en_GB.utf8") (source "en_GB"))
           (locale-definition (name "de_DE.utf8") (source "de_DE"))
           (locale-definition (name "fr_FR.utf8") (source "fr_FR"))
           (locale-definition (name "en_US.utf8") (source "en_US"))))
    ;; UK English layout, used for the console and for GRUB (see below).
    (keyboard-layout %british-keyboard)

    ;; Legacy BIOS boot: GRUB's core image goes into the BIOS boot
    ;; partition on GRUB-BOOT-DISK; there is no EFI system partition.
    (bootloader
     (bootloader-configuration
      (bootloader grub-bootloader)
      (targets (list grub-boot-disk))
      (keyboard-layout keyboard-layout)))

    ;; Both disks are btrfs with zstd compression and no atime updates.
    ;; The partition UUIDs can be checked with 'blkid'.
    (file-systems
     (append
      (list (file-system               ; the smaller (500 GB) disk
             (mount-point "/")
             (device guixsd-root-partition)
             (type "btrfs")
             (flags '(no-atime))
             (options (alist->file-system-options
                       '(("compress" . "zstd")))))
            (file-system               ; the bigger (1000 GB) disk
             (mount-point "/var/backups")
             (create-mount-point? #t)
             (device backups-partition)
             (type "btrfs")
             (flags '(no-atime))
             (options (alist->file-system-options
                       '(("compress" . "zstd"))))))
      %base-file-systems))

    ;; Host-name resolution: the shared hosts file from (tw system common)
    ;; (presumably the WireGuard peers), plus mDNS for '.local' names.
    (hosts-file %wireguard-etc-hosts)
    (name-service-switch %mdns-host-lookup-nss)

    ;; Accounts.  'root' is implicit; "timo" is the only explicit user and
    ;; is in "wheel", so it can administer the machine.
    (users
     (cons (user-account
            (name "timo")
            (comment "Timo Wilken")
            (group "users")
            (home-directory "/home/timo")
            (supplementary-groups '("wheel" "netdev" "audio" "video"))
            (shell (file-append zsh "/bin/zsh")))
           %base-user-accounts))

    ;; System-wide packages; btrfs-progs and rsync are here with eventual
    ;; backup scripts in mind.  Users install anything else into their own
    ;; profile ('guix search KEYWORD' / 'guix install PACKAGE').
    (packages
     (cons* btrfs-progs rsync
            (append %common-system-packages %base-packages)))

    ;; Services ('guix system search KEYWORD' lists what is available).
    ;; The base services are kept, except that login shows no message of
    ;; the day and refuses empty passwords.
    (services
     (cons*
      ;; SSH on a non-default port, public keys only (no passwords).  The
      ;; key in files/timo.pub is provisioned for "timo".  LANG/LC_* are
      ;; accepted from the client so the session locale follows it.
      (service openssh-service-type
        (openssh-configuration
         (port-number 22022)
         (password-authentication? #f)
         (accepted-environment '("LANG" "LC_*"))
         (authorized-keys
          `(("timo" ,(local-file "files/timo.pub"))))))

      (service dhcp-client-service-type)
      (service ntp-service-type)

      ;; Nightly housekeeping: at 21:00 delete generations older than two
      ;; weeks and collect garbage until 25G is free; at 22:00, once the
      ;; store has shrunk, TRIM every file system listed in fstab.
      (simple-service 'cronjobs mcron-service-type
        (list #~(job "0 21 * * *" "guix gc -d 2w -F 25G")
              #~(job "0 22 * * *"
                     (string-append #$(file-append util-linux "/sbin/fstrim")
                                    " --fstab --verbose"))))

      ;; Node metrics for Prometheus.  NOTE(review): 10.0.0.3 is presumably
      ;; this host's WireGuard address, which would keep the exporter off
      ;; the LAN-facing interface; confirm against the 'vin peer definition.
      (service prometheus-node-exporter-service-type
        (prometheus-node-exporter-configuration
         (web-listen-address "10.0.0.3:9100")))

      (wireguard-service 'vin)

      (modify-services %base-services
        (login-service-type
         config =>
         (login-configuration
          (inherit config)
          (motd (plain-file "no-motd" ""))
          (allow-empty-passwords? #f))))))))

;; The file's value is the operating system itself, so this file can be
;; handed directly to 'guix system' (e.g. reconfigure) as the configuration.
%vin-system