radix/buer.scm

#|Modules|#
(use-modules
 #|GNU  |# (gnu) (gnu artwork) (gnu services) (gnu system nss)
 #|Guix |# (guix gexp) (guix packages) (guix records)
 #|Misc |# (ice-9 match)
 #|Radix|# (radix packages linux) (radix services linux) (radix system setuid)
           (radix utils) (radix config secrets))

(use-service-modules
 #|A|# admin
 #|C|# configuration
 #|D|# desktop
 #|L|# linux
 #|M|# mcron
 #|N|# networking
 #|S|# sound sysctl shepherd)

(use-package-modules
 #|A|# admin
 #|B|# base bash
 #|C|# certs compression curl
 #|F|# file
 #|G|# gawk glib guile guile-xyz
 #|L|# less linux
 #|M|# man maths
 #|P|# pulseaudio
 #|T|# texinfo text-editors tmux
 #|V|# vpn)

(define* (permit #:key (persist #f)
                       (keepenv #f)
                       (nopass #f)
                       (group "wheel")
                       (commands '("")))
  (format #f "~{~a~%~}"
    (map (lambda (command)
           (match (string-split command #\space)
             ((command . args)
              (format #f
                "permit ~:[~;persist ~]~
                        ~:[~;keepenv ~]~
                        ~:[~;nopass ~]:~a~:[ cmd ~a args~{ ~a~}~;~]"
                persist keepenv nopass group (string-null? command) command args))))
         commands)))

#|Mcron jobs|#
(define garbage-collector-job
  #~(job "5 0 * * *" "guix gc --optimize -F 5G"))

#|Kernel modules configuration|#
(define modprobe-thinkfan-config
  (plain-file "thinkfan.conf"
              "options thinkpad_acpi experimental=1 fan_control=1"))

#|etc files|#
(define thinkfan-config
  (plain-file "thinkfan.conf"
    (format #f "~@{~a~%~}"
      "fans:"
      "- tpacpi: /proc/acpi/ibm/fan"

      "sensors:"
      "  - hwmon: /sys/devices/platform/coretemp.0/hwmon"
      "    indices: [1,2,3]"

      "levels:"
      "  - [0,                       0,   35]"
      "  - [1,                      30,   40]"
      "  - [2,                      35,   45]"
      "  - [3,                      40,   50]"
      "  - [4,                      45,   55]"
      "  - [5,                      50,   60]"
      "  - [6,                      55,   65]"
      "  - [7,                      60,   70]"
      "  - [\"level full-speed\",   65,  260]")))

(define doas-config
  (plain-file "doas.conf"
    (format #f "~@{~a~%~}"
      "permit setenv { GUILE_LOAD_PATH } :wheel"
      (permit #:keepenv #t 
              #:commands '("kak" "emacsclient"))
      (permit #:nopass #t
              #:commands '("halt" "reboot" "guix pull" "herd status"))
      (permit #:nopass #t
              #:commands
              (flatmap (lambda (service-name action)
                         (format #f "herd ~a ~a" action service-name))
                      '("thinkfan" "wpa-supplicant")
                      '("doc" "stop" "start" "status" "restart"))))))

#|Operating system definition|#
(operating-system
 (host-name "buer")
 (timezone "America/Sao_Paulo")
 (locale "en_US.utf8")

 (keyboard-layout
  (keyboard-layout "us,br"
                   #:options '("grp:menu_switch"
                               "parens:swap_brackets"
                               "caps:swapescape")))

 (bootloader
  (bootloader-configuration
   (bootloader grub-bootloader)
    (targets '("/dev/sda"))
    (theme (grub-theme
            (image (file-append %artwork-repository
                                "/backgrounds/guix-silver-checkered-16-9.svg"))
            (resolution '(1280 . 720))
            (gfxmode '("1280x720x32"))))))

 (kernel linux-libre-6.4)
 (kernel-arguments '("modprobe.blacklist=usbmouse,usbkbd"
                     "thinkpad_acpi.fan_control=1"
                     "loglevel=5"
                     "quiet"))

