Ajout du service pcscd et amélioration de la doc

This commit is contained in:
Adrien Bourmault 2023-10-02 22:27:41 +02:00
parent 6c8c12b91b
commit 1d54c72761
No known key found for this signature in database
GPG Key ID: 6EB408FE0ACEC664
1 changed files with 75 additions and 53 deletions


@ -16,36 +16,45 @@
(use-modules (nongnu packages linux) (nongnu system linux-initrd)) (use-modules (nongnu packages linux) (nongnu system linux-initrd))
(use-service-modules cups desktop networking ssh xorg virtualization vpn) (use-service-modules cups desktop networking ssh xorg virtualization vpn)
;; Définitions ;; Configuration sudoer personnalisée
(define %sudoers-specification (define %sudoers-specification
(plain-file "sudoers" "\ (plain-file "sudoers" "\
root ALL=(ALL) ALL root ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL %wheel ALL=(ALL) NOPASSWD: ALL
")) "))
;; Configuration spice personnalisée
;; Permet le partage de périphériques USB via virt-manager
;; Permet l'utilisation d'une nitrokey
(define %spice-rules (define %spice-rules
(udev-rule (udev-rule
"50-spice.rules" "41-spice-and-nitrokey.rules"
(string-append "\ (string-append "\
SUBSYSTEM==\"usb\", GROUP=\"spice\", MODE=\"0660\" SUBSYSTEM==\"usb\", GROUP=\"spice\", MODE=\"0660\"
SUBSYSTEM==\"usb_device\", GROUP=\"spice\", MODE=\"0660\" SUBSYSTEM==\"usb_device\", GROUP=\"spice\", MODE=\"0660\"
ACTION!=\"add|change\", GOTO=\"u2f_end\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"2581\", ATTRS{idProduct}==\"f1d0\", TAG+=\"uaccess\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"4287\", TAG+=\"uaccess\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42b1\", TAG+=\"uaccess\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42b2\", TAG+=\"uaccess\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42dd\", TAG+=\"uaccess\"
ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42e8\", TAG+=\"uaccess\"
LABEL=\"u2f_end\"
SUBSYSTEM!=\"usb\", GOTO=\"gnupg_rules_end\"
ACTION!=\"add\", GOTO=\"gnupg_rules_end\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4107\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4108\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42b4\", TAG+=\"uaccess\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4109\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
ATTR{idVendor}==\"03eb\", ATTR{idProduct}==\"2ff1\", TAG+=\"uaccess\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4211\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4230\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
LABEL=\"gnupg_rules_end\"
KERNEL==\"sd?1\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"4109\", SYMLINK+=\"nitrospace\"
"))) ")))
(define channels ;; Configuration du système
;; This is the old revision from which we want to ;; C'est le point d'entrée de la configuration
;; extract guile-json.
(list (channel
(name 'guix)
(url "https://git.savannah.gnu.org/git/guix.git")
(commit
"306737c6797cc209a4f034e51c4057c15c6cc311"))))
(define inferior
;; An inferior representing the above revision.
(inferior-for-channels channels))
;; Début de la configuration
(operating-system (operating-system
(locale "fr_FR.utf8") (locale "fr_FR.utf8")
(timezone "Europe/Paris") (timezone "Europe/Paris")
@ -57,6 +66,7 @@ SUBSYSTEM==\"usb_device\", GROUP=\"spice\", MODE=\"0660\"
(initrd microcode-initrd) (initrd microcode-initrd)
(firmware (list linux-firmware)) (firmware (list linux-firmware))
;; Application de la configuration sudoer personnalisée (définie plus haut)
(kernel-arguments (kernel-arguments
(list "modprobe.blacklist=nouveau,pcspkr,usbmouse,usbkbd" "iommu=pt")) (list "modprobe.blacklist=nouveau,pcspkr,usbmouse,usbkbd" "iommu=pt"))
@ -85,9 +95,9 @@ SUBSYSTEM==\"usb_device\", GROUP=\"spice\", MODE=\"0660\"
(program (file-append (specification->package "cdrdao") "/bin/cdrdao")))) (program (file-append (specification->package "cdrdao") "/bin/cdrdao"))))
%setuid-programs)) %setuid-programs))
;; Packages installed system-wide. Users can also install packages ;; Quelques paquets installés au niveau du système.
