;; Ceci est une configuration de système d'exploitation générée par
;; l'installateur graphique.
;;
;; Une fois l'installation terminée, vous pouvez apprendre à modifier
;; ce fichier pour ajuster la configuration du système et le passer à
;; la commande « guix system reconfigure » pour rendre vos changements
;; effectifs.
;; Indique quels modules importer pour accéder aux variables
;; utilisées dans cette configuration.
(use-modules (gnu))
(use-modules (srfi srfi-1))
(use-modules (gnu system setuid)
(gnu packages cups)
(gnu packages admin)
(gnu services shepherd))
(use-service-modules cups
desktop
networking
ssh
xorg
virtualization
vpn
security-token)
;; Configuration sudoer personnalisée
;; Sudo policy installed as the system sudoers file (consumed by the
;; `sudoers-file' field of the operating-system declaration below).
;; NOTE(review): the wheel rule carries NOPASSWD:, so every member of
;; "wheel" -- and every process running under such an account, e.g. a
;; hijacked desktop session -- can become root without any credential
;; prompt.  Remove "NOPASSWD: " unless that trade-off is deliberate.
;; The string uses a backslash-newline continuation so the file content
;; starts directly with the "root" line.
(define %sudoers-specification
  (plain-file "sudoers" "\
root ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
"))
;; Configuration spice personnalisée
;; Permet le partage de périphériques USB via virt-manager
;; Permet l'utilisation d'une nitrokey
;; udev rules file "41-spice-and-nitrokey.rules", installed through
;; `udev-rules-service' in the services list below.
;; NOTE(review): the first two rules match SUBSYSTEM=="usb" and
;; "usb_device" with no vendor/product filter, so the "spice" group is
;; granted read/write access (MODE 0660) to every USB device node on the
;; machine, not only the devices meant to be redirected to guests.
;; Restricting those two rules to the actual device IDs would shrink
;; that exposure.
;; The block between ACTION!="add|change" and LABEL="u2f_end" tags the
;; listed hidraw devices with "uaccess" (access for the active seat);
;; the block ending at LABEL="gnupg_rules_end" additionally marks the
;; listed devices as smartcard readers driven by "gnupg".  The final
;; rule gives the first partition of the listed USB mass-storage device
;; a stable /dev/nitrospace symlink.
(define %spice-rules
  (udev-rule
   "41-spice-and-nitrokey.rules"
   (string-append "\
SUBSYSTEM==\"usb\", GROUP=\"spice\", MODE=\"0660\"
SUBSYSTEM==\"usb_device\", GROUP=\"spice\", MODE=\"0660\"
ACTION!=\"add|change\", GOTO=\"u2f_end\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"2581\", ATTRS{idProduct}==\"f1d0\", TAG+=\"uaccess\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"4287\", TAG+=\"uaccess\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42b1\", TAG+=\"uaccess\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42b2\", TAG+=\"uaccess\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42dd\", TAG+=\"uaccess\"
ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42e8\", TAG+=\"uaccess\"
LABEL=\"u2f_end\"
SUBSYSTEM!=\"usb\", GOTO=\"gnupg_rules_end\"
ACTION!=\"add\", GOTO=\"gnupg_rules_end\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4107\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4108\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42b4\", TAG+=\"uaccess\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4109\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
ATTR{idVendor}==\"03eb\", ATTR{idProduct}==\"2ff1\", TAG+=\"uaccess\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4211\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4230\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
LABEL=\"gnupg_rules_end\"
KERNEL==\"sd?1\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"4109\", SYMLINK+=\"nitrospace\"
")))
;; Définition du service de contrôle des ventilateurs
;; Build the Shepherd service that supervises the fancontrol daemon.
;; CFG-PATH is the path of the fancontrol configuration file, passed to
;; the daemon as its only command-line argument; it is the value of
;; fancontrol-service-type (see below).  That file does not appear to be
;; provisioned anywhere in this configuration, so it must already exist
;; on the target system or the service will fail to start.
;; The daemon is started as root:root -- presumably because it needs to
;; write hwmon sysfs nodes; confirm -- and its output goes to
;; /var/log/fancontrol.log.  It is only started once udev and user
;; processes are up, and is stopped by killing the process.
(define (fancontrol-shepherd-service cfg-path)
  (let ((fancontrol-bin (file-append (specification->package "lm-sensors")
                                     "/sbin/fancontrol")))
    (shepherd-service
     (provision '(fancontrol))
     (requirement '(udev user-processes))
     (documentation "Run the fancontrol daemon (fancontrol-daemon).")
     (start #~(make-forkexec-constructor
               (list #$fancontrol-bin #$cfg-path)
               #:user "root" #:group "root"
               #:log-file "/var/log/fancontrol.log"))
     (stop #~(make-kill-destructor)))))
;; Service type for the fancontrol daemon.  Its value is the path of the
;; fancontrol configuration file, which is handed unchanged to
;; fancontrol-shepherd-service; the only extension is the Shepherd root
;; service, which receives a one-element list with that service.
(define fancontrol-service-type
  (let ((shepherd-services
         (lambda (cfg-path)
           (list (fancontrol-shepherd-service cfg-path)))))
    (service-type
     (name 'fancontrol)
     (extensions
      (list (service-extension shepherd-root-service-type
                               shepherd-services)))
     (description "Run fancontrol as a daemon."))))
;; Configuration du système
;; C'est le point d'entrée de la configuration
;; The operating-system record consumed by `guix system reconfigure'.
;; Fields are grouped as: identity/locale, kernel, users and privileged
;; programs, packages, services, bootloader, storage.
(operating-system
  (locale "fr_FR.utf8")
  (timezone "Europe/Paris")
  (keyboard-layout (keyboard-layout "fr" "oss"))
  (host-name "n-guix-fix")

