

;; Copyright © 2021, 2022, 2023 Joshua Branson <jbranso@dismail.de>
;;
;; This is an operating system configuration template for a "basic desktop" setup using the sway window manager.
;; I am trying to make my computer a LIFE computer.
;; This means that it would NOT run any graphical program.
;;
;; Put the directory holding this file on the module search path, so the
;; (commented-out) sibling modules below could be loaded from next to it.
(add-to-load-path (dirname (current-filename)))
(use-modules (gnu)
             (guix)
             ;; (guile-web)
             (srfi srfi-1)                      ;for `remove' in %my-base-packages
             ;; (secret nginx)
             ;; (secret hostfile)
             ;;(guixrus packages wayland-xyz)
             )
;; Service modules for everything instantiated in the `services' field below
;; (dicod, dovecot, nginx, mcron, sysctl, zram, avahi, ...).
(use-service-modules avahi
                     databases
                     ;; base
                     desktop ;for fontconfig-file-service
                     dbus
                     dict
                     linux
                     mail
                     mcron
                     networking
                     sound
                     sysctl
                     web)
;; findutils and idutils are referenced from the mcron job gexps.
(use-package-modules base idutils ;gnome
                     package-management)
;; (define mbsync-every-5-minutes
;;   ;; Every 5 minutes
;;   ;; The job's action is a shell command.
;;   #~(job "*/5 * * * *" "mbsync -c /home/joshua/.mbsyncrc -a"
;;          #:user "joshua"))
  36. (define %15-minutes
  37. (* 15 60))
  38. (define updatedb-job
  39. ;; Run 'updatedb' at 11AM every day. Here we write the
  40. ;; job's action as a Scheme procedure.
  41. #~(job '(next-hour '(11))
  42. (lambda ()
  43. (execl (string-append #$findutils "/bin/updatedb") "updatedb"
  44. "--prunepaths=/tmp /var/tmp /gnu/store")) "updatedb"))
  45. (define idutils-job
  46. ;; Update the index database as user "charlie" at 12:15PM
  47. ;; and 19:15PM. This runs from the user's home directory.
  48. #~(job '(next-minute-from (next-hour '(12 19))
  49. '(15))
  50. (string-append #$idutils "/bin/mkid src")
  51. #:user "charlie"))
;; I do not use zile, so there is no need to have it.
  53. (define %my-base-packages
  54. (remove (lambda (package
  55. )
  56. (member (package-name package)
  57. (list "zile"))) %base-packages))
;; (define (auto-login-to-tty config tty user)
;;   (if (string=? tty
;;                 (mingetty-configuration-tty config))
;;       (mingetty-configuration (inherit config)
;;                               (auto-login user)) config))
;;(define %current-directory "/home/joshua/prog/gnu/guix/guix-config/")
  64. (define %current-directory
  65. (dirname (current-filename)))
  66. (define* (path-join #:rest args)
  67. (string-join args "/"))
  68. (define (config-file file)
  69. (local-file (path-join %conf-dir file)))
  70. (define %my-base-services
  71. (modify-services %base-services
  72. ;; elogind-service
  73. ;; I customize my pulseaudio-service down below,
  74. ;; so I need to remove it here.
  75. ;;
  76. ;; I would prefer to instead of copying the file, just modify the default script
  77. ;; certainly guile can take the default script, change a line, and pass back
  78. ;; the modified file.
  79. ;;
  80. ;; This bit of code lets me change the input and out speakers and microphones for my laptop
  81. ;; so that I can use the nice headset that I have.