 (file-systems
  (cons* (file-system
          (device (file-system-label "guix-root"))
          (mount-point "/")
          (type "ext4"))
         (file-system
          (device (file-system-label "HOME")) ;doas e2label /dev/sda5 home
          (mount-point "/home")
          (type "ext4"))
         %base-file-systems))

 (swap-devices
  (list (swap-space
         (target (file-system-label "swap")))))

 (users
  (cons (user-account
         (name "radio")
         (password %radio-password)
         (group "users")
         (supplementary-groups `("audio" "input" "video" "wheel")))
        %base-user-accounts))

 #|System level packages|#
 (packages
  (list #|admin       |# htop inetutils isc-dhcp opendoas shadow
        #|base        |# bash coreutils diffutils findutils grep patch sed tar
                         which
        #|certs       |# nss-certs
        #|compression |# bzip2 gzip lzip unzip xz
        #|curl        |# curl
        #|file        |# file
        #|gawk        |# gawk
        #|glib        |# dbus
        #|guile       |# guile-3.0-latest guile-colorized guile-irregex
                         guile-reader guile-readline
        #|less        |# less
        #|linux       |# acpi alsa-lib alsa-plugins alsa-utils e2fsprogs
                         eudev fuse inetutils inotify-tools iproute kbd kmod
                         lm-sensors procps psmisc thinkfan-next usbutils
                         util-linux
        #|man         |# man-db mandoc man-pages
        #|math        |# libqalculate
        #|pulseaudio  |# pulseaudio
        #|texinfo     |# info-reader
        #|text-editors|# kak-lsp kakoune
        #|tmux        |# tmux
        #|vpn         |# wireguard-tools))

 #|Do not generate a sudoers file|#
 (sudoers-file #f)

 #|Run some programs from each package with file owner privileges|#
 (setuid-programs
  (map-setuid-programs
   (shadow     '("passwd" "chfn" "sg" "su" "newgrp" "newuidmap" "newgidmap"))
   (inetutils  '("ping" "ping6"))
   (opendoas   '("doas"))
   (fuse       '("fusermount"))
   (util-linux '("mount" "umount"))))
 
 #|Allow resolution of '.local' host names with mDNS|#
 (name-service-switch %mdns-host-lookup-nss)

 #|System services|#
 (services
  (list #|TTY services|#
        (service virtual-terminal-service-type)
        (service console-font-service-type
                 (associate-right
                  (%default-console-font '("tty1" "tty2"))))
        (service agetty-service-type
                 (agetty-configuration
                  (extra-options '("-L"))
                  (term "vt100")
                  (tty #f)))
        (service mingetty-service-type
                 (mingetty-configuration (tty "tty1")))
        (service mingetty-service-type
                 (mingetty-configuration (tty "tty2")))

        #|Login services|#
        (service login-service-type)
        (service elogind-service-type)

        #|Log services|#
        (service rottlog-service-type)
        (service syslog-service-type
                 (syslog-configuration
                  (syslogd (file-append inetutils "/libexec/syslogd"))
                  (config-file %default-syslog.conf)))
        (service log-cleanup-service-type
                 (log-cleanup-configuration
                  (directory "/var/log/guix/drvs")
                  (expiry (* 3 30 24 3600))))

        #|Guix services|#
        (service guix-service-type
                 (guix-configuration
                  (build-accounts 16)
                  (extra-options '("--max-jobs=8" "--cores=4"))))

        #|Mcron service|#
        (simple-service 'mcron-jobs mcron-service-type
                        (list garbage-collector-job))

        #|Device management services|#
        (service udev-service-type
                 (udev-configuration
                  (udev eudev)
                  (rules (list lvm2 fuse alsa-utils crda))))

        #|Sound services|#
        (service alsa-service-type)

