From 1d54c72761f7d64210e7fec4326209895a901ac0 Mon Sep 17 00:00:00 2001
From: Adrien Bourmault
Date: Mon, 2 Oct 2023 22:27:41 +0200
Subject: [PATCH] =?UTF-8?q?Ajout=20du=20service=20pcscd=20et=20am=C3=A9lio?=
 =?UTF-8?q?ration=20de=20la=20doc?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 config.scm | 128 +++++++++++++++++++++++++++++++----------------------
 1 file changed, 75 insertions(+), 53 deletions(-)

diff --git a/config.scm b/config.scm
index ca1db3d..07c36e2 100644
--- a/config.scm
+++ b/config.scm
@@ -16,36 +16,45 @@
 (use-modules (nongnu packages linux)
              (nongnu system linux-initrd))
 (use-service-modules cups desktop networking ssh xorg virtualization vpn)
-;; Définitions
-
+;; Configuration sudoer personnalisée
 (define %sudoers-specification
   (plain-file "sudoers" "\
 root ALL=(ALL) ALL
 %wheel ALL=(ALL) NOPASSWD: ALL
 "))
 
+;; Configuration spice personnalisée
+;; Permet le partage de périphériques USB via virt-manager
+;; Permet l'utilisation d'une nitrokey
 (define %spice-rules
   (udev-rule
-    "50-spice.rules"
+    "41-spice-and-nitrokey.rules"
     (string-append "\
 SUBSYSTEM==\"usb\", GROUP=\"spice\", MODE=\"0660\"
 SUBSYSTEM==\"usb_device\", GROUP=\"spice\", MODE=\"0660\"
+ACTION!=\"add|change\", GOTO=\"u2f_end\"
+KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"2581\", ATTRS{idProduct}==\"f1d0\", TAG+=\"uaccess\"
+KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"4287\", TAG+=\"uaccess\"
+KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42b1\", TAG+=\"uaccess\"
+KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42b2\", TAG+=\"uaccess\"
+KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42dd\", TAG+=\"uaccess\"
+ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42e8\", TAG+=\"uaccess\"
+LABEL=\"u2f_end\"
+SUBSYSTEM!=\"usb\", GOTO=\"gnupg_rules_end\"
+ACTION!=\"add\", GOTO=\"gnupg_rules_end\"
+ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4107\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
+ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4108\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
+ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42b4\", TAG+=\"uaccess\"
+ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4109\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
+ATTR{idVendor}==\"03eb\", ATTR{idProduct}==\"2ff1\", TAG+=\"uaccess\"
+ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4211\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
+ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4230\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
+LABEL=\"gnupg_rules_end\"
+KERNEL==\"sd?1\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"4109\", SYMLINK+=\"nitrospace\"
 ")))
 
-(define channels
-  ;; This is the old revision from which we want to
-  ;; extract guile-json.
-  (list (channel
-          (name 'guix)
-          (url "https://git.savannah.gnu.org/git/guix.git")
-          (commit
-            "306737c6797cc209a4f034e51c4057c15c6cc311"))))
-
-(define inferior
-  ;; An inferior representing the above revision.
-  (inferior-for-channels channels))
-
-;; Début de la configuration
+;; Configuration du système
+;; C'est le point d'entrée de la configuration
 (operating-system
   (locale "fr_FR.utf8")
   (timezone "Europe/Paris")
@@ -57,6 +66,7 @@ SUBSYSTEM==\"usb_device\", GROUP=\"spice\", MODE=\"0660\"
   (initrd microcode-initrd)
   (firmware (list linux-firmware))
 
+  ;; Application de la configuration sudoer personnalisée (définie plus haut)
   (kernel-arguments (list "modprobe.blacklist=nouveau,pcspkr,usbmouse,usbkbd"
                           "iommu=pt"))
 
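Review bot: The two catch-all rules kept at the top of the string, `SUBSYSTEM==\"usb\", GROUP=\"spice\", MODE=\"0660\"` and its `usb_device` twin, also match the Nitrokey's own USB device node, so every member of the `spice` group gets read/write on the token regardless of which user the new `TAG+=\"uaccess\"` rules are granting per-seat access to. If the token is meant to be reachable only by the console user, either carve it out of the spice catch-all (for example by matching the spice rules on `ATTR{idVendor}!=\"20a0\"`, to be verified against the interface vs. device-node distinction in `udevadm info`) or keep the Nitrokey rules in their own file, and say in the comment above `%spice-rules` that spice-group members are trusted with the token if the catch-all stays. The comment should also record why the file is numbered `41-`: `uaccess` tags only become ACLs if this file sorts before elogind's `70-uaccess.rules`/`73-seat-late.rules`, which I am assuming come from `%desktop-services` rather than anything this hunk shows. A one-line pointer to the upstream rules file these vendor/product IDs were copied from would let the next maintainer refresh them.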
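Review bot: The added comment `;; Application de la configuration sudoer personnalisée (définie plus haut)` is placed directly above `(kernel-arguments ...)`, which has nothing to do with sudoers, so it documents the wrong field. Move it to the line just above the field that actually consumes `%sudoers-specification` — presumably a `(sudoers-file %sudoers-specification)` entry elsewhere in this `operating-system` form, which I cannot see from the hunk. The `kernel-arguments` line would then deserve its own note stating why `nouveau`, `pcspkr`, `usbmouse` and `usbkbd` are blacklisted and what `iommu=pt` is for, but only with the reasons the author actually had. The `operating-system` form begins and ends outside this hunk.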
@@ -85,9 +95,9 @@ SUBSYSTEM==\"usb_device\", GROUP=\"spice\", MODE=\"0660\"
              (program (file-append (specification->package "cdrdao") "/bin/cdrdao"))))
        %setuid-programs))
 
-  ;; Packages installed system-wide.  Users can also install packages
-  ;; under their own account: use 'guix search KEYWORD' to search
-  ;; for packages and 'guix install PACKAGE' to install a package.
+  ;; Quelques paquets installés au niveau du système.
+  ;; On installe notamment network-manager et son extension pour openvpn,
+  ;; ou encore libvirt/virt-manager pour la virtualisation
   (packages (append (list (specification->package "nss-certs")
                           (specification->package "qemu")
                           (specification->package "virt-manager")
@@ -98,40 +108,50 @@ SUBSYSTEM==\"usb_device\", GROUP=\"spice\", MODE=\"0660\"
                           (specification->package "network-manager-openvpn")
                           (specification->package "xf86-video-ati")
                           (specification->package "thin-provisioning-tools"))
-;                          (first (lookup-inferior-packages inferior "icecat")))
                     %base-packages))
 
-  ;; Voici la liste des services du système. Pour trouver les services disponibles,
-  ;; lancez « guix system search MOT-CLÉ » dans un terminal.
+  ;; Services du système.
+  ;; On en profite pour modifier le comportement par défaut de quelques services.
   (services
-    (modify-services (append
-                      (list
-                       (service gnome-desktop-service-type)
-                       (service openssh-service-type
-                                (openssh-configuration
-                                 (x11-forwarding? #t)
-                                 (permit-root-login 'prohibit-password)
-                                 (authorized-keys
-                                  `(("neox" ,(local-file "/home/neox/.ssh/id_rsa.pub"))))))
-                       (service cups-service-type
-                                (cups-configuration
-                                 (web-interface? #t)
-                                 (extensions
-                                  (list cups-filters epson-inkjet-printer-escpr hplip-minimal))))
-                       (service libvirt-service-type
-                                (libvirt-configuration
-                                 (unix-sock-group "libvirt")))
-                       (udev-rules-service 'spice %spice-rules #:groups '("spice"))
-                       (service virtlog-service-type)
-                       (pam-limits-service
-                        (list
-                         (pam-limits-entry "@audio" 'both 'rtprio 99)
-                         (pam-limits-entry "@audio" 'both 'memlock 'unlimited)))
+    (modify-services (append (list
+      (service gnome-desktop-service-type)
+
+      ;; Service de gestion des clés de chiffrement physique
+      (service pcscd-service-type)
 
-                       (set-xorg-configuration
-                        (xorg-configuration (keyboard-layout keyboard-layout))))
-                      %desktop-services)
+      (service openssh-service-type
+               (openssh-configuration
+                (x11-forwarding? #t)
+                (permit-root-login 'prohibit-password)
+                (authorized-keys
+                 `(("neox" ,(local-file "/home/neox/.ssh/id_rsa.pub"))))))
+      (service cups-service-type
+               (cups-configuration
+                (web-interface? #t)
+                (extensions
+                 (list cups-filters epson-inkjet-printer-escpr hplip-minimal))))
+
+      ;; Service KVM/Libvirt pour virt-manager
+      (service libvirt-service-type)
+      (service virtlog-service-type)
+
+      ;; Application de la configuration spice personnalisée (définie plus haut)
+      (udev-rules-service 'spice %spice-rules #:groups '("spice"))
+      ;; Modification des limites mémoires pour les accès audio temps réel
+      ;; (utile notamment pour Ardour)
+      (pam-limits-service
+       (list
+        (pam-limits-entry "@audio" 'both 'rtprio 99)
+        (pam-limits-entry "@audio" 'both 'memlock 'unlimited)))
+
+      ;; Configuration de l'environnement graphique (notamment clavier)
+      (set-xorg-configuration
+       (xorg-configuration (keyboard-layout keyboard-layout))))
+      %desktop-services)
+
+      ;; Configuration du service network-manager pour prendre en charge
+      ;; OpenVPN
       (network-manager-service-type config =>
         (network-manager-configuration (inherit config)
           (vpn-plugins
@@ -154,15 +174,15 @@ SUBSYSTEM==\"usb_device\", GROUP=\"spice\", MODE=\"0660\"
                  " (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)))")))
               %default-authorized-guix-keys))))))
 
+  ;; Chargeur de démarrage (GRUB)
+  ;; On indique ici où il doit être installé et comment le configurer
   (bootloader (bootloader-configuration
                 (bootloader grub-efi-bootloader)
                 (targets (list "/boot/efi"))
                 (keyboard-layout keyboard-layout)))
 
-  ;; La liste des systèmes de fichiers qui seront « montés ».  Les identifiants
-  ;; de systèmes de fichiers uniques (« UUIDs ») qui se trouvent ici s'obtiennent
-  ;; en exécutant « blkid » dans un terminal.
-
+  ;; Périphériques mappés
+  ;; On configure notamment ici les partitions chiffrées (LUKS)
   (mapped-devices
     (list (mapped-device
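Review bot: `(service pcscd-service-type)` is introduced under the comment `;; Service de gestion des clés de chiffrement physique`, yet the udev rules added in the same commit tag the Nitrokey with `ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\"`, i.e. GnuPG's built-in CCID driver is expected to drive the token; with pcscd also running, scdaemon and pcscd will contend for the same reader, and in my experience one side reports the card as absent unless scdaemon is told to go through PC/SC (`disable-ccid` in `scdaemon.conf`, not visible here). Either drop pcscd if nothing else needs PC/SC, or replace the vague comment with the intended split, e.g. `;; pcscd: PC/SC daemon for the Nitrokey; scdaemon must use it (disable-ccid) instead of its own CCID driver`. Separately, `(service libvirt-service-type)` silently drops the previous `(libvirt-configuration (unix-sock-group \"libvirt\"))`; if this relies on the service's default group being \"libvirt\", say so in the KVM/Libvirt comment, otherwise the socket's group ownership changes without the commit message mentioning it. The `modify-services` form continues past the end of this hunk.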
@@ -174,6 +194,8 @@ SUBSYSTEM==\"usb_device\", GROUP=\"spice\", MODE=\"0660\"
            (target "luks-f0a72a6c-499b-4445-8d13-21dc99337752")
            (type luks-device-mapping))))
 
+  ;; La liste des systèmes de fichiers montés au démarrage
+  ;; On configure ici le montage des partitions chiffrées et non chiffrées
   (file-systems
     (cons* (file-system