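;;;
;;; GNU Guix configurations for neox's computers
;;;
;;; Copyright (C) 2023 Adrien 'neox' Bourmault
;;;
;;; This is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; This is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with this.  If not, see <https://www.gnu.org/licenses/>.

;; Modules that provide the variables used in this configuration.
(use-modules (gnu)
             (gnu home)
             (gnu home services shells)
             (gnu home services gnupg)
             (gnu packages)
             (gnu packages gnupg)
             (gnu packages freedesktop)
             (gnu packages cups)
             (gnu packages scanner)
             (gnu packages autotools)
             (gnu packages avahi)
             (gnu packages boost)
             (gnu packages compression)
             (gnu packages freedesktop)
             (gnu packages gettext)
             (gnu packages ghostscript)
             (gnu packages gnome)
             (gnu packages glib)
             (gnu packages gtk)
             (gnu packages image)
             (gnu packages imagemagick)
             (gnu packages libusb)
             (gnu packages linux)
             (gnu packages pkg-config)
             (gnu packages python)
             (gnu packages textutils)
             (gnu packages tls)
             (gnu packages xml)
             (gnu services)
             (srfi srfi-1)
             (guix gexp)
             (guix packages)
             (guix git-download)
             (guix build-system gnu)
             (guix utils)
             ((guix licenses) #:prefix license:))

(use-service-modules cups desktop guix networking ssh xorg
                     virtualization vpn security-token)

;;;
;;; Custom SANE packages and service.
;;;

;; SANE built from the upstream git tag, without any scanner back end.
;; Only the library and tools are produced; back ends are added by
;; 'sane-custom-backends' below.
(define sane-custom-minimal
  (package
    (name "sane-custom-minimal")
    (version "1.3.1")
    (source (origin
              (method git-fetch)
              (uri (git-reference
                    (url "https://gitlab.com/sane-project/backends")
                    (commit version)))
              (file-name (git-file-name name version))
              (sha256
               (base32
                "1fb6shx9bz0svcyasmyqs93rbbwq7kzg6l0h1zh3kjvcwhchyv72"))
              (modules '((guix build utils)))
              (snippet
               ;; Generated HTML files and udev rules normally embed a
               ;; timestamp.  Work around that to build things reproducibly.
               ;; The pattern matches the C expression
               ;; "asctime (localtime (&current_time))" in sane-desc.c.
               '(begin
                  (substitute* "tools/sane-desc.c"
                    (("asctime \\(localtime \\(&current_time\\)\\)")
                     "\"1970-01-01\""))))))
    (build-system gnu-build-system)
    (native-inputs
     `(("autoconf" ,autoconf)
       ("autoconf-archive" ,autoconf-archive)
       ("automake" ,automake)
       ("gettext" ,gettext-minimal)
       ("libtool" ,libtool)
       ("pkg-config" ,pkg-config)
       ;; For scripts/pixma_gen_options.py.
       ("python" ,python-wrapper)))
    (inputs (list libusb))
    (arguments
     `(#:configure-flags '("--with-lockdir=/var/lock/sane") ; avoid errors with plustek
       #:phases
       (modify-phases %standard-phases
         (add-before 'bootstrap 'zap-unnecessary-git-dependency
           (lambda _
             ;; This runs before the default patch-shebangs phase.
             (substitute* "tools/git-version-gen"
               (("/bin/sh") (which "sh")))
             ;; Provide the version string git-version-gen would otherwise
             ;; derive from the (absent) git metadata.
             (with-output-to-file ".tarball-version"
               (lambda _ (format #t ,version)))))
         (add-before 'configure 'disable-lockdir-creation
           (lambda _
             ;; Modify the Makefile.am to prevent the creation of the lock
             ;; dir at install time; it is created by the activation
             ;; script of the service instead.
             (substitute* "backend/Makefile.am"
               (("^install-lockpath:.*$") "install-lockpath: # pass"))))
         (add-before 'configure 'disable-backends
           (lambda _
             (setenv "BACKENDS" " ")
             ;; Disable tests that may require back ends to be built.
             (substitute* "testsuite/Makefile.in"
               ((" backend ") " "))))
         (add-before 'configure 'disable-failing-tests
           (lambda _
             ;; Disable unmaintained tests that fail with errors resembling:
             ;;
             ;; < # by sane-desc 3.5 from sane-backends 1.0.24git on Jul 31 2013
             ;; ---
             ;; > # by sane-desc 3.5 from sane-backends 1.0.27 on 1970-01-01#
             ;; FAIL: sane-desc -m usermap -s ./data
             (for-each
              (lambda (pattern)
                (substitute* "testsuite/tools/Makefile.in"
                  (((string-append " " pattern " ")) " ")))
              (list "usermap" "db" "udev" "udev\\+acl" "udev\\+hwdb" "hwdb"))
             ;; Disable tests that try to connect to actual USB hardware & fail
             ;; with the following error when no USB access is allowed at all:
             ;;
             ;; sanei_usb_test: sanei_usb_test.c:849: main: Assertion
             ;; `test_init (1)' failed.
             (substitute* "testsuite/sanei/Makefile.in"
               (("sanei_usb_test\\$\\(EXEEXT\\) ") ""))))
         (add-before 'build 'build-pixma_sane_options.c
           ;; "No rule to make target '../backend/pixma/pixma_sane_options.c',
           ;; needed by 'sane-backends.pot-update'."
           (lambda _
             (invoke "make" "-C" "backend" "pixma/pixma_sane_options.c")))
         (add-after 'install 'install-udev-rules
           (lambda* (#:key outputs #:allow-other-keys)
             ;; The rules file refers to the "scanner" group, which
             ;; '%sane-custom-accounts' below creates.
             (let ((out (assoc-ref outputs "out")))
               (mkdir-p (string-append out "/lib/udev/rules.d"))
               (copy-file "tools/udev/libsane.rules"
                          (string-append out
                                         "/lib/udev/rules.d/"
                                         "60-libsane.rules")))))
         (add-after 'install 'make-reproducible
           ;; XXX Work around an old bug (upstream issue link was lost in
           ;; extraction).  Then work around "Throw to key `decoding-error'
           ;; ..." by using sed.
           (lambda* (#:key outputs #:allow-other-keys)
             (let* ((out (assoc-ref outputs "out"))
                    (locale (string-append out "/share/locale")))
               (with-directory-excursion locale
                 (for-each (lambda (file)
                             (invoke "sed" "-i" "/^PO-Revision-Date:/d" file))
                           (list "en@boldquot/LC_MESSAGES/sane-backends.mo"
                                 "en@quot/LC_MESSAGES/sane-backends.mo")))))))))
    (home-page "http://www.sane-project.org")
    (synopsis "Raster image scanner library and drivers, without scanner support")
    (description "SANE stands for \"Scanner Access Now Easy\" and is an API proving access to any raster image scanner hardware (flatbed scanner, hand-held scanner, video- and still-cameras, frame-grabbers, etc.).  The package contains the library, but no drivers.")
    (license license:gpl2+)))           ; plus linking exception

;; Same build as 'sane-custom-minimal', with every back end enabled plus
;; the HPLIP "hpaio" back end symlinked in.
(define sane-custom-backends
  (package/inherit sane-custom-minimal
    (name "sane-custom-backends")
    (inputs
     `(("hplip" ,(@ (gnu packages cups) hplip-minimal))
       ("libjpeg" ,libjpeg-turbo)       ; for pixma/epsonds/other back ends
       ("libpng" ,libpng)               ; support ‘scanimage --format=png’
       ("libxml2" ,libxml2)             ; for pixma back end
       ;; Inherit the parent's own inputs rather than those of the
       ;; upstream 'sane-backends-minimal', so that both custom packages
       ;; stay in step.
       ,@(package-inputs sane-custom-minimal)))
    (arguments
     (substitute-keyword-arguments (package-arguments sane-custom-minimal)
       ((#:phases phases)
        `(modify-phases ,phases
           (delete 'disable-backends)
           (add-after 'disable-failing-tests 'disable-failing-backend-tests
             (lambda _
               ;; Disable a test that fails on i686 (upstream bug link was
               ;; lost in extraction).
               (substitute* "testsuite/backend/genesys/Makefile.in"
                 ((" genesys_unit_tests\\$\\(EXEEXT\\)") ""))
               #t))
           (add-after 'unpack 'add-backends
             (lambda _
               ;; Register the "hpaio" back end right after "hp5590" in
               ;; the dll.conf template.
               (substitute* "backend/dll.conf.in"
                 (("hp5590" all) (format #f "~a~%~a" all "hpaio")))
               #t))
           (add-after 'install 'install-hpaio
             (lambda* (#:key inputs outputs #:allow-other-keys)
               ;; Expose HPLIP's SANE back end from this package's lib/sane.
               (define hplip (string-append (assoc-ref inputs "hplip")
                                            "/lib/sane"))
               (define out (string-append (assoc-ref outputs "out")
                                          "/lib/sane"))
               (for-each
                (lambda (file)
                  (symlink file (string-append out "/" (basename file))))
                (find-files hplip))
               #t))))))
    (synopsis "Raster image scanner library and drivers, with scanner support")
    (description "SANE stands for \"Scanner Access Now Easy\" and is an API proving access to any raster image scanner hardware (flatbed scanner, hand-held scanner, video- and still-cameras, frame-grabbers, etc.).  The package contains the library and drivers.")))

(define %sane-custom-accounts
  ;; The '60-libsane.rules' udev rules refers to the "scanner" group.
  (list (user-group (name "scanner") (system? #t))))

;; Activation snippet run at boot: create the SANE lock directory and make
;; it writable by the "scanner" group only (mode 0770).
(define %sane-custom-activation
  #~(begin
      (use-modules (guix build utils))
      (let ((lockpath "/var/lock/sane")
            ;; Field 2 of Guile's group record is the numeric gid.
            (gid (vector-ref (getgrnam "scanner") 2)))
        ;; Create the lock directory at runtime and give right perms
        (mkdir-p lockpath)
        (chown lockpath -1 gid)
        (chmod lockpath #o770))
      #t))

;; Service type whose value is the SANE package to install; it contributes
;; the package's udev rules, the activation snippet and the "scanner" group.
(define sane-custom-service-type
  (service-type
   (name 'sane)
   (description "Custom SANE service")
   (default-value sane-custom-minimal)
   (extensions
    (list (service-extension udev-service-type list)
          (service-extension activation-service-type
                             (const %sane-custom-activation))
          (service-extension account-service-type
                             (const %sane-custom-accounts))))))

;; simple-scan linked against the custom SANE build instead of the
;; distribution's 'sane-backends'.
(define simple-scan-custom
  (package
    (inherit simple-scan)               ; inherit from the original 'simple-scan'
    (name "simple-scan-custom")         ; override the package name
    (inputs (modify-inputs (package-inputs simple-scan)
              (replace "sane-backends" sane-custom-backends))))) ; replace the input

;;;
;;; Custom sudoers policy.
;;;

;; NOTE(review): the second rule grants every member of "wheel" root
;; without a password.  Combined with the udev rules below, any process
;; running as such a user (a compromised browser plug-in, a script
;; fetched by a package build, ...) can become root silently.  Dropping
;; "NOPASSWD:" keeps the convenience of sudo while requiring the user's
;; password at escalation time.
(define %sudoers-specification
  (plain-file "sudoers" "\
root ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
"))

;;;
;;; Custom SPICE udev rules.
;;;

;; Allows USB device sharing through virt-manager.
;; NOTE(review): these two rules match *every* USB device node, not only
;; the ones meant to be redirected to a guest, so anyone in the "spice"
;; group gets read/write access to all attached USB devices (including
;; security tokens).  Narrowing the match with ATTR{idVendor}/ATTR{idProduct}
;; would limit that exposure.
(define %spice-rules
  (udev-rule
   "41-spice.rules"
   (string-append "\
SUBSYSTEM==\"usb\", GROUP=\"spice\", MODE=\"0660\"
SUBSYSTEM==\"usb_device\", GROUP=\"spice\", MODE=\"0660\"
")))

;; Rules for U2F tokens, Nitrokey smart-card readers and a CH341a-based
;; programmer.  The file is numbered 42-* so it is processed before the
;; seat rules that act on the "uaccess" tag.
(define %ch341a-nk3-rules
  (udev-rule
   "42-ch341a-and-nk3.rules"
   (string-append "\
ACTION!=\"add|change\", GOTO=\"u2f_end\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"2581\", ATTRS{idProduct}==\"f1d0\", TAG+=\"uaccess\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"4287\", TAG+=\"uaccess\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42b1\", TAG+=\"uaccess\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42b2\", TAG+=\"uaccess\"
KERNEL==\"hidraw*\", SUBSYSTEM==\"hidraw\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42dd\", TAG+=\"uaccess\"
ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42e8\", TAG+=\"uaccess\"
LABEL=\"u2f_end\"
SUBSYSTEM!=\"usb\", GOTO=\"gnupg_rules_end\"
ACTION!=\"add\", GOTO=\"gnupg_rules_end\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4107\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4108\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"42b4\", TAG+=\"uaccess\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4109\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
ATTR{idVendor}==\"03eb\", ATTR{idProduct}==\"2ff1\", TAG+=\"uaccess\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4211\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
ATTR{idVendor}==\"20a0\", ATTR{idProduct}==\"4230\", ENV{ID_SMARTCARD_READER}=\"1\", ENV{ID_SMARTCARD_READER_DRIVER}=\"gnupg\", TAG+=\"uaccess\"
LABEL=\"gnupg_rules_end\"
# Winchiphead (WCH) CH341a based programmer
ATTRS{idVendor}==\"1a86\", ATTRS{idProduct}==\"5512\", MODE=\"664\", GROUP=\"plugdev\"
KERNEL==\"sd?1\", ATTRS{idVendor}==\"20a0\", ATTRS{idProduct}==\"4109\", SYMLINK+=\"nitrospace\"
")))

;;;
;;; Home configuration.
;;;

;; Interactive bash configuration.  Note that the PATH entry uses $HOME:
;; a "~" inside double quotes is not tilde-expanded by bash, so the
;; previous "~/.local/bin" entry was a literal path that never resolved.
(define %bashrc_content
  (plain-file "bashrc" "\
if [ -n \"$GUIX_ENVIRONMENT\" ]
then
    PS1='\\[\\033[01;32m\\]\\u@\\h\\[\\033[00m\\]:\\[\\033[01;34m\\]\\w\\[\\033[00m\\] [env] \\$ '
else
    PS1='\\[\\033[01;32m\\]\\u@\\h\\[\\033[00m\\]:\\[\\033[01;34m\\]\\w\\[\\033[00m\\]\\$ '
fi

PATH=\"$PATH:$HOME/.local/bin\"

guix() {
    if [[ \"$1\" == \"install\" ]]; then
        echo \"Tu es débile, ou bien ?\"
    elif [[ \"$1\" == \"remove\" ]]; then
        echo \"Tu es débile, ou bien ?\"
    else
        command guix \"$@\"
    fi
}

if [[ ! -n \"$SSH_CLIENT\" ]]; then
    unset SSH_AGENT_PID
    if [ \"${gnupg_SSH_AUTH_SOCK_by:-0}\" -ne $$ ]; then
        export SSH_AUTH_SOCK=\"$(gpgconf --list-dirs agent-ssh-socket)\"
    fi
fi"))

;; Login-shell profile.  NOTE(review): this file is defined but not
;; referenced by any service in '%home_configuration' below, so it is
;; never installed; wire it in (or remove it) as intended.
(define %profile_content
  (plain-file "profile" "\
if [[ ! -n \"$SSH_CLIENT\" ]]; then
    unset SSH_AGENT_PID
    if [ \"${gnupg_SSH_AUTH_SOCK_by:-0}\" -ne $$ ]; then
        export SSH_AUTH_SOCK=\"$(gpgconf --list-dirs agent-ssh-socket)\"
    fi
fi"))

;; Guix Home environment for the "neox" account: bash settings and a
;; gpg-agent with SSH support.
(define %home_configuration
  (home-environment
   (services
    (list
     (service home-bash-service-type
              (home-bash-configuration
               (environment-variables
                '(("BSD_GAMES_DIR" . "~/.local/share/bsd-games")
                  ("GCC_COLORS" . "'error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'")
                  ("GUIX_PACKAGE_PATH" . "$HOME/.config/guix/packages/defs")
                  ("XDG_DATA_DIRS" . "$XDG_DATA_DIRS:$HOME/.local/share/flatpak/exports/share:/var/lib/flatpak/exports/share")
                  ("LV2_PATH" . "/run/current-system/profile/lib/lv2")))
               (aliases
                '(("clear" . "printf '\\033c'")
                  ("dir" . "dir --color=auto")
                  ("egrep" . "grep -E --color=auto")
                  ("fgrep" . "grep -F --color=auto")
                  ("grep" . "grep --color=auto")
                  ("la" . "ls -lthA -p --color=auto")
                  ("ll" . "ls -lth -p --color=auto")
                  ("ls" . "ls -p --color=auto")
                  ("vdir" . "vdir --color=auto")))
               (bashrc (list %bashrc_content))))
     (service home-gpg-agent-service-type
              (home-gpg-agent-configuration
               (pinentry-program
                (file-append pinentry-gnome3 "/bin/pinentry-gnome3"))
               (ssh-support? #t)))))))

;;;
;;; System configuration.
;;; This is the entry point of the configuration.
;;;

(operating-system
  (locale "fr_FR.utf8")
  (timezone "Europe/Paris")
  (keyboard-layout (keyboard-layout "fr" "oss"))
  (host-name "n-guix-port")

  (kernel-arguments
   (list "modprobe.blacklist=usbmouse,usbkbd,i2c-hid"
         "psmouse.synaptics_intertouch=1"))

  ;; Apply the custom sudoers policy defined above.
  (sudoers-file %sudoers-specification)

  ;; User accounts ("root" is implicit).
  (users (cons* (user-account
                 (name "neox")
                 (comment "neox")
                 ;; NOTE(review): the password hash is computed here from a
                 ;; clear-text literal with a fixed salt.  Guix keeps a copy
                 ;; of this configuration file in the store, which is
                 ;; world-readable, so the clear-text password is exposed to
                 ;; every local user.  Replace this with a precomputed
                 ;; crypt(3) hash string once the account exists.
                 (password (crypt "password" "$6$abc"))
                 (group "users")
                 (home-directory "/home/neox")
                 ;; "spice", "plugdev" and "scanner" match the udev rules
                 ;; and the SANE group defined above.
                 (supplementary-groups '("wheel" "netdev" "audio" "video"
                                         "libvirt" "plugdev" "kvm" "scanner"
                                         "spice" "lp")))
                %base-user-accounts))

  ;; System-wide packages.
  ;; Notably network-manager and its OpenVPN plug-in, and libvirt /
  ;; virt-manager for virtualisation.
  (packages
   (append
    (specifications->packages
     (list "adb" "alsa-plugins" "alsa-utils" "ardour" "audacity" "beep"
           "bind:utils" "binutils" "blueman"
           ;"bmaptools"
           "cabextract" "calf" "claws-mail" "cmatrix" "cpupower" "cryptsetup"
           "curl" "cvs" "dconf-editor" "dino" "dosbox" "gocryptfs" "emacs"
           "endeavour" "python-esptool" "evolution" "exfatprogs" "fastboot"
           ;"ffmpeg"
           "file" "flashrom" "flatpak" "font-awesome" "font-ipa-ex" "font-ipa"
           "font-ipa-mj-mincho" "font-liberation" "font-mplus-testflight"
           "font-openmoji" "font-wqy-zenhei" "gallery-dl" "gdb" "ghostscript"
           "ghostwriter" "gimp" "git" "git-lfs" "git:send-email" "glmark2"
           "gnome-bluetooth" "gnome-builder" "gnome-font-viewer" "gnome-maps"
           "gnome-power-manager" "gnome-shell-extension-appindicator"
           "gnome-shell-extension-blur-my-shell"
           "gnome-shell-extension-burn-my-windows"
           "gnome-shell-extension-dash-to-dock"
           "gnome-shell-extension-night-theme-switcher"
           "gnome-shell-extension-noannoyance" "gnome-shell-extension-vitals"
           "gnome-tweaks" "gnupg" "gnuplot" "gparted" "gpgme" "graphviz" "grub"
           "hedgewars" "hexchat" "hplip" "htop" "hwloc" "icecat" "inetutils"
           "inkscape" "ipp-usb" "iptables" "jack" "jp2a" "kajongg" "kcachegrind"
           "kgraphviewer" "kicad" "kicad-templates" "kicad-footprints"
           "kicad-symbols" "kicad-doc" "ldns" "libreoffice" "libtree" "libvirt"
           "lm-sensors" "lsof" "lvm2" "lynx" "make" "man-pages" "mdadm"
           "mediainfo" "megatools" "meld" "microcom" "minetest" "minicom"
           "minisat" "mpv" "mtr" "mumble" "nbd" "ncftp" "ndisc6" "neofetch"
           "netcat" "network-manager" "network-manager-openvpn"
           "nextcloud-client" "ngspice" "nitrocli" "nmap" "ntfs-3g" "openssh"
           "openssl" "openvpn" "pam-u2f" "pandoc" "paprefs" "parted" "patchelf"
           "pavucontrol" "pipe-viewer" "pkg-config" "poppler" "powertop"
           "profanity" "python" "python2" "python-logutils" "python-markdown"
           "python-paramiko" "python-prettytable" "python-virtualenv"
           "qbittorrent" "qemu" "qjackctl" "qpdf" "recutils" "rsync" "rubber"
           "ruby-pygmentize" "screen" "perl-digest-sha" "strace" "xsane"
           "seahorse" "setxkbmap" "simplescreenrecorder" "sl" "speedtest-cli"
           "sqlitebrowser" "sshpass" "system-config-printer" "testdisk"
           "texlive" "texlive-biber" "texmaker" "tig" "tilix" "transmission"
           "tree" "tor" "torbrowser" "uefitool" "ungoogled-chromium" "unzip"
           "virt-manager" "vlc" "wine64" "xauth"
           ;"xdg-desktop-portal"
           "xdg-desktop-portal-gnome" "xdg-desktop-portal-gtk" "xdg-utils"
           "xdot" "xdotool" "xeyes" "xournalpp" "xrdp" "yt-dlp" "zip" "zstd"))
    (list sane-custom-backends simple-scan-custom)
    ;; Keep the stock simple-scan out of the base set; the custom build
    ;; above replaces it.
    (remove (lambda (pkg)
              (string=? (package-name pkg) "simple-scan"))
            %base-packages)))

  ;; System services.
  ;; The default behaviour of a few services is adjusted below.
  (services
   (modify-services
       (append
        (list
         ;; guix home service (automatic profile reconfiguration)
         (service guix-home-service-type
                  `(("neox" ,%home_configuration)))
         ;; Bluetooth
         (service bluetooth-service-type)
         ;; Smart-card daemon, for hardware encryption keys
         (service pcscd-service-type)
         ;; OpenSSH: key-only authentication, root may not log in with a
         ;; password.
         (service openssh-service-type
                  (openssh-configuration
                   (x11-forwarding? #t)
                   (password-authentication? #f)
                   (permit-root-login 'prohibit-password)))
         ;; Printing
         (service cups-service-type
                  (cups-configuration
                   (web-interface? #t)
                   (extensions
                    (list cups-filters epson-inkjet-printer-escpr
                          hplip-minimal))))
         ;; KVM/Libvirt for virt-manager
         (service libvirt-service-type)
         (service virtlog-service-type)
         ;; Apply the custom udev rules defined above; each call also
         ;; creates the named group.
         (udev-rules-service 'spice %spice-rules #:groups '("spice"))
         (udev-rules-service 'plugdev %ch341a-nk3-rules #:groups '("plugdev"))
         ;; Memory/priority limits for real-time audio (notably Ardour)
         (service pam-limits-service-type
                  (list
                   (pam-limits-entry "@audio" 'both 'rtprio 99)
                   (pam-limits-entry "@audio" 'both 'memlock 'unlimited)))
         ;; GNOME/GDM
         (service gnome-desktop-service-type)
         ;; Tor
         (service tor-service-type)
         ;; Scanners (package overridden in 'modify-services' below)
         (service sane-custom-service-type)
         ;; Graphical environment (notably the keyboard layout)
         (set-xorg-configuration
          (xorg-configuration (keyboard-layout keyboard-layout))))
        ;; Default system services
        %desktop-services)

     ;; Overrides of default services

     ;; upower: do not suspend when the lid is closed
     (upower-service-type config =>
                          (upower-configuration
                           (inherit config)
                           (ignore-lid? #t)))
     ;; elogind: do not suspend when the lid is closed
     (elogind-service-type config =>
                           (elogind-configuration
                            (inherit config)
                            (handle-lid-switch 'ignore)
                            (handle-lid-switch-external-power 'ignore)))
     ;; Scanners: drop the stock SANE service, use the custom one with
     ;; the full back-end package
     ;(sane-service-type _ => sane-backends)
     (delete sane-service-type)
     (sane-custom-service-type _ => sane-custom-backends)
     ;; Garbage collector
     (guix-service-type config =>
                        (guix-configuration
                         (inherit config)
                         (extra-options '("--gc-keep-derivations=yes"
                                          "--gc-keep-output=yes"))))
     ;; network-manager with OpenVPN support
     (network-manager-service-type config =>
                                   (network-manager-configuration
                                    (inherit config)
                                    (vpn-plugins
                                     (list (specification->package
                                            "network-manager-openvpn")))))))

  ;; Boot loader (GRUB): where to install it and how to configure it
  (bootloader (bootloader-configuration
               (bootloader grub-efi-bootloader)
               (targets (list "/boot/efi"))
               (keyboard-layout keyboard-layout)))

  ;; Mapped devices: the encrypted (LUKS) partitions
  (mapped-devices (list (mapped-device
                         (source (uuid "3ea148ff-1d1c-4f8c-a82c-5806b32dd6a0"))
                         (target "crypthome")
                         (type luks-device-mapping))))

  ;; Specify a swap file for the system, which resides on the
  ;; root file system.
  ;(swap-devices
  ; (list
  ;  (swap-space
  ;   (target "/swapfile"))))

  ;; File systems mounted at boot: encrypted and clear partitions
  (file-systems (cons* (file-system
                         (mount-point "/home")
                         (device "/dev/mapper/crypthome")
                         (type "ext4")
                         (dependencies mapped-devices))
                       (file-system
                         (mount-point "/boot/efi")
                         (device (uuid "A012-A17A" 'fat32))
                         (type "vfat"))
                       (file-system
                         (mount-point "/")
                         (device (file-system-label "root"))
                         (type "ext4"))
                       %base-file-systems)))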