;;;
;;; Configurations GNU Guix des ordinateurs de neox
;;;
;;; Copyright (C) 2023 Adrien 'neox' Bourmault <neox@a-lec.org>
;;;
;;; This is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; This is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with this.  If not, see <http://www.gnu.org/licenses/>.


;; Indique quels modules importer pour accéder aux variables
;; utilisées dans cette configuration.
(use-modules (gnu))
(use-modules (gnu packages freedesktop))
(use-modules (srfi srfi-1))
(use-service-modules cups desktop networking ssh xorg virtualization vpn security-token)

;; Configuration sudoer personnalisée
(define %sudoers-specification
  (plain-file "sudoers" "\
root ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
"))

;; Configuration spice personnalisée
;; Permet le partage de périphériques USB via virt-manager
(define %spice-rules
  (udev-rule
    "41-spice-and-nitrokey.rules"
    (string-append "\
SUBSYSTEM==\"usb\", GROUP=\"spice\", MODE=\"0660\"
SUBSYSTEM==\"usb_device\", GROUP=\"spice\", MODE=\"0660\"
ACTION!=\"add|change\", GOTO=\"u2f_end\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"2581\", ATTRS{idProduct}==\"f1d0\", TAG+=\"uaccess\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"4287\", TAG+=\"uaccess\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42b1\", TAG+=\"uaccess\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42b2\", TAG+=\"uaccess\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42dd\", TAG+=\"uaccess\"
ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42e8\", TAG+=\"uaccess\"
LABEL=\"u2f_end\"
SUBSYSTEM!=\"usb\", GOTO=\"gnupg_rules_end\"
ACTION!=\"add\", GOTO=\"gnupg_rules_end\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4107\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4108\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42b4\", TAG+=\"uaccess\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4109\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
ATTR{idVendor}==\"03eb\", ATTR{idProduct}==\"2ff1\", TAG+=\"uaccess\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4211\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4230\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
LABEL=\"gnupg_rules_end\"
KERNEL==\"sd?1\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"4109\", SYMLINK+=\"nitrospace\"
")))

;; Configuration du système
;; C'est le point d'entrée de la configuration
(operating-system
  (locale "fr_FR.utf8")
  (timezone "Europe/Paris")
  (keyboard-layout (keyboard-layout "fr" "oss"))
  (host-name "n-guix-port")


  ;; Application de la configuration sudoer personnalisée (définie plus haut)
  (kernel-arguments
    (list "modprobe.blacklist=usbmouse,usbkbd"))

  (sudoers-file %sudoers-specification)

  ;; La liste des comptes utilisateurs (« root » est implicite).
  (users (cons* (user-account
    (name "neox")
    (comment "neox")
    (group "users")
    (home-directory "/home/neox")
    ;; ajout de groupes pour virt-manager
    (supplementary-groups '("wheel" "netdev" "audio" "video" "libvirt" "kvm" "scanner" "spice")))
    %base-user-accounts))

  ;; Quelques paquets installés au niveau du système.
  ;; On installe notamment network-manager et son extension pour openvpn, 
  ;; ou encore libvirt/virt-manager pour la virtualisation
  (packages (append (list 
    (specification->package "nss-certs")
    (specification->package "qemu")
    (specification->package "virt-manager")
    (specification->package "libvirt") 
    (specification->package "lvm2") 
    (specification->package "mdadm") 
    (specification->package "network-manager")
    (specification->package "network-manager-openvpn"))
    %base-packages))

  ;; Services du système.
  ;; On en profite pour modifier le comportement par défaut de quelques services.
  (services
    (modify-services (append (list
      (service gnome-desktop-service-type)
      
      ;; Service de gestion des clés de chiffrement physique
      (service pcscd-service-type)
      
      ;; Service d'impression
      (service cups-service-type)

      ;; Service KVM/Libvirt pour virt-manager
      (service libvirt-service-type)
      (service virtlog-service-type)

      ;; Application de la configuration spice personnalisée (définie plus haut)
      (udev-rules-service 'spice %spice-rules #:groups '("spice"))

      ;; Modification des limites mémoires pour les accès audio temps réel
      ;; (utile notamment pour Ardour)
      (pam-limits-service
        (list
          (pam-limits-entry "@audio" 'both 'rtprio 99)
          (pam-limits-entry "@audio" 'both 'memlock 'unlimited)))

      ;; Configuration de l'environnement graphique (notamment clavier)
      (set-xorg-configuration
        (xorg-configuration (keyboard-layout keyboard-layout))))
        %desktop-services)

      ;; Configuration du service network-manager pour prendre en charge
      ;; OpenVPN
      (network-manager-service-type config => (network-manager-configuration 
        (inherit config)
        (vpn-plugins
          (list (specification->package "network-manager-openvpn")))))))

  ;; Chargeur de démarrage (GRUB)
  ;; On indique ici où il doit être installé et comment le configurer
  (bootloader (bootloader-configuration
    (bootloader grub-efi-bootloader)
    (targets (list "/boot/efi"))
    (keyboard-layout keyboard-layout)))
  
  ;; Périphériques mappés
  ;; On configure notamment ici les partitions chiffrées (LUKS)
  (mapped-devices (list (mapped-device
    (source (uuid
             "3ea148ff-1d1c-4f8c-a82c-5806b32dd6a0"))
    (target "crypthome")
    (type luks-device-mapping))))

  ;; La liste des systèmes de fichiers montés au démarrage
  ;; On configure ici le montage des partitions chiffrées et non chiffrées
  (file-systems (cons* 
    (file-system
      (mount-point "/home")
      (device "/dev/mapper/crypthome")
      (type "ext4")
      (dependencies mapped-devices))
    (file-system
      (mount-point "/boot/efi")
      (device (uuid "A012-A17A" 'fat32))
      (type "vfat"))
    (file-system
      (mount-point "/")
      (device (uuid "dfaec018-b99b-4d34-a206-eec25b833c45" 'ext4))
      (type "ext4")) %base-file-systems)))