guixconfig/config.org

#+TITLE: GUIX System Configuration
#+AUTHOR: Daniel Ziltener
#+PROPERTY: scheme-implementation guile
#+PROPERTY: header-args:scheme :comments none :session *guile*

#+begin_src emacs-lisp :results none
  (org-babel-lob-ingest "./library.org")
#+end_src

* Makefile

#+begin_src makefile :tangle Makefile
  reconfigure:
	mkdir -p ~/.config/guix
	cp channels.scm ~/.config/guix/channels.scm
	guix archive --authorize < signing-key.pub
	guix system reconfigure ./config.scm --substitute-urls='https://ci.guix.gnu.org https://bordeaux.guix.gnu.org https://substitutes.nonguix.org'
	make -C /home/zilti/.guix-home/profile/lib/browserpass hosts-firefox-user
	flatpak --user remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
#+end_src

* System Installation Script

This is to be run after setting up the partitions.

#+begin_src sh :tangle sysinst.sh
  #!/bin/sh
  set euxo -pipefail
  mount /dev/disk/by-label/guix /mnt
  mkdir -p /mnt/boot/efi
  mount /dev/disk/by-label/EFI /mnt/boot/efi
  herd start cow-store /mnt
  guix pull -C./channels.scm
  GUIX_PROFILE="/root/.config/guix/current"
  . "$GUIX_PROFILE/etc/profile"
  hash guix
  guix system -L. init config.scm /mnt --substitute-urls="https://ci.guix.gnu.org https://bordeaux.guix.gnu.org https://substitutes.nonguix.org"
#+end_src

* Modules

#+NAME: module-list
- gnu
- gnu image
- gnu services admin
- gnu services authentication
- gnu services base
- gnu services configuration
- gnu services dbus
- gnu services desktop
- gnu services docker
- gnu services linux
- gnu services networking
- gnu services pm
- gnu services sddm
- gnu services sound
- gnu services virtualization
- gnu services xorg
- gnu system nss
- zilti packages hyprland
- nongnu packages firmware
- nongnu packages linux
- nongnu system linux-initrd

#+begin_src scheme :noweb yes :exports none :results output :tangle config.scm
  <<list-to-use(use-call="use-modules",entries=module-list,all-parens=1)>>
#+end_src

#+RESULTS:

** Service Modules

#+NAME: service-module-list
- desktop
- xorg

#+begin_src scheme :noweb yes :exports none :results output :tangle config.scm
  <<list-to-use(use-call="use-service-modules",entries=service-module-list)>>
#+end_src

**  Package Modules

#+NAME: package-module-list
- bootloaders
- certs
- containers
- emacs
- emacs-xyz
- fonts
- gl
- gnome
- linux
- pciutils
- readline
- terminals
- version-control
- wm
- xdisorg
- xorg

#+begin_src scheme :noweb yes :exports none :results output :tangle config.scm
  <<list-to-use(use-call="use-package-modules",entries=package-module-list)>>
#+end_src

* Configuration Definitions

** File System

#+NAME: config-filesystems
#+begin_src scheme :noweb yes
  (file-systems (append (list
                         (file-system
                          (device (file-system-label "EFI"))
                          (mount-point "/boot/efi")
                          (type "vfat"))
                         (file-system
                          (device (file-system-label "guix"))
                          (mount-point "/")
                          (type "xfs")))
                        %base-file-systems))
#+end_src

#+NAME: config-swap
#+begin_src scheme :noweb yes
  (swap-devices
   (list (swap-space (target (file-system-label "swap")))))
#+end_src

** Channels

This adds the Nonguix channel.

#+NAME: root-channels
#+begin_src scheme :tangle channels.scm
  (cons* (channel
          (name 'nonguix)
          (url "https://gitlab.com/nonguix/nonguix")
          ;; Enable signature verification:
          (introduction
           (make-channel-introduction
            "897c1a470da759236cc11798f4e0a5f7d4d59fbc"
            (openpgp-fingerprint
             "2A39 3FFF 68F4 EF7A 3D29  12AF 6F51 20A0 22FB B2D5"))))
         (channel
          (name 'emacs-melpa)
          (url "https://github.com/babariviere/guix-emacs")
          (introduction
           (make-channel-introduction
            "72ca4ef5b572fea10a4589c37264fa35d4564783"
            (openpgp-fingerprint
             "261C A284 3452 FB01 F6DF  6CF4 F9B7 864F 2AB4 6F18"))))
         (channel
          (name 'ziltis-channel)
          (url "https://gitea.lyrion.ch/zilti/guixchannel"))
         %default-channels)
#+end_src

