- ;; Copyright © 2021 Joshua Branson <jbranso@dismail.de>
- ;; This is an operating system configuration template
- ;; for a "basic desktop" setup using the sway window manager
- ;;
- ;;
- ;; I am trying to make my computer a LIFE computer.
- ;; This means that it would NOT run any graphical program.
- ;;
- ;; gnucode │ hey guix!
- ;; gnucode │ I'm wanting to try to run guix from a console for a while...Essentially I would just start emacs after I login.
- ;; gnucode │ But I think I would be tempted to give up this experiment after a few days...Is there someway that I could give a friend my "sudo" password and force myself to only use the console for a while? ie: make it impossible for me on "Guix System" to run X or wayland?
- ;; guixy │ gnucode: If it's a guix system, use the base services.
- ;; guixy │ Don't include any desktop services
- ;; gnucode │ guixy: thanks! That's a great way to do it!
- ;; guixy │ gnucode: I've been trying to get startx to work from that setup for a while now. I probably would have had more success if I understood x a little better.
- ;; guixy │ gnucode: But if you can get a user-run startx to work let me know :)
- ;; gnucode │ guixy: I would reccomend just running sway with %desktop-services.
- ;; gnucode │ guixy: I know it is possible to use %base-services and get a user-run startx. BUT I think you have to define various programs to be setuid, which %desktop-services does for you.
- ;; guixy │ s/package-location/source-location
- ;; guixy │ gnucode: Then you'd be good as long as those programs aren't setuid.
- ;; guixy │ And you can control setuid in config.scm
- ;; gnucode │ guixy: I'm actually tempted to make my laptop NOT have a sound server...I'm going really old school. :)
- ;; gnucode │ BUT thanks for mentioning that I can just make various programs NOT setuid. I hadn't thought of that.
- (add-to-load-path (dirname (current-filename)))
- (use-modules
- (gnu)
- (guix)
- ;;(guile-web)
- (srfi srfi-1)
- ;;(secret nginx)
- ;;(secret hostfile)
- ;; (sway-service)
- ;;(endlessh-service)
- ;;(services myvpn)
- ;;(opensmtpd-records)
- ((gnu services mail)
- #:hide (opensmtpd-configuration
- opensmtpd-configuration?
- opensmtpd-service-type
- %default-opensmtpd-config-file)))
- (use-service-modules
- admin
- avahi
- base
- databases
- desktop
- dict
- linux
- ;;mail
- mcron
- networking
- sound
- ssh
- sysctl
- xorg
- vpn
- virtualization
- web)
- (use-package-modules base databases perl geo idutils ;;gnome
- package-management
- )
- (define mbsync-every-5-minutes
- ;; Every 5 minutes
- ;; The job's action is a shell command.
- #~(job "*/5 * * * *" ;Vixie cron syntax
- "mbsync -c /home/joshua/.mbsyncrc -a"
- #:user "joshua"))
- (define %15-minutes (* 15 60))
- ;;I do not use zile. So no need to have it.
- (define %my-base-packages
- (remove (lambda (package)
- (member (package-name package)
- (list "zile")))
- (cons* postgresql %base-packages)))
- (define (auto-login-to-tty config tty user)
- (if (string=? tty (mingetty-configuration-tty config))
- (mingetty-configuration
- (inherit config)
- (auto-login user))
- config))
- (define %current-directory "/home/joshua/prog/gnu/guix/guix-config/")
- ;; allegedly %desktop-services now contains network-manager-applet...? Can I remove that?
- (define %my-desktop-services
- (modify-services %desktop-services
- (delete bluetooth-service)
- ;;elogind-service
- (delete gdm-service-type)
- (delete geoclue-service)
- ;; I customize my pulseaudio-service down below,
- ;; so I need to remove it here.
- ;;
- ;; I would prefer to instead of copying the file, just modify the default script
- ;; certainly guile can take the default script, change a line, and pass back
- ;; the modified file.
- ;;
- ;; This bit of code lets me change the input and out speakers and microphones for my laptop
- ;; so that I can use the nice headset that I have.