  ;; Kernel command line: scheduler/SATA/nouveau tuning options, a
  ;; modprobe blacklist for the PC speaker and the legacy usbmouse/usbkbd
  ;; drivers, and "iommu=pt" -- presumably for the vfio passthrough
  ;; setup enabled by the initrd modules below; confirm.
  (kernel-arguments
   (list "nohz=on" "libata.force=noncq" "modprobe.blacklist=pcspkr,usbmouse,usbkbd" "iommu=pt" "nouveau.config=NvClkMode=15"))

  ;; Extra initrd modules on top of the defaults: the w83795 sensor
  ;; driver (likely for fancontrol), vfio for device passthrough, and the
  ;; device-mapper targets; dm-crypt is what opens the LUKS /home volume
  ;; declared in `mapped-devices' below.
  (initrd-modules (append (list "w83795" "vfio-pci" "vfio_iommu_type1" "dm-raid" "dm-cache" "dm-crypt") %base-initrd-modules))

  ;; Install the custom sudoers policy defined above (it grants "wheel"
  ;; passwordless root).
  (sudoers-file %sudoers-specification)

  ;; The list of user accounts ("root" is implicit).
  ;; NOTE(review): "wheel" combined with the NOPASSWD sudoers rule, plus
  ;; the "kvm" and "libvirt" groups (commonly treated as
  ;; root-equivalent), make this account root-equivalent; its password
  ;; and session are therefore as sensitive as root's.
  (users (cons* (user-account
                 (name "neox")
                 (comment "neox")
                 (group "users")
                 (home-directory "/home/neox")
                 (supplementary-groups '("users" "wheel" "netdev" "audio" "video" "libvirt" "kvm" "scanner" "spice" "cdrom" "lpadmin")))
                %base-user-accounts))

  ;; Programs installed setuid-root in addition to the defaults
  ;; (%setuid-programs): the cdrtools and cdrdao burning tools.
  ;; NOTE(review): every setuid binary is a local privilege boundary;
  ;; keep this list to what actually needs raw device access (mkisofs
  ;; only builds images and may not need setuid at all -- verify).
  (setuid-programs
   (append (list
            (setuid-program
             (program (file-append (specification->package "cdrtools") "/bin/cdrecord")))
            (setuid-program
             (program (file-append (specification->package "cdrtools") "/bin/readcd")))
            (setuid-program
             (program (file-append (specification->package "cdrtools") "/bin/mkisofs")))
            (setuid-program
             (program (file-append (specification->package "cdrdao") "/bin/cdrdao"))))
           %setuid-programs))

  ;; A few packages installed system-wide.
  ;; Notably network-manager and its OpenVPN plugin, and
  ;; libvirt/virt-manager for virtualization.
  (packages (append (list (specification->package "qemu")
                          (specification->package "virt-manager")
                          (specification->package "libvirt")
                          (specification->package "lm-sensors")
                          (specification->package "lvm2")
                          (specification->package "mdadm")
                          (specification->package "network-manager")
                          (specification->package "network-manager-openvpn")
                          (specification->package "xf86-video-ati")
                          (specification->package "thin-provisioning-tools"))
                    %base-packages))

