guix/config/framework13-system.org
2024-02-09 14:01:22 +01:00


A semi-literate config for GUIX running on a Framework 13 AMD laptop

  • generate config with org-babel-tangle (bound to C-c C-v t)
  • rebuild with guix system reconfigure framework13.scm (or similar)

header

generate a header and timestamp if required

echo ";; -*- mode: scheme;  coding: utf-8; -*-
;;
;; tangled from framework13-system.org on `date --rfc-3339 seconds`"
<<timestamp()>>

modules

(use-modules (gnu)
             (gnu packages)
             (guix modules)
             (gnu system nss)
             (gnu system setuid)
             (gnu packages shells)
             (gnu packages linux)
             (gnu packages xdisorg)
             (gnu packages emacs-xyz))

Include non-free linux kernel, modules and firmware from the nonguix channel (aka “The GUIX Channel That Shall Not Be Named”)

(use-modules (nongnu packages linux)
             (nongnu system linux-initrd))

service modules

(use-service-modules cups
                     desktop
                     networking
                     ssh
                     xorg
                     samba
                     sound
                     mail
                     vpn)

package modules

(use-package-modules admin
                     certs
                     package-management
                     ssh
                     tls
                     vpn)

kernel corruption

Some kernel corruption may be required to enable Wi-Fi. The non-free kernel from nonguix prior to 6.7.2 doesn't include the driver for the RZ616/MT7922 adapter by default, so it needs to be enabled explicitly. It is defined here and used in the operating-system declaration below (see also commit 3857d862 for the addition of nonguix-extra-linux-options).

(define-public linux-FWL13
  (corrupt-linux linux-libre-6.7
                 #:name "linux-fwl13"
                 #:configs '("CONFIG_MT7921E=m")))

operating-system

The operating-system declaration

(operating-system
 (host-name "zxxcxxz")
 (locale "en_GB.utf8")
 (timezone "Europe/Amsterdam")

hosts file for local & LAN name resolving and persistent /etc/hosts (maybe convert to hosts-service-type)

(hosts-file (local-file "hosts.conf"))

keyboard layout

Layout is qwerty, CAPSLOCK is CTRL, Ctrl-Fn-Meta-super to left of SPACE. The keyboard-layout declared here can be used for boot, console and Xorg

(keyboard-layout (keyboard-layout
                  "us" "altgr-intl"
                  #:options '("ctrl:nocaps"
                              "altwin:swap_lalt_lwin")))

kernel

A custom kernel is configured above, kernel arguments are declared here.

The hid_sensor_hub module needs to be disabled for screen dimming and keyboard backlight to work as expected. Other kernel arguments possibly required for (in)compatibility with other features include "amdgpu.sg_display=0", "acpi_osi=linux" and "acpi_backlight=vendor".

Kernel & driver details

Using linux-6.7 from nonguix, which includes CONFIG_MT7921E by default as of 6.7.2.

(kernel linux-6.7) ;; previously (kernel linux-FWL13)

testing Adaptive Backlight Management (ABM)

(kernel-arguments '("amdgpu.abmlevel=3"))
;; (kernel-arguments '("modprobe.blacklist=hid_sensor_hub")) ;; required prior to 6.7

…and required firmware (should be possible to reduce to specifics)

(firmware (list linux-firmware))
;; (firmware (list amdgpu-firmware
;;                 amd-microcode
;;                 realtek-firmware))

users & groups

(users (cons* (user-account
               (name "zzk")
               (comment "zzk")
               (group "users")
               (home-directory "/home/zzk")
               (shell (file-append zsh "/bin/zsh"))
               (supplementary-groups '("wheel"
                                       "netdev"
                                       "audio"
                                       "video"
                                       "www-data"
                                       "realtime"
                                       "lp")))
              (user-account
               (name "www-data")
               (group "www-data")
               (home-directory "/home/www"))
              %base-user-accounts))
(groups (cons* (user-group
                (name "www-data"))
               (user-group
                (system? #t)
                (name "realtime"))
               %base-groups))

sudoers

NOPASSWD lets every member of wheel become root without re-entering a password; the Guix default %sudoers-specification (%wheel ALL=(ALL) ALL) asks for one. Validate the file with visudo -c -f before reconfiguring, since a syntax error in /etc/sudoers locks sudo out entirely.

(sudoers-file
 (plain-file "sudoers"
             "root ALL=(ALL) ALL
%wheel ALL=NOPASSWD: ALL"))

system-wide packages

Packages installed system-wide. Users can also install packages under their own account: use guix search KEYWORD to search for packages and guix install PACKAGE to install a package.

(packages
 (append (map specification->package
              '("emacs"
                "emacs-guix"
                "emacs-exwm"
                "openssh-sans-x"
                "nss-certs"
                ;; xfce
                "xfce4-power-manager"
                "xfce4-settings"
                "xfce4-session"
                "xfce4-panel"
                ;; gnome extras
                "gnome-tweaks"
                "gvfs"
                ;; vpn
                "wireguard-tools"
                ))
         %base-packages))

system services

Below is the list of enabled system services. To search for any available services, run 'guix system search KEYWORD' in a terminal.

(services
 (append (list

SSH

Keys for zzk (and root) are installed from the same public key file; the root entry only takes effect if permit-root-login, which defaults to #f, is enabled. password-authentication? #true keeps password logins on while port 22 is open to every address in the firewall rules, so set it to #f once key login is confirmed working.

(service openssh-service-type
         (openssh-configuration
          (openssh openssh-sans-x)
          (password-authentication? #true)
          (authorized-keys
           `(("zzk" ,(local-file "zzk_rsa.pub"))
             ("root" ,(local-file "zzk_rsa.pub"))))))

mail

Use Dovecot for local IMAP. Note that the firewall opens IMAPS (993) to all addresses, not only the LAN.

(service dovecot-service-type
         (dovecot-configuration
          (mail-location "maildir:%h/Maildir:LAYOUT=fs")))

iptables

iptables configuration to allow SSH on port 22, IMAPS on 993, WireGuard (UDP 51820 and the wg0 interface), mDNS, and SMB only from the LAN (192.168.0.0/16, or the fded:c2f7:43ef::/64 ULA prefix over IPv6). Everything else on INPUT is rejected by the last rule, so any rule that must still fire (here the drop of conntrack INVALID packets) has to come before that REJECT; placed after it, it would never be evaluated. Lines starting with "#" are comments, which iptables-restore ignores.

(service iptables-service-type
         (iptables-configuration
          ;; ipv4 rules
          (ipv4-rules (plain-file "iptables.rules"
"*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A POSTROUTING -o en0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
# drop malformed or untracked packets before anything else
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
# SMB, LAN only
-A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 137 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 445 -j ACCEPT
# wireguard
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
-A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
# everything else: catch-all, nothing after this line is reached
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"))
          ;; ipv6 rules
          (ipv6-rules (plain-file "ip6tables.rules"
"*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A POSTROUTING -o en0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
# drop malformed or untracked packets before anything else
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
# SMB, LAN (ULA prefix) only
-A INPUT -p udp -m udp -s fded:c2f7:43ef::/64 --dport 137 -j ACCEPT
-A INPUT -p udp -m udp -s fded:c2f7:43ef::/64 --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s fded:c2f7:43ef::/64 --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s fded:c2f7:43ef::/64 --dport 445 -j ACCEPT
# wireguard
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
-A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
# everything else: catch-all, nothing after this line is reached
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
"))))
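Because iptables-restore applies rules in order and a catch-all REJECT ends the INPUT chain, a lint that flags rules shadowed by an earlier unconditional terminal rule is worth running before a reconfigure. The script below is an added example (POSIX sh plus awk), not code from this config or from Guix. It assumes the rules are in iptables-save syntax with one -A rule per line and targets given with -j; the sample written by write_sample_rules is constructed from the INPUT chain on this page with the INVALID drop placed after the REJECT, which is exactly the mistake it catches.

```shell
#!/bin/sh
# Lint an iptables-restore rules file for rules that can never match because an
# earlier rule in the same chain already ends evaluation for every packet.
# Assumptions (added example, not part of the Guix config):
#   - one "-A CHAIN ..." rule per line, as iptables-save writes them;
#   - a rule is unconditional when no match option (-p, -m, -s, -d, -i, -o, -f,
#     their long forms, or a "!" negation) appears before the -j target;
#   - ACCEPT, DROP, REJECT and RETURN end evaluation of the chain.

# Print every shadowed rule as "LINENO: RULE". Returns 0 when the file is
# clean, 1 when at least one rule is unreachable.
find_unreachable_rules() {
    awk '
        function has_match(    i) {
            for (i = 3; i <= NF && $i != "-j" && $i != "-g"; i++)
                if ($i ~ /^(-[pmsdiof]|!|--(protocol|match|source|src|destination|dst|in-interface|out-interface|fragment))$/)
                    return 1
            return 0
        }
        function ends_chain(    i) {
            for (i = 3; i < NF; i++)
                if ($i == "-j")
                    return $(i + 1) ~ /^(ACCEPT|DROP|REJECT|RETURN)$/
            return 0
        }
        # a new table or COMMIT resets the per-chain "already terminated" state
        $1 ~ /^\*/ || $1 == "COMMIT" { split("", dead); next }
        $1 == "-A" {
            if ($2 in dead) { printf "%d: %s\n", NR, $0; found = 1; next }
            if (!has_match() && ends_chain()) dead[$2] = 1
        }
        END { if (found) exit 1; exit 0 }
    ' "$1"
}

# Constructed sample: the INPUT chain from the page, with the INVALID drop
# left after the catch-all REJECT so that it is shadowed.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF
}

demo() {
    f=$(mktemp)
    write_sample_rules "$f"
    if find_unreachable_rules "$f"; then
        echo "no shadowed rules"
    else
        echo "shadowed rule(s) listed above: move them before the catch-all REJECT"
    fi
    rm -f "$f"
}
demo
```

Point find_unreachable_rules at the tangled iptables.rules and ip6tables.rules. It only reasons about unconditional terminal rules (a bare -j REJECT or -j DROP), so a rule shadowed by an overlapping match, say a broad -s 192.168.0.0/16 accept followed by a narrower one, is not reported. Where iptables is installed, iptables-restore --test FILE additionally checks the syntax without loading anything.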

wireguard

Details can be found (and mostly ignored) in the “Connecting to Wireguard VPN” section of the Guix cookbook. The private key is read from /etc/wireguard/private.key when the interface is brought up rather than being embedded in the declaration, which keeps it out of the world-readable /gnu/store; keep that file root-owned with mode 0600. Only the peers' public keys appear in the configuration.

(service wireguard-service-type
    (wireguard-configuration
      (addresses '("10.0.0.23/32" "fded:dada::23/128"))
      (private-key "/etc/wireguard/private.key")
      (port 51820)
      (peers
       (list
        (wireguard-peer
         (name "lmn")
         (endpoint "example.org:51820")
         (public-key "WHmVhvgxkBxk8fqZU6pWEaH4iVzOcud9JQivwRsaIE8=")
         (allowed-ips '("10.0.0.1/24" "fded:dada::1/64"))
         (keep-alive 25))
        (wireguard-peer
         (name "beryllium")
         (endpoint "example.org:51820")
         (public-key "taeID3fNgci9OpE+1UYkS4DYZE6DIlhpLQL1BVN9sg8=")
         (allowed-ips '("10.0.0.13/32" "fded:dada::13/128"))
         (keep-alive 25))))))
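As an added check (example shell, not part of this config or of Guix), the two functions below validate what the service relies on: peer public keys that are well-formed WireGuard keys (32 bytes, base64-encoded to 44 characters) and a private key file with mode 0600. They assume a base64 with a -d flag and a stat from either GNU coreutils (-c) or BSD (-f); the keys in the test are the two peer keys from this page.

```shell
#!/bin/sh
# Hygiene checks for the WireGuard material the service above depends on.
# Added example; assumes base64 -d and GNU or BSD stat are available.

# A WireGuard key is 32 bytes of Curve25519 material, base64-encoded to 44
# characters ending in "=". Returns 0 for a well-formed key, 1 otherwise.
wg_key_wellformed() {
    key="$1"
    [ "${#key}" -eq 44 ] || return 1
    case "$key" in *[!A-Za-z0-9+/=]*) return 1 ;; esac
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" = "32" ]
}

# The private key file is read at interface bring-up, so it must be a regular
# file readable only by its owner (root on the real system). Returns 0 when the
# mode is exactly 0600 and the content is a well-formed key.
wg_privkey_file_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    [ "$mode" = "600" ] || return 1
    wg_key_wellformed "$(cat "$f")"
}

# Usage: check the peer keys from the declaration and the on-disk private key.
for k in WHmVhvgxkBxk8fqZU6pWEaH4iVzOcud9JQivwRsaIE8= taeID3fNgci9OpE+1UYkS4DYZE6DIlhpLQL1BVN9sg8=; do
    if wg_key_wellformed "$k"; then echo "ok   $k"; else echo "BAD  $k"; fi
done
if [ -f /etc/wireguard/private.key ]; then
    wg_privkey_file_ok /etc/wireguard/private.key && echo "private key file ok" || echo "private key file: fix mode (chmod 600) or content"
fi
```

Run it as root if you want the private key file checked; unprivileged users cannot read /etc/wireguard and the second block is skipped. A key that fails wg_key_wellformed is usually a copy-paste truncation, which wg set reports only as a generic parse error.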

display manager

;; (service sddm-service-type
;;       (sddm-configuration
;;        (display-server "wayland")
;;        (remember-last-user? #t)))

(service gdm-service-type
         (gdm-configuration
          (auto-suspend? #f)
          (xorg-configuration
           (xorg-configuration
            (keyboard-layout keyboard-layout)
            ;; trackpad config using libinput
            (extra-config '("Section \"InputClass\"
                     Identifier \"touchpad\"
                     Driver \"libinput\"
                     MatchIsTouchpad \"on\"
                     Option \"Tapping\" \"on\"
                     Option \"TappingButtonMap\" \"lrm\"
                     Option \"ClickMethod\" \"clickfinger\"
                     Option \"AccelProfile\" \"adaptive\"
                 EndSection"))))))

desktop environments

Provide GNOME, KDE (Plasma) and Xfce as desktop environments. EXWM needs no service of its own; it comes with the emacs-exwm package installed system-wide above.

(service plasma-desktop-service-type)
(service gnome-desktop-service-type)
(service xfce-desktop-service-type)

file sharing

Samba serves each user's own home directory; the firewall restricts the SMB ports to the LAN (192.168.0.0/16 and fded:c2f7:43ef::/64). Note that protocol is a synonym for server max protocol, so the line below only caps the dialect at SMB3; to refuse older dialects, set server min protocol as well.

(service samba-service-type
         (samba-configuration
          (enable-smbd? #t)
          (config-file
           (plain-file "smb.conf" "\
[global]
protocol = SMB3
logging = syslog@1
workgroup = FOAM
netbios name = zxXCXxz
security = user
case sensitive = yes
preserve case = yes
short preserve case = yes

[homes]
valid users = %S
browsable = no
writable = yes
"))))

bluetooth

(service bluetooth-service-type)

printing

(service cups-service-type)

modify desktop services

If gdm is reconfigured (as above) or any other display manager is declared, gdm has to be removed from %desktop-services; otherwise the same service type is declared twice.

) ;; end services list
(modify-services %desktop-services
                 (delete gdm-service-type))))

mDNS

Enable resolution of '.local' host names with mDNS.

(name-service-switch %mdns-host-lookup-nss)

screen locker

The PAM helper used by the screen locker has to be setuid root to verify the password; only the helper is privileged, not xsecurelock itself.

(setuid-programs
 (cons* (setuid-program
         (program (file-append xsecurelock "/libexec/xsecurelock/authproto_pam")))
        %setuid-programs))

initrd

initrd with AMD microcode blobs

(initrd (lambda (file-systems . rest)
          (apply microcode-initrd file-systems
                 #:initrd base-initrd
                 #:microcode-packages (list amd-microcode)
                 rest)))

bootloader

(bootloader (bootloader-configuration
             (bootloader grub-efi-bootloader)
             (targets (list "/boot/efi"))
             (keyboard-layout keyboard-layout)))

swap device

(swap-devices (list (swap-space
                     (target (uuid
                              "e7cc2ca5-169a-4511-865f-d2d7ed72c05c")))))

file systems & mount points

The list of file systems that get mounted. The unique file system identifiers ("UUIDs") can be obtained by running blkid in a terminal.

(file-systems (cons* (file-system
                      (mount-point "/boot/efi")
                      (device (uuid "8B3C-3BC0" 'fat32))
                      (type "vfat"))
                     (file-system
                      (mount-point "/")
                      (device (uuid
                               "e0ece027-0396-4546-8aba-2ce91285d061"
                               'ext4))
                      (type "ext4"))
                     %base-file-systems))

FIN

) ;; end operating-system declaration