diff --git a/modules/freya/system.scm b/modules/freya/system.scm
index 2867e7b..ff4acbf 100644
--- a/modules/freya/system.scm
+++ b/modules/freya/system.scm
@@ -38,6 +38,238 @@ #:use-module (freya packages networking)
 #:use-module (freya packages virtualization))
+
+(define-public %freya-user-accounts
+ (cons* (user-account
+ (name "freya")
+ (comment "Freya Murphy")
+ (group "users")
+ (home-directory "/home/freya")
+ (shell (file-append zsh "/bin/zsh"))
+ (supplementary-groups '("wheel"
+ "audio"
+ "lp"
+ "docker"
+ "plugdev"
+ "libvirt"
+ "kvm"
+ "netdev"
+ "video"
+ "tty")))
+ %base-user-accounts))
+
+
+(define-public %freya-base-packages
+ (append
+
+ ;; append guix and nonguix base packages
+ (specifications->packages (list ; video audio
+ "mesa"
+ "mesa-utils"
+
+ ; firmware
+ "sof-firmware"
+ "amd-microcode"
+ "v4l2loopback-linux-module"
+
+ ; terrminal
+ "alsa-utils"
+ "vim"
+ "neovim"
+
+ ; basic utils
+ "curl"
+ "htop"
+ "git"
+ "zsh"
+ "opendoas"
+ "linux-pam"
+ "bind:utils"
+ "unzip"
+ "p7zip"
+ "acpi"
+ "tree"
+ "rlwrap"
+ "netcat"
+ "ripgrep"
+ "ncurses"
+ "jq"
+ "openssl"))
+
+ ;; append certs
+ (list freya-ca-certs)
+
+ ;; append guix base packages
+ %base-packages))
+
+
+(define-public %freya-packages
+ (append
+
+ ;; append guix and nonguix packages
+ (specifications->packages (list ; gtk
+ "wxwidgets"
+ "gtk+"
+ "dconf"
+ "gnome-themes-extra"
+ "adwaita-icon-theme"
+ "hicolor-icon-theme"
+
+ ; wayland x11
+ "wl-clipboard"
+ "libx11"
+ "xorg-server-xwayland"
+ "xf86-video-qxl"
+
+ ; video audio
+ "glu"
+ "libglvnd"
+ "vulkan-loader"
+ "vulkan-validationlayers"
+ "vulkan-tools"
+ "vulkan-headers"
+ "spirv-tools"
+ "spirv-headers"
+ "sdl2"
+ "openal"
+ "freealut"
+
+ ; xdg
+ "xdg-utils"
+ "xdg-desktop-portal"
+
+ ; system daemons
+ "docker"
+ "containerd"
+ "avahi"
+ "gnupg"
+ "light"
+ "brightnessctl"
+ "wireguard-tools"
+ "libpcap"
+
+ ; fonts
+ "font-fira-mono"
+ "font-google-noto-sans-cjk"
+ "font-jetbrains-mono"
+ "font-dejavu"
+
+ ; misc
+ "qemu"))
+
+ ;; append custom packages
+ (list ; qt
+ qt5-styleplugins
+ qt6gtk2
+
+ ; bluetooth
+ bluez-new
+
+ ; pactl
+ pulseaudio-new
+
+ ; system
+ virt-manager-ovmf)
+
+ ;; append freya base backages
+ %freya-base-packages))
+
+
+(define-public %freya-base-services
+ (append
+
+ (list ; pam
+ (service pam-limits-service-type)
+ ; openssh
+ (service openssh-service-type))
+
+ ; base guix desktop services
+ (modify-services %desktop-services
+ (guix-service-type config =>
+ (guix-configuration
+ (inherit config)
+ (substitute-urls
+ (append (list "https://substitutes.nonguix.org")
+ %default-substitute-urls))
+ (authorized-keys
+ (append (list (local-file "../../certs/non-guix.pub"))
+ %default-authorized-guix-keys))))
+ (udev-service-type config =>
+ (udev-configuration
+ (inherit config)))
+ (delete pulseaudio-service-type)
+ (delete gdm-service-type)
+ (delete avahi-service-type)
+ (delete alsa-service-type)
+ (delete screen-locker-service-type))))
+
+
+(define-public %freya-services
+ (append
+ %freya-base-services
+ (list ; nix
+ (service nix-service-type)
+
+ ; wirerguard
+ (simple-service 'wireguard-module
+ kernel-module-loader-service-type
+ '("wireguard"))
+
+ ; printing
+ (service cups-service-type
+ (cups-configuration
+ (web-interface? #t)))
+ (service avahi-service-type
+ (avahi-configuration
+ (publish? #f)
+ (publish-workstation? #f)))
+
+ ; docker
+ (service docker-service-type)
+ (service containerd-service-type)
+
+ ; libvirt
+ (service libvirt-service-type
+ (libvirt-configuration
+ (libvirt libvirt-ovmf)
+ (unix-sock-group "libvirt")
+ (tls-port "16555")))
+ (service virtlog-service-type)
+ (service spice-vdagent-service-type)
+
+ ; audio
+ (service bluetooth-service-type
+ (bluetooth-configuration
+ (bluez bluez-new)
+ (experimental #t)
+ (fast-connectable? #t)))
+
+ ; yubikey
+ (service pcscd-service-type)
+ (udev-rules-service 'fido2 libfido2 #:groups '("plugdev")))))
+
+
+(define-public %freya-setuid-programs
+ (append (list ; doas
+ (file-like->setuid-program
+ (file-append
+ (specification->package "opendoas")
+ "/bin/doas")))
+ ; base setuid programs
+ %setuid-programs))
+
+
+(define-public %freya-file-systems
+ (cons*
+ ; /tmp
+ (file-system
+ (mount-point "/tmp")
+ (device "none")
+ (type "tmpfs")
+ (check? #f))
+ %base-file-systems))
+
 (define-public base-operating-system
 (operating-system
 (kernel linux-6.11)
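Review bot: `%freya-setuid-programs` appends the doas entry to `%setuid-programs` as-is, so every stock entry, sudo included, stays setuid next to doas, while the inline definition removed in the next hunk at least attempted `(delete sudo %setuid-programs)` (and also listed swaylock). If keeping sudo is deliberate (installer.scm's comment refers to sudo), record it with `; base setuid programs (sudo kept on purpose: the installer image uses it)`; if not, filter `%setuid-programs` by `setuid-program-program`, because with the `setuid-program` records this file already builds via `file-like->setuid-program`, deleting a bare package from the list is presumably a no-op. `%freya-file-systems` mounts `/tmp` as tmpfs with no `options`, so `(options "nosuid,nodev")` on that `file-system` would be cheap hardening worth considering. The `udev-service-type` clause in `%freya-base-services` only re-wraps `config` with `(inherit config)` and can be dropped. The comments "terrminal", "wirerguard" and "backages" have typos.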
@@ -48,196 +280,12 @@ (timezone "America/New_York")
 (keyboard-layout (keyboard-layout "us"))
 (host-name "ThisWillChange")
-
- (users (cons* (user-account
- (name "freya")
- (comment "Freya Murphy")
- (group "users")
- (home-directory "/home/freya")
- (shell (file-append zsh "/bin/zsh"))
- (supplementary-groups '("wheel"
- "audio"
- "lp"
- "docker"
- "plugdev"
- "libvirt"
- "kvm"
- "netdev"
- "video"
- "tty")))
- %base-user-accounts))
-
- (packages (append (specifications->packages (list ; gtk
- "wxwidgets"
- "gtk+"
- "dconf"
- "gnome-themes-extra"
- "adwaita-icon-theme"
- "hicolor-icon-theme"
-
- ; wayland x11
- "wl-clipboard"
- "libx11"
- "xorg-server-xwayland"
- "xf86-video-qxl"
-
- ; video audio
- "mesa"
- "mesa-utils"
- "glu"
- "libglvnd"
- "vulkan-loader"
- "vulkan-validationlayers"
- "vulkan-tools"
- "vulkan-headers"
- "spirv-tools"
- "spirv-headers"
- "sdl2"
- "openal"
- "freealut"
-
- ; xdg
- "xdg-utils"
- "xdg-desktop-portal"
-
- ; firmware
- "sof-firmware"
- "amd-microcode"
- "v4l2loopback-linux-module"
-
- ; needed programs
- "qemu"
- "alsa-utils"
- "neovim"
-
- ; basic utils
- "curl"
- "htop"
- "git"
- "zsh"
- "opendoas"
- "linux-pam"
- "bind:utils"
- "unzip"
- "p7zip"
- "acpi"
- "tree"
- "rlwrap"
- "netcat"
- "ripgrep"
- "ncurses"
- "jq"
- "openssl"
-
- ; system daemons
- "docker"
- "containerd"
- "avahi"
- "gnupg"
- "light"
- "brightnessctl"
- "wireguard-tools"
- "libpcap"
-
- ; fonts
- "font-fira-mono"
- "font-google-noto-sans-cjk"
- "font-jetbrains-mono"
- "font-dejavu"))
- (list ; qt
- qt5-styleplugins
- qt6gtk2
-
- ; bluetooth
- bluez-new
-
- ; pactl
- pulseaudio-new
-
- ; system
- virt-manager-ovmf
- freya-ca-certs)
- %base-packages))
-
- (services
- (append (list
- ; system
- (service nix-service-type)
- (service pam-limits-service-type)
- (service openssh-service-type)
- ; networking
- (simple-service 'wireguard-module
- kernel-module-loader-service-type
- '("wireguard"))
- ; printing
- (service cups-service-type
- (cups-configuration
- (web-interface? #t)))
- (service avahi-service-type
- (avahi-configuration
- (publish? #f)
- (publish-workstation? #f)))
- ; docker
- (service docker-service-type)
- (service containerd-service-type)
- ; vms
- (service libvirt-service-type
- (libvirt-configuration
- (libvirt libvirt-ovmf)
- (unix-sock-group "libvirt")
- (tls-port "16555")))
- (service virtlog-service-type)
- (service spice-vdagent-service-type)
- ; audio
- (service bluetooth-service-type
- (bluetooth-configuration
- (bluez bluez-new)
- (experimental #t)
- (fast-connectable? #t)))
- ; yubikey
- (service pcscd-service-type)
- (udev-rules-service 'fido2 libfido2 #:groups '("plugdev")))
-
- (modify-services %desktop-services
- (guix-service-type config =>
- (guix-configuration
- (inherit config)
- (substitute-urls
- (append (list "https://substitutes.nonguix.org")
- %default-substitute-urls))
- (authorized-keys
- (append (list (local-file "../../certs/non-guix.pub"))
- %default-authorized-guix-keys))))
- (udev-service-type config =>
- (udev-configuration
- (inherit config)))
- (delete pulseaudio-service-type)
- (delete gdm-service-type)
- (delete avahi-service-type)
- (delete alsa-service-type)
- (delete screen-locker-service-type))))
-
+ (users %freya-user-accounts)
+ (packages %freya-packages)
+ (services %freya-services)
 (name-service-switch %mdns-host-lookup-nss)
-
- (setuid-programs
- (append (list (file-like->setuid-program
- (file-append
- swaylock-effects-new
- "/bin/swaylock"))
- (file-like->setuid-program
- (file-append
- (specification->package "opendoas")
- "/bin/doas")))
- (delete sudo %setuid-programs)))
-
- (file-systems (cons*
- (file-system
- (mount-point "/tmp")
- (device "none")
- (type "tmpfs")
- (check? #f))
- %base-file-systems))
-
+ (setuid-programs %freya-setuid-programs)
+ (file-systems %freya-file-systems)
 (bootloader (bootloader-configuration
 (bootloader uefi-uki-bootloader)
 (targets (list "/boot/efi"))
diff --git a/systems/installer.scm b/systems/installer.scm
new file mode 100644
index 0000000..0fa161c
--- /dev/null
+++ b/systems/installer.scm
@@ -0,0 +1,111 @@
+; base system for creating installer images
+
+(use-modules (freya system)
+ (gnu packages disk)
+ (gnu packages linux)
+ (gnu packages cryptsetup)
+ (gnu packages file-systems)
+ (gnu services shepherd)
+ (guix modules)
+ (gnu))
+
+; copy over installer disk utilites
+
+(define %installer-disk-utilities
+ (list parted gptfdisk ddrescue
+ lvm2-static
+ cryptsetup mdadm
+ dosfstools
+ btrfs-progs
+ e2fsprogs
+ f2fs-tools
+ jfsutils
+ xfsprogs))
+
+; copy over cow store
+
+(define %backing-directory
+ ;; Sub-directory used as the backing store for copy-on-write.
+ "/tmp/guix-inst")
+
+(define cow-store-service-type
+ (shepherd-service-type
+ 'cow-store
+ (lambda _
+ (define (import-module? module)
+ ;; Since we don't use deduplication support in 'populate-store', don't
+ ;; import (guix store deduplication) and its dependencies, which
+ ;; includes Guile-Gcrypt.
+ (and (guix-module-name? module)
+ (not (equal? module '(guix store deduplication)))))
+
+ (shepherd-service
+ (requirement '(root-file-system user-processes))
+ (provision '(cow-store))
+ (documentation
+ "Make the store copy-on-write, with writes going to \
+the given target.")
+
+ ;; This is meant to be explicitly started by the user.
+ (auto-start? #f)
+
+ (modules `((gnu build install)
+ ,@%default-modules))
+ (start
+ (with-imported-modules (source-module-closure
+ '((gnu build install))
+ #:select? import-module?)
+ #~(case-lambda
+ ((target)
+ (mount-cow-store target #$%backing-directory)
+ target)
+ (else
+ ;; Do nothing, and mark the service as stopped.
+ #f))))
+ (stop #~(lambda (target)
+ ;; Delete the temporary directory, but leave everything
+ ;; mounted as there may still be processes using it since
+ ;; 'user-processes' doesn't depend on us. The 'user-file-systems'
+ ;; service will unmount TARGET eventually.
+ (delete-file-recursively
+ (string-append target #$%backing-directory))))))
+ (description "Make the store copy-on-write, with writes going to \
+the given target.")))
+
+(define (cow-store-service)
+ "Return a service that makes the store copy-on-write, such that writes go to
+the user's target storage device rather than on the RAM disk."
+ ;; See for the initial report.
+ (service cow-store-service-type 'mooooh!))
+
+; installer system
+
+(operating-system
+ (inherit base-operating-system)
+ (host-name "installer")
+
+ (file-systems
+ (append %base-live-file-systems
+ %base-file-systems))
+
+ (users (list (user-account
+ (name "root")
+ (group "root")
+ (supplementary-groups '("wheel")) ; allow use of sudo
+ (password "")
+ (comment "root"))))
+
+ (pam-services
+ ;; Explicitly allow for empty passwords.
+ (base-pam-services #:allow-empty-passwords? #t))
+
+ (packages (append %installer-disk-utilities
+ %freya-base-packages))
+
+ (services (append %freya-base-services
+ (list (cow-store-service))))
+
+ (bootloader (bootloader-configuration
+ (bootloader grub-bootloader)
+ (targets '("/dev/sda")))))
+
diff --git a/systems/kaworu.scm b/systems/kaworu.scm
index 254d09b..f254f6f 100644
--- a/systems/kaworu.scm
+++ b/systems/kaworu.scm
@@ -6,13 +6,13 @@ (host-name "kaworu")
 (mapped-devices (list (mapped-device
- (source (uuid
- "89257280-202b-4565-b832-89f160d5e4e2"))
+ (source (uuid
+ "89257280-202b-4565-b832-89f160d5e4e2"))
 (target "cryptroot")
 (type luks-device-mapping))))
 (file-systems (cons* (file-system
- (mount-point "/")
+ (mount-point "/")
 (device "/dev/mapper/cryptroot")
 (type "btrfs")
 (dependencies mapped-devices))
@@ -20,4 +20,5 @@ (mount-point "/boot/efi")
 (device (uuid "099A-D668" 'fat32))
- (type "vfat")) %base-file-systems)))
+ (type "vfat"))
+ %freya-file-systems)))
diff --git a/systems/shinji.scm b/systems/shinji.scm
index 0b8378b..d5333fd 100644
--- a/systems/shinji.scm
+++ b/systems/shinji.scm
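Review bot: The installer's root account is created with `(password "")`, PAM is given `#:allow-empty-passwords? #t`, and the `services` field inherits `%freya-base-services`, which carries `(service openssh-service-type)` with its default configuration, so the live image also starts sshd; Guix's defaults presumably keep `permit-root-login` and `allow-empty-passwords?` off, but an image that boots with a passwordless root should not depend on that implicitly. Unless remote installs are intended, keep sshd out of the image with `(services (append (modify-services %freya-base-services (delete openssh-service-type)) (list (cow-store-service))))`, or else pin `(allow-empty-passwords? #f)` and `(permit-root-login #f)` in an explicit `openssh-configuration` shared by both systems. The `;; See for the initial report.` comment above the `cow-store-service-type` call has lost its reference, so either restore the link or delete the line. The comment on `%installer-disk-utilities` misspells "utilities".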
@@ -2,28 +2,23 @@ (gnu))
 (operating-system
- (inherit base-operating-system)
- (host-name "shinji")
+ (inherit base-operating-system)
+ (host-name "shinji")
- (kernel-arguments (append (list "intel_iommu=on")
- %default-kernel-arguments))
+ (mapped-devices (list (mapped-device
+ (source (uuid
+ "5c5dcb22-62b1-41af-9116-b8fdfba83ca2"))
+ (target "cryptroot")
+ (type luks-device-mapping))))
- (initrd-modules (cons* "vfio_pci" "vfio" "vfio_iommu_type1"
- %base-initrd-modules))
-
- (mapped-devices (list (mapped-device
- (source (uuid
- "5c5dcb22-62b1-41af-9116-b8fdfba83ca2"))
- (target "cryptroot")
- (type luks-device-mapping))))
-
- (file-systems (cons* (file-system
- (mount-point "/")
- (device "/dev/mapper/cryptroot")
- (type "btrfs")
- (dependencies mapped-devices))
- (file-system
- (mount-point "/boot/efi")
- (device (uuid "AD5A-4DF3"
- 'fat32))
- (type "vfat")) %base-file-systems)))
+ (file-systems (cons* (file-system
+ (mount-point "/")
+ (device "/dev/mapper/cryptroot")
+ (type "btrfs")
+ (dependencies mapped-devices))
+ (file-system
+ (mount-point "/boot/efi")
+ (device (uuid "AD5A-4DF3"
+ 'fat32))
+ (type "vfat"))
+ %freya-file-systems)))