;;;
;;; GNU Guix configurations for neox's computers
;;;
;;; Copyright (C) 2023 Adrien 'neox' Bourmault
;;;
;;; This is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; This is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with this.  If not, see <https://www.gnu.org/licenses/>.
;;;
;;; Layout of this file: a few helper definitions (sudoers policy, udev
;;; rules, shell snippets, the Guix Home configuration for the "neox"
;;; user), then the `operating-system' form at the bottom, which is the
;;; actual entry point consumed by `guix system'.

;; Modules to import so that the variables used in this configuration
;; are in scope.
(use-modules (gnu)
             (gnu home)
             (gnu home services shells)
             (gnu home services gnupg)
             (gnu packages)
             (gnu packages gnupg)
             (gnu packages freedesktop)
             (gnu packages cups)
             (gnu services)
             (srfi srfi-1)
             (guix gexp))

(use-service-modules cups desktop guix networking ssh xorg virtualization vpn
                     security-token)

;; Custom sudoers policy.
;;
;; The second line grants every member of group "wheel" root via sudo
;; WITHOUT a password prompt.  The "neox" account defined further down is
;; in "wheel", so anything running as that user can escalate to root
;; silently; dropping "NOPASSWD:" restores the password check while
;; keeping the grant.
(define %sudoers-specification
  (plain-file "sudoers" "\
root ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
"))

;; Custom udev rules (installed by `udev-rules-service' in the services
;; list below, which also creates the "spice" group).
;;
;;  - The first two rules hand EVERY usb / usb_device node to group
;;    "spice" with mode 0660 -- there is no vendor/product filter -- so
;;    that USB devices can be redirected from virt-manager.
;;  - The "u2f_end" section tags the listed hidraw devices with "uaccess"
;;    on add/change, so the active seat user can open them.
;;  - The "gnupg_rules_end" section marks the listed USB ids as smart-card
;;    readers driven by gnupg (ENV{ID_SMARTCARD_READER_DRIVER}="gnupg")
;;    and tags them "uaccess" too.
;;  - The last rule adds a /dev/nitrospace symlink for the first partition
;;    (sd?1) of the 20a0:4109 device.
;;
;; NOTE(review): the 20a0:42e8 rule in the u2f section has no
;; KERNEL=="hidraw*"/SUBSYSTEM=="hidraw" match unlike its neighbours, and
;; the 20a0:42b4 rule in the gnupg section uses ATTRS{} without the
;; smart-card ENV settings -- confirm both are intentional.
(define %spice-rules
  (udev-rule "41-spice-and-nitrokey.rules"
             (string-append "\
SUBSYSTEM==\"usb\", GROUP=\"spice\", MODE=\"0660\"
SUBSYSTEM==\"usb_device\", GROUP=\"spice\", MODE=\"0660\"
ACTION!=\"add|change\", GOTO=\"u2f_end\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"2581\", ATTRS{idProduct}==\"f1d0\", TAG+=\"uaccess\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"4287\", TAG+=\"uaccess\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42b1\", TAG+=\"uaccess\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42b2\", TAG+=\"uaccess\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42dd\", TAG+=\"uaccess\"
ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42e8\", TAG+=\"uaccess\"
LABEL=\"u2f_end\"
SUBSYSTEM!=\"usb\", GOTO=\"gnupg_rules_end\"
ACTION!=\"add\", GOTO=\"gnupg_rules_end\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4107\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4108\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42b4\", TAG+=\"uaccess\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4109\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
ATTR{idVendor}==\"03eb\", ATTR{idProduct}==\"2ff1\", TAG+=\"uaccess\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4211\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4230\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
LABEL=\"gnupg_rules_end\"
KERNEL==\"sd?1\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"4109\", SYMLINK+=\"nitrospace\"
")))