        #|Network services|#
        (service static-networking-service-type
                 (list (static-networking
                        (addresses
                         (list (network-address (device "lo")
                                                (value "127.0.0.1/8"))))
                        (provision '(loopback)))))
        (service wpa-supplicant-service-type
                 (wpa-supplicant-configuration
                  (config-file "/etc/wpa_supplicant.conf")
                  (interface "wlp2s0")
                  (extra-options '("-B"))))
        (service dhcp-client-service-type
                 (dhcp-client-configuration
                  (interfaces 'all)))

        #|Thinkfan services|#
        (simple-service 'thinkfan-config etc-service-type
        `(("modprobe.d/thinkfan.conf" ,modprobe-thinkfan-config)
          ("thinkfan.conf"            ,thinkfan-config)))
        (service thinkfan-service-type
                 (thinkfan-configuration
                  (config-file thinkfan-config)
                  (respawn? #f)))

        #|Doas config service|#
        (simple-service 'doas-config etc-service-type
        `(("doas.conf" ,doas-config)))

        #|Special file services|#
        (service special-files-service-type
        `(("/bin/sh"      ,(file-append bash      "/bin/bash"))
          ("/usr/bin/env" ,(file-append coreutils "/bin/env"))))

        #|Miscellaneous services|#
        (service urandom-seed-service-type)
        (service nscd-service-type)
        (service sysctl-service-type
                 (sysctl-configuration
                  (sysctl (file-append procps "/sbin/sysctl"))
                  (settings '(("fs.protected_hardlinks" . "1")
                              ("fs.protected_symlinks"  . "1"))))))))
Merge radix and radix-config repositories 2023-08-05 22:21:37 +00:00			`#\|Modules\|#`
			`(use-modules`
			`#\|GNU \|# (gnu) (gnu artwork) (gnu services) (gnu system nss)`
			`#\|Guix \|# (guix gexp) (guix packages) (guix records)`
			`#\|Misc \|# (ice-9 match)`
			`#\|Radix\|# (radix packages linux) (radix services linux) (radix system setuid)`
			`(radix utils) (radix config secrets))`

			`(use-service-modules`
			`#\|A\|# admin`
			`#\|C\|# configuration`
			`#\|D\|# desktop`
			`#\|L\|# linux`
			`#\|M\|# mcron`
			`#\|N\|# networking`
			`#\|S\|# sound sysctl shepherd)`

			`(use-package-modules`
			`#\|A\|# admin`
			`#\|B\|# base bash`
			`#\|C\|# certs compression curl`
			`#\|F\|# file`
			`#\|G\|# gawk glib guile guile-xyz`
			`#\|L\|# less linux`
			`#\|M\|# man maths`
			`#\|P\|# pulseaudio`
			`#\|T\|# texinfo text-editors tmux`
			`#\|V\|# vpn)`

			`(define* (permit #:key (persist #f)`
			`(keepenv #f)`
			`(nopass #f)`
			`(group "wheel")`
			`(commands '("")))`
			`(format #f "~{~a~%~}"`
			`(map (lambda (command)`
			`(match (string-split command #\space)`
			`((command . args)`
			`(format #f`
			`"permit ~:[~;persist ~]~`
			`~:[~;keepenv ~]~`
			`~:[~;nopass ~]:~a~:[ cmd ~a args~{ ~a~}~;~]"`
			`persist keepenv nopass group (string-null? command) command args))))`
			`commands)))`

			`#\|Mcron jobs\|#`
			`(define garbage-collector-job`
			`#~(job "5 0 * * *" "guix gc --optimize -F 5G"))`

			`#\|Kernel modules configuration\|#`
			`(define modprobe-thinkfan-config`
			`(plain-file "thinkfan.conf"`
			`"options thinkpad_acpi experimental=1 fan_control=1"))`

			`#\|etc files\|#`
			`(define thinkfan-config`
			`(plain-file "thinkfan.conf"`
			`(format #f "~@{~a~%~}"`
			`"fans:"`
			`"- tpacpi: /proc/acpi/ibm/fan"`

			`"sensors:"`
			`" - hwmon: /sys/devices/platform/coretemp.0/hwmon"`
			`" indices: [1,2,3]"`