- ;;(service pulseaudio-service-type
- ;; (pulseaudio-configuration
- ;; (script-file
- ;; (local-file
- ;; (string-append %current-directory "/pulse/default.pa")))))
- (pulseaudio-service-type config =>
- (pulseaudio-configuration
- (inherit config)
- (script-file
- (local-file
- (string-append %current-directory "/pulse/default.pa")))))
- ;;(delete network-manager-service-type)
- (mingetty-service-type config =>
- (auto-login-to-tty config "tty2" "joshua"))
- (guix-service-type config =>
- (guix-configuration
- (inherit config)
- (max-silent-time %15-minutes)
- ;; TODO would this work? it would be like adding --fallback by default.
- ;; (fallback #t)
- ;;(timeout %15-minutes)
- ;; ok specifying the --fallback breaks the daemon. weird.
- ;; (extra-options '("--fallback"))
- ;; I have two CPUs...
- (discover? #t)
- (extra-options '("--max-jobs=2"))
- ))
- ;; (network-manager-service-type config =>
- ;; (network-manager-configuration
- ;; (inherit config)
- ;; ;;(dns "none") ;;DO NOT update resolve.conf
- ;; ;;(vpn-plugins (list network-manager-openvpn))
- ;; ))
- ;; ;; <dstolfa> jab`: you can also check `sysctl kernel.unprivileged_bpf_disabled`,
- ;; ;; if that returns 1, that means it only works with root
- (sysctl-service-type config =>
- (sysctl-configuration
- (settings (append '(
- ("vm.swappiness" . "30")
- ;;disable ipv6
- ("net.ipv6.conf.all.disable_ipv6" . "1")
- ("net.ipv6.conf.all.disable_policy" . "1")
- ("net.ipv6.conf.default.disable_ipv6" . "1")
- ("net.ipv6.conf.default.disable_policy" . "1")
- ("net.ipv6.conf.enp0s10.disable_ipv6" . "1")
- ("net.ipv6.conf.enp0s10.disable_policy" . "1")
- ("net.ipv6.conf.lo.disable_ipv6" . "1")
- ("net.ipv6.conf.lo.disable_policy" . "1")
- ;; disable ebpf in kernel virtual machine
- ("sysctl kernel.unprivileged_bpf_disabled" . "1")
- )
- %default-sysctl-settings))))
- ))
- (operating-system
- (host-name "winky")
- ;;(hosts-file (local-file (string-append %current-directory "my-hosts-file")))
- ;;(host-file (text-file* "hosts" "::1 localhost dobby\n"))
- ;;(host-file (text-file "hosts" "::1 localhost dobby\n"))
- (hosts-file
- (plain-file "hosts"
- (string-append
- "127.0.0.1 localhost dobby\n"
- "127.0.0.1 localhost dobby\n"
- "127.0.0.1 www.norm.com norm.com norm\n"
- "127.0.0.1 www.test.com test.com test\n"
- "127.0.0.1 guile.web.server.com guile.web.com www.date.com date.com\n"
- "127.0.0.1 local.gnucode.me\n"
- ;; this is my guix linode server
- "45.56.66.20 locke-lamora lamora locke\n"
- "46.23.94.164 sam\n" ;; my openBSD.amsterdam vm
- "127.0.0.1 local.propernaming.org"
- ;;%other-hosts-file-lines
- "::1 localhost dobby"
- )))
- (timezone "America/Indiana/Indianapolis")
- (locale "en_US.utf8")
- ;;(initrd-modules (list "e1000e" "i915" %base-initrd-modules))
- ;; when I reboot, does cat /proc/cmdline still show that I blacklisted:
- ;; modprobe.blacklist=usbmouse,usbkbd ?
- (kernel-arguments (append
- (list "modprobe.blacklist=pcspkr")
- %default-kernel-arguments))
- (keyboard-layout (keyboard-layout "us" "dvorak"
- #:model "thinkpad"
- #:options '("ctrl:swapcaps")))
- ;; Boot in "legacy" BIOS mode, assuming /dev/sdX is the
- ;; target hard disk, and "my-root" is the label of the target
- ;; root file system.
- (bootloader (bootloader-configuration
- (bootloader grub-bootloader)
- (keyboard-layout keyboard-layout)
- (targets (list "/dev/sda"))
- (menu-entries
- (list
- (menu-entry
- (label "Debian 10")
- (linux "/boot/vmlinuz-4.19.0-8-amd64")
- (linux-arguments '("root=/dev/sda3" "quiet"
- ;; [KNL,x86] Disable symmetric multithreading (SMT).