;; ~/.bashrc fragment, installed through %home_configuration below.
;;
;; Sets a coloured prompt (with an extra "[env]" marker when
;; GUIX_ENVIRONMENT is set, i.e. inside a `guix shell'), then -- only when
;; the shell is NOT an SSH session ($SSH_CLIENT empty) -- forgets any
;; SSH_AGENT_PID and points SSH_AUTH_SOCK at gpg-agent's SSH socket, so
;; that gpg-agent (see `ssh-support? #t' below) serves as the SSH agent.
;; The gnupg_SSH_AUTH_SOCK_by check skips the export when that variable
;; already names this shell's PID (presumably set by gpg-agent's own
;; shell hook -- verify).
(define %bashrc_content
  (plain-file "bashrc" "\
if [ -n \"$GUIX_ENVIRONMENT\" ]
then
  PS1='\\[\\033[01;32m\\]\\u@\\h\\[\\033[00m\\]:\\[\\033[01;34m\\]\\w\\[\\033[00m\\] [env] \\$ '
else
  PS1='\\[\\033[01;32m\\]\\u@\\h\\[\\033[00m\\]:\\[\\033[01;34m\\]\\w\\[\\033[00m\\]\\$ '
fi
if [[ ! -n \"$SSH_CLIENT\" ]]; then
  unset SSH_AGENT_PID
  if [ \"${gnupg_SSH_AUTH_SOCK_by:-0}\" -ne $$ ]; then
    export SSH_AUTH_SOCK=\"$(gpgconf --list-dirs agent-ssh-socket)\"
  fi
fi"))

;; ~/.profile fragment: same gpg-agent SSH socket hook as in %bashrc_content.
;;
;; NOTE(review): this variable is defined but not referenced anywhere in
;; this file -- %home_configuration only installs %bashrc_content -- so
;; the snippet is never written to ~/.profile as things stand.
(define %profile_content
  (plain-file "profile" "\
if [[ ! -n \"$SSH_CLIENT\" ]]; then
  unset SSH_AGENT_PID
  if [ \"${gnupg_SSH_AUTH_SOCK_by:-0}\" -ne $$ ]; then
    export SSH_AUTH_SOCK=\"$(gpgconf --list-dirs agent-ssh-socket)\"
  fi
fi"))

;; Guix Home configuration for the "neox" user, applied by
;; guix-home-service-type in the system services below.
;;
;;  - home-bash: environment variables (note GUIX_PACKAGE_PATH pointing at
;;    a per-user package directory, and XDG_DATA_DIRS extended with the
;;    user and system flatpak exports), a set of colour aliases, and the
;;    %bashrc_content fragment above.
;;  - home-gpg-agent: GNOME pinentry, and `ssh-support? #t' so gpg-agent
;;    answers SSH agent requests (matching the SSH_AUTH_SOCK export in
;;    %bashrc_content).
(define %home_configuration
  (home-environment
   (services
    (list
     (service home-bash-service-type
              (home-bash-configuration
               (environment-variables
                '(("BSD_GAMES_DIR" . "~/.local/share/bsd-games")
                  ("GCC_COLORS" . "'error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'")
                  ("GUIX_PACKAGE_PATH" . "$HOME/.config/guix/packages/defs")
                  ("XDG_DATA_DIRS" . "$XDG_DATA_DIRS:$HOME/.local/share/flatpak/exports/share:/var/lib/flatpak/exports/share")
                  ("LV2_PATH" . "$HOME/.guix-profile/lib/lv2")))
               (aliases
                '(("clear" . "printf '\\033c'")
                  ("dir" . "dir --color=auto")
                  ("egrep" . "grep -E --color=auto")
                  ("fgrep" . "grep -F --color=auto")
                  ("grep" . "grep --color=auto")
                  ("la" . "ls -lthA -p --color=auto")
                  ("ll" . "ls -lth -p --color=auto")
                  ("ls" . "ls -p --color=auto")
                  ("vdir" . "vdir --color=auto")))
               (bashrc (list %bashrc_content))))
     (service home-gpg-agent-service-type
              (home-gpg-agent-configuration
               (pinentry-program
                (file-append pinentry-gnome3 "/bin/pinentry-gnome3"))
               (ssh-support? #t)))))))

;; System configuration.
;; This is the entry point of the configuration.
(operating-system
  (locale "fr_FR.utf8")
  (timezone "Europe/Paris")
  (keyboard-layout (keyboard-layout "fr" "oss"))
  (host-name "n-guix-port")

  ;; Kernel command line: blacklist the usbmouse, usbkbd and i2c-hid
  ;; modules and set psmouse.synaptics_intertouch=1.
  (kernel-arguments (list "modprobe.blacklist=usbmouse,usbkbd,i2c-hid"
                          "psmouse.synaptics_intertouch=1"))