  82. (delete agetty-service-type)
  83. (delete mingetty-service-type)
  84. (delete mingetty-service-type)
  85. (delete mingetty-service-type)
  86. (delete mingetty-service-type)
  87. (delete mingetty-service-type)
  88. (delete mingetty-service-type)
  89. ;; (mingetty-service-type config =>
  90. ;; (auto-login-to-tty config "tty2" "joshua"))
  91. ;; (mingetty-service-type config =>
  92. ;; (auto-login-to-tty config "tty3" "joshua"))
  93. (guix-service-type
  94. config =>
  95. (guix-configuration (inherit config)
  96. (discover? #t)
  97. (max-silent-time %15-minutes)
  98. (substitute-urls
  99. (append (list
  100. ;; this substitute can be slow sometimes.
  101. ;;"https://bordeaux-us-east-mirror.cbaines.net/"
  102. "https://guix.tobias.gr"
  103. "https://substitutes.nonguix.org")
  104. %default-substitute-urls))
  105. (authorized-keys
  106. (append
  107. (list
  108. (plain-file
  109. "substitutes.nonguix.org"
  110. "(public-key\n (ecc\n (curve Ed25519)\n (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)\n )\n )")
  111. (plain-file
  112. "guix.tobias.gr"
  113. "(public-key\n (ecc\n (curve Ed25519)\n (q #E21911E159DB6D031A763509A255B054360A4A96F5668CBBAC48052E67D274D3#)\n )\n )\n")
  114. (plain-file
  115. "bordeaux.guix.gnu.org.signing.key"
  116. "\n(public-key\n (ecc\n (curve Ed25519)\n (q #7D602902D3A2DBB83F8A0FB98602A754C5493B0B778C8D1DD4E0F41DE14DE34F#)\n )\n )"))))
  117. ;; TODO would this work? it would be like adding --fallback by default.
  118. ;; (fallback #t)
  119. ;; (timeout %15-minutes)
  120. ;; ok specifying the --fallback breaks the daemon. weird.
  121. ;; (extra-options '("--fallback"))
  122. ;; I have two CPUs...
  123. (extra-options '("--max-jobs=2"))))
  124. ;; <dstolfa> jab`: you can also check `sysctl kernel.unprivileged_bpf_disabled`,
  125. ;; if that returns 1, that means it only works with root
  126. ;; https://vez.mrsk.me/linux-hardening.html#kern
  127. (sysctl-service-type config =>
  128. (sysctl-configuration
  129. (settings
  130. (append
  131. '(("vm.swappiness" . "30")
  132. ;; disable ipv6
  133. ("net.ipv6.conf.all.disable_ipv6" . "1")
  134. ("net.ipv6.conf.all.disable_policy" . "1")
  135. ("net.ipv6.conf.default.disable_ipv6" . "1")
  136. ("net.ipv6.conf.default.disable_policy" . "1")
  137. ("net.ipv6.conf.enp0s10.disable_ipv6" . "1")
  138. ("net.ipv6.conf.enp0s10.disable_policy" . "1")
  139. ("net.ipv6.conf.lo.disable_ipv6" . "1")
  140. ("net.ipv6.conf.lo.disable_policy" . "1")
  141. ;; disable ebpf in kernel virtual machine for unprivledged users
  142. ("sysctl kernel.unprivileged_bpf_disabled" . "1")
  143. ("spec_store_bypass_disable" . "on")
  144. ("spectre_v2" . "on")
  145. ("lld_flush" . "on")
  146. ;; need to enable apparmor for this...
