A semi-literate config for GUIX running on a Framework 13 AMD laptop
- generate config with
org-babel-tangle
(bound to C-c C-v t)
- rebuild with
guix system reconfigure framework13.scm
(or similar)
header
generate a header and timestamp if required
# Emit the tangled file's Emacs mode line plus a generation timestamp.
echo ";; -*- mode: scheme; coding: utf-8; -*-
;;
;; tangled from framework13-system.org on $(date --rfc-3339 seconds))"
<<timestamp()>>
modules
;; Core Guix/GNU modules used by the operating-system declaration below.
;; Order is kept as written so that any duplicate-binding resolution is
;; unchanged.
(use-modules (gnu)
             (gnu packages)
             (guix modules)
             (gnu system nss)
             (gnu system setuid)
             (gnu packages shells)
             (gnu packages linux)
             (gnu packages xdisorg)
             (gnu packages display-managers)
             (gnu packages emacs-xyz))
Include non-free linux kernel, modules and firmware from the nonguix channel (aka “The GUIX Channel That Shall Not Be Named”)
;; Non-free kernel, firmware and the microcode-initrd helper come from the
;; nonguix channel, which must be configured for this to resolve.
(use-modules (nongnu packages linux)
             (nongnu system linux-initrd))
service modules
;; Service modules backing the (service ...) forms declared later on.
(use-service-modules cups sddm desktop networking ssh xorg samba sound mail vpn)
package modules
;; Package modules whose variables (openssh-sans-x, certs, ...) are referenced
;; directly rather than via specification->package.
(use-package-modules admin certs package-management ssh tls vpn)
kernel corruption
Some kernel corruption may be required to enable WIFI. Since the
non-free kernel from nonguix prior to 6.7.2 doesn’t include the driver
for RZ616/MT7922 adapter by default it needs to be added explicitly.
Defined here and used in the operating-system declaration below
(see also commit 3857d862 for the addition of nonguix-extra-linux-options).
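;; Kernel variant with the MT7921E (RZ616/MT7922 WiFi) driver enabled as a
;; module on top of linux-libre-6.7.  Kept for reference; the
;; operating-system below currently selects linux-6.7 instead.
(define-public linux-FWL13
  (corrupt-linux linux-libre-6.7
                 #:name "linux-fwl13"
                 #:configs '("CONFIG_MT7921E=m")))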
operating-system
The operating-system
declaration
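;; Opens the operating-system record; the matching close paren is emitted by
;; the final "FIN" chunk after all fields have been tangled in.
(operating-system
  (host-name "zxxcxxz")
  (locale "en_GB.utf8")
  (timezone "Europe/Amsterdam")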
hosts file for local & LAN name resolving and persistent /etc/hosts
(maybe convert to hosts-service-type
)
"hosts.conf")) (hosts-file (local-file
keyboard layout
Layout is qwerty, CAPSLOCK is CTRL, Ctrl-Fn-Meta-super to
left of SPACE. The keyboard-layout
declared here can be used for boot, console and Xorg
(keyboard-layout (keyboard-layout"us" "altgr-intl"
"ctrl:nocaps"
#:options '("altwin:swap_lalt_lwin")))
kernel
A custom kernel is configured above; kernel arguments are declared here.
The hid_sensor_hub module needs to be disabled for screen dimming and
keyboard backlight to work as expected.
Some other kernel arguments possibly required for (in)compatibility with
other features include "amdgpu.sg_display=0", "acpi_osi=linux" and
"acpi_backlight=vendor".
Kernel & driver details
- https://gitlab.com/nonguix/nonguix
- https://www.kernel.org/doc/html/latest/gpu/amdgpu/module-parameters.html
- https://community.frame.work/t/solved-backlight-brightness-issues/36065/13
Using linux-6.7 from nonguix (which includes CONFIG_MT7921E by default as of 6.7.2)
;; previously (kernel linux-FWL13) (kernel linux-6.7)
testing Adaptive Backlight Management (ABM)
;; (kernel-arguments '("amdgpu.abmlevel=3"))
;; (kernel-arguments '("modprobe.blacklist=hid_sensor_hub")) ;; required prior to 6.7
"splash quiet")) (kernel-arguments '(
…and required firmware (should be possible to reduce to specifics)
list linux-firmware))
(firmware (;; (firmware (list amdgpu-firmware
;; amd-microcode
;; realtek-firmware))
users & groups
cons* (user-account
(users ("zzk")
(name "zzk")
(comment "users")
(group "/home/zzk")
(home-directory "/bin/zsh"))
(shell (file-append zsh "wheel"
(supplementary-groups '("netdev"
"audio"
"video"
"www-data"
"realtime"
"lp")))
(user-account"www-data")
(name "www-data")
(group "/home/www"))
(home-directory %base-user-accounts))
cons* (user-group
(groups ("www-data"))
(name
(user-group#t)
(system? "realtime"))
(name %base-groups))
sudoers
(sudoers-file"sudoers"
(plain-file "root ALL=(ALL) ALL
%wheel ALL=NOPASSWD: ALL"))
system-wide packages
Packages installed system-wide. Users can also install packages under
their own account: use guix search KEYWORD
to search for packages and guix install PACKAGE
to install a package.
(packagesappend (map specification->package
("emacs"
'("emacs-guix"
"emacs-exwm"
"openssh-sans-x"
"nss-certs"
;; xfce
"xfce4-power-manager"
"xfce4-settings"
"xfce4-session"
"xfce4-panel"
;; gnome extras
"gnome-tweaks"
"gvfs"
; sddm
"chili-sddm-theme"
;; vpn
"wireguard-tools"
)) %base-packages))
system services
Below is the list of enabled system services. To search for any available services, run 'guix system search KEYWORD' in a terminal.
(servicesappend (list (
SSH
(service openssh-service-type
(openssh-configuration
(openssh openssh-sans-x)#true)
(password-authentication?
(authorized-keys"zzk" ,(local-file "zzk_rsa.pub"))
`(("root" ,(local-file "zzk_rsa.pub")))))) (
use dovecot for local IMAP
(service dovecot-service-type
(dovecot-configuration"maildir:%h/Maildir:LAYOUT=fs"))) (mail-location
iptables
iptables
configuration to allow SSH on
port 22, IMAPS on 993, wireguard (wg0), mDNS and local smb for
192.168.0.0/16
(service iptables-service-type
(iptables-configuration"iptables.rules" (ipv4-rules (plain-file
ipv4 rules
"*nat :PREROUTING ACCEPT :INPUT ACCEPT :OUTPUT ACCEPT :POSTROUTING ACCEPT -A POSTROUTING -o en0 -j MASQUERADE COMMIT *filter :INPUT ACCEPT :FORWARD ACCEPT :OUTPUT ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT -A INPUT -p udp -m udp --dport 5353 -j ACCEPT
SMB
192.168.0.0/16 --dport 137 -j ACCEPT -A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 138 -j ACCEPT -A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 139 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 445 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp -s
wireguard
51820 -j ACCEPT -A INPUT -p udp -m udp --dport -A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT -A FORWARD -i wg0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable -A INPUT -m conntrack --ctstate INVALID -j DROP COMMIT"))
ipv6 rules
"ip6tables.rules" (ipv6-rules (plain-file "*nat :PREROUTING ACCEPT :INPUT ACCEPT :OUTPUT ACCEPT :POSTROUTING ACCEPT -A POSTROUTING -o en0 -j MASQUERADE COMMIT *filter :INPUT ACCEPT :FORWARD ACCEPT :OUTPUT ACCEPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -A INPUT -p tcp --dport 22 -j ACCEPT -A INPUT -p tcp --dport 993 -j ACCEPT -A INPUT -p udp -m udp --dport 5353 -j ACCEPT
SMB
137 -j ACCEPT -A INPUT -p udp -m udp -s fded:c2f7:43ef::/64 --dport 138 -j ACCEPT -A INPUT -p udp -m udp -s fded:c2f7:43ef::/64 --dport 139 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp -s fded:c2f7:43ef::/64 --dport 445 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp -s fded:c2f7:43ef::/64 --dport
wireguard
51820 -j ACCEPT -A INPUT -p udp -m udp --dport -A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT -A FORWARD -i wg0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachable -A INPUT -m conntrack --ctstate INVALID -j DROP COMMIT"))))
wireguard
details can be found (and mostly ignored) in the Connecting to Wireguard VPN section of the cookbook
(service wireguard-service-type
(wireguard-configuration"10.0.0.23/32" "fded:dada::23/128"))
(addresses '("/etc/wireguard/private.key")
(private-key 51820)
(port
(peerslist
(
(wireguard-peer"lmn")
(name "example.org:51820")
(endpoint "WHmVhvgxkBxk8fqZU6pWEaH4iVzOcud9JQivwRsaIE8=")
(public-key "10.0.0.1/24" "fded:dada::1/64"))
(allowed-ips '(25))
(keep-alive
(wireguard-peer"beryllium")
(name "example.org:51820")
(endpoint "taeID3fNgci9OpE+1UYkS4DYZE6DIlhpLQL1BVN9sg8=")
(public-key "10.0.0.13/32" "fded:dada::13/128"))
(allowed-ips '(25)))))) (keep-alive
display manager
;; (service gdm-service-type
;; (gdm-configuration
;; (auto-suspend? #f)
;; (xorg-configuration
;; (xorg-configuration
;; (keyboard-layout keyboard-layout)
(service sddm-service-type
(sddm-configuration"x11")
(display-server #t)
(remember-last-user? "chili")
(theme
(xorg-configuration
(xorg-configuration (keyboard-layout keyboard-layout)
Trackpad config using libinput
"Section \"InputClass\"
(extra-config '( Identifier \"touchpad\"
Driver \"libinput\"
MatchIsTouchpad \"on\"
Option \"Tapping\" \"on\"
Option \"TappingButtonMap\" \"lrm\"
Option \"ClickMethod\" \"clickfinger\"
Option \"AccelProfile\" \"adaptive\"
EndSection"))))))
desktop environments
Provide Gnome, KDE (plasma) and xfce as desktop environments. exwm is enabled automatically via module.
(service plasma-desktop-service-type);; (service gnome-desktop-service-type)
(service xfce-desktop-service-type)
file sharing
(service samba-service-type
(samba-configuration#t)
(enable-smbd?
(config-file"smb.conf" "\
(plain-file [global]
protocol = SMB3
logging = syslog@1
workgroup = FOAM
netbios name = zxXCXxz
security = user
case sensitive = yes
preserve case = yes
short preserve case = yes
[homes]
valid users = %S
browsable = no
writable = yes
"))))
bluetooth
                     ;; Bluetooth daemon with its default configuration.
(service bluetooth-service-type)
printing
                     ;; CUPS printing with its default configuration.
(service cups-service-type)
modify desktop services
If gdm is reconfigured (see above) or any other display manager is
declared, gdm needs to be removed from %desktop-services
;; end services list )
(modify-services %desktop-services (delete gdm-service-type))))
mDNS
Enable resolution of '.local' host names with mDNS.
  ;; Resolve .local names through mDNS in addition to the usual sources.
(name-service-switch %mdns-host-lookup-nss)
screen locker
screen locker requires suid
(setuid-programscons*
(
(setuid-program"/libexec/xsecurelock/authproto_pam")))
(program (file-append xsecurelock %setuid-programs))
initrd
initrd with AMD microcode blobs
lambda (file-systems . rest)
(initrd (
(apply microcode-initrd file-systems
#:initrd base-initrdlist amd-microcode)
#:microcode-packages (
rest)))
bootloader
(bootloader (bootloader-configuration
(bootloader grub-efi-bootloader)list "/boot/efi"))
(targets ( (keyboard-layout keyboard-layout)))
swap device
list (swap-space
(swap-devices (
(target (uuid"e7cc2ca5-169a-4511-865f-d2d7ed72c05c")))))
file systems & mount points
The list of file systems that get mounted. The unique file system
identifiers ("UUIDs") can be obtained by running blkid
in a terminal.
cons* (file-system
(file-systems ("/boot/efi")
(mount-point "8B3C-3BC0" 'fat32))
(device (uuid "vfat"))
(type
(file-system"/")
(mount-point
(device (uuid"e0ece027-0396-4546-8aba-2ce91285d061"
'ext4))"ext4"))
(type %base-file-systems))
FIN
;; end operating-system declaration )