** Packages

#+NAME: root-packages
- bluez-firmware
- egl-wayland
- eglexternalplatform
- emacs
- emacs-desktop-environment
- font-terminus
- fwupd-nonfree
- git
- glu
- hwdata
- hyprland
- i915-firmware
- libdrm
- mesa
- nss-certs
- network-manager
- podman
- readline
- tuxedo-keyboard
- xf86-video-amdgpu
- xf86-video-intel
- xorg-server-xwayland
- xorg-server
- amdgpu-firmware
- amd-microcode
- intel-microcode

#+NAME: root-package-block
#+begin_src scheme :noweb no-export
  (packages
   (append
    <<org-to-scheme-sym-list(input=root-packages)>>
    %base-packages))
#+end_src

#+RESULTS: root-package-block

** Services

#+NAME: root-services-block
#+begin_src scheme :noweb yes :exports none :results code
  (services
   (append
    <<root-modified-desktop-services>>
    <<root-simple-service-block>>
    (list polkit-wheel-service)
    (list
     <<greeter-service>>)
    (list
     <<screen-lock-service>>)
    (list
     <<hosts-file-service>>)
    (list
     <<unattended-upgrade>>)
    ))
#+end_src

*** Simple Services

These services are unmodified, or have just few settings.

#+NAME: root-simple-services
| Service        | Options                                              |
|----------------+------------------------------------------------------|
| tlp            | ()                                                   |
| thermald       | ((adaptive? #t))                                     |
| bluetooth      | ()                                                   |
| docker         | ()                                                   |
| earlyoom       | ((minimum-available-memory 5) (minimum-free-swap 5)) |
| inputattach    | ()                                                   |
| libvirt        | ((unix-sock-group "libvirt"))                        |
| fstrim         | ()                                                   |
| fprintd        | ()                                                   |
| plasma-desktop | ()                                                   |
| sddm           | ()                                                   |
| seatd          | ()                                                   |

#+NAME: root-simple-service-block
#+begin_src scheme :noweb yes :exports none :results output
  <<service-converter(input=root-simple-services)>>
#+end_src

*** Unattended Upgrade Service

#+NAME: unattended-upgrade
#+begin_src scheme :noweb no-export
  (service unattended-upgrade-service-type
   (unattended-upgrade-configuration
    (schedule "5 12 * * 1")
    #;(channels
     <<root-channels>>)))
#+end_src

*** Hosts File

#+NAME: hosts-file-service
#+begin_src scheme :noweb no-export
  (simple-service  'add-extra-hosts
                   hosts-service-type
                   (list (host "127.0.0.1" "l.redsky.io" '("ld.redsky.io"))
                         (host "::1" "l.redsky.io" '("ld.redsky.io"))))
#+end_src

*** Modified Desktop Services

#+NAME: nonguix-pubkey
#+begin_src scheme :tangle keys/non-guix.pub :mkdirp yes
  (public-key 
   (ecc 
    (curve Ed25519)
    (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)
    )
   )
#+end_src

#+NAME: guix-ci-pubkey
#+begin_src scheme :tangle keys/guix-ci.pub :mkdirp yes
  (public-key 
   (ecc 
    (curve Ed25519)
    (q #8D156F295D24B0D9A86FA5741A840FF2D24F60F7B6C4134814AD55625971B394#)
    )
   )
#+end_src

#+NAME: guix-bordeaux-pubkey
#+begin_src scheme :tangle keys/guix-bordeaux.pub :mkdirp yes
  (public-key 
   (ecc 
    (curve Ed25519)
    (q #7D602902D3A2DBB83F8A0FB98602A754C5493B0B778C8D1DD4E0F41DE14DE34F#)
    )
   )
#+end_src

#+NAME: root-modified-desktop-services
#+begin_src scheme :exports none :results code :noweb no-export
  (modify-services
   %desktop-services
   (delete gdm-service-type)
   (delete screen-locker-service-type)
   (delete login-service-type)
   (delete mingetty-service-type)
   (delete console-font-service-type)
   (delete elogind-service-type)
   (delete pulseaudio-service-type)
   (guix-service-type config => (guix-configuration
                                 (inherit config)
                                 (substitute-urls
                                  (append (list "https://substitutes.nonguix.org")
                                          %default-substitute-urls))
                                 (authorized-keys
                                  (append (list (local-file "./keys/non-guix.pub"))
                                          %default-authorized-guix-keys)))))
#+end_src

*** Greeter Service

=greetd= is a broken mess, yet here we are.

