guix/config/framework13-system.org
2024-10-29 11:47:54 +01:00


A semi-literate config for GUIX running on a Framework 13 AMD laptop

  • generate config with org-babel-tangle (bound to C-c C-v t)
  • rebuild with guix system reconfigure framework13.scm (or similar)

header

generate a header and timestamp if required

echo ";; -*- mode: scheme;  coding: utf-8; -*-
;;
;; tangled from framework13-system.org on `date --rfc-3339 seconds`)"
<<timestamp()>>

modules

(use-modules (gnu)
             (gnu packages)
             (guix modules)
             (gnu system nss)
             (gnu system setuid)
             (gnu packages shells)
             (gnu packages linux)
             (gnu packages xdisorg)
             (gnu packages display-managers)
             (gnu packages emacs-xyz))

Include non-free linux kernel, modules and firmware from the nonguix channel (aka “The GUIX Channel That Shall Not Be Named”)

(use-modules (nongnu packages linux)
             (nongnu system linux-initrd))

service modules

(use-service-modules cups
                     sddm
                     desktop
                     networking
                     ssh
                     xorg
                     samba
                     sound
                     mail
                     vpn)

package modules

(use-package-modules admin
                     certs
                     package-management
                     ssh
                     tls
                     vpn)

kernel corruption

Some kernel corruption may be required to enable WIFI. Since the non-free kernel from nonguix prior to 6.7.2 doesn't include the driver for the RZ616/MT7922 adapter by default, it needs to be added explicitly. Defined here and used in the operating-system declaration below. (see also commit 3857d862 for the addition of nonguix-extra-linux-options)

(define-public linux-FWL13
  (corrupt-linux linux-libre-6.11
                 #:name "linux-fwl13"
                 #:configs '("CONFIG_MT7921E=m")))

operating-system

The operating-system declaration

(operating-system
 (host-name "zxxcxxz")
 (locale "en_GB.utf8")
 (timezone "Europe/Amsterdam")

hosts file for local & LAN name resolution and a persistent /etc/hosts (maybe convert to hosts-service-type)

(hosts-file (local-file "hosts.conf"))

keyboard layout

Layout is qwerty, CAPSLOCK is CTRL, Ctrl-Fn-Meta-super to left of SPACE. The keyboard-layout declared here can be used for boot, console and Xorg

(keyboard-layout (keyboard-layout
                  "us" "altgr-intl"
                  #:options '("ctrl:nocaps"
                              "altwin:swap_lalt_lwin")))

kernel

A custom kernel is configured above, kernel arguments are declared here.

The hid_sensor_hub module needs to be disabled for screen dimming and keyboard backlight to work as expected. Some other kernel arguments possibly required for (in)compatibility with other features include "amdgpu.sg_display=0", "acpi_osi=linux" and "acpi_backlight=vendor".

Kernel & driver details

Using linux-6.11 from nonguix (which includes CONFIG_MT7921E by default as of 6.7.2)

(kernel linux-6.11)
;; (kernel linux-FWL13)

testing Adaptive Backlight Management (ABM)

;; (kernel-arguments '("amdgpu.abmlevel=3"))
;; (kernel-arguments '("modprobe.blacklist=hid_sensor_hub")) ;; required prior to 6.7
;; cons* takes the list to extend as its final argument; a record field takes a single value
(kernel-arguments (cons* "resume=/swapfile"
                         "splash" "quiet"
                         %default-kernel-arguments))

…and required firmware (should be possible to reduce to specifics)

(firmware (list linux-firmware
                amdgpu-firmware
                amd-microcode))
;; (firmware (list amdgpu-firmware
;;                 amd-microcode
;;                 realtek-firmware))

users & groups

(users (cons* (user-account
               (name "zzk")
               (comment "zzk")
               (group "users")
               (home-directory "/home/zzk")
               (shell (file-append zsh "/bin/zsh"))
               (supplementary-groups '("wheel"
                                       "netdev"
                                       "audio"
                                       "video"
                                       "www-data"
                                       "realtime"
                                       "lp")))
              (user-account
               (name "www-data")
               (group "www-data")
               (home-directory "/home/www"))
              %base-user-accounts))
(groups (cons* (user-group
                (name "www-data"))
               (user-group
                (system? #t)
                (name "realtime"))
               %base-groups))

sudoers

 (sudoers-file
  (plain-file "sudoers"
              "root ALL=(ALL) ALL
%wheel ALL=NOPASSWD: ALL"))

system-wide packages

Packages installed system-wide. Users can also install packages under their own account: use guix search KEYWORD to search for packages and guix install PACKAGE to install a package.

(packages
 (append (map specification->package
              '("emacs"
                "emacs-guix"
                "emacs-exwm"
                "openssh-sans-x"
                ;; xfce
                "xfce4-power-manager"
                "xfce4-settings"
                "xfce4-session"
                "xfce4-panel"
                ;; gnome extras
                "gvfs"
                ; sddm
                "chili-sddm-theme"
                ;; vpn
                "wireguard-tools"
                ))
         %base-packages))

system services

Below is the list of enabled system services. To search for any available services, run guix system search KEYWORD in a terminal.

(services
 (append (list

SSH

(service openssh-service-type
         (openssh-configuration
          (openssh openssh-sans-x)
          (password-authentication? #true)
          (authorized-keys
           `(("zzk" ,(local-file "zzk_rsa.pub"))
             ("root" ,(local-file "zzk_rsa.pub"))))))

mail

use dovecot for local IMAP

(service dovecot-service-type
         (dovecot-configuration
          (mail-location "maildir:%h/Maildir:LAYOUT=fs")))

iptables

iptables configuration to allow SSH on port 22, IMAPS on 993, wireguard (wg0), syncthing, mDNS and local smb for 192.168.0.0/16

(service iptables-service-type
         (iptables-configuration
          (ipv4-rules (plain-file "iptables.rules"
  1. ipv4 rules

    "*nat
    :PREROUTING ACCEPT
    :INPUT ACCEPT
    :OUTPUT ACCEPT
    :POSTROUTING ACCEPT
    -A POSTROUTING -o en0 -j MASQUERADE
    COMMIT
    *filter
    :INPUT ACCEPT
    :FORWARD ACCEPT
    :OUTPUT ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
    -A INPUT -p udp -m udp --dport 5353 -j ACCEPT

    SMB

    -A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 137 -j ACCEPT
    -A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 138 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 139 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 445 -j ACCEPT

    wireguard

    -A INPUT -p udp -m udp --dport 51820 -j ACCEPT
    -A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A FORWARD -i wg0 -j ACCEPT

    syncthing

    -A INPUT -p tcp -s 192.168.0.0/16 --dport 8384 -j ACCEPT
    -A INPUT -p tcp -s 192.168.0.0/16 --dport 21027 -j ACCEPT

    otherwise

    -A INPUT -m conntrack --ctstate INVALID -j DROP
    -A INPUT -j REJECT --reject-with icmp-port-unreachable
    COMMIT
    "))
  2. ipv6 rules

                         (ipv6-rules (plain-file "ip6tables.rules"
    "*nat
    :PREROUTING ACCEPT
    :INPUT ACCEPT
    :OUTPUT ACCEPT
    :POSTROUTING ACCEPT
    -A POSTROUTING -o en0 -j MASQUERADE
    COMMIT
    *filter
    :INPUT ACCEPT
    :FORWARD ACCEPT
    :OUTPUT ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp --dport 993 -j ACCEPT
    -A INPUT -p udp -m udp --dport 5353 -j ACCEPT

    SMB

    -A INPUT -p udp -m udp -s fded:c2f7:43ef::/64 --dport 137 -j ACCEPT
    -A INPUT -p udp -m udp -s fded:c2f7:43ef::/64 --dport 138 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp -s fded:c2f7:43ef::/64 --dport 139 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp -s fded:c2f7:43ef::/64 --dport 445 -j ACCEPT

    wireguard

    -A INPUT -p udp -m udp --dport 51820 -j ACCEPT
    -A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A FORWARD -i wg0 -j ACCEPT

    syncthing

    -A INPUT -p tcp -s fded:c2f7:43ef::/64 --dport 8384 -j ACCEPT
    -A INPUT -p tcp -s fded:c2f7:43ef::/64 --dport 21027 -j ACCEPT

    otherwise

    -A INPUT -m conntrack --ctstate INVALID -j DROP
    -A INPUT -j REJECT --reject-with icmp6-port-unreachable
    COMMIT
    "))))
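A small lint for hand-written iptables-restore files like the two above, added here as an example (it is not part of this config). It flags three easy mistakes: a rule appended to INPUT after an unconditional REJECT/DROP (never reached), an address of the wrong family in the ip6tables file, and a catch-all reject without a loopback accept. The sample files are constructed for the demo.

```shell
#!/bin/sh
# lint_rules FILE FAMILY (FAMILY is 4 or 6): exit 0 if clean, 1 if a pitfall is found.
# Only the filter table's INPUT chain is checked for ordering; -s/-d are checked everywhere.
lint_rules() {
  awk -v fam="$2" '
    /^\*/ { table = substr($0, 2); next }            # *nat, *filter ...
    table == "filter" && $1 == "-A" && $2 == "INPUT" {
      if (terminal) { print "unreachable, follows catch-all: " $0; bad = 1 }
      if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) terminal = 1
      if ($0 ~ /-i lo /) saw_lo = 1
    }
    $1 == "-A" {
      for (i = 1; i < NF; i++) if ($i == "-s" || $i == "-d") {
        a = $(i + 1)
        if (fam == 6 && a ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) { print "IPv4 address in ip6tables file: " $0; bad = 1 }
        if (fam == 4 && a ~ /:/) { print "IPv6 address in iptables file: " $0; bad = 1 }
      }
    }
    END {
      if (terminal && !saw_lo) { print "catch-all REJECT/DROP without -A INPUT -i lo -j ACCEPT"; bad = 1 }
      exit bad
    }' "$1"
}

# Constructed samples (not the files from this config): a trimmed ip6tables file
# with all three pitfalls, and the same file corrected.
BAD6=$(mktemp); GOOD6=$(mktemp)
cat > "$BAD6" <<'EOF'
*filter
:INPUT ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s 192.168.0.0/16 --dport 8384 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF
cat > "$GOOD6" <<'EOF'
*filter
:INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s fded:c2f7:43ef::/64 --dport 8384 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
EOF
lint_rules "$BAD6" 6 || echo "pitfalls found in $BAD6"
lint_rules "$GOOD6" 6 && echo "$GOOD6 is clean"
```

Run it against the tangled iptables.rules (family 4) and ip6tables.rules (family 6) before guix system reconfigure; a real load test still needs iptables-restore --test as root.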

wireguard

details can be found (and mostly ignored) in the Connecting to Wireguard VPN section of the cookbook

(service wireguard-service-type
    (wireguard-configuration
      (addresses '("10.0.0.23/32" "fded:dada::23/128"))
      (private-key "/etc/wireguard/private.key")
      (port 51820)
      (peers
       (list
        (wireguard-peer
         (name "lmn")
         (endpoint "example.org:51820")
         (public-key "WHmVhvgxkBxk8fqZU6pWEaH4iVzOcud9JQivwRsaIE8=")
         (allowed-ips '("10.0.0.1/24" "fded:dada::1/64"))
         (keep-alive 25))
        (wireguard-peer
         (name "beryllium")
         (endpoint "example.org:51820")
         (public-key "taeID3fNgci9OpE+1UYkS4DYZE6DIlhpLQL1BVN9sg8=")
         (allowed-ips '("10.0.0.13/32" "fded:dada::13/128"))
         (keep-alive 25))
        (wireguard-peer
         (name "vrt")
         (public-key "4xA6sNrHyAebXZ2i8szdN0WMhH61CE786H+pGQwuLlA=")
         (allowed-ips '("10.0.0.22/32" "fded:dada::22/128"))
         (keep-alive 25))))))

display manager

(service sddm-service-type
        (sddm-configuration
         (display-server "x11")
         (remember-last-user? #t)
         (theme "chili")
         (xorg-configuration
          (xorg-configuration
            (keyboard-layout keyboard-layout)

Trackpad config using libinput

(extra-config '("Section \"InputClass\"
                     Identifier \"touchpad\"
                     Driver \"libinput\"
                     MatchIsTouchpad \"on\"
                     Option \"Tapping\" \"on\"
                     Option \"TappingButtonMap\" \"lrm\"
                     Option \"ClickMethod\" \"clickfinger\"
                     Option \"AccelProfile\" \"adaptive\"
                 EndSection"))))))

desktop environments

Provide Gnome, KDE (plasma) and/or xfce as desktop environments. exwm is enabled automatically via module.

(service plasma-desktop-service-type)
;; (service gnome-desktop-service-type)
;; (service xfce-desktop-service-type)
;; (service lxqt-desktop-service-type)

file sharing

           (service samba-service-type
                    (samba-configuration
                     (enable-smbd? #t)
                     (config-file
                      (plain-file "smb.conf" "\
[global]
protocol = SMB3
logging = syslog@1
workgroup = FOAM
netbios name = zxXCXxz
security = user
case sensitive = yes
preserve case = yes
short preserve case = yes

[homes]
valid users = %S
browsable = no
writable = yes
"))))

realtime

real-time scheduling for the realtime group (sound, supercollider, etc)

(service pam-limits-service-type
         (list
          (pam-limits-entry "@realtime" 'both 'rtprio 99)
          (pam-limits-entry "@realtime" 'both 'memlock 'unlimited)))

bluetooth

(service bluetooth-service-type)

printing

(service cups-service-type)

firmware updates

via fwupd (incomplete)

;; (simple-service 'fwupd-dbus dbus-root-service-type
;;     (list fwupd-nonfree))

modify desktop services

If gdm is reconfigured (see above) or any other display manager is declared, gdm needs to be removed from %desktop-services

) ;; end services list
(modify-services %desktop-services
                 (delete gdm-service-type))))

mDNS

Enable resolution of '.local' host names with mDNS (as of 2024-06-17 looks like this conflicts with smbd)

;; (name-service-switch %mdns-host-lookup-nss)

screen locker

screen locker requires suid

;;  (service screen-locker-service-type
;;   (screen-locker-configuration
;;     (name "xscreensaver")
;;     (program (file-append xscreensaver "/bin/xscreensaver")) (using-pam? #t)
;;     (using-setuid? #f)))

 (setuid-programs
  (cons*
   (setuid-program
    (program (file-append xsecurelock "/libexec/xsecurelock/authproto_pam")))
          %setuid-programs))

initrd

initrd with AMD microcode blobs

(initrd (lambda (file-systems . rest)
          (apply microcode-initrd file-systems
                 #:initrd base-initrd
                 #:microcode-packages (list amd-microcode)
                 rest)))

bootloader

(bootloader (bootloader-configuration
             (bootloader grub-efi-bootloader)
             (targets (list "/boot/efi"))
             (keyboard-layout keyboard-layout)))

file systems & mount points

Using LUKS for encrypted partitions requires mapped-devices

(mapped-devices (list (mapped-device
                        (source (uuid
                                 "9b5d47cd-d865-4ec9-81ec-30565fa767e4"))
                        (target "cryptroot")
                        (type luks-device-mapping))))

The list of file systems that get mounted. The unique file system identifiers ("UUIDs") can be obtained by running blkid in a terminal.

(file-systems (cons* (file-system
                       (mount-point "/boot/efi")
                       (device (uuid "0D77-7016" 'fat32))
                       (type "vfat"))
                     (file-system
                       (mount-point "/")
                       (device "/dev/mapper/cryptroot")
                       (type "ext4")
                       (dependencies mapped-devices))
                     %base-file-systems))

swap device

keep swap file within the encrypted partition:

  • dd if=/dev/zero of=/swapfile bs=1M count=32768
  • chmod 0600 /swapfile && mkswap /swapfile && swapon /swapfile
  • add "resume=/swapfile" to kernel-arguments

(swap-devices (list (swap-space
                     (target "/swapfile")
                     (dependencies mapped-devices))))

FIN

) ;; end operating-system declaration