- ;; Force disable SMT, cannot be undone via the sysfs control file.
- ;; "nosmt=force"
- ;; this is not necessary for me because my processor doesn't support it.
- ;; cat /sys/devices/system/cpu/smt/control --> notsupported
- ;; https://serverfault.com/questions/235825/disable-hyperthreading-from-within-linux-no-access-to-bios
- ; "iomem=relaxed"
- ; the above is useful when I reflash retroboot. retroboot.org
- ))
- (initrd "/boot/initrd.img-4.19.0-8-amd64"))))))
- (file-systems
- (cons*
- (file-system
- (mount-point "/")
- (device
- (uuid "4bf80701-e54e-44eb-817f-b2f52f5af80e"
- 'ext4))
- (type "ext4"))
- ;;(file-system
- ;; (mount-point "/mnt/debian")
- ;; (device "/dev/sda3")
- ;; (type "ext4"))
- %base-file-systems))
- (users (cons* (user-account
- (name "joshua")
- (comment "Joshua Branson")
- (group "users")
- (home-directory "/home/joshua")
- (supplementary-groups
- '("audio" "kvm" "netdev" "video" "wheel"
- ;;"wireshark"
- )))
- ;; I was using this as an account to try to update the video of guix's front page.
- ;; (user-account
- ;; (name "hermione")
- ;; (comment "Hermione Granger")
- ;; (group "users")
- ;; (home-directory "/home/hermione")
- ;; (supplementary-groups
- ;; '("audio" "video")))
- ;;(user-group (name "wireshark"))
- %base-user-accounts))
- ;; (skeletons (cons*
- ;; `(".config/termite/config")
- ;; %default-skeletons))
- ;; Globally-installed packages.
- (packages (append (map specification->package
- '("sway" "nss-certs" ;;"nix"
- ))
- %my-base-packages
- ))
- ;; Add services to the baseline: a DHCP client and
- ;; an SSH server.
- (services
- (cons*
- (service dicod-service-type)
- ;; (service dhcp-client-service-type)
- ;; I could use getmail... service type... I do not believe that
- ;; the getmail service synchrozies between the maildir and remote service
- ;; (service getmail-service-type (getmail-configuration
- ;; (getmail-configuration-file (getmail-retriever-configuration
- ;; (server "jbranso@dismail.de") (username "jbranso@dismail.de")
- ;; ;; this is the SSL/TLS port STARTTLS Port is 143 (port 993)
- ;; (password "some password here") ;; This is what I should use
- ;; (password-command)) (getmail-destination-configuration (type
- ;; "Maildir") (path "/home/joshua/.mail/dismail.de/")))))
- ;; https://lists.gnu.org/archive/html/help-guix/2016-08/msg00061.html
- ;; https://help.ubuntu.com/community/Dovecot
- ;;https://help.ubuntu.com/community/DovecotLDAP
- (dovecot-service #:config
- (dovecot-configuration
- (mail-location "maildir:~/.mail/dismail.de:LAYOUT=fs")
- (listen '("127.0.0.1"))
- ;; this will change a login of "joshua" to a login of "joshua@dismail.de"
- ;;(auth-default-realm "dismail.de")
- ;; I do not need ssl support in a locally running dovecot. :)
- (ssl? "no")
- ;; I have find this useful if dovecot cannot find
- ;; my mail
- (mail-debug? #t)
- ;;currently the only way to login to dovecot is to use
- ;; joshua and my regular user password
- ;; joshua@dismail.de fails and
- ;; jbranso@dismial.de fails.