#+NAME: greeter-service
#+begin_src scheme
  (service greetd-service-type
           (greetd-configuration
            (greeter-supplementary-groups
             (list "video" "input"))
            (terminals
             (list
              (greetd-terminal-configuration
               (terminal-vt "1"))
              (greetd-terminal-configuration
               (terminal-vt "2"))
              (greetd-terminal-configuration
               (terminal-vt "3"))
              (greetd-terminal-configuration
               (terminal-vt "4"))
              #;(greetd-terminal-configuration
              (terminal-vt "7")
              (terminal-switch #t)
              (default-session-command
              (greetd-wlgreet-session
              (command
              (file-append swayfx "/bin/sway")))))
              (greetd-terminal-configuration
               (terminal-vt "8"))))))
#+end_src

*** Screen Locker Service

For some reason, this service runs on root level for Guix.

#+NAME: screen-lock-service
#+begin_src scheme
  (service screen-locker-service-type
           (screen-locker-configuration
            (name "swaylock")
            (program
             (file-append swaylock-effects "/bin/swaylock"))
            (using-setuid? #f)))
#+end_src

* Operating System

This is the full operating system specification.

#+begin_src scheme :noweb no-export :results code :tangle config.scm
  (operating-system
   (host-name "ziltis-machine")
   (timezone "Europe/Berlin")
   (locale "de_DE.utf8")
   (keyboard-layout
    (keyboard-layout "de" #:options '("caps:swapescape")))
   (kernel linux)
   (initrd microcode-initrd)
   (firmware (list linux-firmware))
   (bootloader
    (bootloader-configuration
     (bootloader grub-efi-bootloader)
     (targets
      '("/boot/efi"))
     (keyboard-layout keyboard-layout)))
   #;(file-systems %local-filesystem)
   #;(swap-devices %local-swap)
    <<config-filesystems>>
    <<config-swap>>
   (users
    (cons*
     (user-account
      (name "zilti")
      (group "users")
      (supplementary-groups
       '("avahi" "docker" "users" "wheel" "netdev" "audio" "cdrom" "video" "libvirt" "lp")))
     %base-user-accounts))
    <<root-package-block>>
    <<root-services-block>>
   (name-service-switch %mdns-host-lookup-nss))
#+end_src

* Other Components

** Podman

Podman needs the files =/etc/subuid= and =/etc/subgid=.

#+begin_src fundamental :tangle etc/subuid :mkdirp yes
zilti:1001:65536
#+end_src

#+begin_src fundamental :tangle etc/subgid :mkdirp yes
zilti:1000:1000
#+end_src

Then, there is the =policy.json=:

#+begin_src json :tangle podman/policy.json :mkdirp yes
{
    "default": [
        {
            "type": "reject"
        }
    ],
    "transports": {
        "docker": {
            "docker.io": [
                {
                    "type": "insecureAcceptAnything"
                }
            ],
            "docker.io/library": [
                {
                    "type": "insecureAcceptAnything"
                }
            ],
            "registry.access.redhat.com": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                }
            ],
            "registry.redhat.io": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                }
            ]
        },
        "docker-daemon": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        }
    }
}
#+end_src

And finally the registries.