  147. ;; ("lockdown" . "confidentiality")
  148. ("init_on_alloc" . "1")
  149. ("init_on_free" . "1")
  150. ("page_alloc.shuffle" . "1")
  151. ;; ("slab_nomerge")
  152. ("vsyscall" . "1")
  153. ;; ("slub_debug" . "F")
  154. ("randomize_kstack_offset" . "1")
  155. ;; disable re-leading a running kernel
  156. ("kernel.kexec_load_disabled" . "1")
  157. ;; restrict kernel pointers
  158. ("kernel.kptr_restrict" . "2")
  159. ;; unprivledegd users cannot get perf events
  160. ("kernel.perf_event_paranoid" . "3")
  161. ;; only privledged users can use bpf
  162. ("net.core.bpf_jit_harden" . "2")
  163. ("kernel.unprivleged_bpf" . "1")
  164. ;; prevest some proofing attacks
  165. ("net.ipv4.conf.all.rp_filter" . "1")
  166. ("net.ipv4.conf.default.rp_filter" . "1")
  167. ;; disable icmp redirects and
  168. ;; RFC1620 shared media redirects
  169. ("net.ipv4.conf.all.accept_redirects" . "0")
  170. ("net.ipv4.conf.all.secure_redirects" . "0")
  171. ("net.ipv4.conf.all.send_redirects" . "0")
  172. ("net.ipv4.conf.all.shared_media" . "0")
  173. ("net.ipv4.conf.default.accept_redirects" . "0")
  174. ("net.ipv4.conf.default.secure_redirects" . "0")
  175. ("net.ipv4.conf.default.send_redirects" . "0")
  176. ("net.ipv4.conf.default.shared_media" . "0")
  177. ("net.ipv6.conf.all.accept_redirects" . "0")
  178. ("net.ipv6.conf.default.accept_redirects" . "0")
  179. ;; disallow source-routed packets
  180. ("net.ipv4.conf.all.accept_source_route" . "0")
  181. ("net.ipv4.conf.default.accept_source_route" . "0")
  182. ("net.ipv6.conf.all.accept_source_route" . "0")
  183. ("net.ipv6.conf.default.accept_source_route" . "0")
  184. ;; disable pings sent to a broadcast address
  185. ("net.ipv4.icmp_echo_ignore_broadcasts" . "1")
  186. ;; disable bogus icmp error responses
  187. ("net.ipv4.icmp_ignore_bogus_error_responses" . "1")
  188. ;; protect against time-wait assassination hazards in tcp
  189. ("net.ipv4.tcp_rfc1337" . "1")
  190. ("net.ipv4.tcp_sack" . "0")
  191. ("net.ipv4.tcp_dsack" . "0")
  192. ("net.ipv4.tcp_timestamps" . "0")
  193. ("vm.mmap_rnd_bits" . "32")
  194. ("vm.mmap_rnd_compat_bits" . "16")
  195. ("net.ipv4.icmp_echo_ignore_all" . "1"))
  196. %default-sysctl-settings))))))
  197. (operating-system
  198. (host-name "dobby")
  199. ;; (hosts-file
  200. ;; (plain-file "hosts"
  201. ;; (string-append
  202. ;; "127.0.0.1 localhost dobby\n"
  203. ;; "127.0.0.1 localhost dobby\n"
  204. ;; "127.0.0.1 guile.web.server.com guile.web.com www.date.com date.com\n"
  205. ;; "127.0.0.1 local.gnucode.me\n"
  206. ;; "127.0.0.1 local.the-nx.com\n"
  207. ;; ;; this is my guix linode server
  208. ;; "45.56.66.20 locke-lamora lamora locke\n"
  209. ;; "127.0.0.1 local.propernaming.org"
  210. ;; ;;%other-hosts-file-lines
  211. ;; "::1 localhost dobby"
  212. ;; )))
  213. (timezone "America/Indiana/Indianapolis")
  214. (locale "en_US.utf8")
  215. ;; (initrd-modules (list "e1000e" "i915" %base-initrd-modules))
  216. ;; when I reboot, does cat /proc/cmdline still show that I blacklisted:
  217. ;; modprobe.blacklist=usbmouse,usbkbd ?
  218. (kernel-arguments (append (list "modprobe.blacklist=pcspkr"
  219. ;; use the next line when you need to update
  220. ;; the libreboot firmware
  221. ;;"iomem=relaxed"
  222. )
  223. %default-kernel-arguments))
  224. (keyboard-layout (keyboard-layout "us"
  225. "dvorak"
  226. #:model "thinkpad"
  227. #:options '("ctrl:swapcaps")))
  228. ;; Boot in "legacy" BIOS mode, assuming /dev/sdX is the
  229. ;; target hard disk, and "my-root" is the label of the target
  230. ;; root file system.
