last version

config.scm

@@ -0,0 +1,176 @@
+;;;
+;;; Configurations GNU Guix des ordinateurs de neox
+;;;
+;;; Copyright (C) 2023 Adrien 'neox' Bourmault <neox@a-lec.org>
+;;;
+;;; This is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; This is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with this.  If not, see <http://www.gnu.org/licenses/>.
+
+
+;; Indique quels modules importer pour accéder aux variables
+;; utilisées dans cette configuration.
+(use-modules (gnu))
+(use-modules (gnu packages freedesktop) (gnu packages cups))
+(use-modules (srfi srfi-1))
+(use-service-modules cups desktop networking ssh xorg virtualization vpn security-token)
+
+;; Configuration sudoer personnalisée
+(define %sudoers-specification
+  (plain-file "sudoers" "\
+root ALL=(ALL) ALL
+%wheel ALL=(ALL) NOPASSWD: ALL
+"))
+
+;; Configuration spice personnalisée
+;; Permet le partage de périphériques USB via virt-manager
+(define %spice-rules
+  (udev-rule
+    "41-spice-and-nitrokey.rules"
+    (string-append "\
+SUBSYSTEM==\"usb\", GROUP=\"spice\", MODE=\"0660\"
+SUBSYSTEM==\"usb_device\", GROUP=\"spice\", MODE=\"0660\"
+ACTION!=\"add|change\", GOTO=\"u2f_end\"
+KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"2581\", ATTRS{idProduct}==\"f1d0\", TAG+=\"uaccess\"
+KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"4287\", TAG+=\"uaccess\"
+KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42b1\", TAG+=\"uaccess\"
+KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42b2\", TAG+=\"uaccess\"
+KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42dd\", TAG+=\"uaccess\"
+ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42e8\", TAG+=\"uaccess\"
+LABEL=\"u2f_end\"
+SUBSYSTEM!=\"usb\", GOTO=\"gnupg_rules_end\"
+ACTION!=\"add\", GOTO=\"gnupg_rules_end\"
+ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4107\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
+ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4108\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
+ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42b4\", TAG+=\"uaccess\"
+ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4109\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
+ATTR{idVendor}==\"03eb\", ATTR{idProduct}==\"2ff1\", TAG+=\"uaccess\"
+ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4211\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
+ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4230\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
+LABEL=\"gnupg_rules_end\"
+KERNEL==\"sd?1\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"4109\", SYMLINK+=\"nitrospace\"
+")))
+
+;; Configuration du système
+;; C'est le point d'entrée de la configuration
+(operating-system
+  (locale "fr_FR.utf8")
+  (timezone "Europe/Paris")
+  (keyboard-layout (keyboard-layout "fr" "oss"))
+  (host-name "n-guix-port")
+
+
+  ;; Application de la configuration sudoer personnalisée (définie plus haut)
+  (kernel-arguments
+    (list "modprobe.blacklist=usbmouse,usbkbd,i2c-hid" "psmouse.synaptics_intertouch=1"))
+
+  (sudoers-file %sudoers-specification)
+
+  ;; La liste des comptes utilisateurs (« root » est implicite).
+  (users (cons* (user-account
+    (name "neox")
+    (comment "neox")
+    (group "users")
+    (home-directory "/home/neox")
+    ;; ajout de groupes pour virt-manager
+
+    (supplementary-groups '("wheel" "netdev" "audio" "video" "libvirt" "kvm" "scanner" "spice" "lp")))
+    %base-user-accounts))
+
+  ;; Quelques paquets installés au niveau du système.
+  ;; On installe notamment network-manager et son extension pour openvpn, 
+  ;; ou encore libvirt/virt-manager pour la virtualisation
+  (packages (append (list 
+    (specification->package "nss-certs")
+    (specification->package "qemu")
+    (specification->package "virt-manager")
+    (specification->package "libvirt") 
+    (specification->package "lvm2") 
+    (specification->package "mdadm") 
+    (specification->package "network-manager")
+    (specification->package "network-manager-openvpn"))
+    %base-packages))
+
+  ;; Services du système.
+  ;; On en profite pour modifier le comportement par défaut de quelques services.
+  (services
+    (modify-services (append (list
+      (service gnome-desktop-service-type)
+      (service bluetooth-service-type)
+
+      ;; Service de gestion des clés de chiffrement physique
+      (service pcscd-service-type)
+      
+      ;; Service d'impression
+      (service cups-service-type
+        (cups-configuration
+          (web-interface? #t)
+          (extensions
+            (list cups-filters epson-inkjet-printer-escpr hplip-minimal))))
+
+      ;; Service KVM/Libvirt pour virt-manager
+      (service libvirt-service-type)
+      (service virtlog-service-type)
+
+      ;; Application de la configuration spice personnalisée (définie plus haut)
+      (udev-rules-service 'spice %spice-rules #:groups '("spice"))
+
+      ;; Modification des limites mémoires pour les accès audio temps réel
+      ;; (utile notamment pour Ardour)
+      (pam-limits-service
+        (list
+          (pam-limits-entry "@audio" 'both 'rtprio 99)
+          (pam-limits-entry "@audio" 'both 'memlock 'unlimited)))
+
+      ;; Configuration de l'environnement graphique (notamment clavier)
+      (set-xorg-configuration
+        (xorg-configuration (keyboard-layout keyboard-layout))))
+        %desktop-services)
+
+      ;; Configuration du service network-manager pour prendre en charge
+      ;; OpenVPN
+      (network-manager-service-type config => (network-manager-configuration 
+        (inherit config)
+        (vpn-plugins
+          (list (specification->package "network-manager-openvpn")))))))
+
+  ;; Chargeur de démarrage (GRUB)
+  ;; On indique ici où il doit être installé et comment le configurer
+  (bootloader (bootloader-configuration
+    (bootloader grub-efi-bootloader)
+    (targets (list "/boot/efi"))
+    (keyboard-layout keyboard-layout)))
+  
+  ;; Périphériques mappés
+  ;; On configure notamment ici les partitions chiffrées (LUKS)
+  (mapped-devices (list (mapped-device
+    (source (uuid
+             "3ea148ff-1d1c-4f8c-a82c-5806b32dd6a0"))
+    (target "crypthome")
+    (type luks-device-mapping))))
+
+  ;; La liste des systèmes de fichiers montés au démarrage
+  ;; On configure ici le montage des partitions chiffrées et non chiffrées
+  (file-systems (cons* 
+    (file-system
+      (mount-point "/home")
+      (device "/dev/mapper/crypthome")
+      (type "ext4")
+      (dependencies mapped-devices))
+    (file-system
+      (mount-point "/boot/efi")
+      (device (uuid "A012-A17A" 'fat32))
+      (type "vfat"))
+    (file-system
+      (mount-point "/")
+      (device (uuid "dfaec018-b99b-4d34-a206-eec25b833c45" 'ext4))
+      (type "ext4")) %base-file-systems)))