#+begin_src conf :tangle podman/registries.conf :mkdirp yes
[registries.search]
registries = ["docker.io", "registry.access.redhat.com", "quay.io"]
#+end_src
. 2023-11-29 12:52:46 +00:00			`#+TITLE: GUIX System Configuration`
. 2023-12-01 13:22:33 +00:00			`#+AUTHOR: Daniel Ziltener`
. 2023-12-01 14:48:18 +00:00			`#+PROPERTY: scheme-implementation guile`
. 2023-12-20 16:21:33 +00:00			`#+PROPERTY: header-args:scheme :comments none :session guile`
. 2023-12-01 13:22:33 +00:00
			`#+begin_src emacs-lisp :results none`
			`(org-babel-lob-ingest "./library.org")`
			`#+end_src`
. 2023-11-29 12:52:46 +00:00
. 2023-12-11 11:54:43 +00:00			`* Makefile`

			`#+begin_src makefile :tangle Makefile`
. 2023-12-13 02:02:44 +00:00			`reconfigure:`
. 2023-12-17 14:51:31 +00:00			`mkdir -p ~/.config/guix`
			`cp channels.scm ~/.config/guix/channels.scm`
			`guix archive --authorize < signing-key.pub`
			`guix system reconfigure ./config.scm --substitute-urls='https://ci.guix.gnu.org https://bordeaux.guix.gnu.org https://substitutes.nonguix.org'`
. 2023-12-19 15:57:08 +00:00			`make -C /home/zilti/.guix-home/profile/lib/browserpass hosts-firefox-user`
. 2023-12-17 14:51:31 +00:00			`flatpak --user remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo`
. 2023-12-11 11:54:43 +00:00			`#+end_src`

. 2023-12-11 15:56:04 +00:00			`* System Installation Script`

			`This is to be run after setting up the partitions.`

			`#+begin_src sh :tangle sysinst.sh`
. 2023-12-17 16:43:07 +00:00			`#!/bin/sh`
			`set euxo -pipefail`
			`mount /dev/disk/by-label/guix /mnt`
			`mkdir -p /mnt/boot/efi`
			`mount /dev/disk/by-label/EFI /mnt/boot/efi`
			`herd start cow-store /mnt`
			`guix pull -C./channels.scm`
. 2023-12-18 18:31:02 +00:00			`GUIX_PROFILE="/root/.config/guix/current"`
. 2023-12-17 16:43:07 +00:00			`. "$GUIX_PROFILE/etc/profile"`
			`hash guix`
. 2023-12-17 16:55:21 +00:00			`guix system -L. init config.scm /mnt --substitute-urls="https://ci.guix.gnu.org https://bordeaux.guix.gnu.org https://substitutes.nonguix.org"`
. 2023-12-11 15:56:04 +00:00			`#+end_src`

. 2023-11-29 12:52:46 +00:00			`* Modules`

			`#+NAME: module-list`
			`- gnu`
. 2023-12-01 13:32:56 +00:00			`- gnu image`
. 2023-12-18 00:27:14 +00:00			`- gnu services admin`
. 2023-12-01 13:32:56 +00:00			`- gnu services authentication`
. 2023-11-29 12:52:46 +00:00			`- gnu services base`
. 2023-12-18 00:27:14 +00:00			`- gnu services configuration`
. 2023-12-01 13:22:33 +00:00			`- gnu services dbus`
. 2023-11-29 12:52:46 +00:00			`- gnu services desktop`
. 2024-01-05 14:31:18 +00:00			`- gnu services docker`
. 2023-12-01 13:22:33 +00:00			`- gnu services linux`
. 2023-11-29 12:52:46 +00:00			`- gnu services networking`
			`- gnu services pm`
. 2024-03-19 18:49:03 +00:00			`- gnu services sddm`
. 2023-12-19 00:16:03 +00:00			`- gnu services sound`
. 2023-12-01 13:22:33 +00:00			`- gnu services virtualization`
			`- gnu services xorg`
. 2023-11-29 12:52:46 +00:00			`- gnu system nss`
. 2024-01-17 19:58:45 +00:00			`- zilti packages hyprland`
. 2024-03-13 21:28:27 +00:00			`- nongnu packages firmware`
. 2023-12-11 11:54:43 +00:00			`- nongnu packages linux`
			`- nongnu system linux-initrd`
. 2023-11-29 12:52:46 +00:00
. 2023-12-12 09:57:23 +00:00			`#+begin_src scheme :noweb yes :exports none :results output :tangle config.scm`
. 2023-12-01 13:32:56 +00:00			`<<list-to-use(use-call="use-modules",entries=module-list,all-parens=1)>>`
. 2023-12-01 13:22:33 +00:00			`#+end_src`