- (protocols
- (list (protocol-configuration
- (name "imap")
- (mail-max-userip-connections 1))))
- (services (list
- (service-configuration
- (kind "imap")
- (client-limit 1)))) ))
- ;; enable gpg
- ;;
- ;; GPG_TTY=$(tty)
- ;; export GPG_TTY
- ;; # start the gpg agent
- ;; gpgconf --kill gpg-agent # (just in case it’s already running)
- ;; eval $(gpg-agent --daemon) # start the gpg-agent
- ;; (service gpg-agent-service-type)
- ;; this is a service that will reclaim memory in memory tight situations
- (service earlyoom-service-type
- (earlyoom-configuration
- (prefer-regexp "icecat|chromium|firefox")))
- ;; (service gnome-desktop-service-type)
- ;; (service hurd-vm-service-type
- ;; (hurd-vm-configuration
- ;; ;; hopefully that is 50GB
- ;; ;;(disk-size (* 50000 (expt 2 20)))
- ;; (image "/home/joshua/prog/gnu/guix/hurd/vm/hurd-guix-created-50GB.img")
- ;; (memory-size 4868) ; 5GB
- ;; (options '())
- ;; ))
- ;; (service endlessh-service-type
- ;; (endlessh-configuration
- ;; (port-number 22)
- ;; (log-level 1)))
- (service mcron-service-type
- (mcron-configuration
- (jobs (list mbsync-every-5-minutes))))
- (service nftables-service-type
- (nftables-configuration
- (ruleset
- (local-file (string-append %current-directory "nftables.conf")))))
- (service nginx-service-type
- (nginx-configuration
- (server-blocks
- (list
- (nginx-server-configuration
- (server-name '("date.com"))
- (listen '("date.com"))
- (root "/home/joshua/prog/guile/decent-dating/")
- (locations
- (list
- (nginx-location-configuration
- (uri "/")
- (body '("proxy_pass http://date.com:8082;")))
- (nginx-location-configuration
- (uri "/css/")
- (body '("root /home/joshua/prog/guile/decent-dating/;")))
- (nginx-location-configuration
- (uri "/img/")
- (body '("root /home/joshua/prog/guile/decent-dating/;")))
- )))
- (nginx-server-configuration
- (server-name '("local.gnucode.me"))
- (listen '("local.gnucode.me"))
- (root "/home/joshua/prog/guile/gnucode.me/site/")
- (locations
- (list
- (nginx-location-configuration
- (uri "/form/")
- (body '("proxy_pass http://local.gnucode.me:8081;")))
- (nginx-location-configuration
- (uri "/form/css/")
- (body '("root /home/joshua/prog/guile/;")))
- )))
- ;; (nginx-server-configuration
- ;; (server-name '("local.propernaming.org"))
- ;; (listen '("local.propernaming.org"))
- ;; (root "/home/joshua/prog/guile/propernaming/site/")
- ;; (locations
- ;; (list
- ;; (nginx-location-configuration
- ;; (uri "/css/")
- ;; (body '("root /home/joshua/prog/guile/propernaming/site/;")))
- ;; )))
- ;;%nginx-servers
- ))))
- ;; (service postgresql-service-type
- ;; (postgresql-configuration
- ;; (postgresql postgresql-13)
- ;; ;; this is for zipcode things for my dating site
- ;; (extension-packages (list postgis))))
-
- ;; (let ([interface "wlp2s0"]
- ;; [receive-action (opensmtpd-action-local-delivery-configuration
- ;; (name "receive")
- ;; (method (opensmtpd-maildir-configuration
- ;; (pathname "/home/%{rcpt.user}/Maildir")
- ;; (junk #t)))
- ;; (virtual "vusers"))]
- ;; [smtp.gnucode.me (opensmtpd-pki
- ;; (domain "smtp.gnucode.me")
- ;; (cert "sway.scm")
- ;; (key "sway-service.scm"))])
- ;; (service opensmtpd-service-type
- ;; (opensmtpd-configuration
- ;; (mta-max-deferred 50)
- ;; (queue
- ;; (opensmtpd-queue-configuration
- ;; (compression #t)))
- ;; (smtp
- ;; (opensmtpd-smtp-configuration
- ;; (max-message-size "10M")))
- ;; (srs
- ;; (opensmtpd-srs-configuration
- ;; (ttl-delay "5d")))
- ;; (tables (list
- ;; (opensmtpd-table
- ;; (name "aliases")
- ;; (values
- ;; (list
- ;; (cons "webmaster" "root")
- ;; (cons "postmaster" "root")
- ;; (cons "abuse" "root"))))
- ;; (opensmtpd-table
- ;; (name "creds")
- ;; (values
- ;; (list
- ;; (cons "joshua"
- ;; "$6$Ec4m8FgKjT2F/03Y$k66ABdse9TzCX6qaALB3WBL9GC1rmAWJmaoSjFMpbhzat7DOpFqpnOwpbZ34wwsQYIK8RQlqwM1I/v6vsRq86."))))
