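;;; Base operating-system definition shared by the author's machines.
;;;
;;; Layout: module imports, a small package that ships the author's own root
;;; CA certificates, the base package list (sudo and nano removed), two udev
;;; rules, and finally the `base-operating-system' record that per-host
;;; configurations are expected to inherit from and override (host-name in
;;; particular is a placeholder).
(define-module (ryan-config base-system)
  #:use-module (gnu)
  #:use-module (nongnu packages linux)
  #:use-module (gnu system setuid)
  #:use-module (gnu packages admin)
  #:use-module (gnu packages avahi)
  #:use-module (guix packages)
  #:use-module (gnu packages shells)
  #:use-module (guix build-system trivial)
  #:use-module (guix licenses)
  #:use-module (gnu packages tls)
  #:use-module (gnu packages spice)
  #:use-module (srfi srfi-1)
  #:use-module (ryan-packages freedesktop)
  #:use-module (ryan-packages wm)
  #:use-module (ryan-packages virtualization)
  #:use-module (ryan-packages linux)
  #:use-module (ryan-packages networking)
  #:use-module (rosenthal packages wm)
  #:use-module (rosenthal services networking)
  #:use-module (gnu packages security-token)
  #:use-module (gnu services security-token)
  #:use-module (gnu services cups)
  #:use-module (gnu services desktop)
  #:use-module (gnu services networking)
  #:use-module (gnu services xorg)
  #:use-module (gnu services ssh)
  #:use-module (gnu services nix)
  #:use-module (gnu services sound)
  #:use-module (gnu services docker)
  #:use-module (gnu services avahi)
  #:use-module (gnu services dbus)
  #:use-module (gnu services virtualization))

;; Package that installs my root CA public keys.
;;
;; Every `*.crt' file in ./CACerts is converted to PEM and written to
;; <out>/etc/ssl/certs/NAME.crt.pem.  The etc/ssl/certs layout is presumably
;; chosen so that Guix's CA-bundle profile hook picks the files up when the
;; package is installed system-wide -- confirm against the hook if the
;; resulting bundle does not contain them.  Note that whatever is in
;; ./CACerts becomes trusted by every TLS client on the system, so that
;; directory deserves the same care as the rest of this config.
(define my-ca-certs
  (package
    (name "my-ca-certs")
    (version "1")
    ;; Recursive so the whole directory, not a single file, is the source.
    (source (local-file "./CACerts" #:recursive? #t))
    (build-system trivial-build-system)
    (license mpl2.0)
    (home-page "https://rschanz.org")
    (arguments
     `(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils)
                      (srfi srfi-1)
                      (srfi srfi-26)
                      (ice-9 ftw))
         (let* ((ca-certificates (assoc-ref %build-inputs "source"))
                (crt-suffix ".crt")
                (is-certificate? (cut string-suffix? crt-suffix <>))
                ;; scandir also yields "." and ".."; the suffix filter drops
                ;; them along with anything that is not a .crt file.
                (certificates (filter is-certificate? (scandir ca-certificates)))
                (out (assoc-ref %outputs "out"))
                (certificate-directory (string-append out "/etc/ssl/certs"))
                ;; openssl comes from native-inputs, labelled by package name.
                (openssl (string-append (assoc-ref %build-inputs "openssl")
                                        "/bin/openssl")))
           (mkdir-p certificate-directory)
           ;; Re-encode each certificate as PEM; openssl fails the build
           ;; (via invoke) if a file is not a parseable X.509 certificate.
           (for-each (lambda (cert)
                       (invoke openssl "x509"
                               "-in" (string-append ca-certificates "/" cert)
                               "-outform" "PEM"
                               "-out" (string-append certificate-directory
                                                     "/" cert ".pem")))
                     certificates)
           #t))))
    (native-inputs (list openssl))
    (synopsis "My CA Certs")
    ;; The description field must be a string.  The original wrote
    ;; `(description synopsis)', which refers to a bare name rather than the
    ;; synopsis field above, so the same text is spelled out here.
    (description "My CA Certs")))

;; Base packages with sudo and nano removed.  Privilege escalation goes
;; through doas instead (see `setuid-programs' below), so sudo is also
;; dropped from %setuid-programs there.
(define %my-base-packages
  (remove (lambda (package)
            (member (package-name package) (list "sudo" "nano")))
          %base-packages))

;; Let members of the `video' group change the backlight brightness without
;; root: on hotplug, chgrp the sysfs brightness file and make it group
;; writable.
(define %backlight-udev-rule
  (udev-rule
   "90-backlight.rules"
   (string-append "ACTION==\"add\", SUBSYSTEM==\"backlight\", "
                  "RUN+=\"/run/current-system/profile/bin/chgrp video /sys/class/backlight/%k/brightness\""
                  "\n"
                  "ACTION==\"add\", SUBSYSTEM==\"backlight\", "
                  "RUN+=\"/run/current-system/profile/bin/chmod g+w /sys/class/backlight/%k/brightness\"")))

;; Grant the logged-in seat user access (via the `uaccess' tag) to a Flipper
;; Zero in its normal, DFU and ESP32 (WiFi dev board) USB modes.  Matching on
;; vendor/product id plus manufacturer string narrows the rule to those
;; devices; the "40??" product id is a glob.
(define %flipper-udev-rule
  (udev-rule
   "42-flipperzero.rules"
   (string-append "SUBSYSTEMS==\"usb\", ATTRS{idVendor}==\"0483\", ATTRS{idProduct}==\"5740\", ATTRS{manufacturer}==\"Flipper Devices Inc.\", TAG+=\"uaccess\""
                  "\n"
                  "SUBSYSTEMS==\"usb\", ATTRS{idVendor}==\"0483\", ATTRS{idProduct}==\"df11\", ATTRS{manufacturer}==\"STMicroelectronics\", TAG+=\"uaccess\""
                  "\n"
                  "SUBSYSTEMS==\"usb\", ATTRS{idVendor}==\"303a\", ATTRS{idProduct}==\"40??\", ATTRS{manufacturer}==\"Flipper Devices Inc.\", TAG+=\"uaccess\"")))

;; The shared operating-system record.  Per-host configs are expected to
;; inherit from this and at least override `host-name'.
(define-public base-operating-system
  (operating-system
    (kernel linux)
    (firmware (list linux-firmware))
    (locale "en_US.utf8")
    (timezone "America/New_York")
    (keyboard-layout (keyboard-layout "us"))
    ;; Placeholder; override per host.
    (host-name "ThisWillChange")

    ;; The list of user accounts ('root' is implicit).
    ;; Note on the supplementary groups: "wheel" is what doas/polkit grant
    ;; admin rights to, and "docker", "libvirt" and "kvm" each give this user
    ;; access to a daemon or device that is effectively root-equivalent, so
    ;; this account should be treated as an administrator account.
    (users (cons* (user-account
                   (name "ryan")
                   (comment "Ryan")
                   (group "users")
                   (shell (file-append fish "/bin/fish"))
                   (home-directory "/home/ryan")
                   (supplementary-groups '("wheel" "netdev" "audio" "video"
                                           "lp" "plugdev" "docker" "libvirt"
                                           "kvm" "dialout")))
                  %base-user-accounts))

    ;; Packages installed system-wide.  Users can also install packages
    ;; under their own account: use 'guix search KEYWORD' to search
    ;; for packages and 'guix install PACKAGE' to install a package.
    (packages
     (append
      (map specification->package
           (list "sway"
                 "hyprland"
                 "swaybg"
                 ;"swayidle"
                 ;"swaylock-effects"
                 "fuzzel"
                 "foot"
                 "pinentry-qt"
                 "adwaita-icon-theme"
                 "hicolor-icon-theme"
                 "git"
                 ;"waybar"
                 "gnupg"
                 "light"
                 "avahi"
                 "mako"
                 "grim"
                 "grimblast"
                 "slurp"
                 "wl-clipboard"
                 ;"bluez"
                 ;"blueman"
                 "ldacbt"
                 "libfreeaptx"
                 "libfdk"
                 "opendoas"
                 ;"xdg-desktop-portal-wlr"
                 "xdg-desktop-portal"
                 "xdg-desktop-portal-gtk"
                 "v4l2loopback-linux-module"
                 "pipewire"
                 "docker"
                 ;"libvirt" ;New version inherited from service
                 ;"virt-manager"
                 "dconf"
                 "wireplumber"
                 "wireshark"
                 "webkitgtk-with-libsoup2" ; Needed for Go wails development
                 "zsh"))
      ;; Locally defined / patched packages that replace the commented-out
      ;; entries above.
      (list my-ca-certs
            swaylock-effects-new
            xdg-desktop-portal-hyprland-ryan
            virt-manager-ovmf
            bluez-ryan
            blueman-ryan
            swayidle-new
            waybar-new)
      %my-base-packages))

    ;; Below is the list of system services.  To search for available
    ;; services, run 'guix system search KEYWORD' in a terminal.
    (services
     (append
      (list
       ;; To configure OpenSSH, pass an 'openssh-configuration'
       ;; record as a second argument to 'service' below.  With the
       ;; default configuration the daemon listens on all interfaces;
       ;; consider an explicit configuration (e.g. key-only auth) on hosts
       ;; that inherit this.
       (service openssh-service-type)
       ;; Smart-card daemon, used with the FIDO2/security-token udev rules.
       (service pcscd-service-type)
       (service cups-service-type
                (cups-configuration
                 (web-interface? #t)))
       ;; Avahi is only present for CUPS to support "automagic" printing.
       ;; Both publish flags are off: this machine should not advertise
       ;; itself -- I want it to be as silent as possible.
       (service avahi-service-type
                (avahi-configuration
                 (publish? #f)
                 (publish-workstation? #f)))
       (service docker-service-type)
       ;; Tailscale daemon from rosenthal.
       (service tailscale-service-type) ; TODO: Add BIRD socket
       (service nix-service-type)
       ;; libvirt with OVMF firmware; members of the "libvirt" group may use
       ;; the socket (the ryan account is one of them).
       (service libvirt-service-type
                (libvirt-configuration
                 (libvirt libvirt-ovmf)
                 (unix-sock-group "libvirt")))
       (service virtlog-service-type)
       (simple-service 'spice-polkit polkit-service-type (list spice-gtk))
       ;; NOTE(review): this looks like leftover scaffolding -- it installs
       ;; /etc/udev-here-oneoneone containing "test", which is not an hwdb
       ;; file.  Remove it or replace it with the intended content.
       (simple-service 'hwdb-creation etc-service-type
                       (list `("udev-here-oneoneone" ,(plain-file "issue" "test\n"))))
       (service bluetooth-service-type
                (bluetooth-configuration
                 (bluez bluez-ryan)
                 (experimental #t)
                 (fast-connectable? #t)))
       ;; Give the "plugdev" group access to FIDO2 tokens.
       (udev-rules-service 'fido2 libfido2 #:groups '("plugdev")))
      ;; This is the default list of services we
      ;; are appending to.
      (modify-services %desktop-services
        ;; Trust the nonguix substitute server and its signing key in
        ;; addition to the defaults.  Anything this key signs is accepted
        ;; as a substitute, so it has the same trust level as the build
        ;; farm's own key.
        (guix-service-type
         config => (guix-configuration
                    (inherit config)
                    (substitute-urls
                     (append (list "https://substitutes.nonguix.org")
                             %default-substitute-urls))
                    (authorized-keys
                     (cons* (plain-file "non-guix.pub"
                                        "(public-key (ecc (curve Ed25519) (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#) ) )")
                            %default-authorized-guix-keys))))
        (udev-service-type
         config => (udev-configuration
                    (inherit config)
                    (rules (cons* %backlight-udev-rule
                                  %flipper-udev-rule
                                  (udev-configuration-rules config)))))
        ;; Let the window manager / idle daemon handle power and lid events;
        ;; elogind itself ignores them.  `'ignore' is equivalent to the
        ;; quasiquoted symbol the original used.
        (elogind-service-type
         config => (elogind-configuration
                    (inherit config)
                    (handle-power-key 'ignore)
                    (handle-suspend-key 'ignore)
                    (handle-lid-switch 'ignore)
                    (kill-user-processes? #t)))
        (delete pulseaudio-service-type)
        (delete gdm-service-type)
        ;; Replaced by the non-advertising avahi instance above.
        (delete avahi-service-type)
        ;(delete xorg-server-service-type)
        (delete alsa-service-type))))

    ;; Enable .local lookup.
    (name-service-switch %mdns-host-lookup-nss)

    ;; Setuid-root helpers.  Each of these runs as root for any local user,
    ;; so the list is deliberately short; sudo is removed because doas is
    ;; the only escalation path.  dumpcap as setuid root lets every user
    ;; capture traffic -- if that is not intended, a `setuid-program' record
    ;; with `setgid?' and a dedicated group would restrict it to that group.
    (setuid-programs
     (append
      (list (file-like->setuid-program
             (file-append
              ;(specification->package "swaylock-effects")
              swaylock-effects-new
              "/bin/swaylock"))
            (file-like->setuid-program
             (file-append (specification->package "wireshark")
                          "/bin/dumpcap"))
            (file-like->setuid-program
             (file-append (specification->package "spice-gtk")
                          "/libexec/spice-client-glib-usb-acl-helper"))
            (file-like->setuid-program
             (file-append (specification->package "opendoas")
                          "/bin/doas")))
      (delete sudo %setuid-programs)))

    ;; /tmp on tmpfs (no size limit set, so it is bounded only by RAM/swap).
    (file-systems (cons* (file-system
                           (mount-point "/tmp")
                           (device "none")
                           (type "tmpfs")
                           (check? #f))
                         %base-file-systems))

    (bootloader (bootloader-configuration
                 (bootloader grub-efi-bootloader)
                 (targets (list "/boot/efi"))
                 (keyboard-layout keyboard-layout)))))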