# -*- mode: org; coding: utf-8; -*-
#+title: a GUIX system config - Framework 13 AMD
#+property: header-args :tangle framework13-system.scm
A semi-literate config for GUIX running on a Framework 13 AMD laptop
- generate the config with =org-babel-tangle= (bound to =C-c C-v t=)
- rebuild with =guix system reconfigure framework13-system.scm= (or similar)
* header
Generate a header and timestamp if required
#+name: timestamp
#+BEGIN_SRC sh :results output code :tangle no
echo ";; -*- mode: scheme; coding: utf-8; -*-
;;
;; tangled from framework13-system.org on `date --rfc-3339 seconds`"
#+end_src
#+begin_src scheme :noweb yes
<<timestamp()>>
#+end_src
* modules
#+begin_src scheme
(use-modules (gnu)
             (gnu packages)
             (guix modules)
             (gnu system nss)
             (gnu system setuid)
             (gnu packages shells)
             (gnu packages linux)
             (gnu packages xdisorg)
             (gnu packages display-managers)
             (gnu packages emacs-xyz))
#+end_src
Include the non-free linux kernel, modules and firmware from the [[https://gitlab.com/nonguix/nonguix/][nonguix channel]] (aka “The GUIX Channel That Shall Not Be Named”)
#+begin_src scheme
(use-modules (nongnu packages linux)
             (nongnu system linux-initrd))
#+end_src
** service modules
#+begin_src scheme
(use-service-modules cups
                     sddm
                     desktop
                     networking
                     ssh
                     xorg
                     samba
                     sound
                     mail
                     vpn)
#+end_src
** package modules
#+begin_src scheme
(use-package-modules admin
                     certs
                     package-management
                     ssh
                     tls
                     vpn)
#+end_src
* kernel corruption
Some kernel corruption may be required to enable Wi-Fi. The non-free kernel from nonguix prior to 6.7.2 doesn't include the driver for the RZ616/MT7922 adapter by default, so it needs to be added explicitly. Defined here and used in the =operating-system= declaration below (see also commit [[https://gitlab.com/nonguix/nonguix/-/commit/3857d86267284000dc48660a5dfd56cb2a8cf004][3857d862]] for the addition of =nonguix-extra-linux-options=).
#+begin_src scheme
(define-public linux-FWL13
  (corrupt-linux linux-libre-6.7
                 #:name "linux-fwl13"
                 #:configs '("CONFIG_MT7921E=m")))
#+end_src
* operating-system
The =operating-system= declaration
#+begin_src scheme
(operating-system
  (host-name "zxxcxxz")
  (locale "en_GB.utf8")
  (timezone "Europe/Amsterdam")
#+end_src
Hosts file for local and LAN name resolution, giving a persistent =/etc/hosts= (maybe convert to =hosts-service-type=)
#+BEGIN_SRC scheme :session
(hosts-file (local-file "hosts.conf"))
#+END_SRC
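The =hosts-service-type= conversion mentioned above, as an added example that is not part of the original config. =host=, =hosts-service-type= and =simple-service= come from =(gnu)= as documented in the Guix manual; the procedure =dual-stack-host=, the =192.168.1.10= NAS entry and the =.wg=/=.lan= names are this example's own assumptions (the WireGuard peer addresses are the ones used in the =wireguard= section further down).

```scheme
;; Added example, not from the original config: populate /etc/hosts through
;; hosts-service-type instead of the deprecated hosts-file field.  The
;; service extends the default entries (localhost and the host-name), so
;; only the extra LAN/VPN names are listed here.
(use-modules (gnu))

(define (dual-stack-host name v4 v6 . aliases)
  "Return two host records, one per address family, sharing NAME and ALIASES.
Each record becomes one /etc/hosts line, so both families resolve NAME."
  (list (host v4 name aliases)
        (host v6 name aliases)))

(define %lan-hosts
  (append
   ;; WireGuard peers: addresses taken from the wireguard section of the config
   (dual-stack-host "beryllium.wg" "10.0.0.13" "fded:dada::13" "beryllium")
   (dual-stack-host "lmn.wg"       "10.0.0.1"  "fded:dada::1"  "lmn")
   ;; a LAN host; constructed placeholder address and name
   (list (host "192.168.1.10" "nas.lan" '("nas")))))

;; Goes into the (services (append (list ...) ...)) form of the operating-system
;; in place of (hosts-file (local-file "hosts.conf")):
(define %lan-hosts-service
  (simple-service 'lan-hosts hosts-service-type %lan-hosts))
```

After a reconfigure, =getent hosts beryllium= should return both addresses, which is a quick way to confirm the entries landed in =/etc/hosts=.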
** keyboard layout
Layout is qwerty, CAPS_LOCK acts as CTRL, and Ctrl-Fn-Meta-Super sit to the left of SPACE. The =keyboard-layout= declared here can be used for boot, console and Xorg
#+begin_src scheme
(keyboard-layout (keyboard-layout
                  "us" "altgr-intl"
                  #:options '("ctrl:nocaps"
                              "altwin:swap_lalt_lwin")))
#+end_src
** kernel
A custom kernel is configured above; kernel arguments are declared here.
The =hid_sensor_hub= module needs to be disabled for screen dimming and keyboard backlight to work as expected. Other kernel arguments possibly required for (in)compatibility with other features include ="amdgpu.sg_display=0"= and ="acpi_osi=linux" "acpi_backlight=vendor"=.
Kernel & driver details
- https://gitlab.com/nonguix/nonguix
- https://www.kernel.org/doc/html/latest/gpu/amdgpu/module-parameters.html
- https://community.frame.work/t/solved-backlight-brightness-issues/36065/13
Using =linux-6.7= from nonguix (which includes =CONFIG_MT7921E= by default as of 6.7.2)
#+begin_src scheme
(kernel linux-6.7) ;; previously (kernel linux-FWL13)
#+end_src
Testing [[https://community.frame.work/t/adaptive-backlight-management-abm/41055][Adaptive Backlight Management (ABM)]]
#+BEGIN_SRC scheme
;; (kernel-arguments '("amdgpu.abmlevel=3"))
;; (kernel-arguments '("modprobe.blacklist=hid_sensor_hub")) ;; required prior to 6.7
(kernel-arguments '("splash" "quiet"))
#+END_SRC
…and required firmware (should be possible to reduce to specifics)
#+begin_src scheme
(firmware (list linux-firmware))
;; (firmware (list amdgpu-firmware
;;                 amd-microcode
;;                 realtek-firmware))
#+end_src
** users & groups
#+begin_src scheme
(users (cons* (user-account
               (name "zzk")
               (comment "zzk")
               (group "users")
               (home-directory "/home/zzk")
               (shell (file-append zsh "/bin/zsh"))
               (supplementary-groups '("wheel"
                                       "netdev"
                                       "audio"
                                       "video"
                                       "www-data"
                                       "realtime"
                                       "lp")))
              (user-account
               (name "www-data")
               (group "www-data")
               (home-directory "/home/www"))
              %base-user-accounts))
#+end_src
#+begin_src scheme
(groups (cons* (user-group
                (name "www-data"))
               (user-group
                (system? #t)
                (name "realtime"))
               %base-groups))
#+end_src
** sudoers
#+begin_src scheme
;; members of wheel (zzk above) get root via sudo without a password prompt (NOPASSWD)
(sudoers-file
 (plain-file "sudoers"
             "root ALL=(ALL) ALL
%wheel ALL=NOPASSWD: ALL"))
#+end_src
** system-wide packages
Packages installed system-wide. Users can also install packages under their own account: use =guix search KEYWORD= to search for packages and =guix install PACKAGE= to install a package.
#+begin_src scheme
(packages
 (append (map specification->package
              '("emacs"
                "emacs-guix"
                "emacs-exwm"
                "openssh-sans-x"
                "nss-certs"
                ;; xfce
                "xfce4-power-manager"
                "xfce4-settings"
                "xfce4-session"
                "xfce4-panel"
                ;; gnome extras
                "gnome-tweaks"
                "gvfs"
                ;; sddm
                "chili-sddm-theme"
                ;; vpn
                "wireguard-tools"))
         %base-packages))
#+end_src
** system services
Below is the list of enabled system services. To search for any available services, run =guix system search KEYWORD= in a terminal.
#+begin_src scheme
(services
(append (list
#+end_src
*** SSH
#+begin_src scheme
(service openssh-service-type
         (openssh-configuration
          (openssh openssh-sans-x)
          (password-authentication? #true)
          (authorized-keys
           `(("zzk" ,(local-file "zzk_rsa.pub"))
             ("root" ,(local-file "zzk_rsa.pub"))))))
#+end_src
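The same service with the weak setting beside its tightened form, as an added example rather than the original config: password logins are switched off and root is limited to key authentication. This matters here because the iptables rules below accept port 22 from any source. All fields used (=password-authentication?=, =allow-empty-passwords?=, =permit-root-login=, =x11-forwarding?=) are documented =openssh-configuration= fields; the name =%ssh-service= is this example's own.

```scheme
;; Added example, not from the original config: key-only SSH.
(use-modules (gnu)
             (gnu services ssh)
             (gnu packages ssh))

(define %ssh-service
  (service openssh-service-type
           (openssh-configuration
            (openssh openssh-sans-x)
            ;; the config above sets this to #true; with keys deployed for
            ;; both accounts there is no reason to keep password logins
            (password-authentication? #f)
            (allow-empty-passwords? #f)
            ;; root may still log in with its key, never with a password;
            ;; #f refuses root entirely and relies on the wheel account + sudo
            (permit-root-login 'prohibit-password)
            (x11-forwarding? #f)
            (authorized-keys
             `(("zzk" ,(local-file "zzk_rsa.pub"))
               ("root" ,(local-file "zzk_rsa.pub")))))))
```

After reconfiguring, =sshd -T= on the host should list =passwordauthentication no= and =permitrootlogin prohibit-password=, and =ssh -o PreferredAuthentications=password zzk@HOST= should be refused before any password prompt.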
*** mail
Use dovecot for local IMAP
#+begin_src scheme
(service dovecot-service-type
         (dovecot-configuration
          (mail-location "maildir:%h/Maildir:LAYOUT=fs")))
#+end_src
*** iptables
=iptables= configuration to allow SSH on port 22, IMAPS on 993, WireGuard (wg0), mDNS, and local SMB from 192.168.0.0/16
#+BEGIN_SRC scheme :session
(service iptables-service-type
         (iptables-configuration
          (ipv4-rules (plain-file "iptables.rules"
#+end_src
**** ipv4 rules
#+BEGIN_SRC scheme
"*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A POSTROUTING -o en0 -j MASQUERADE
COMMIT
,*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
#+end_src
SMB
#+BEGIN_SRC scheme
-A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 137 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 445 -j ACCEPT
#+end_src
wireguard
#+BEGIN_SRC scheme
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
-A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
#+end_src
#+BEGIN_SRC scheme
# drop INVALID before the catch-all REJECT; placed after it, the DROP is never reached
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"))
#+end_src
**** ipv6 rules
#+BEGIN_SRC scheme
(ipv6-rules (plain-file "ip6tables.rules"
"*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A POSTROUTING -o en0 -j MASQUERADE
COMMIT
,*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
#+end_src
SMB
#+BEGIN_SRC scheme
-A INPUT -p udp -m udp -s fded:c2f7:43ef::/64 --dport 137 -j ACCEPT
-A INPUT -p udp -m udp -s fded:c2f7:43ef::/64 --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s fded:c2f7:43ef::/64 --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s fded:c2f7:43ef::/64 --dport 445 -j ACCEPT
#+end_src
wireguard
#+BEGIN_SRC scheme
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
-A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
#+end_src
#+BEGIN_SRC scheme
# drop INVALID before the catch-all REJECT; placed after it, the DROP is never reached
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
"))))
#+END_SRC
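The IPv4 and IPv6 rule strings above are maintained by hand and have already drifted slightly (=-m tcp= is present in one and not the other). As an added example, not part of the original config, this Guile snippet generates both =iptables-restore= rule sets from one description, keeps the INVALID drop ahead of the final REJECT, and parameterises only what differs per family: the SMB source prefix and the ICMP reject type. The names =firewall-rules=, =accept-rule=, =%open-ports= and =%smb-ports= are this example's own; the ports, interfaces and prefixes are the ones in the config.

```scheme
;; Added example, not from the original config: one generator for both
;; address families so the two rule sets cannot diverge.
(use-modules (ice-9 format))

;; (protocol . port) pairs reachable from any source: ssh, imaps, mdns, wireguard
(define %open-ports '(("tcp" . 22) ("tcp" . 993) ("udp" . 5353) ("udp" . 51820)))

;; SMB ports, reachable only from the LAN prefix
(define %smb-ports '(("udp" . 137) ("udp" . 138) ("tcp" . 139) ("tcp" . 445)))

(define (accept-rule proto port source)
  "One INPUT ACCEPT rule; SOURCE is a prefix string, or #f for any source."
  (format #f "-A INPUT -p ~a -m ~a~a --dport ~a -j ACCEPT"
          proto proto
          (if source (string-append " -s " source) "")
          port))

(define (firewall-rules lan-prefix reject-with)
  "Return an iptables-restore rule set as a string.  LAN-PREFIX is the
source allowed to reach SMB; REJECT-WITH is the ICMP reject type for the
address family (icmp-port-unreachable or icmp6-port-unreachable)."
  (string-join
   (append
    (list "*nat"
          ":PREROUTING ACCEPT" ":INPUT ACCEPT" ":OUTPUT ACCEPT" ":POSTROUTING ACCEPT"
          "-A POSTROUTING -o en0 -j MASQUERADE"
          "COMMIT"
          "*filter"
          ":INPUT ACCEPT" ":FORWARD ACCEPT" ":OUTPUT ACCEPT"
          ;; conntrack verdicts first: INVALID must come before the final REJECT
          "-A INPUT -m conntrack --ctstate INVALID -j DROP"
          "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
    (map (lambda (p) (accept-rule (car p) (cdr p) #f)) %open-ports)
    (map (lambda (p) (accept-rule (car p) (cdr p) lan-prefix)) %smb-ports)
    (list "-A INPUT -i wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
          "-A FORWARD -i wg0 -j ACCEPT"
          (string-append "-A INPUT -j REJECT --reject-with " reject-with)
          "COMMIT"
          ""))
   "\n"))

;; Drop-in replacements for the two plain-file strings in the config:
;;   (ipv4-rules (plain-file "iptables.rules"
;;                           (firewall-rules "192.168.0.0/16" "icmp-port-unreachable")))
;;   (ipv6-rules (plain-file "ip6tables.rules"
;;                           (firewall-rules "fded:c2f7:43ef::/64" "icmp6-port-unreachable")))
```

The generated text can be checked without touching the live tables by feeding it to =iptables-restore --test= (and =ip6tables-restore --test= for the IPv6 set), which parses and validates the rules but does not load them.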
*** wireguard
Details can be found (and mostly ignored) in the [[https://guix.gnu.org/cookbook/en/html_node/Connecting-to-Wireguard-VPN.html][Connecting to Wireguard VPN]] section of the cookbook
#+BEGIN_SRC scheme :session
(service wireguard-service-type
         (wireguard-configuration
          (addresses '("10.0.0.23/32" "fded:dada::23/128"))
          (private-key "/etc/wireguard/private.key")
          (port 51820)
          (peers
           (list
            (wireguard-peer
             (name "lmn")
             (endpoint "example.org:51820")
             (public-key "WHmVhvgxkBxk8fqZU6pWEaH4iVzOcud9JQivwRsaIE8=")
             (allowed-ips '("10.0.0.1/24" "fded:dada::1/64"))
             (keep-alive 25))
            (wireguard-peer
             (name "beryllium")
             (endpoint "example.org:51820")
             (public-key "taeID3fNgci9OpE+1UYkS4DYZE6DIlhpLQL1BVN9sg8=")
             (allowed-ips '("10.0.0.13/32" "fded:dada::13/128"))
             (keep-alive 25))))))
#+END_SRC
*** display manager
#+begin_src scheme
;; (service gdm-service-type
;;          (gdm-configuration
;;           (auto-suspend? #f)
;;           (xorg-configuration
;;            (xorg-configuration
;;             (keyboard-layout keyboard-layout)
(service sddm-service-type
         (sddm-configuration
          (display-server "x11")
          (remember-last-user? #t)
          (theme "chili")
          (xorg-configuration
           (xorg-configuration
            (keyboard-layout keyboard-layout)
#+end_src
Trackpad config using [[https://www.mankier.com/4/libinput][libinput]]
#+begin_src scheme
            (extra-config '("Section \"InputClass\"
Identifier \"touchpad\"
Driver \"libinput\"
MatchIsTouchpad \"on\"
Option \"Tapping\" \"on\"
Option \"TappingButtonMap\" \"lrm\"
Option \"ClickMethod\" \"clickfinger\"
Option \"AccelProfile\" \"adaptive\"
EndSection"))))))
#+end_src
*** desktop environments
Provide Gnome, KDE (plasma) and xfce as desktop environments. exwm is enabled automatically via module.
#+begin_src scheme
(service plasma-desktop-service-type)
;; (service gnome-desktop-service-type)
(service xfce-desktop-service-type)
#+end_src
*** file sharing
#+begin_src scheme
(service samba-service-type
         (samba-configuration
          (enable-smbd? #t)
          (config-file
           (plain-file "smb.conf" "\
[global]
protocol = SMB3
logging = syslog@1
workgroup = FOAM
netbios name = zxXCXxz
security = user
case sensitive = yes
preserve case = yes
short preserve case = yes
[homes]
valid users = %S
browsable = no
writable = yes
"))))
#+end_src
*** bluetooth
#+begin_src scheme
(service bluetooth-service-type)
#+end_src
*** printing
#+begin_src scheme
(service cups-service-type)
#+end_src
*** modify desktop services
If gdm is reconfigured (see above) or any other display manager is declared, gdm needs to be removed from =%desktop-services=
#+begin_src scheme
) ;; end services list
#+end_src
#+begin_src scheme
(modify-services %desktop-services
(delete gdm-service-type))))
#+end_src
*** mDNS
Enable resolution of '.local' host names with mDNS.
#+begin_src scheme
(name-service-switch %mdns-host-lookup-nss)
#+end_src
*** screen locker
The screen locker's =authproto_pam= helper has to run setuid so it can authenticate against PAM
#+begin_src scheme
(setuid-programs
 (cons*
  (setuid-program
   (program (file-append xsecurelock "/libexec/xsecurelock/authproto_pam")))
  %setuid-programs))
#+end_src
** initrd
Initrd with AMD microcode blobs
#+begin_src scheme
(initrd (lambda (file-systems . rest)
          (apply microcode-initrd file-systems
                 #:initrd base-initrd
                 #:microcode-packages (list amd-microcode)
                 rest)))
#+end_src
** bootloader
#+begin_src scheme
(bootloader (bootloader-configuration
             (bootloader grub-efi-bootloader)
             (targets (list "/boot/efi"))
             (keyboard-layout keyboard-layout)))
#+end_src
** swap device
#+begin_src scheme
(swap-devices (list (swap-space
                     (target (uuid
                              "e7cc2ca5-169a-4511-865f-d2d7ed72c05c")))))
#+end_src
** file systems & mount points
The list of file systems that get mounted. The unique file system identifiers ("UUIDs") can be obtained by running =blkid= in a terminal.
#+begin_src scheme
(file-systems (cons* (file-system
                      (mount-point "/boot/efi")
                      (device (uuid "8B3C-3BC0" 'fat32))
                      (type "vfat"))
                     (file-system
                      (mount-point "/")
                      (device (uuid
                               "e0ece027-0396-4546-8aba-2ce91285d061"
                               'ext4))
                      (type "ext4"))
                     %base-file-systems))
#+end_src
** FIN
#+begin_src scheme
) ;; end operating-system declaration
#+end_src