. 2023-12-13 02:02:44 +00:00			`#+RESULTS:`

. 2023-11-29 12:52:46 +00:00			`** Service Modules`

			`#+NAME: service-module-list`
			`- desktop`
. 2023-12-01 13:22:33 +00:00			`- xorg`

. 2023-12-12 09:57:23 +00:00			`#+begin_src scheme :noweb yes :exports none :results output :tangle config.scm`
. 2023-12-01 13:22:33 +00:00			`<<list-to-use(use-call="use-service-modules",entries=service-module-list)>>`
			`#+end_src`
. 2023-11-29 12:52:46 +00:00
			`** Package Modules`

			`#+NAME: package-module-list`
			`- bootloaders`
			`- certs`
. 2023-12-20 16:21:33 +00:00			`- containers`
. 2023-11-29 12:52:46 +00:00			`- emacs`
. 2023-12-01 13:22:33 +00:00			`- emacs-xyz`
			`- fonts`
. 2023-12-22 17:32:59 +00:00			`- gl`
. 2024-01-05 14:31:18 +00:00			`- gnome`
			`- linux`
. 2023-12-12 09:28:30 +00:00			`- pciutils`
. 2023-12-01 13:22:33 +00:00			`- readline`
			`- terminals`
			`- version-control`
. 2023-11-29 12:52:46 +00:00			`- wm`
. 2023-12-22 17:32:59 +00:00			`- xdisorg`
. 2023-11-29 12:52:46 +00:00			`- xorg`

. 2023-12-12 09:57:23 +00:00			`#+begin_src scheme :noweb yes :exports none :results output :tangle config.scm`
. 2023-12-01 13:22:33 +00:00			`<<list-to-use(use-call="use-package-modules",entries=package-module-list)>>`
			`#+end_src`

			`* Configuration Definitions`

			`** File System`

. 2023-12-14 21:49:12 +00:00			`#+NAME: config-filesystems`
			`#+begin_src scheme :noweb yes`
			`(file-systems (append (list`
. 2023-12-17 16:43:07 +00:00			`(file-system`
			`(device (file-system-label "EFI"))`
			`(mount-point "/boot/efi")`
			`(type "vfat"))`
			`(file-system`
			`(device (file-system-label "guix"))`
			`(mount-point "/")`
			`(type "xfs")))`
			`%base-file-systems))`
. 2023-12-14 21:49:12 +00:00			`#+end_src`

			`#+NAME: config-swap`
			`#+begin_src scheme :noweb yes`
			`(swap-devices`
			`(list (swap-space (target (file-system-label "swap")))))`
			`#+end_src`

. 2023-12-11 11:54:43 +00:00			`** Channels`

			`This adds the Nonguix channel.`

. 2023-12-18 00:05:20 +00:00			`#+NAME: root-channels`
. 2023-12-11 11:54:43 +00:00			`#+begin_src scheme :tangle channels.scm`
			`(cons* (channel`
. 2023-12-17 14:43:53 +00:00			`(name 'nonguix)`
			`(url "https://gitlab.com/nonguix/nonguix")`
			`;; Enable signature verification:`
			`(introduction`
			`(make-channel-introduction`
			`"897c1a470da759236cc11798f4e0a5f7d4d59fbc"`
			`(openpgp-fingerprint`
			`"2A39 3FFF 68F4 EF7A 3D29 12AF 6F51 20A0 22FB B2D5"))))`
. 2024-01-17 19:58:45 +00:00			`(channel`
			`(name 'emacs-melpa)`
			`(url "https://github.com/babariviere/guix-emacs")`
			`(introduction`
			`(make-channel-introduction`
			`"72ca4ef5b572fea10a4589c37264fa35d4564783"`
			`(openpgp-fingerprint`
			`"261C A284 3452 FB01 F6DF 6CF4 F9B7 864F 2AB4 6F18"))))`
. 2023-12-17 14:43:53 +00:00			`(channel`
			`(name 'ziltis-channel)`
			`(url "https://gitea.lyrion.ch/zilti/guixchannel"))`
			`%default-channels)`
. 2023-12-11 11:54:43 +00:00			`#+end_src`

