diff --git a/config/framework13-system.org b/config/framework13-system.org
index 167c66a..09d4a6c 100644
--- a/config/framework13-system.org
+++ b/config/framework13-system.org
@@ -31,12 +31,12 @@ echo ";; -*- mode: scheme; coding: utf-8; -*-
 (gnu packages shells)
 (gnu packages linux)
 (gnu packages xdisorg)
- (gnu packages emacs-xyz)
+ (gnu packages emacs-xyz))
 #+end_src
 Include non-free linux kernel, modules and firmware from the [[https://gitlab.com/nonguix/nonguix/][nonguix channel]]
 #+begin_src scheme
- (nongnu packages linux)
+(use-modules (nongnu packages linux) (nongnu system linux-initrd))
 #+end_src
@@ -130,6 +130,7 @@ Kernel & driver details
 "audio"
 "video"
 "www-data"
+ "realtime"
 "lp")))
 (user-account
 (name "www-data")
@@ -141,6 +142,9 @@ Kernel & driver details
 #+begin_src scheme
 (groups (cons* (user-group (name "www-data"))
+ (user-group
+ (system? #t)
+ (name "realtime"))
 %base-groups))
 #+end_src
@@ -196,6 +200,7 @@ Below is the list of enabled system services. To search for any available servi
 `(("zzk" ,(local-file "zzk_rsa.pub"))
 ("root" ,(local-file "zzk_rsa.pub"))))))
 #+end_src
+
 *** mail
 use dovecot for local IMAP
 #+begin_src scheme
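Review bot: Adding the account to `realtime` (here, in the `@@ -141,6 +142,9 @@` hunk that defines the group, and in the two matching hunks of framework13-system.scm) grants nothing by itself; on Guix the group only takes effect if a `pam-limits-service-type` entry such as `(pam-limits-entry "@realtime" 'both 'rtprio 99)` references it, and no such entry appears in this diff. If that entry exists elsewhere in the file, a comment on the new `(user-group (system? #t) (name "realtime"))` form, e.g. `;; referenced by the @realtime pam-limits entries`, would save the next reader the search; if it does not, the group is inert. When the limits are added, keep `rtprio` and `memlock` bounded rather than `unlimited`, since any member of the group can otherwise starve the rest of the system.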
@@ -205,6 +210,43 @@ use dovecot for local IMAP
 (mail-location "maildir:%h/Maildir:LAYOUT=fs")))
 #+end_src
+*** iptables
+
+=iptables= configuration to allow ssh on port 22, imaps on 993 and local smb for 192.168.0.0/16
+
+#+BEGIN_SRC scheme :session
+ (service iptables-service-type
+ (iptables-configuration
+ (ipv4-rules (plain-file "iptables.rules" "*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp --dport 993 -j ACCEPT
+-A INPUT -s 192.168.0.0/16 -p udp -m udp --dport 137 -j ACCEPT
+-A INPUT -s 192.168.0.0/16 -p udp -m udp --dport 138 -j ACCEPT
+-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 139 -j ACCEPT
+-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 445 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-port-unreachable
+COMMIT
+"))
+ (ipv6-rules (plain-file "ip6tables.rules" "*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp --dport 993 -j ACCEPT
+-A INPUT -s 192.168.0.0/16 -p udp -m udp --dport 137 -j ACCEPT
+-A INPUT -s 192.168.0.0/16 -p udp -m udp --dport 138 -j ACCEPT
+-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 139 -j ACCEPT
+-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 445 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-port-unreachable
+COMMIT
+"))))
+#+END_SRC
+
 *** display manager
 #+begin_src scheme
 ;; (service sddm-service-type
@@ -219,6 +261,7 @@ use dovecot for local IMAP
 (xorg-configuration
 (keyboard-layout keyboard-layout)
 #+end_src
+
 Trackpad config using [[https://www.mankier.com/4/libinput][libinput]]
 #+begin_src scheme
 (extra-config '("Section \"InputClass\"
diff --git a/config/framework13-system.scm b/config/framework13-system.scm
index 8c34917..ae364fc 100644
--- a/config/framework13-system.scm
+++ b/config/framework13-system.scm
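Review bot: The four `-s 192.168.0.0/16` rules in `ip6tables.rules` carry an IPv4 prefix, which ip6tables-restore rejects, so the whole IPv6 ruleset fails to load and, as far as this diff shows, the IPv6 INPUT chain stays at its ACCEPT policy while only the IPv4 side is filtered. Drop those four lines from the IPv6 file (or scope them to the LAN's real IPv6 prefix, a `<LAN_IPV6_PREFIX>/64` placeholder here) and add `-A INPUT -p ipv6-icmp -j ACCEPT` before the final REJECT, because neighbour discovery and router advertisements are not ESTABLISHED,RELATED and would otherwise be rejected, breaking IPv6 connectivity entirely. Both files also need `-A INPUT -i lo -j ACCEPT`, since a new connection to any local daemon over loopback on a port other than 22/993 (a local CUPS instance, if one is configured) currently falls through to the REJECT rule. Consider `:INPUT DROP` and `:FORWARD DROP` as the chain policies so that a later edit removing the trailing REJECT, or an unintended forwarding setup, fails closed. The same block is tangled into framework13-system.scm in the `@@ -115,6 +119,37 @@` hunk, which needs the identical fix.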
@@ -1,6 +1,6 @@
 ;; -*- mode: scheme; coding: utf-8; -*-
 ;;
-;; tangled from framework13-system.org on 2024-01-04 14:14:30+01:00)
+;; tangled from framework13-system.org on 2024-01-17 15:35:13+01:00)
 (use-modules (gnu)
 (gnu packages)
@@ -10,9 +10,9 @@
 (gnu packages shells)
 (gnu packages linux)
 (gnu packages xdisorg)
- (gnu packages emacs-xyz)
+ (gnu packages emacs-xyz))
- (nongnu packages linux)
+(use-modules (nongnu packages linux) (nongnu system linux-initrd))
 (use-service-modules cups
@@ -64,6 +64,7 @@
 "audio"
 "video"
 "www-data"
+ "realtime"
 "lp")))
 (user-account
 (name "www-data")
@@ -73,6 +74,9 @@
 (groups (cons* (user-group (name "www-data"))
+ (user-group
+ (system? #t)
+ (name "realtime"))
 %base-groups))
 (sudoers-file
@@ -115,6 +119,37 @@
 (dovecot-configuration
 (mail-location "maildir:%h/Maildir:LAYOUT=fs")))
+ (service iptables-service-type
+ (iptables-configuration
+ (ipv4-rules (plain-file "iptables.rules" "*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp --dport 993 -j ACCEPT
+-A INPUT -s 192.168.0.0/16 -p udp -m udp --dport 137 -j ACCEPT
+-A INPUT -s 192.168.0.0/16 -p udp -m udp --dport 138 -j ACCEPT
+-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 139 -j ACCEPT
+-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 445 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-port-unreachable
+COMMIT
+"))
+ (ipv6-rules (plain-file "ip6tables.rules" "*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp --dport 993 -j ACCEPT
+-A INPUT -s 192.168.0.0/16 -p udp -m udp --dport 137 -j ACCEPT
+-A INPUT -s 192.168.0.0/16 -p udp -m udp --dport 138 -j ACCEPT
+-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 139 -j ACCEPT
+-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 445 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-port-unreachable
+COMMIT
+"))))
+
 ;; (service sddm-service-type
 ;; (sddm-configuration
 ;; (display-server "wayland")