  ;; Install the custom sudoers policy defined above (passwordless sudo
  ;; for "wheel").
  (sudoers-file %sudoers-specification)

  ;; User accounts ("root" is implicit).
  ;;
  ;; NOTE(review): the password hash is computed at build time from the
  ;; literal "password" with the fixed salt "$6$abc" -- the placeholder
  ;; from the Guix manual.  Anyone who can read this file knows the
  ;; credential, and the account is in "wheel" (passwordless sudo, see
  ;; above), so the password must be changed (e.g. with `passwd') before
  ;; this system is used for anything real; a production config should
  ;; carry a hash generated from a real password and a random salt.
  (users (cons* (user-account
                 (name "neox")
                 (comment "neox")
                 (password (crypt "password" "$6$abc"))
                 (group "users")
                 (home-directory "/home/neox")
                 (supplementary-groups
                  '("wheel" "netdev" "audio" "video" "libvirt" "kvm"
                    "scanner" "spice" "lp")))
                %base-user-accounts))

  ;; A few packages installed system-wide.
  ;; Notably network-manager and its openvpn plugin, and libvirt /
  ;; virt-manager for virtualisation.
  (packages (append (specifications->packages
                     (list "adb" "alsa-plugins" "alsa-utils" "ardour" "audacity"
                           "bind:utils" "binutils" "blueman" "bmaptools"
                           "cabextract" "claws-mail" "cmatrix" "cpupower"
                           "cryptsetup" "curl" "cvs" "dconf-editor" "dino"
                           "emacs" "endeavour" "evolution" "exfatprogs"
                           "fastboot" "ffmpeg" "file" "flashrom" "flatpak"
                           "font-awesome" "font-liberation" "font-openmoji"
                           "gallery-dl" "gdb" "ghostscript" "ghostwriter"
                           "gimp" "git" "git-lfs" "git:send-email" "glmark2"
                           "gnome-bluetooth" "gnome-builder"
                           "gnome-font-viewer" "gnome-maps"
                           "gnome-power-manager"
                           "gnome-shell-extension-appindicator"
                           "gnome-shell-extension-blur-my-shell"
                           "gnome-shell-extension-burn-my-windows"
                           "gnome-shell-extension-dash-to-dock"
                           "gnome-shell-extension-night-theme-switcher"
                           "gnome-shell-extension-noannoyance"
                           "gnome-shell-extension-vitals" "gnome-tweaks"
                           "gnupg" "gnuplot" "gparted" "gpgme" "graphviz"
                           "grub" "hexchat" "hplip" "htop" "hwloc" "icecat"
                           "inetutils" "inkscape" "jack" "jp2a" "kajongg"
                           "kcachegrind" "kgraphviewer" "ldns" "libreoffice"
                           "libtree" "libvirt" "lm-sensors" "lsof" "lvm2"
                           "lynx" "make" "man-pages" "mdadm" "mediainfo"
                           "megatools" "meld" "microcom" "minetest" "minicom"
                           "minisat" "mpv" "mtr" "mumble" "nbd" "ncftp"
                           "ndisc6" "neofetch" "network-manager"
                           "network-manager-openvpn" "nextcloud-client"
                           "nitrocli" "nmap" "ntfs-3g" "openssh" "openssl"
                           "openvpn" "pam-u2f" "pandoc" "parted" "patchelf"
                           "pavucontrol" "pkg-config" "poppler" "powertop"
                           "profanity" "python" "python2" "python-logutils"
                           "python-markdown" "python-paramiko" "qbittorrent"
                           "qemu" "qjackctl" "qpdf" "recutils" "rsync"
                           "rubber" "screen" "seahorse" "setxkbmap"
                           "simplescreenrecorder" "sl" "speedtest-cli"
                           "sqlitebrowser" "sshpass" "system-config-printer"
                           "testdisk" "texlive" "texlive-biber" "texmaker"
                           "tig" "tilix" "transmission" "tree" "uefitool"
                           "ungoogled-chromium" "virt-manager" "vlc" "wine64"
                           "xauth" "xdg-desktop-portal"
                           "xdg-desktop-portal-gnome" "xdg-desktop-portal-gtk"
                           "xdg-utils" "xdot" "xdotool" "xeyes" "xournalpp"
                           "xrdp" "yt-dlp" "zstd"))
                    %base-packages))