. 2023-12-01 13:22:33 +00:00			`** Packages`

			`#+NAME: root-packages`
. 2024-03-13 21:28:27 +00:00			`- bluez-firmware`
. 2023-12-22 17:32:59 +00:00			`- egl-wayland`
			`- eglexternalplatform`
. 2023-12-01 13:22:33 +00:00			`- emacs`
			`- emacs-desktop-environment`
			`- font-terminus`
. 2024-03-13 21:28:27 +00:00			`- fwupd-nonfree`
. 2023-12-01 13:22:33 +00:00			`- git`
. 2023-12-22 17:32:59 +00:00			`- glu`
. 2023-12-11 10:59:44 +00:00			`- hwdata`
. 2024-03-19 18:49:03 +00:00			`- hyprland`
. 2024-01-30 21:57:39 +00:00			`- i915-firmware`
. 2023-12-22 17:32:59 +00:00			`- libdrm`
			`- mesa`
. 2023-12-01 13:22:33 +00:00			`- nss-certs`
. 2023-12-14 23:48:17 +00:00			`- network-manager`
. 2023-12-20 16:21:33 +00:00			`- podman`
. 2023-12-01 13:22:33 +00:00			`- readline`
. 2024-01-17 15:34:06 +00:00			`- tuxedo-keyboard`
. 2023-12-22 13:59:57 +00:00			`- xf86-video-amdgpu`
. 2024-01-30 21:57:39 +00:00			`- xf86-video-intel`
. 2024-03-19 18:49:03 +00:00			`- xorg-server-xwayland`
			`- xorg-server`
. 2024-01-30 21:57:39 +00:00			`- amdgpu-firmware`
. 2024-03-13 21:32:06 +00:00			`- amd-microcode`
			`- intel-microcode`
. 2023-12-01 13:22:33 +00:00
			`#+NAME: root-package-block`
			`#+begin_src scheme :noweb no-export`
			`(packages`
			`(append`
			`<<org-to-scheme-sym-list(input=root-packages)>>`
			`%base-packages))`
			`#+end_src`

. 2023-12-12 09:57:23 +00:00			`#+RESULTS: root-package-block`

. 2023-12-01 13:22:33 +00:00			`** Services`

			`#+NAME: root-services-block`
			`#+begin_src scheme :noweb yes :exports none :results code`
			`(services`
			`(append`
. 2023-12-11 10:59:44 +00:00			`<<root-modified-desktop-services>>`
. 2023-12-01 13:38:40 +00:00			`<<root-simple-service-block>>`
. 2023-12-18 00:27:14 +00:00			`(list polkit-wheel-service)`
. 2023-12-01 13:38:40 +00:00			`(list`
			`<<greeter-service>>)`
			`(list`
			`<<screen-lock-service>>)`
. 2024-01-26 16:05:49 +00:00			`(list`
			`<<hosts-file-service>>)`
. 2023-12-18 00:05:20 +00:00			`(list`
. 2023-12-18 00:27:14 +00:00			`<<unattended-upgrade>>)`
. 2024-01-26 16:05:49 +00:00			`))`
. 2023-12-01 13:22:33 +00:00			`#+end_src`

			`*** Simple Services`

			`These services are unmodified, or have just few settings.`

			`#+NAME: root-simple-services`
. 2024-03-19 18:49:03 +00:00			`\| Service \| Options \|`
			`\|----------------+------------------------------------------------------\|`
			`\| tlp \| () \|`
			`\| thermald \| ((adaptive? #t)) \|`
			`\| bluetooth \| () \|`
			`\| docker \| () \|`
			`\| earlyoom \| ((minimum-available-memory 5) (minimum-free-swap 5)) \|`
			`\| inputattach \| () \|`
			`\| libvirt \| ((unix-sock-group "libvirt")) \|`
			`\| fstrim \| () \|`
			`\| fprintd \| () \|`
			`\| plasma-desktop \| () \|`
			`\| sddm \| () \|`
			`\| seatd \| () \|`
. 2023-12-01 13:22:33 +00:00
			`#+NAME: root-simple-service-block`
. 2023-12-12 09:57:23 +00:00			`#+begin_src scheme :noweb yes :exports none :results output`
. 2023-12-01 13:22:33 +00:00			`<<service-converter(input=root-simple-services)>>`
			`#+end_src`