  231. (bootloader (bootloader-configuration
  232. (bootloader grub-bootloader)
  233. (keyboard-layout keyboard-layout)
  234. (targets (list "/dev/sda"))))
  235. (mapped-devices (list (mapped-device
  236. (source (uuid "d78d224d-4b5a-416e-afef-3ce77c4bd5ac"))
  237. (target "cryptroot")
  238. (type luks-device-mapping))))
  239. (file-systems (cons* (file-system
  240. (device "tmpfs")
  241. (mount-point "/home/joshua/tmp")
  242. (type "tmpfs")
  243. (check? #f)
  244. (flags '(no-suid no-dev))
  245. (options "size=50%") ;TODO: make size configurable
  246. (create-mount-point? #t))
  247. (file-system
  248. (mount-point "/")
  249. (device "/dev/mapper/cryptroot")
  250. (type "ext4")
  251. (dependencies mapped-devices))
  252. ;; (file-system
  253. ;; (mount-point "/mnt/debian")
  254. ;; (device "/dev/sda3")
  255. ;; (type "ext4"))
  256. %base-file-systems))
  257. (users (cons* (user-account
  258. (name "joshua")
  259. (comment "Joshua Branson")
  260. (group "users")
  261. (home-directory "/home/joshua")
  262. (supplementary-groups '("audio" "kvm" "netdev" "wheel"
  263. "seat"))) %base-user-accounts))
  264. ;; Globally-installed packages.
  265. (packages (append (map specification->package
  266. '("nss-certs")) %my-base-packages))
  267. (services
  268. (cons* (service dicod-service-type)
  269. ;; The global fontconfig cache directory can sometimes contain
  270. ;; stale entries, possibly referencing fonts that have been GC'd,
  271. ;; so mount it read-only.
  272. fontconfig-file-system-service
  273. (service dbus-root-service-type)
  274. (service dhcp-client-service-type)
  275. ;; guix now requires the avahi service type
  276. (service avahi-service-type)
  277. (simple-service 'add-extra-hosts hosts-service-type
  278. (list (host "127.0.0.1" "dobby"
  279. '("local.gnucode.me"
  280. "local.propernaming.org"))
  281. (host "45.56.66.20" "locke-lamora"
  282. '("lamora" "locke"))))
  283. ;; this lets connman connect to encrypted wifi.
  284. ;; (service wpa-supplicant-service-type)
  285. ;; if you ever need to connect to wireless networks,
  286. ;; just use the command: cmst
  287. ;; there should also be a logo on the top of the sway status bar too.
  288. ;; (service connman-service-type
  289. ;; (connman-configuration
  290. ;; (disable-vpn? #t)
  291. ;; (iwd? #f)))
  292. ;; https://lists.gnu.org/archive/html/help-guix/2016-08/msg00061.html
  293. ;; https://help.ubuntu.com/community/Dovecot
  294. ;; https://help.ubuntu.com/community/DovecotLDAP
  295. (service dovecot-service-type
  296. (dovecot-configuration (mail-location
  297. "maildir:~/.mail/dismail.de:LAYOUT=fs")
  298. (listen '("127.0.0.1"))
  299. ;; this will change a login of "joshua" to a login of "joshua@dismail.de"
  300. ;; (auth-default-realm "dismail.de")
  301. ;; I do not need ssl support in a locally running dovecot. :)
  302. (ssl? "no")
  303. ;; I have find this useful if dovecot cannot find
  304. ;; my mail
  305. (mail-debug? #t)
  306. ;; currently the only way to login to dovecot is to use
  307. ;; joshua and my regular user password
  308. ;; joshua@dismail.de fails and
  309. ;; jbranso@dismial.de fails.
