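#+TITLE: GUIX System Configuration
#+AUTHOR: Daniel Ziltener
#+PROPERTY: scheme-implementation guile
#+PROPERTY: header-args:scheme :comments none :session *guile*

#+begin_src emacs-lisp :results none
(org-babel-lob-ingest "./library.org")
#+end_src

* Makefile

#+begin_src makefile :tangle Makefile
# `guix archive --authorize` adds the nonguix signing key to the set of
# substitute signers the daemon trusts for pre-built binaries. It is chained
# with && so a failed or cancelled key import stops the run instead of
# letting reconfigure proceed with that server's substitutes unauthorized.
# NOTE(review): only the key import runs under sudo; `guix system reconfigure`
# needs root as well, so this target presumably runs as root or via
# `sudo make` -- confirm.
reconfigure:
	guix pull
	sudo guix archive --authorize < keys/non-guix.pub && \
	guix system reconfigure ./config.scm --substitute-urls='https://ci.guix.gnu.org https://bordeaux.guix.gnu.org https://substitutes.nonguix.org'
	guix home reconfigure ./home/home-configuration.scm
	make -C /home/zilti/.guix-home/profile/lib/browserpass hosts-firefox-user
	flatpak --user remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
#+end_src

* System Installation Script

This is to be run after setting up the partitions.

#+begin_src sh :tangle sysinst.sh
#!/bin/sh
# Abort on the first failing command, treat unset variables as errors and
# echo each command (was `set euxo -pipefail`, which only set positional
# parameters, so a failed mount went unnoticed). `-o pipefail` is left out:
# it is not POSIX sh and this script has no pipelines.
set -eux
mount /dev/disk/by-label/guix /mnt
mkdir -p /mnt/boot/efi
mount /dev/disk/by-label/EFI /mnt/boot/efi
herd start cow-store /mnt
GUIX_PROFILE="/root/.config/guix/current"
. "$GUIX_PROFILE/etc/profile"
hash guix
# NOTE(review): the installer's own daemon only uses substitutes.nonguix.org
# if its signing key has been authorized in the installer environment too
# (the Makefile does this for the installed system, this script does not);
# otherwise those substitutes are rejected and built locally -- confirm.
guix system -L. init config.scm /mnt --substitute-urls="https://ci.guix.gnu.org https://bordeaux.guix.gnu.org https://substitutes.nonguix.org"
#+end_src

* Modules

There are many community modules at [[https://whereis.みんな/][Whereis]].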
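#+NAME: module-list
- gnu
- gnu image
- gnu system nss
- guix channels
- rosenthal packages wm
- zilti packages hyprland
- nongnu packages firmware
- nongnu packages linux
- nongnu system linux-initrd

# NOTE(review): the noweb references inside the src blocks of this document
# appear as "<>"; the names between the angle brackets were lost in
# extraction and have to be restored from the original document.
#+begin_src scheme :noweb yes :exports none :results output :tangle config.scm
<>
#+end_src

#+RESULTS:

** Service Modules

#+NAME: service-module-list
- admin
- authentication
- base
- configuration
- dbus
- desktop
- docker
- linux
- networking
- nix
- pm
- sddm
- sound
- virtualization
- xorg

#+begin_src scheme :noweb yes :exports none :results output :tangle config.scm
<>
#+end_src

** Package Modules

#+NAME: package-module-list
- bootloaders
- certs
- containers
- freedesktop
- fonts
- gl
- gnome
- kde-frameworks
- linux
- pciutils
- qt
- readline
- terminals
- version-control
- virtualization
- wm
- xdisorg
- xorg

#+begin_src scheme :noweb yes :exports none :results output :tangle config.scm
<>
#+end_src

* Configuration Definitions

** File System

Update the file system labels:

#+begin_src shell
# XFS
xfs_io -c "label -s NEWLABEL" /
# FAT
fatlabel /dev/device NEWLABEL
#+end_src

#+NAME: config-filesystems
#+begin_src scheme :noweb yes
;; Both file systems are addressed by label (set with the commands above),
;; so the configuration does not depend on device names.
(file-systems
 (append
  (list (file-system
          (device (file-system-label "EFI"))
          (mount-point "/boot/efi")
          (type "vfat"))
        (file-system
          (device (file-system-label "guix"))
          (mount-point "/")
          (type "xfs")))
  %base-file-systems))
#+end_src

#+NAME: config-swap
#+begin_src scheme :noweb yes
(swap-devices
 (list (swap-space (target (file-system-label "swap")))))
#+end_src

** Channels

This adds the Nonguix channel.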
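#+NAME: root-channels
#+begin_src scheme :tangle channels.scm
(cons* (channel
        (name 'nonguix)
        (url "https://gitlab.com/nonguix/nonguix")
        ;; Enable signature verification:
        (introduction
         (make-channel-introduction
          "897c1a470da759236cc11798f4e0a5f7d4d59fbc"
          (openpgp-fingerprint
           "2A39 3FFF 68F4 EF7A 3D29 12AF 6F51 20A0 22FB B2D5"))))
       (channel
        (name 'emacs)
        (url "https://github.com/babariviere/guix-emacs")
        (introduction
         (make-channel-introduction
          "72ca4ef5b572fea10a4589c37264fa35d4564783"
          (openpgp-fingerprint
           "261C A284 3452 FB01 F6DF 6CF4 F9B7 864F 2AB4 6F18"))))
       (channel
        (name 'rosenthal)
        (url "https://codeberg.org/hako/rosenthal.git")
        (branch "trunk")
        (introduction
         (make-channel-introduction
          "7677db76330121a901604dfbad19077893865f35"
          (openpgp-fingerprint
           "13E7 6CD6 E649 C28C 3385 4DF5 5E5A A665 6149 17F7"))))
       ;; NOTE(review): unlike the three channels above, this one has no
       ;; channel introduction, so `guix pull` cannot authenticate its
       ;; commits; whatever the server at this URL serves is used as-is.
       ;; Add a (make-channel-introduction <commit> (openpgp-fingerprint
       ;; <fingerprint>)) once the channel carries a .guix-authorizations
       ;; file.
       (channel
        (name 'ziltis-channel)
        (url "https://gitea.lyrion.ch/zilti/guixchannel"))
       %default-channels)
#+end_src

#+RESULTS: root-channels :tangle channels.scm

#+RESULTS: root-channels

** Packages

#+NAME: root-packages
- bluez-firmware
- egl-gbm
- egl-wayland
- eglexternalplatform
- font-terminus
- fwupd-nonfree
- git
- glu
- hwdata
- hyprland-xwayland
- i915-firmware
- libdrm
- libglvnd
- linux-pam
- mesa
- nss-certs
- network-manager
- kwayland
- qtwayland
- readline
- tuxedo-keyboard
- xdg-desktop-portal-hyprland
- xdg-desktop-portal
- xf86-video-amdgpu
- xf86-video-intel
- xorg-server-xwayland
- xorg-server
- wayland
- amdgpu-firmware
- amd-microcode
- intel-microcode

#+NAME: root-package-block
#+begin_src scheme :noweb no-export
(packages (append <> %base-packages))
#+end_src

#+RESULTS: root-package-block

** Services

#+NAME: root-services-block
#+begin_src scheme :noweb yes :exports none :results code
(services (append <>
                  <>
                  (list polkit-wheel-service)
                  (list <>)
                  (list <>)
                  (list <>)))
#+end_src

*** Simple Services

These services are unmodified, or have only a few settings.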
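#+NAME: root-simple-services
| Service     | Options                                              |
|-------------+------------------------------------------------------|
| tlp         | ()                                                   |
| thermald    | ((adaptive? #t))                                     |
| bluetooth   | ()                                                   |
| earlyoom    | ((minimum-available-memory 5) (minimum-free-swap 5)) |
| inputattach | ()                                                   |
| libvirt     | ((unix-sock-group "libvirt"))                        |
| nix         | ()                                                   |
| virtlog     | ()                                                   |
| fstrim      | ()                                                   |
| fprintd     | ()                                                   |

#+NAME: root-simple-service-block
#+begin_src scheme :noweb yes :exports none :results output
<>
#+end_src

*** Unattended Upgrade Service

#+NAME: unattended-upgrade
#+begin_src scheme :noweb no-export
;; Cron-style schedule: Mondays at 12:05.
(service unattended-upgrade-service-type
         (unattended-upgrade-configuration
          (schedule "5 12 * * 1")
          (channels #~ <>)))
#+end_src

*** Hosts File

#+NAME: hosts-file-service
#+begin_src scheme :noweb no-export
(simple-service 'add-extra-hosts hosts-service-type
                (list (host "127.0.0.1" "l.redsky.io" '("ld.redsky.io"))
                      (host "::1" "l.redsky.io" '("ld.redsky.io"))))
#+end_src

*** Modified Desktop Services

# The three key files below are tangled from this document and are the trust
# roots for substitutes: a server whose key is listed here can supply
# pre-built binaries this system installs. Compare each `q` value against the
# key the respective server publishes before authorizing it.
#+NAME: nonguix-pubkey
#+begin_src scheme :tangle keys/non-guix.pub :mkdirp yes
(public-key
 (ecc
  (curve Ed25519)
  (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)
  )
 )
#+end_src

#+NAME: guix-ci-pubkey
#+begin_src scheme :tangle keys/guix-ci.pub :mkdirp yes
(public-key
 (ecc
  (curve Ed25519)
  (q #8D156F295D24B0D9A86FA5741A840FF2D24F60F7B6C4134814AD55625971B394#)
  )
 )
#+end_src

#+NAME: guix-bordeaux-pubkey
#+begin_src scheme :tangle keys/guix-bordeaux.pub :mkdirp yes
(public-key
 (ecc
  (curve Ed25519)
  (q #7D602902D3A2DBB83F8A0FB98602A754C5493B0B778C8D1DD4E0F41DE14DE34F#)
  )
 )
#+end_src

#+NAME: root-modified-desktop-services
#+begin_src scheme :exports none :results code :noweb no-export
;; The default screen locker and pulseaudio are dropped from
;; %desktop-services (a swaylock service is defined separately below), and
;; the guix daemon is configured to use nonguix substitutes: its URL is
;; added in front of the defaults and its key is appended to the authorized
;; keys (the key file is tangled from the block above).
(modify-services %desktop-services
  (delete screen-locker-service-type)
  (delete pulseaudio-service-type)
  (guix-service-type config =>
                     (guix-configuration
                      (inherit config)
                      (channels <>)
                      (substitute-urls
                       (append (list "https://substitutes.nonguix.org")
                               %default-substitute-urls))
                      (authorized-keys
                       (append (list (local-file "./keys/non-guix.pub"))
                               %default-authorized-guix-keys)))))
#+end_src

*** Screen Locker Service

For some reason, this service runs on root level for Guix.

#+NAME: screen-lock-service
#+begin_src scheme
;; using-setuid? #f: the locker is not wrapped as a setuid-root program
;; (inferred from the field name; confirm against the
;; screen-locker-configuration documentation).
(service screen-locker-service-type
         (screen-locker-configuration
          (name "swaylock")
          (program (file-append swaylock-effects "/bin/swaylock"))
          (using-setuid? #f)))
#+end_src

* Operating System

This is the full operating system specification.

#+begin_src scheme :noweb no-export :results code :tangle config.scm
(operating-system
 (host-name "ziltis-machine")
 (timezone "Europe/Berlin")
 (locale "de_DE.utf8")
 (keyboard-layout (keyboard-layout "de" #:options '("caps:swapescape")))
 (kernel linux)
 (initrd microcode-initrd)
 (firmware (list linux-firmware))
 (bootloader (bootloader-configuration
              (bootloader grub-efi-bootloader)
              (targets '("/boot/efi"))
              (keyboard-layout keyboard-layout)))
 ;; #; comments out the following datum; these two stay as a reminder of
 ;; the older file-system/swap variables.
 #;(file-systems %local-filesystem)
 #;(swap-devices %local-swap)
 <>
 <>
 ;; "wheel" grants sudo/polkit admin rights, "libvirt" access to the
 ;; libvirt socket (see unix-sock-group in the simple services table).
 (users (cons* (user-account
                (name "zilti")
                (group "users")
                (supplementary-groups '("avahi" "users" "input" "wheel" "netdev"
                                        "audio" "cdrom" "video" "libvirt" "lp")))
               %base-user-accounts))
 <>
 <>
 (name-service-switch %mdns-host-lookup-nss))
#+end_src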