. 2023-12-18 00:05:20 +00:00			`*** Unattended Upgrade Service`

			`#+NAME: unattended-upgrade`
			`#+begin_src scheme :noweb no-export`
			`(service unattended-upgrade-service-type`
			`(unattended-upgrade-configuration`
			`(schedule "5 12 * * 1")`
. 2023-12-18 00:27:14 +00:00			`#;(channels`
. 2023-12-18 00:05:20 +00:00			`<<root-channels>>)))`
			`#+end_src`

. 2024-01-26 16:05:49 +00:00			`*** Hosts File`

			`#+NAME: hosts-file-service`
			`#+begin_src scheme :noweb no-export`
			`(simple-service 'add-extra-hosts`
			`hosts-service-type`
			`(list (host "127.0.0.1" "l.redsky.io" '("ld.redsky.io"))`
			`(host "::1" "l.redsky.io" '("ld.redsky.io"))))`
			`#+end_src`

. 2023-12-11 10:59:44 +00:00			`*** Modified Desktop Services`

. 2023-12-11 11:54:43 +00:00			`#+NAME: nonguix-pubkey`
			`#+begin_src scheme :tangle keys/non-guix.pub :mkdirp yes`
. 2023-12-19 00:16:03 +00:00			`(public-key`
			`(ecc`
			`(curve Ed25519)`
			`(q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)`
			`)`
			`)`
. 2023-12-18 20:41:02 +00:00			`#+end_src`

. 2023-12-19 15:57:08 +00:00			`#+NAME: guix-ci-pubkey`
			`#+begin_src scheme :tangle keys/guix-ci.pub :mkdirp yes`
			`(public-key`
			`(ecc`
			`(curve Ed25519)`
			`(q #8D156F295D24B0D9A86FA5741A840FF2D24F60F7B6C4134814AD55625971B394#)`
			`)`
			`)`
			`#+end_src`

			`#+NAME: guix-bordeaux-pubkey`
			`#+begin_src scheme :tangle keys/guix-bordeaux.pub :mkdirp yes`
			`(public-key`
			`(ecc`
			`(curve Ed25519)`
			`(q #7D602902D3A2DBB83F8A0FB98602A754C5493B0B778C8D1DD4E0F41DE14DE34F#)`
			`)`
			`)`
			`#+end_src`

. 2023-12-11 10:59:44 +00:00			`#+NAME: root-modified-desktop-services`
. 2023-12-14 23:48:17 +00:00			`#+begin_src scheme :exports none :results code :noweb no-export`
. 2023-12-18 20:41:02 +00:00			`(modify-services`
			`%desktop-services`
. 2023-12-18 21:11:28 +00:00			`(delete gdm-service-type)`
			`(delete screen-locker-service-type)`
. 2023-12-18 20:41:02 +00:00			`(delete login-service-type)`
			`(delete mingetty-service-type)`
			`(delete console-font-service-type)`
. 2023-12-18 21:11:28 +00:00			`(delete elogind-service-type)`
			`(delete pulseaudio-service-type)`
. 2023-12-18 20:41:02 +00:00			`(guix-service-type config => (guix-configuration`
			`(inherit config)`
			`(substitute-urls`
			`(append (list "https://substitutes.nonguix.org")`
			`%default-substitute-urls))`
			`(authorized-keys`
. 2023-12-19 15:57:08 +00:00			`(append (list (local-file "./keys/non-guix.pub"))`
. 2023-12-19 00:16:03 +00:00			`%default-authorized-guix-keys)))))`
. 2023-12-11 10:59:44 +00:00			`#+end_src`

. 2023-12-01 13:22:33 +00:00			`*** Greeter Service`

			`=greetd= is a broken mess, yet here we are.`

			`#+NAME: greeter-service`
			`#+begin_src scheme`
			`(service greetd-service-type`
			`(greetd-configuration`
			`(greeter-supplementary-groups`
			`(list "video" "input"))`
			`(terminals`
			`(list`
			`(greetd-terminal-configuration`
. 2023-12-01 15:19:17 +00:00			`(terminal-vt "1"))`
			`(greetd-terminal-configuration`
			`(terminal-vt "2"))`
			`(greetd-terminal-configuration`
			`(terminal-vt "3"))`
			`(greetd-terminal-configuration`
			`(terminal-vt "4"))`
			`#;(greetd-terminal-configuration`
. 2023-12-01 15:47:03 +00:00			`(terminal-vt "7")`
			`(terminal-switch #t)`
			`(default-session-command`
			`(greetd-wlgreet-session`
			`(command`
. 2023-12-01 15:19:17 +00:00			`(file-append swayfx "/bin/sway")))))`
. 2023-12-01 13:22:33 +00:00			`(greetd-terminal-configuration`
			`(terminal-vt "8"))))))`
			`#+end_src`