  ;; System services: %desktop-services plus the additions below, with
  ;; the default behaviour of a few services adjusted via modify-services.
  (services
   (modify-services (append (list
                             (service gnome-desktop-service-type)

                             ;; Fan control service.  "/etc/fancontrol" is
                             ;; the daemon's configuration file; it is not
                             ;; provisioned by this file and must exist on
                             ;; the target.
                             (service fancontrol-service-type "/etc/fancontrol")

                             ;; Smartcard daemon, for hardware security keys.
                             (service pcscd-service-type)

                             ;; NOTE(review): sshd X11 forwarding exposes the
                             ;; X display of connecting clients to processes
                             ;; on this host and widens sshd's attack
                             ;; surface; leave it off unless it is needed.
                             ;; Root login is limited to key-based auth.
                             (service openssh-service-type
                                      (openssh-configuration
                                       (x11-forwarding? #t)
                                       (permit-root-login 'prohibit-password)))

                             ;; Printing and scanner services.  The CUPS web
                             ;; interface is enabled; where it listens is
                             ;; left to the cups-configuration defaults.
                             (service cups-service-type
                                      (cups-configuration
                                       (web-interface? #t)
                                       (extensions
                                        (list cups-filters epson-inkjet-printer-escpr hplip-minimal))))
                             (service sane-service-type)

                             ;; KVM/libvirt services for virt-manager
                             (service libvirt-service-type)
                             (service virtlog-service-type)

                             ;; Install the custom spice udev rules defined
                             ;; above; the "spice" group referenced by the
                             ;; rules is created here.
                             (udev-rules-service 'spice %spice-rules #:groups '("spice"))

                             ;; Raise rtprio/memlock limits for the "audio"
                             ;; group, for real-time audio (e.g. Ardour).
                             (service pam-limits-service-type
                                      (list
                                       (pam-limits-entry "@audio" 'both 'rtprio 99)
                                       (pam-limits-entry "@audio" 'both 'memlock 'unlimited)))

                             ;; Graphical environment configuration
                             ;; (keyboard layout in particular).
                             (set-xorg-configuration
                              (xorg-configuration (keyboard-layout keyboard-layout))))
                            %desktop-services)

     ;; Extend the default network-manager service with the OpenVPN plugin.
     (network-manager-service-type config => (network-manager-configuration
                                              (inherit config)
                                              (vpn-plugins
                                               (list (specification->package "network-manager-openvpn")))))

     ;; Pass --cores=10 to guix-daemon (cores used per build).
     (guix-service-type config => (guix-configuration
                                   (inherit config)
                                   (extra-options '("--cores=10"))))))

  ;; Bootloader (GRUB): where it is installed and how it is configured.
  ;; grub-bootloader is installed to the whole NVMe disk; the menu uses
  ;; the console terminal, the system keyboard layout and a 640x480 mode.
  (bootloader
   (bootloader-configuration
    (bootloader grub-bootloader)
    (targets (list "/dev/nvme0n1"))
    (terminal-outputs '(console))
    (keyboard-layout keyboard-layout)
    (theme
     (grub-theme
      (inherit (grub-theme))
      (gfxmode '("640x480-24"))))))

  ;; Mapped devices: the LUKS volume on the third NVMe partition, opened
  ;; under /dev/mapper/<target> and mounted at /home below.
  ;; NOTE(review): only /home is encrypted; everything else, including
  ;; /etc and /var, lives on the plain ext4 root.  The source is given as
  ;; a device path rather than a UUID (unlike "/"), so a change in device
  ;; enumeration would break the mapping -- consider `(uuid ...)' here too.
  (mapped-devices
   (list
    (mapped-device
     (source "/dev/nvme0n1p3")
     (target "luks-d1673001-bea6-4d19-8ed7-88e3643aac3e")
     (type luks-device-mapping))))

  ;; File systems mounted at boot: the unencrypted root by UUID, and
  ;; /home through its mapped device -- hence the dependency on
  ;; mapped-devices so the LUKS volume is opened before the mount.
  (file-systems
   (cons*
    (file-system
     (mount-point "/")
     (device (uuid "2e44f3f7-bb6b-43ac-933a-e8992bf10d29" 'ext4))
     (type "ext4"))
    (file-system
     (mount-point "/home")
     (device "/dev/mapper/luks-d1673001-bea6-4d19-8ed7-88e3643aac3e")
     (type "ext4")
     (dependencies mapped-devices))
    %base-file-systems)))