;; under their own account: use 'guix search KEYWORD' to search ;; On installe notamment network-manager et son extension pour openvpn,
;; for packages and 'guix install PACKAGE' to install a package. ;; ou encore libvirt/virt-manager pour la virtualisation
(packages (append (list (specification->package "nss-certs") (packages (append (list (specification->package "nss-certs")
(specification->package "qemu") (specification->package "qemu")
(specification->package "virt-manager") (specification->package "virt-manager")
@ -98,40 +108,50 @@ SUBSYSTEM==\"usb_device\", GROUP=\"spice\", MODE=\"0660\"
(specification->package "network-manager-openvpn") (specification->package "network-manager-openvpn")
(specification->package "xf86-video-ati") (specification->package "xf86-video-ati")
(specification->package "thin-provisioning-tools")) (specification->package "thin-provisioning-tools"))
; (first (lookup-inferior-packages inferior "icecat")))
%base-packages)) %base-packages))
;; Voici la liste des services du système. Pour trouver les services disponibles, ;; Services du système.
;; lancez « guix system search MOT-CLÉ » dans un terminal. ;; On en profite pour modifier le comportement par défaut de quelques services.
(services (services
(modify-services (append (modify-services (append (list
(list (service gnome-desktop-service-type)
(service gnome-desktop-service-type)
(service openssh-service-type ;; Service de gestion des clés de chiffrement physique
(openssh-configuration (service pcscd-service-type)
(x11-forwarding? #t)
(permit-root-login 'prohibit-password)
(authorized-keys
`(("neox" ,(local-file "/home/neox/.ssh/id_rsa.pub"))))))
(service cups-service-type
(cups-configuration
(web-interface? #t)
(extensions
(list cups-filters epson-inkjet-printer-escpr hplip-minimal))))
(service libvirt-service-type
(libvirt-configuration
(unix-sock-group "libvirt")))
(udev-rules-service 'spice %spice-rules #:groups '("spice"))
(service virtlog-service-type)
(pam-limits-service
(list
(pam-limits-entry "@audio" 'both 'rtprio 99)
(pam-limits-entry "@audio" 'both 'memlock 'unlimited)))
(set-xorg-configuration (service openssh-service-type
(xorg-configuration (keyboard-layout keyboard-layout)))) (openssh-configuration
%desktop-services) (x11-forwarding? #t)
(permit-root-login 'prohibit-password)
(authorized-keys
`(("neox" ,(local-file "/home/neox/.ssh/id_rsa.pub"))))))
(service cups-service-type
(cups-configuration
(web-interface? #t)
(extensions
(list cups-filters epson-inkjet-printer-escpr hplip-minimal))))
;; Service KVM/Libvirt pour virt-manager
(service libvirt-service-type)
(service virtlog-service-type)
;; Application de la configuration spice personnalisée (définie plus haut)
(udev-rules-service 'spice %spice-rules #:groups '("spice"))
;; Modification des limites mémoires pour les accès audio temps réel
;; (utile notamment pour Ardour)
(pam-limits-service
(list
(pam-limits-entry "@audio" 'both 'rtprio 99)
(pam-limits-entry "@audio" 'both 'memlock 'unlimited)))
;; Configuration de l'environnement graphique (notamment clavier)
(set-xorg-configuration
(xorg-configuration (keyboard-layout keyboard-layout))))
%desktop-services)
;; Configuration du service network-manager pour prendre en charge
;; OpenVPN
(network-manager-service-type config => (network-manager-configuration (network-manager-service-type config => (network-manager-configuration
(inherit config) (inherit config)
(vpn-plugins (vpn-plugins
@ -154,15 +174,15 @@ SUBSYSTEM==\"usb_device\", GROUP=\"spice\", MODE=\"0660\"
" (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)))"))) " (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)))")))
%default-authorized-guix-keys)))))) %default-authorized-guix-keys))))))
;; Chargeur de démarrage (GRUB)
;; On indique ici où il doit être installé et comment le configurer
(bootloader (bootloader-configuration (bootloader (bootloader-configuration
(bootloader grub-efi-bootloader) (bootloader grub-efi-bootloader)
(targets (list "/boot/efi")) (targets (list "/boot/efi"))
(keyboard-layout keyboard-layout))) (keyboard-layout keyboard-layout)))
;; La liste des systèmes de fichiers qui seront « montés ». Les identifiants ;; Périphériques mappés
;; de systèmes de fichiers uniques (« UUIDs ») qui se trouvent ici s'obtiennent ;; On configure notamment ici les partitions chiffrées (LUKS)
;; en exécutant « blkid » dans un terminal.
(mapped-devices (mapped-devices
(list (list
(mapped-device (mapped-device
@ -174,6 +194,8 @@ SUBSYSTEM==\"usb_device\", GROUP=\"spice\", MODE=\"0660\"
(target "luks-f0a72a6c-499b-4445-8d13-21dc99337752") (target "luks-f0a72a6c-499b-4445-8d13-21dc99337752")
(type luks-device-mapping)))) (type luks-device-mapping))))
;; La liste des systèmes de fichiers montés au démarrage
;; On configure ici le montage des partitions chiffrées et non chiffrées
(file-systems (file-systems
(cons* (cons*
(file-system (file-system