			`"levels:"`
			`" - [0, 0, 35]"`
			`" - [1, 30, 40]"`
			`" - [2, 35, 45]"`
			`" - [3, 40, 50]"`
			`" - [4, 45, 55]"`
			`" - [5, 50, 60]"`
			`" - [6, 55, 65]"`
			`" - [7, 60, 70]"`
			`" - [\"level full-speed\", 65, 260]")))`

			`(define doas-config`
			`(plain-file "doas.conf"`
			`(format #f "~@{~a~%~}"`
			`"permit setenv { GUILE_LOAD_PATH } :wheel"`
			`(permit #:keepenv #t`
			`#:commands '("kak" "emacsclient"))`
			`(permit #:nopass #t`
			`#:commands '("halt" "reboot" "guix pull" "herd status"))`
			`(permit #:nopass #t`
			`#:commands`
			`(flatmap (lambda (service-name action)`
			`(format #f "herd ~a ~a" action service-name))`
			`'("thinkfan" "wpa-supplicant")`
			`'("doc" "stop" "start" "status" "restart"))))))`

			`#\|Operating system definition\|#`
			`(operating-system`
			`(host-name "buer")`
			`(timezone "America/Sao_Paulo")`
			`(locale "en_US.utf8")`

			`(keyboard-layout`
			`(keyboard-layout "us,br"`
			`#:options '("grp:menu_switch"`
			`"parens:swap_brackets"`
			`"caps:swapescape")))`

			`(bootloader`
			`(bootloader-configuration`
			`(bootloader grub-bootloader)`
			`(targets '("/dev/sda"))`
			`(theme (grub-theme`
			`(image (file-append %artwork-repository`
			`"/backgrounds/guix-silver-checkered-16-9.svg"))`
			`(resolution '(1280 . 720))`
			`(gfxmode '("1280x720x32"))))))`

			`(kernel linux-libre-6.4)`
			`(kernel-arguments '("modprobe.blacklist=usbmouse,usbkbd"`
			`"thinkpad_acpi.fan_control=1"`
			`"loglevel=5"`
			`"quiet"))`

			`(file-systems`
			`(cons* (file-system`
			`(device (file-system-label "guix-root"))`
			`(mount-point "/")`
			`(type "ext4"))`
			`(file-system`
			`(device (file-system-label "HOME")) ;doas e2label /dev/sda5 home`
			`(mount-point "/home")`
			`(type "ext4"))`
			`%base-file-systems))`

			`(swap-devices`
			`(list (swap-space`
			`(target (file-system-label "swap")))))`

			`(users`
			`(cons (user-account`
			`(name "radio")`
			`(password %radio-password)`
			`(group "users")`
			(supplementary-groups `("audio" "input" "video" "wheel")))
			`%base-user-accounts))`

			`#\|System level packages\|#`
			`(packages`
			`(list #\|admin \|# htop inetutils isc-dhcp opendoas shadow`
			`#\|base \|# bash coreutils diffutils findutils grep patch sed tar`
			`which`
			`#\|certs \|# nss-certs`
			`#\|compression \|# bzip2 gzip lzip unzip xz`
			`#\|curl \|# curl`
			`#\|file \|# file`
			`#\|gawk \|# gawk`
			`#\|glib \|# dbus`
			`#\|guile \|# guile-3.0-latest guile-colorized guile-irregex`
			`guile-reader guile-readline`
			`#\|less \|# less`
			`#\|linux \|# acpi alsa-lib alsa-plugins alsa-utils e2fsprogs`
			`eudev fuse inetutils inotify-tools iproute kbd kmod`
			`lm-sensors procps psmisc thinkfan-next usbutils`
			`util-linux`
			`#\|man \|# man-db mandoc man-pages`
			`#\|math \|# libqalculate`
			`#\|pulseaudio \|# pulseaudio`
			`#\|texinfo \|# info-reader`
			`#\|text-editors\|# kak-lsp kakoune`
			`#\|tmux \|# tmux`
			`#\|vpn \|# wireguard-tools))`