  310. (protocols (list (protocol-configuration
  311. (name "imap")
  312. (mail-max-userip-connections
  313. 1))))
  314. (services (list (service-configuration
  315. (kind "imap")
  316. (client-limit 1))))))
  317. (service greetd-service-type
  318. (greetd-configuration (greeter-supplementary-groups (list
  319. "video"
  320. "input"
  321. "seat"))
  322. (terminals (list (greetd-terminal-configuration
  323. (terminal-vt "1")
  324. (terminal-switch #t))
  325. (greetd-terminal-configuration
  326. (terminal-vt "2")
  327. (terminal-switch #t))
  328. (greetd-terminal-configuration
  329. (terminal-vt "3")
  330. (terminal-switch #t))
  331. (greetd-terminal-configuration
  332. (terminal-vt "4")
  333. (terminal-switch #t))
  334. (greetd-terminal-configuration
  335. (terminal-vt "5")
  336. (terminal-switch #t))
  337. (greetd-terminal-configuration
  338. (terminal-vt "6")
  339. (terminal-switch #t))))))
  340. (service mingetty-service-type
  341. (mingetty-configuration (tty "tty8")))
  342. (service mingetty-service-type
  343. (mingetty-configuration (tty "tty7")))
  344. ;; enable gpg
  345. ;;
  346. ;; GPG_TTY=$(tty)
  347. ;; export GPG_TTY
  348. ;; # start the gpg agent
  349. ;; gpgconf --kill gpg-agent # (just in case it’s already running)
  350. ;; eval $(gpg-agent --daemon) # start the gpg-agent
  351. ;; (service gpg-agent-service-type)
  352. (service mcron-service-type
  353. (mcron-configuration (jobs (list idutils-job updatedb-job
  354. ;;mbsync-every-5-minutes
  355. ))))
  356. ;; (service nftables-service-type
  357. ;; (nftables-configuration
  358. ;; (ruleset
  359. ;; (local-file (string-append %current-directory "nftables.conf")))))
  360. (service nginx-service-type
  361. (nginx-configuration
  362. (server-blocks
  363. (list
  364. (nginx-server-configuration
  365. (server-name '("date.com"))
  366. (listen '("date.com"))
  367. (root
  368. "/home/joshua/prog/guile/decent-dating/")
  369. (locations (list
  370. (nginx-location-configuration
  371. (uri
  372. "/")
  373. (body '
  374. ("proxy_pass http://date.com:8082;")))
  375. (nginx-location-configuration
  376. (uri
  377. "/css/")
  378. (body '
  379. ("root /home/joshua/prog/guile/decent-dating/;")))
  380. (nginx-location-configuration
  381. (uri
  382. "/img/")
  383. (body '
  384. ("root /home/joshua/prog/guile/decent-dating/;"))))))
  385. (nginx-server-configuration
  386. (server-name '("local.gnucode.me"))
  387. (listen '("local.gnucode.me"))
  388. ;; (root "/home/joshua/prog/guile/gnucode.me/site/")
  389. (root
  390. "/srv/http/gnucode.me/site/")
  391. (locations (list
  392. (nginx-location-configuration
  393. (uri
  394. "/form/")
  395. (body '
  396. ("proxy_pass http://local.gnucode.me:8081;")))
  397. (nginx-location-configuration
  398. (uri
  399. "/form/css/")
  400. (body '
  401. ("root /home/joshua/prog/guile/;"))))))
  402. (nginx-server-configuration
  403. (server-name '("local.the-nx.com"))
  404. (listen '("local.the-nx.com"))
  405. ;; (root "/home/joshua/prog/guile/gnucode.me/site/")
  406. (root
  407. "/srv/http/gnucode.me/site/")
  408. (locations (list
  409. (nginx-location-configuration
  410. (uri
  411. "/")
  412. (body '
  413. ("proxy_pass http://local.the-nx.com:8080;"))))))
  414. ;; (nginx-server-configuration