			`*** Screen Locker Service`

			`For some reason, this service runs on root level for Guix.`

			`#+NAME: screen-lock-service`
			`#+begin_src scheme`
			`(service screen-locker-service-type`
			`(screen-locker-configuration`
			`(name "swaylock")`
			`(program`
			`(file-append swaylock-effects "/bin/swaylock"))`
			`(using-setuid? #f)))`
			`#+end_src`

			`* Operating System`

			`This is the full operating system specification.`

			`#+begin_src scheme :noweb no-export :results code :tangle config.scm`
			`(operating-system`
			`(host-name "ziltis-machine")`
			`(timezone "Europe/Berlin")`
			`(locale "de_DE.utf8")`
			`(keyboard-layout`
			`(keyboard-layout "de" #:options '("caps:swapescape")))`
. 2023-12-11 11:54:43 +00:00			`(kernel linux)`
			`(initrd microcode-initrd)`
			`(firmware (list linux-firmware))`
. 2023-12-01 13:22:33 +00:00			`(bootloader`
			`(bootloader-configuration`
. 2023-12-01 13:34:54 +00:00			`(bootloader grub-efi-bootloader)`
. 2023-12-01 13:22:33 +00:00			`(targets`
			`'("/boot/efi"))`
			`(keyboard-layout keyboard-layout)))`
. 2023-12-14 21:49:12 +00:00			`#;(file-systems %local-filesystem)`
			`#;(swap-devices %local-swap)`
			`<<config-filesystems>>`
			`<<config-swap>>`
. 2023-12-01 13:22:33 +00:00			`(users`
			`(cons*`
			`(user-account`
			`(name "zilti")`
			`(group "users")`
			`(supplementary-groups`
. 2024-03-19 18:49:03 +00:00			`'("avahi" "docker" "users" "wheel" "netdev" "audio" "cdrom" "video" "libvirt" "lp")))`
. 2023-12-01 13:22:33 +00:00			`%base-user-accounts))`
			`<<root-package-block>>`
			`<<root-services-block>>`
			`(name-service-switch %mdns-host-lookup-nss))`
			`#+end_src`
. 2024-01-05 14:31:18 +00:00
			`* Other Components`

			`** Podman`

			`Podman needs the files =/etc/subuid= and =/etc/subgid=.`

			`#+begin_src fundamental :tangle etc/subuid :mkdirp yes`
			`zilti:1001:65536`
			`#+end_src`

			`#+begin_src fundamental :tangle etc/subgid :mkdirp yes`
			`zilti:1000:1000`
			`#+end_src`

			`Then, there is the =policy.json=:`

			`#+begin_src json :tangle podman/policy.json :mkdirp yes`
			`{`
			`"default": [`
			`{`
			`"type": "reject"`
			`}`
			`],`
			`"transports": {`
			`"docker": {`
			`"docker.io": [`
			`{`
			`"type": "insecureAcceptAnything"`
			`}`
			`],`
			`"docker.io/library": [`
			`{`
			`"type": "insecureAcceptAnything"`
			`}`
			`],`
			`"registry.access.redhat.com": [`
			`{`
			`"type": "signedBy",`
			`"keyType": "GPGKeys",`
			`"keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"`
			`}`
			`],`
			`"registry.redhat.io": [`
			`{`
			`"type": "signedBy",`
			`"keyType": "GPGKeys",`
			`"keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"`
			`}`
			`]`
			`},`
			`"docker-daemon": {`
			`"": [`
			`{`
			`"type": "insecureAcceptAnything"`
			`}`
			`]`
			`}`
			`}`
			`}`
			`#+end_src`

			`And finally the registries.`

			`#+begin_src conf :tangle podman/registries.conf :mkdirp yes`
			`[registries.search]`
			`registries = ["docker.io", "registry.access.redhat.com", "quay.io"]`
			`#+end_src`