			`#\|Do not generate a sudoers file\|#`
			`(sudoers-file #f)`

			`#\|Run some programs from each package with file owner privileges\|#`
			`(setuid-programs`
			`(map-setuid-programs`
			`(shadow '("passwd" "chfn" "sg" "su" "newgrp" "newuidmap" "newgidmap"))`
			`(inetutils '("ping" "ping6"))`
			`(opendoas '("doas"))`
			`(fuse '("fusermount"))`
			`(util-linux '("mount" "umount"))))`

			`#\|Allow resolution of '.local' host names with mDNS\|#`
			`(name-service-switch %mdns-host-lookup-nss)`

			`#\|System services\|#`
			`(services`
			`(list #\|TTY services\|#`
			`(service virtual-terminal-service-type)`
			`(service console-font-service-type`
			`(associate-right`
			`(%default-console-font '("tty1" "tty2"))))`
			`(service agetty-service-type`
			`(agetty-configuration`
			`(extra-options '("-L"))`
			`(term "vt100")`
			`(tty #f)))`
			`(service mingetty-service-type`
			`(mingetty-configuration (tty "tty1")))`
			`(service mingetty-service-type`
			`(mingetty-configuration (tty "tty2")))`

			`#\|Login services\|#`
			`(service login-service-type)`
			`(service elogind-service-type)`

			`#\|Log services\|#`
			`(service rottlog-service-type)`
			`(service syslog-service-type`
			`(syslog-configuration`
			`(syslogd (file-append inetutils "/libexec/syslogd"))`
			`(config-file %default-syslog.conf)))`
			`(service log-cleanup-service-type`
			`(log-cleanup-configuration`
			`(directory "/var/log/guix/drvs")`
			`(expiry (* 3 30 24 3600))))`

			`#\|Guix services\|#`
			`(service guix-service-type`
			`(guix-configuration`
			`(build-accounts 16)`
			`(extra-options '("--max-jobs=8" "--cores=4"))))`

			`#\|Mcron service\|#`
			`(simple-service 'mcron-jobs mcron-service-type`
			`(list garbage-collector-job))`

			`#\|Device management services\|#`
			`(service udev-service-type`
			`(udev-configuration`
			`(udev eudev)`
			`(rules (list lvm2 fuse alsa-utils crda))))`

			`#\|Sound services\|#`
			`(service alsa-service-type)`

			`#\|Network services\|#`
			`(service static-networking-service-type`
			`(list (static-networking`
			`(addresses`
			`(list (network-address (device "lo")`
			`(value "127.0.0.1/8"))))`
			`(provision '(loopback)))))`
			`(service wpa-supplicant-service-type`
			`(wpa-supplicant-configuration`
			`(config-file "/etc/wpa_supplicant.conf")`
			`(interface "wlp2s0")`
			`(extra-options '("-B"))))`
			`(service dhcp-client-service-type`
			`(dhcp-client-configuration`
			`(interfaces 'all)))`

			`#\|Thinkfan services\|#`
			`(simple-service 'thinkfan-config etc-service-type`
			`(("modprobe.d/thinkfan.conf" ,modprobe-thinkfan-config)
			`("thinkfan.conf" ,thinkfan-config)))`
			`(service thinkfan-service-type`
			`(thinkfan-configuration`
			`(config-file thinkfan-config)`
			`(respawn? #f)))`

			`#\|Doas config service\|#`
			`(simple-service 'doas-config etc-service-type`
			`(("doas.conf" ,doas-config)))

			`#\|Special file services\|#`
			`(service special-files-service-type`
			`(("/bin/sh" ,(file-append bash "/bin/bash"))
			`("/usr/bin/env" ,(file-append coreutils "/bin/env"))))`

			`#\|Miscellaneous services\|#`
			`(service urandom-seed-service-type)`
			`(service nscd-service-type)`
			`(service sysctl-service-type`
			`(sysctl-configuration`
			`(sysctl (file-append procps "/sbin/sysctl"))`
			`(settings '(("fs.protected_hardlinks" . "1")`
			`("fs.protected_symlinks" . "1"))))))))`