  415. ;; (server-name '("local.propernaming.org"))
  416. ;; (listen '("local.propernaming.org"))
  417. ;; (root "/home/joshua/prog/guile/propernaming/site/")
  418. ;; (locations
  419. ;; (list
  420. ;; (nginx-location-configuration
  421. ;; (uri "/css/")
  422. ;; (body '("root /home/joshua/prog/guile/propernaming/site/;")))
  423. ;; )))
  424. ;; %nginx-servers
  425. ))))
  426. ;; (openvpn-client-service
  427. ;; #:config
  428. ;; (openvpn-client-configuration
  429. ;; (ca "/home/joshua/prog/guile/guix-config/vpn/ca.crt")
  430. ;; ;;(cert "/home/joshua/prog/guile/guix-config/vpn/client.crt")
  431. ;; (key "/home/joshua/prog/guile/guix-config/vpn/client.key")
  432. ;; ;; the expressvpn file I use disables lzo compression
  433. ;; (comp-lzo? #f)
  434. ;; (auth-user-pass "/home/joshua/login.conf")
  435. ;; (remote
  436. ;; (list
  437. ;; (openvpn-remote-configuration
  438. ;; (name "213.232.87.77")
  439. ;; (port 1195))))))
  440. (service seatd-service-type)
  441. ;; make guix system autoupgrade itself once a week!
  442. ;; this is currently failing...see /var/log/unattended-upgrade.log
  443. ;; (service unattended-upgrade-service-type
  444. ;; (unattended-upgrade-configuration
  445. ;; (schedule "30 01 * * 0")
  446. ;; (system-expiration (* 3 30 24 3600))))
  447. ;; currently does not work so not enabling it.
  448. ;; (service wireguard-service-type
  449. ;; (wireguard-configuration
  450. ;; (private-key "/home/joshua/prog/gnu/guix/guix-config/wireguard-keys/laptop.private.key")
  451. ;; (peers
  452. ;; (list
  453. ;; (wireguard-peer
  454. ;; (name "my client laptop")
  455. ;; (endpoint "wireguard.gnucode.me:51820")
  456. ;; (public-key "9zhoGW8DYr9zJHFbzBZUSBQHWlY6h/9HeoNzrC58dTc=")
  457. ;; (allowed-ips '("0.0.0.0/0")))))))
  458. ;; Fedora is including a zram device by default
  459. (service zram-device-service-type
  460. (zram-device-configuration (size "512M")))
  461. ;; The global fontconfig cache directory can sometimes contain
  462. ;; stale entries, possibly referencing fonts that have been GC'd,
  463. ;; so mount it read-only.
  464. ;; fontconfig-file-system-service
  465. (service ntp-service-type)
  466. ;; %desktop-services has both pulse and alsa services defined.
  467. (service pulseaudio-service-type
  468. (pulseaudio-configuration (script-file (local-file (string-append
  469. %current-directory
  470. "/pulse/default.pa")))))
  471. (service alsa-service-type)
  472. %my-base-services))
  473. ;; I can read 'man 5 suoders' for tips about the syntax of suoders file.
  474. ;; the very end of the file has some examples.
  475. (sudoers-file (plain-file "sudoers"
  476. (string-append (plain-file-content
  477. %sudoers-specification)
  478. "Cmnd_Alias KILL = /run/current-system/profile/bin/kill\n"
  479. "Cmnd_Alias SHUTDOWN = /run/current-system/profile/sbin/shutdown\n"
  480. "Cmnd_Alias HALT = /run/current-system/profile/sbin/halt\n"
  481. "Cmnd_Alias REBOOT = /run/current-system/profile/sbin/reboot\n"
  482. "Cmnd_Alias HERD = /run/current-system/profile/bin/HERD\n"
  483. "joshua ALL = KILL, SHUTDOWN, HALT, REBOOT, HERD \n")))
  484. ;; ;; Here the user joshua may run basic maintence tasks such as
  485. ;; starting/stoping services, rebooting, wifi, etc.
  486. )