  ;; System services.
  ;; The default behaviour of a few services is adjusted below.
  (services
   (modify-services
       (append
        (list
         ;; Guix Home service: (re)applies %home_configuration for "neox"
         ;; whenever the system is reconfigured.
         (service guix-home-service-type
                  `(("neox" ,%home_configuration)))

         ;; Bluetooth service
         (service bluetooth-service-type)

         ;; Smart-card daemon, for the hardware security keys matched by
         ;; %spice-rules.
         (service pcscd-service-type)

         ;; OpenSSH service: password authentication is disabled and root
         ;; may only log in with a key.  X11 forwarding is switched on
         ;; (it is off in OpenSSH's defaults); turn it off if no remote
         ;; X clients are needed.
         (service openssh-service-type
                  (openssh-configuration
                   (x11-forwarding? #t)
                   (password-authentication? #f)
                   (permit-root-login 'prohibit-password)))

         ;; Printing service, with the CUPS web interface enabled.
         (service cups-service-type
                  (cups-configuration
                   (web-interface? #t)
                   (extensions
                    (list cups-filters epson-inkjet-printer-escpr
                          hplip-minimal))))

         ;; KVM/Libvirt services for virt-manager
         (service libvirt-service-type)
         (service virtlog-service-type)

         ;; Install the custom udev rules defined above and create the
         ;; "spice" group they reference.
         (udev-rules-service 'spice %spice-rules #:groups '("spice"))

         ;; PAM limits for real-time audio: members of "audio" get
         ;; rtprio 99 and unlimited memlock (useful notably for Ardour).
         (service pam-limits-service-type
                  (list
                   (pam-limits-entry "@audio" 'both 'rtprio 99)
                   (pam-limits-entry "@audio" 'both 'memlock 'unlimited)))

         ;; GNOME/GDM service
         (service gnome-desktop-service-type)

         ;; Graphical environment configuration (notably the keyboard
         ;; layout, reused from the system-wide `keyboard-layout' field).
         (set-xorg-configuration
          (xorg-configuration (keyboard-layout keyboard-layout))))

        ;; Default system services
        %desktop-services)

     ;; Adjustments to default services

     ;; upower: do not suspend when the lid is closed.
     (upower-service-type
      config => (upower-configuration
                 (inherit config)
                 (ignore-lid? #t)))

     ;; elogind: do not suspend when the lid is closed, on battery or on
     ;; external power.
     (elogind-service-type
      config => (elogind-configuration
                 (inherit config)
                 (handle-lid-switch 'ignore)
                 (handle-lid-switch-external-power 'ignore)))

     ;; network-manager: add the OpenVPN plugin.
     (network-manager-service-type
      config => (network-manager-configuration
                 (inherit config)
                 (vpn-plugins
                  (list (specification->package
                         "network-manager-openvpn")))))))

  ;; Boot loader (GRUB, EFI)
  ;; Where to install it and how to configure it.
  (bootloader (bootloader-configuration
               (bootloader grub-efi-bootloader)
               (targets (list "/boot/efi"))
               (keyboard-layout keyboard-layout)))

  ;; Mapped devices
  ;; The LUKS-encrypted partition identified by this UUID is opened as
  ;; /dev/mapper/crypthome and mounted on /home below.
  (mapped-devices (list (mapped-device
                         (source (uuid "3ea148ff-1d1c-4f8c-a82c-5806b32dd6a0"))
                         (target "crypthome")
                         (type luks-device-mapping))))

  ;; Specify a swap file for the system, which resides on the
  ;; root file system.
  (swap-devices (list (swap-space (target "/swapfile"))))

  ;; File systems mounted at boot.
  ;; /home comes from the LUKS mapping above (hence the dependency on
  ;; mapped-devices); /boot/efi and / are plain partitions found by UUID.
  (file-systems (cons* (file-system
                         (mount-point "/home")
                         (device "/dev/mapper/crypthome")
                         (type "ext4")
                         (dependencies mapped-devices))
                       (file-system
                         (mount-point "/boot/efi")
                         (device (uuid "A012-A17A" 'fat32))
                         (type "vfat"))
                       (file-system
                         (mount-point "/")
                         (device (uuid "dfaec018-b99b-4d34-a206-eec25b833c45"
                                       'ext4))
                         (type "ext4"))
                       %base-file-systems)))