- ;; (opensmtpd-table
- ;; (name "vdoms")
- ;; (values (list "gnucode.me"
- ;; "gnu-hurd.com")))
- ;; (opensmtpd-table
- ;; (name "vusers")
- ;; (values (list (cons "joshua@gnucode.me" "joshua")
- ;; (cons "jbranso@gnucode.me" "joshua")
- ;; (cons "postmaster@gnucode.me" "joshua"))))))
- ;; (listen-ons
- ;; (list
- ;; ;; this forum help suggests that I listen on 0.0.0.0 and NOT eth0
- ;; ;; https://serverfault.com/questions/726795/opensmtpd-wont-work-at-reboot
- ;; ;; this listens for email from the outside world
- ;; (opensmtpd-listen-on
- ;; (interface interface)
- ;; (port 25)
- ;; (secure-connection "tls")
- ;; (pki smtp.gnucode.me)
- ;; )
- ;; ;; this lets local users logged into the system via ssh send email
- ;; (opensmtpd-listen-on
- ;; (interface "lo")
- ;; (port 25)
- ;; (secure-connection "tls")
- ;; (pki smtp.gnucode.me))
- ;; (opensmtpd-listen-on
- ;; (interface interface)
- ;; (port 465)
- ;; (secure-connection "smtps")
- ;; (pki smtp.gnucode.me)
- ;; (auth "creds")
- ;; ;;(filter )
- ;; )
- ;; (opensmtpd-listen-on
- ;; (interface interface)
- ;; (port 587)
- ;; (secure-connection "tls-require")
- ;; (pki smtp.gnucode.me)
- ;; (auth "creds")
- ;; ;;(filter )
- ;; )))
- ;; (matches (list
- ;; (opensmtpd-match
- ;; (action (opensmtpd-relay-configuration
- ;; (name "send")))
- ;; (for "for any")
- ;; (from "from any")
- ;; (auth #t))
- ;; (opensmtpd-match
- ;; (action receive-action)
- ;; (from "from any")
- ;; (for "for domain <vdoms>"))
- ;; (opensmtpd-match
- ;; (action receive-action)
- ;; (for "for local"))))
- ;; ;; (filter-chains
- ;; ;; (list
- ;; ;; (opensmtpd-filter-chain
- ;; ;; (name "dropDumbEmails")
- ;; ;; (filter-names (list "nofcrdnsDisconnect"
- ;; ;; "nordnsDisconnect")))))
- ;; ;; (filter-phases
- ;; ;; (list (opensmtpd-filter-phase
- ;; ;; (name "nofcrdnsDisconnect")
- ;; ;; (phase-name "connect")
- ;; ;; (conditions (list "!fcrdns"))
- ;; ;; (decision "disconnect")
- ;; ;; (message "You have not set up forward confirmed DNS."))
- ;; ;; (opensmtpd-filter-phase
- ;; ;; (name "nordnsDisconnect")
- ;; ;; (phase-name "connect")
- ;; ;; (conditions (list "!rdns"))
- ;; ;; (decision "reject")
- ;; ;; (message "You have not set up reverse DNS."))))
- ;; )))
- ;; (service sway-service-type)
-
- ;;Ludo is adding rotlog service to %base-services. (service
- ;;rottlog-service-type)
- ;; make guix system autoupgrade itself once a week!
- ;; this is currently failing...see /var/log/unattended-upgrade.log
- (service unattended-upgrade-service-type
- (unattended-upgrade-configuration
- (schedule "30 01 * * 0")
- (system-expiration (* 3 30 24 3600))))
- (extra-special-file "/usr/bin/perl"
- (file-append perl "/bin/perl"))
- ;; currently does not work so not enabling it.
- ;; (service wireguard-service-type
- ;; (wireguard-configuration
- ;; (private-key "/home/joshua/prog/gnu/guix/guix-config/wireguard-keys/laptop.private.key")
- ;; (peers
- ;; (list
- ;; (wireguard-peer
- ;; (name "my client laptop")
- ;; (endpoint "wireguard.gnucode.me:51820")
- ;; (public-key "9zhoGW8DYr9zJHFbzBZUSBQHWlY6h/9HeoNzrC58dTc=")
- ;; (allowed-ips '("0.0.0.0/0")))))))
- ;; Fedora is including a zram device by default
- (service zram-device-service-type
- (zram-device-configuration
- (size "512M")))
-
- %my-desktop-services)))