Diffstat (limited to 'deployment/systems')
-rw-r--r--deployment/systems/aisaka.scm698
-rw-r--r--deployment/systems/akashi.scm125
-rw-r--r--deployment/systems/asakura.scm132
-rw-r--r--deployment/systems/cokolwiek.scm105
-rw-r--r--deployment/systems/git-ignore.conf48
-rw-r--r--deployment/systems/gitconfig10
-rw-r--r--deployment/systems/mcdowell.scm121
-rw-r--r--deployment/systems/rakan.scm241
8 files changed, 1480 insertions, 0 deletions
diff --git a/deployment/systems/aisaka.scm b/deployment/systems/aisaka.scm
new file mode 100644
index 0000000..e5c2945
--- /dev/null
+++ b/deployment/systems/aisaka.scm
@@ -0,0 +1,698 @@
+;;; SPDX-License-Identifier: GPL-3.0-or-later
+;;; SPDX-FileCopyrightText: 2024-2026 Marek Paśnikowski <marek@marekpasnikowski.pl>
+
+(define-module (deployment systems aisaka)
+ #:use-module (guix gexp)
+ #:use-module ((deployment keys)
+ #:prefix deployment:keys:)
+ #:use-module ((gnu bootloader)
+ #:prefix gnu:bootloader:)
+ #:use-module ((gnu bootloader grub)
+ #:prefix gnu:bootloader:grub:)
+ #:use-module ((gnu packages)
+ #:prefix gnu:packages:)
+ #:use-module ((gnu packages linux)
+ #:prefix gnu:packages:linux:)
+ #:use-module ((gnu packages tls)
+ #:prefix gnu:packages:tls:)
+ #:use-module ((gnu packages version-control)
+ #:prefix gnu:packages:version-control:)
+ #:use-module ((gnu services)
+ #:prefix gnu:services:)
+ #:use-module ((gnu services base)
+ #:prefix gnu:services:base:)
+ #:use-module ((gnu services certbot)
+ #:prefix gnu:services:certbot:)
+ #:use-module ((gnu services cgit)
+ #:prefix gnu:services:cgit:)
+ #:use-module ((gnu services dns)
+ #:prefix gnu:services:dns:)
+ #:use-module ((gnu services mail)
+ #:prefix gnu:services:mail:)
+ #:use-module ((gnu services networking)
+ #:prefix gnu:services:networking:)
+ #:use-module ((gnu services shepherd)
+ #:prefix gnu:services:shepherd:)
+ #:use-module ((gnu services version-control)
+ #:prefix gnu:services:version-control:)
+ #:use-module ((gnu services web)
+ #:prefix gnu:services:web:)
+ #:use-module ((gnu system)
+ #:prefix gnu:system:)
+ #:use-module ((gnu system accounts)
+ #:prefix gnu:system:accounts:)
+ #:use-module ((gnu system file-systems)
+ #:prefix gnu:system:file-systems:)
+ #:use-module ((gnu system keyboard)
+ #:prefix gnu:system:keyboard:)
+ #:use-module ((gnu system linux-initrd)
+ #:prefix gnu:system:linux-initrd:)
+ #:use-module ((gnu system locale)
+ #:prefix gnu:system:locale:)
+ #:use-module ((gnu packages matrix)
+ #:prefix gnu:packages:matrix:)
+ #:use-module ((gnu system nss)
+ #:prefix gnu:system:nss:)
+ #:use-module ((gnu system pam)
+ #:prefix gnu:system:pam:)
+ #:use-module ((gnu system shadow)
+ #:prefix gnu:system:shadow:)
+ #:use-module ((guix diagnostics)
+ #:prefix guix:diagnostics:)
+ #:use-module ((nongnu packages linux)
+ #:prefix nongnu:packages:linux:)
+ #:use-module ((nongnu system linux-initrd)
+ #:prefix nongnu:system:linux-initrd:)
+ #:use-module ((sovereign devices)
+ #:prefix sovereign:devices:)
+ #:use-module ((sovereign devices amd64)
+ #:prefix sovereign:devices:amd64:)
+ #:use-module ((sovereign packages jekyll)
+ #:prefix sovereign:packages:jekyll:)
+ #:use-module ((sovereign services)
+ #:prefix sovereign:services:)
+ #:use-module ((sovereign systems)
+ #:prefix sovereign:systems:)
+ #:use-module ((users id1000)
+ #:prefix users:id1000:)
+ #:use-module ((users vmail)
+ #:prefix users:vmail:))
+
+(define-public architecture "x86_64-linux")
+
+(define-public system-name "aisaka")
+
+(define ip-multimedia "81.190.248.246")
+
+(define ip-otvarta "95.171.119.109")
+
+(define spf-value
+ (string-append "\"v=spf1 ip4:"
+ ip-otvarta
+ " -all\""))
+
+(define ttl "3600")
+
+(gnu:services:dns:define-zone-entries
+ marekpasnikowski.pl-entries
+ ("@" ttl "IN" "A" ip-otvarta)
+ ("ns1" ttl "IN" "A" ip-otvarta)
+ ("@" ttl "IN" "NS" "ns1.marekpasnikowski.pl.")
+ ("@" ttl "IN" "A" ip-multimedia)
+ ("www" ttl "IN" "A" ip-multimedia)
+ ("ns2" ttl "IN" "A" ip-multimedia)
+ ("@" ttl "IN" "NS" "ns2.marekpasnikowski.pl.")
+ ("@" ttl "IN" "MX" "10 marekpasnikowski.pl.")
+ ("@" ttl "IN" "TXT" spf-value)
+ ("_caldavs._tcp" ttl "IN" "SRV" "10 0 443 radicale.marekpasnikowski.pl")
+ ("_carddavs._tcp" ttl "IN" "SRV" "10 0 443 radicale.marekpasnikowski.pl")
+ ("_dmarc" ttl "IN" "TXT" "\"v=DMARC1; p=reject; sp=reject; pct=100; aspf=s; adkim=s; fo=1; rua=mailto:abuse@marekpasnikowski.pl; ruf=mailto:abuse@marekpasnikowski.pl\"")
+ ("dkim._domainkey" ttl "IN" "TXT" "\"v=DKIM1; d=marekpasnikowski.pl; t=s; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo/b/WV5EUxqAhBgJ4v5K3sP8QI+IwziRJ/F9SDO3p3QOMjZd9AGVt2/AztZ4EmcOJnTlbQnLE/DKCOq4HAdxSZjIqj5AXyMddvWiO78+ugdame/flV0tjdDGNflx65Twap3qgJ9jzhvJfZ1BDuh2WC06fn2pyFl1TCETEGp6ZDkI41FW5GH8l9Jk7hhCmr+Mau0EpE7V42lBdireItOA1e7jQcub50584QATme4rYxA7WR4AeIsknOkUo4q8vkVrssoP11nSg/sNM9RGn1QDfVMJRX0twtgGnJ8N5QE4Ia9DvXL4Y0PNMC0/frp13pB6m1VQP/Z4jfDy+TQzEdSRaQIDAQAB\"")
+ ("git" ttl "IN" "CNAME" "www")
+ ("guix" ttl "IN" "CNAME" "www")
+ ("matrix" ttl "IN" "CNAME" "www")
+ ("radicale" ttl "IN" "CNAME" "www")
+ ("schron" ttl "IN" "CNAME" "www")
+ ("sejf" ttl "IN" "CNAME" "www")
+ ("test" ttl "IN" "CNAME" "www"))
+
+(define marekpasnikowski.pl-zone
+ (gnu:services:dns:zone-file
+ (entries marekpasnikowski.pl-entries)
+ (origin "marekpasnikowski.pl")
+ (ns "ns1.marekpasnikowski.pl.")
+ (mail "marek.marekpasnikowski.pl.")
+ (serial 2026032103)))
+
+(define master-zone
+ (gnu:services:dns:knot-zone-configuration
+ (domain "marekpasnikowski.pl")
+ (zone marekpasnikowski.pl-zone)))
+
+(define knot-configuration
+ (gnu:services:dns:knot-configuration
+ (listen-v4 "0.0.0.0")
+ (zones (list master-zone))))
+
+(define-public knot
+ (gnu:services:service
+ gnu:services:dns:knot-service-type
+ knot-configuration))
+
+(define radicale-keys "/secrets/radicale/keys")
+
+(define dovecot-keys "/secrets/dovecot")
+
+(define nginx-account
+ (gnu:system:accounts:user-account
+ (name "nginx")
+ (group "nginx")
+ (supplementary-groups '("git"))
+ (system? #t)
+ (comment "nginx server user")
+ (home-directory "/var/empty")
+ (shell (file-append (gnu:packages:specification->package "shadow")
+ "/sbin/nologin"))))
+
+(define nginx-group
+ (gnu:system:accounts:user-group
+ (name "nginx")
+ (system? #t)))
+
+(define nginx-accounts
+ (let
+ ((accounts- (list nginx-group
+ nginx-account)))
+ (const accounts-)))
+
+(define nginx-extension-of-account
+ (gnu:services:service-extension
+ gnu:system:shadow:account-service-type
+ nginx-accounts))
+
+(define (extend-account extension)
+ (let*
+ ((extension-target- (gnu:services:service-extension-target extension))
+ (account-service-type?- (eq? extension-target-
+ gnu:system:shadow:account-service-type)))
+ (if account-service-type?-
+ nginx-extension-of-account
+ extension)))
+
+(define nginx-service-type*
+ (let
+ ((nginx-extensions- (gnu:services:service-type-extensions gnu:services:web:nginx-service-type)))
+ (gnu:services:service-type
+ (inherit gnu:services:web:nginx-service-type)
+ (extensions (map extend-account
+ nginx-extensions-)))))
+
+(define cgit-repository-configuration
+ (gnu:services:cgit:repository-cgit-configuration
+ (hide? #t)
+ (path "/srv/git/marek/packages")))
+
+(define git-http-configuration
+ (gnu:services:version-control:git-http-configuration
+ (git-root "/var/lib/gitolite/repositories")
+ (uri-path "/git")))
+
+(define nginx-extension-of-cgit
+ (gnu:services:service-extension
+ nginx-service-type*
+ gnu:services:cgit:cgit-configuration-nginx-config))
+
+(define (extend-cgit extension)
+ (let*
+ ((extension-target- (gnu:services:service-extension-target extension))
+ (nginx-service-type?- (eq? extension-target-
+ gnu:services:web:nginx-service-type)))
+ (if nginx-service-type?-
+ nginx-extension-of-cgit
+ extension)))
+
+(define cgit-type
+ (let
+ ((cgit-extensions- (gnu:services:service-type-extensions gnu:services:cgit:cgit-service-type)))
+ (gnu:services:service-type
+ (inherit gnu:services:cgit:cgit-service-type)
+ (extensions (map extend-cgit
+ cgit-extensions-)))))
+
+(define nginx-location-cgit
+ (gnu:services:web:nginx-location-configuration
+ (body (list "fastcgi_param HTTP_HOST $server_name ;"
+ "fastcgi_param PATH_INFO $uri ;"
+ "fastcgi_param QUERY_STRING $args ;"
+ "fastcgi_param SCRIPT_FILENAME $document_root/lib/cgit/cgit.cgi ;"
+ "fastcgi_pass 127.0.0.1:9000 ;"))
+ (uri "@cgit")))
+
+(define nginx-location-proxy-guix
+ (gnu:services:web:nginx-location-configuration
+ (body (list "proxy_pass http://localhost:5232/ ;"
+ "proxy_set_header X-Script-Name \"\" ;"
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;"
+ "proxy_set_header Host $http_host ;"
+ "proxy_pass_header Authorization ;"))
+ (uri "/")))
+
+(define nginx-location-proxy-matrix
+ (gnu:services:web:nginx-location-configuration
+ (body (list "proxy_pass http://localhost:8008 ;"
+ "proxy_set_header X-Forwarded-For $remote_addr ;"
+ "proxy_set_header X-Forwarded-Proto $scheme ;"
+ "proxy_set_header Host $host:$server_port ;"))
+ (uri "~ ^(/_matrix|/_synapse/client)")))
+
+(define nginx-location-proxy-radicale
+ (gnu:services:web:nginx-location-configuration
+ (body (list "proxy_pass http://localhost:8080/ ;"
+ "proxy_set_header X-Script-Name \"\" ;"
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;"
+ "proxy_set_header Host $http_host ;"
+ "proxy_pass_header Authorization ;"))
+ (uri "/")))
+
+(define nginx-location-proxy-auth
+ (gnu:services:web:nginx-location-configuration
+ (body (list "proxy_set_header Host $host;"
+ "proxy_set_header X-Real-IP $remote_addr;"
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"
+ "proxy_set_header X-Forwarded-Proto $scheme;"
+ "if ($ssl_client_verify != SUCCESS) {return 403;}"))
+ (uri "/")))
+
+(define nginx-location-well-known
+ (gnu:services:web:nginx-location-configuration
+ (body (list "root /srv/www/marek/marekpasnikowski.pl ;"))
+ (uri "/.well-known")))
+
+(define nginx-server-cgit
+ (let
+ ((git-http- (gnu:services:version-control:git-http-nginx-location-configuration git-http-configuration)))
+ (gnu:services:web:nginx-server-configuration
+ (locations (list git-http-
+ nginx-location-cgit
+ nginx-location-well-known))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root gnu:packages:version-control:cgit)
+ (server-name (list "git.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
+ (try-files (list "$uri" "@cgit")))))
+
+(define nginx-server-guix
+ (gnu:services:web:nginx-server-configuration
+ (locations (list nginx-location-proxy-guix))
+ (listen (list "192.168.10.2:443 ssl"))
+ (server-name (list "guix.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")))
+
+(define nginx-server-matrix
+ (gnu:services:web:nginx-server-configuration
+ (locations (list nginx-location-proxy-matrix))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root gnu:packages:matrix:synapse)
+ (server-name (list "matrix.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")))
+
+(define nginx-server-portal
+ (gnu:services:web:nginx-server-configuration
+ (locations (list nginx-location-well-known))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/www")
+ (server-name (list "marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")))
+
+(define nginx-server-radicale
+ (gnu:services:web:nginx-server-configuration
+ (locations (list nginx-location-proxy-radicale
+ nginx-location-well-known))
+ (listen (list "192.168.10.2:443 ssl"))
+ (server-name (list "radicale.marekpasnikowski.pl"))))
+
+(define nginx-server-schron
+ (gnu:services:web:nginx-server-configuration
+ (locations (list nginx-location-proxy-auth))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/schron")
+ (server-name (list "schron.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
+ (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
+ "ssl_verify_client on;"))))
+
+(define nginx-server-sejf
+ (gnu:services:web:nginx-server-configuration
+ (locations (list nginx-location-proxy-auth))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/sejf")
+ (server-name (list "sejf.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
+ (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
+ "ssl_verify_client on;"))))
+
+(define nginx-server-test
+ (gnu:services:web:nginx-server-configuration
+ (locations (list nginx-location-proxy-auth))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/schron")
+ (server-name (list "test.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
+ (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
+ "ssl_verify_client on;"))))
+
+(define nginx-server-www
+ (gnu:services:web:nginx-server-configuration
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/www")
+ (server-name (list "www.marekpasnikowski.pl"))))
+
+(define cgit-configuration
+ (gnu:services:cgit:cgit-configuration
+ (nginx (list nginx-server-cgit))
+ (repositories (list cgit-repository-configuration))
+ (project-list (list "deployment.git"
+ "nonguix.git"
+ "sovereign.git"))
+ (repository-directory "/var/lib/gitolite/repositories")))
+
+(define nginx-configuration*
+ (gnu:services:web:nginx-configuration
+ (shepherd-requirement (list 'networking))
+ (server-blocks (list nginx-server-portal
+ nginx-server-www
+ nginx-server-guix
+ nginx-server-matrix
+ nginx-server-test
+ nginx-server-schron
+ nginx-server-sejf
+ nginx-server-radicale))))
+
+(define nginx-deploy-hook-file
+ #~(let
+ ((pid (call-with-input-file "/var/run/nginx/pid"
+ read)))
+ (kill pid SIGHUP)))
+
+(define nginx-extension-of-certbot
+ (gnu:services:service-extension
+ nginx-service-type*
+ (@@ (gnu services certbot) certbot-nginx-server-configurations)))
+
+(define (extend-certbot extension)
+ (let*
+ ((extension-target- (gnu:services:service-extension-target extension))
+ (nginx-service-type?- (eq? extension-target-
+ gnu:services:web:nginx-service-type)))
+ (if nginx-service-type?-
+ nginx-extension-of-certbot
+ extension)))
+
+(define certbot-type
+ (let
+ ((certbot-extensions- (gnu:services:service-type-extensions gnu:services:certbot:certbot-service-type)))
+ (gnu:services:service-type
+ (inherit gnu:services:certbot:certbot-service-type)
+ (extensions (map extend-certbot
+ certbot-extensions-)))))
+
+(define certificate-configuration
+ (gnu:services:certbot:certificate-configuration
+ (deploy-hook (program-file "nginx-deploy-hook"
+ nginx-deploy-hook-file))
+ (domains (list "marekpasnikowski.pl"
+ "git.marekpasnikowski.pl"
+ "guix.marekpasnikowski.pl"
+ "matrix.marekpasnikowski.pl"
+ "mx.marekpasnikowski.pl"
+ "radicale.marekpasnikowski.pl"
+ "schron.marekpasnikowski.pl"
+ "sejf.marekpasnikowski.pl"
+ "test.marekpasnikowski.pl"
+ "www.marekpasnikowski.pl"))))
+
+(define certbot-configuration
+ (gnu:services:certbot:certbot-configuration
+ (certificates (list certificate-configuration))
+ (email "marek@marekpasnikowski.pl")
+ (webroot "/srv/www/marek/marekpasnikowski.pl")))
+
+(define-public certbot
+ (gnu:services:service
+ certbot-type
+ certbot-configuration))
+
+(define-public cgit
+ (gnu:services:service
+ cgit-type
+ cgit-configuration))
+
+(define-public etc
+ (let*
+ ((mailname-file- (plain-file "mailname"
+ "marekpasnikowski.pl\n"))
+ (mailname-link- (list "mailname"
+ mailname-file-))
+ (etc-links- (list mailname-link-)))
+ (gnu:services:simple-service 'etc-files
+ gnu:services:etc-service-type
+ etc-links-)))
+
+(define fcgiwrap-configuration
+ (gnu:services:web:fcgiwrap-configuration
+ (user "git")
+ (group "git")))
+
+(define-public fcgiwrap
+ (gnu:services:service
+ gnu:services:web:fcgiwrap-service-type
+ fcgiwrap-configuration))
+
+(define-public file-system-efi
+ (gnu:system:file-systems:file-system
+ (device (gnu:system:file-systems:file-system-label "AISAKA"))
+ (mount-point "/boot")
+ (type "vfat")
+ (flags (list))
+ (options #f)
+ (mount? #t)
+ (mount-may-fail? #t)
+ (needed-for-boot? #f)
+ (check? #t)
+ (skip-check-if-clean? #f)
+ (repair 'preen)
+ (create-mount-point? #f)
+ (dependencies (list))
+ (shepherd-requirements (list))
+ (location (current-source-location))))
+
+(define-public file-system-root
+ (gnu:system:file-systems:file-system
+ (device (gnu:system:file-systems:file-system-label "aisaka-root"))
+ (mount-point "/")
+ (type "ext4")
+ (flags (list))
+ (options #f)
+ (mount? #t)
+ (mount-may-fail? #f)
+ (needed-for-boot? #t)
+ (check? #t)
+ (skip-check-if-clean? #f)
+ (repair 'preen)
+ (create-mount-point? #f)
+ (dependencies (list))
+ (shepherd-requirements (list))
+ (location (current-source-location))))
+
+(define gitolite-rc-file
+ (gnu:services:version-control:gitolite-rc-file
+ (umask #o0027)))
+
+(define gitolite-configuration
+ (gnu:services:version-control:gitolite-configuration
+ (rc-file gitolite-rc-file)
+ (admin-pubkey #f)))
+
+(define-public gitolite
+ (gnu:services:service
+ gnu:services:version-control:gitolite-service-type
+ gitolite-configuration))
+
+(define-public system-keyboard-layout
+ (gnu:system:keyboard:keyboard-layout "pl"))
+
+(define-public nginx
+ (gnu:services:service
+ nginx-service-type*
+ nginx-configuration*))
+
+(define rakan-machine
+ #~(build-machine
+ (name "rakan")
+ (systems (list "x86_64-linux"
+ "i686-linux"))
+ (user "marek")
+ (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFxlIhNlkWCNA+l/RiOJztB+VWhuJtDTUvSwwlE3MpgJ root@rakan")
+ (private-key "/home/marek/.ssh/id_ed25519")))
+
+(define guix-offload-rakan
+ (gnu:services:base:guix-extension
+ (authorized-keys (list deployment:keys:akashi-guix
+ deployment:keys:rakan-guix))
+ (build-machines (list rakan-machine))))
+
+(define-public offload-rakan
+ (gnu:services:simple-service 'offload-rakan
+ gnu:services:base:guix-service-type
+ guix-offload-rakan))
+
+(define radicale-auth-configuration
+ (gnu:services:mail:radicale-auth-configuration
+ (type 'htpasswd)
+ (htpasswd-filename radicale-keys)
+ (htpasswd-encryption 'plain)))
+
+(define radicale-storage-configuration
+ (gnu:services:mail:radicale-storage-configuration
+ (filesystem-folder "/data/radicale/collections")))
+
+(define radicale-configuration
+ (gnu:services:mail:radicale-configuration
+ (auth radicale-auth-configuration)
+ (storage radicale-storage-configuration)))
+
+(define-public radicale
+ (gnu:services:service
+ gnu:services:mail:radicale-service-type
+ radicale-configuration))
+
+(define enp1s0-address-4
+ (gnu:services:base:network-address
+ (device "enp1s0")
+ (value "192.168.10.2/24")
+ (ipv6? #f)))
+
+(define enp2s0-address-4
+ (gnu:services:base:network-address
+ (device "enp2s0")
+ (value "192.168.1.2/24")
+ (ipv6? #f)))
+
+(define enp1s0-route-4-default
+ (gnu:services:base:network-route
+ (destination "default")
+ (source #f)
+ (device #f)
+ (ipv6? #f)
+ (gateway "192.168.10.1")))
+
+(define network-hardware
+ (gnu:services:base:static-networking
+ (addresses (list enp1s0-address-4
+ enp2s0-address-4))
+ (links (list))
+ (routes (list enp1s0-route-4-default))
+ (name-servers (list "192.168.10.1"
+ "192.168.1.1"))
+ (provision (list 'network-hardware))
+ (requirement (list))))
+
+(define static-networking-configuration
+ (list network-hardware))
+
+(define-public static-networking
+ (gnu:services:service
+ gnu:services:networking:static-networking-service-type
+ static-networking-configuration))
+
+(define ip-command
+ (file-append gnu:packages:linux:iproute
+ "/sbin/ip"))
+
+(define network-enp2s0-route-default
+ (let
+ ((route-default- #~(list #$ip-command
+ "route"
+ "add"
+ "default"
+ "via"
+ "192.168.1.1"
+ "table"
+ "1")))
+ (gnu:services:shepherd:shepherd-service
+ (provision (list 'network-enp2s0-route-default))
+ (requirement (list 'network-enp2s0-table))
+ (one-shot? #t)
+ (respawn? #f)
+ (start #~(make-forkexec-constructor #$route-default-))
+ (stop #~(const #f))
+ (actions (list))
+ (auto-start? #t)
+ (documentation "Sets up a default route for traffic from enp2s0.")
+ (modules gnu:services:shepherd:%default-modules))))
+
+(define network-enp2s0-table
+ (let
+ ((table- #~(list #$ip-command
+ "rule"
+ "add"
+ "from"
+ "192.168.1.2"
+ "table"
+ "1"
+ "prio"
+ "1")))
+ (gnu:services:shepherd:shepherd-service
+ (provision (list 'network-enp2s0-table))
+ (requirement (list 'network-hardware))
+ (one-shot? #t)
+ (respawn? #f)
+ (start #~(make-forkexec-constructor #$table-))
+ (stop #~(const #f))
+ (actions (list))
+ (auto-start? #t)
+ (documentation "Defines a table of rules number 1 for routes through enp2s0.")
+ (modules gnu:services:shepherd:%default-modules))))
+
+(define networking
+ (gnu:services:shepherd:shepherd-service
+ (provision (list 'networking))
+ (requirement (list 'network-enp2s0-table
+ 'network-enp2s0-route-default))
+ (one-shot? #t)
+ (respawn? #f)
+ (start #~(const #t))
+ (stop #~(const #f))
+ (actions (list))
+ (auto-start? #t)
+ (documentation "Defines a graph root of one-shot services to invoke various ip commands.")
+ (modules gnu:services:shepherd:%default-modules)))
+
+(define-public iproute2-networking
+ (let
+ ((extensions- (list network-enp2s0-table
+ network-enp2s0-route-default
+ networking)))
+ (gnu:services:simple-service 'networking
+ gnu:services:shepherd:shepherd-root-service-type
+ extensions-)))
+
+(define swap-device-izumi-1-label
+ (gnu:system:file-systems:file-system-label "izumi-swap-f"))
+
+(define-public %sovereign-services*
+ (gnu:services:modify-services sovereign:systems:%sovereign-services
+ (gnu:services:delete gnu:services:networking:network-manager-service-type)))
+
+(define-public system-bootloader
+ (gnu:bootloader:bootloader-configuration
+ (bootloader gnu:bootloader:grub:grub-efi-bootloader)
+ (targets (list "/boot"))
+ (keyboard-layout sovereign:devices:pl-keyboard-layout)))
+
+(define-public vmail-group
+ (gnu:system:accounts:user-group
+ (name "vmail")
+ (system? #t)))
+
+(define named-home-environments
+ (list users:id1000:named-home-environment))
+
+(define guix-publish-configuration
+ (gnu:services:base:guix-publish-configuration
+ (host "192.168.10.2")
+ (port 8080)
+ (advertise? #t)))
+
+(define-public guix-home-service
+ (sovereign:systems:guix-home-service named-home-environments))
+
+(define-public guix-publish-service
+ (sovereign:services:guix-publish-service guix-publish-configuration))
diff --git a/deployment/systems/akashi.scm b/deployment/systems/akashi.scm
new file mode 100644
index 0000000..142ffae
--- /dev/null
+++ b/deployment/systems/akashi.scm
@@ -0,0 +1,125 @@
+;;; SPDX-License-Identifier: GPL-3.0-or-later
+;;; SPDX-FileCopyrightText: 2024-2025 Marek Paśnikowski <marek@marekpasnikowski.pl>
+
+(define-module (deployment systems akashi)
+ #:use-module (guix gexp)
+ #:use-module (users id1000)
+ #:use-module ((deployment keys)
+ #:prefix deployment:keys:)
+ #:use-module ((gnu packages linux)
+ #:prefix gnu:packages:linux:)
+ #:use-module ((gnu services)
+ #:prefix gnu:services:)
+ #:use-module ((gnu services base)
+ #:prefix gnu:services:base:)
+ #:use-module ((gnu services guix)
+ #:prefix gnu:services:guix:)
+ #:use-module ((gnu system)
+ #:prefix gnu:system:)
+ #:use-module ((gnu system file-systems)
+ #:prefix gnu:system:file-systems:)
+ #:use-module ((gnu system keyboard)
+ #:prefix gnu:system:keyboard:)
+ #:use-module ((gnu system linux-initrd)
+ #:prefix gnu:system:linux-initrd:)
+ #:use-module ((gnu system locale)
+ #:prefix gnu:system:locale:)
+ #:use-module ((gnu system nss)
+ #:prefix gnu:system:nss:)
+ #:use-module ((gnu system pam)
+ #:prefix gnu:system:pam:)
+ #:use-module ((gnu system shadow)
+ #:prefix gnu:system:shadow:)
+ #:use-module ((guix diagnostics)
+ #:prefix guix:diagnostics:)
+ #:use-module ((machines thinkpad-x200)
+ #:prefix machines:thinkpad-x200:)
+ #:use-module ((sovereign systems)
+ #:prefix sovereign:systems:))
+
+(define-public architecture "x86_64-linux")
+
+(define-public system-name "akashi")
+
+(define root-partition
+ ((@ (gnu system file-systems) file-system)
+ (mount-point "/")
+ (device ((@ (gnu system file-systems) file-system-label) "akashi-root"))
+ (type "ext4")))
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(define system-keyboard-layout
+ (gnu:system:keyboard:keyboard-layout "pl"))
+
+(define offload-hub
+ #~(build-machine
+ (name "www.marekpasnikowski.pl")
+ (systems (list "x86_64-linux"
+ "i686-linux"))
+ (user "marek")
+ (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM0Eh0q54myeSEironEP9DEKl+ownYuH7oSgAVuLIDNt root@aisaka")
+ (port 23)
+ (private-key "/home/marek/.ssh/id_ed25519")))
+
+(define guix-offload-targets
+ (gnu:services:base:guix-extension
+ (authorized-keys (list deployment:keys:aisaka-guix))
+ (build-machines (list offload-hub))))
+
+(define offload-extension
+ (gnu:services:simple-service 'offload-extension
+ gnu:services:base:guix-service-type
+ guix-offload-targets))
+
+(define home-environments
+ `((,uid1000-name ,uid1000-home-environment)))
+
+(define guix-home
+ (gnu:services:service gnu:services:guix:guix-home-service-type
+ home-environments))
+
+(define-public system
+ (gnu:system:operating-system
+ (kernel gnu:packages:linux:linux-libre)
+ (kernel-loadable-modules (list))
+ (kernel-arguments (cons* "thinkpad_acpi.fan_control=1"
+ "thinkpad_acpi.fan='level 7'"
+ gnu:system:%default-kernel-arguments))
+ (hurd #f)
+ (bootloader (machines:thinkpad-x200:bootloader-configuration* system-keyboard-layout))
+ (label (sovereign:systems:operating-system-label* system-name
+ gnu:system:this-operating-system))
+ (keyboard-layout system-keyboard-layout)
+ (initrd gnu:system:linux-initrd:base-initrd)
+ (initrd-modules gnu:system:linux-initrd:%base-initrd-modules)
+ (firmware (list))
+ (host-name system-name)
+ (hosts-file #f)
+ (mapped-devices (list))
+ (file-systems (cons* root-partition
+ gnu:system:file-systems:%base-file-systems))
+ (swap-devices (machines:thinkpad-x200:swap-devices* system-name))
+ (users (list uid1000-account))
+ (groups gnu:system:shadow:%base-groups)
+ (skeletons (gnu:system:shadow:default-skeletons))
+ (issue (@@ (gnu system)
+ %default-issue))
+ (packages gnu:system:%base-packages)
+ (timezone "Europe/Warsaw")
+ (locale sovereign:systems:pl-locale)
+ (locale-definitions sovereign:systems:%sovereign-locale-definitions)
+ (locale-libcs gnu:system:locale:%default-locale-libcs)
+ (name-service-switch gnu:system:nss:%default-nss)
+ (essential-services (gnu:system:operating-system-default-essential-services gnu:system:this-operating-system))
+ (services (cons* guix-home
+ offload-extension
+ sovereign:systems:%sovereign-services))
+ (pam-services (gnu:system:pam:base-pam-services))
+ (privileged-programs gnu:system:%default-privileged-programs)
+ (setuid-programs gnu:system:%setuid-programs)
+ (sudoers-file sovereign:systems:%sovereign-sudoers-specification)
+ (location (and=> (current-source-location)
+ guix:diagnostics:source-properties->location))))
+
+(define-public operating-system* system)
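Review bot: `"thinkpad_acpi.fan='level 7'"` in kernel-arguments is unlikely to reach the module as one parameter: the kernel's command-line parser only honours double quotes, so once GRUB has stripped the single quotes the token is split at the space into `thinkpad_acpi.fan=level` and a stray `7`, and as far as I can tell thinkpad_acpi exposes no `fan` module parameter at all (fan level is set at runtime through /proc/acpi/ibm/fan once `fan_control=1` is in effect), so please verify the option on a booted system before keeping it. If a fixed fan level is the goal, writing `level 7` to /proc/acpi/ibm/fan from a one-shot service is the supported path. Separately, `(issue (@@ (gnu system) %default-issue))` reaches into a private binding of (gnu system) through the `@@` escape hatch; leaving `issue` at its default or defining the string locally avoids breaking on an unrelated Guix refactor.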
diff --git a/deployment/systems/asakura.scm b/deployment/systems/asakura.scm
new file mode 100644
index 0000000..2b8397d
--- /dev/null
+++ b/deployment/systems/asakura.scm
@@ -0,0 +1,132 @@
+;;; SPDX-License-Identifier: GPL-3.0-or-later
+;;; SPDX-FileCopyrightText: 2024-2025 Marek Paśnikowski <marek@marekpasnikowski.pl>
+
+(define-module (deployment systems asakura)
+ #:use-module ((gnu system) #:prefix gnu:system:)
+ #:use-module ((gnu system file-systems) #:prefix gnu:system:file-systems:)
+ #:use-module ((gnu system uuid) #:prefix gnu:system:uuid:)
+ #:use-module ((nongnu packages linux) #:prefix nongnu:packages:linux:)
+ #:use-module ((nongnu system linux-initrd) #:prefix nongnu:system:linux-initrd:)
+ #:use-module ((sovereign devices amd64) #:prefix sovereign:devices:amd64:)
+ #:use-module ((sovereign packages protonmail) #:prefix sovereign:packages:protonmail:)
+ #:use-module ((sovereign systems) #:prefix sovereign:systems:)
+ #:use-module ((users id1000) #:prefix users:id1000:))
+
+(define efi-filesystem-uuid
+ (gnu:system:uuid:uuid
+ "B4FB-CBD9"
+ 'fat32))
+
+(define host-name
+ "asakura")
+
+(define (label number)
+ (gnu:system:file-systems:file-system-label
+ (string-append host-name
+ "-swap"
+ number)))
+
+(define root-filesystem-uuid
+ (gnu:system:uuid:uuid
+ "615a98cd-a632-4ee5-a6f4-e5ebcaa6fb8c"))
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(define efi-partition
+ (gnu:system:file-systems:file-system
+ (mount-point "/boot")
+ (device efi-filesystem-uuid)
+ (type "vfat")))
+
+(define keyboard-layout
+ ((@ (gnu system keyboard) keyboard-layout)
+ "pl"))
+
+(define (libvirt-service)
+ (use-modules (gnu services virtualization))
+ ((@ (gnu services) service)
+ libvirt-service-type))
+
+(define (virtlog-service)
+ (use-modules (gnu services virtualization))
+ ((@ (gnu services) service)
+ virtlog-service-type))
+
+(define root-partition
+ (gnu:system:file-systems:file-system
+ (mount-point "/")
+ (device root-filesystem-uuid)
+ (type "ext4")))
+
+(define (swap-label number)
+ (let ((target-label (label number)))
+ (gnu:system:file-systems:swap-space
+ (target target-label))))
+
+(define (system-packages-service)
+ (use-modules (gnu packages gnupg)
+ (gnu packages kde-pim)
+ (gnu services))
+ (simple-service 'system-packages
+ profile-service-type
+ (list kgpg
+ pinentry-qt
+ pinentry-tty)))
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(define (bootloader)
+ (use-modules (gnu bootloader grub))
+ ((@ (gnu bootloader) bootloader-configuration)
+ (bootloader grub-efi-bootloader)
+ (targets (list "/boot"))
+ (keyboard-layout keyboard-layout)))
+
+(define (file-systems)
+ (append gnu:system:file-systems:%base-file-systems
+ (list root-partition
+ efi-partition)))
+
+(define services
+ (let*
+ ( (l-guix-homes (list users:id1000:named-home-environment))
+ (l-guix-home-service (sovereign:systems:guix-home-service l-guix-homes)))
+ (append sovereign:systems:%sovereign-services
+ (list sovereign:packages:protonmail:nogui-profile
+ l-guix-home-service
+ (system-packages-service)))))
+
+(define swap-device-1
+ (swap-label "-1"))
+
+(define swap-device-2
+ (swap-label "-2"))
+
+(define (users)
+ (use-modules (gnu system accounts))
+ (append (@ (gnu system shadow) %base-user-accounts)
+ (list users:id1000:uid1000-account)))
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(define-public system
+ (gnu:system:operating-system
+ (kernel nongnu:packages:linux:linux)
+ (bootloader (bootloader))
+ (label (sovereign:systems:operating-system-label* host-name
+ gnu:system:this-operating-system))
+ (keyboard-layout keyboard-layout)
+ (initrd nongnu:system:linux-initrd:microcode-initrd)
+ (firmware (list nongnu:packages:linux:linux-firmware))
+ (host-name host-name)
+ (file-systems (file-systems))
+ (swap-devices (list swap-device-1
+ swap-device-2))
+ (users (users))
+ (timezone "Europe/Warsaw")
+ (locale sovereign:systems:pl-locale)
+ (locale-definitions sovereign:systems:%sovereign-locale-definitions)
+ (services services)
+ (sudoers-file sovereign:systems:%sovereign-sudoers-specification)))
+
+(define-public operating-system* system)
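Review bot: The `use-modules` forms inside the bodies of libvirt-service, virtlog-service, system-packages-service, bootloader and users are not local imports: Guile's `use-modules` is a top-level form, and inside a procedure it modifies the current module's import set as a side effect whenever the body runs, while the compiler cannot resolve `libvirt-service-type`, `kgpg`, `grub-efi-bootloader` and friends statically, so the file's real dependencies are hidden from the define-module header that everything else here relies on. Moving them to `#:use-module ((gnu services virtualization) #:prefix gnu:services:virtualization:)`, `#:use-module ((gnu bootloader grub) #:prefix gnu:bootloader:grub:)` and matching clauses for (gnu packages gnupg), (gnu packages kde-pim) and (gnu system accounts), then referencing the prefixed names, keeps the one convention the file already uses. As a smaller point, `label` and `swap-label` take a parameter called `number` but are passed "-1" and "-2"; either rename it `suffix` or put the dash into `label`'s string-append so the call sites pass just the number.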
diff --git a/deployment/systems/cokolwiek.scm b/deployment/systems/cokolwiek.scm
new file mode 100644
index 0000000..15beb99
--- /dev/null
+++ b/deployment/systems/cokolwiek.scm
@@ -0,0 +1,105 @@
+;;; SPDX-License-Identifier: GPL-3.0-or-later
+;;; SPDX-FileCopyrightText: 2024-2025 Marek Paśnikowski <marek@marekpasnikowski.pl>
+
+(define-module (deployment systems cokolwiek)
+ #:use-module ( (gnu packages package-management)
+ #:prefix gnu:packages:package-management:)
+ #:use-module ( (gnu services)
+ #:prefix gnu:services:)
+ #:use-module ( (gnu services base)
+ #:prefix gnu:services:base:)
+ #:use-module ( (gnu services guix)
+ #:prefix gnu:services:guix:)
+ #:use-module ( (gnu system)
+ #:prefix gnu:system:)
+ #:use-module ( (gnu system file-systems)
+ #:prefix gnu:system:file-systems:)
+ #:use-module ( (gnu system linux-initrd)
+ #:prefix gnu:system:linux-initrd:)
+ #:use-module ( (gnu system shadow)
+ #:prefix gnu:system:shadow:)
+ #:use-module ( (nongnu packages linux)
+ #:prefix nongnu:packages:linux:)
+ #:use-module ( (nongnu system linux-initrd)
+ #:prefix nongnu:system:linux-initrd:)
+ #:use-module ( (sovereign channels)
+ #:prefix sovereign:channels:)
+ #:use-module ( (sovereign devices)
+ #:prefix sovereign:devices:)
+ #:use-module ( (sovereign devices amd64)
+ #:prefix sovereign:devices:amd64:)
+ #:use-module ( (sovereign packages protonmail)
+ #:prefix sovereign:packages:protonmail:)
+ #:use-module ( (sovereign systems)
+ #:prefix sovereign:systems:)
+ #:use-module ( (users id1000)
+ #:prefix users:id1000:)
+ #:use-module ( (users id1001)
+ #:prefix users:id1001:))
+
+(define system-name
+ "cokolwiek")
+
+(define file-system-efi
+ (let*
+ ( (l-system-name (string-upcase system-name))
+ (l-device (sovereign:devices:file-system-label l-system-name)))
+ (gnu:system:file-systems:file-system
+ (inherit sovereign:devices:file-system/efi)
+ (device l-device))))
+
+(define file-system-root
+ (let
+ ( (l-device (sovereign:devices:file-system-label system-name
+ "root")))
+ (gnu:system:file-systems:file-system
+ (inherit sovereign:devices:file-system/root)
+ (device l-device))))
+
+(define swap
+ (let
+ ( (l-target (sovereign:devices:file-system-label system-name
+ "swap")))
+ (gnu:system:file-systems:swap-space
+ (inherit sovereign:devices:swap/no-trim)
+ (target l-target))))
+
+(define-public system
+ (let*
+ ( (l-guix-homes (list users:id1000:named-home-environment
+ users:id1001:named-home-environment))
+ (l-guix-home-service (sovereign:systems:guix-home-service l-guix-homes))
+ (l-bootloader (sovereign:devices:amd64:custom-bootloader-configuration system-name))
+ (l-file-systems (cons* file-system-root
+ file-system-efi
+ gnu:system:file-systems:%base-file-systems))
+ (l-firmware (list nongnu:packages:linux:linux-firmware))
+ (l-initrd-modules (cons* "mei_me"
+ gnu:system:linux-initrd:%base-initrd-modules))
+ (l-services (cons* l-guix-home-service
+ sovereign:packages:protonmail:nogui-profile
+ sovereign:systems:%sovereign-services))
+ (l-swap-devices (list swap))
+ (l-users (cons* users:id1000:uid1000-account
+ users:id1001:user-account
+ gnu:system:shadow:%base-user-accounts)))
+ (gnu:system:operating-system
+ (kernel nongnu:packages:linux:linux)
+ (bootloader l-bootloader)
+ (label (sovereign:systems:operating-system-label* system-name
+ gnu:system:this-operating-system))
+ (keyboard-layout sovereign:devices:pl-keyboard-layout)
+ (initrd nongnu:system:linux-initrd:microcode-initrd)
+ (initrd-modules l-initrd-modules)
+ (firmware l-firmware)
+ (host-name system-name)
+ (file-systems l-file-systems)
+ (swap-devices l-swap-devices)
+ (users l-users)
+ (timezone "Europe/Warsaw")
+ (locale sovereign:systems:pl-locale)
+ (locale-definitions sovereign:systems:%sovereign-locale-definitions)
+ (services l-services)
+ (sudoers-file sovereign:systems:%sovereign-sudoers-specification))))
+
+(define-public operating-system* system)
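Review bot: `file-system-efi`, `file-system-root` and `swap` (L1038–L1060) are the same three definitions, differing only in the `system-name` string, as in mcdowell.scm (L1220–L1242) and rakan.scm (L1365–L1387); this is a point of style rather than correctness. Since `sovereign:devices:amd64:custom-bootloader-configuration` already takes the system name as its argument, the same module could expose helpers that take `system-name` in the same way and return the labelled EFI, root and swap records, leaving each system file with one call per device instead of a copy of the `let*`/`inherit` boilerplate. If the copies are kept, a one-line comment on each such as `;; Partition labels are derived from system-name; keep in sync with the other systems` would at least tell the next reader where the duplicates live.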
diff --git a/deployment/systems/git-ignore.conf b/deployment/systems/git-ignore.conf
new file mode 100644
index 0000000..98e588f
--- /dev/null
+++ b/deployment/systems/git-ignore.conf
@@ -0,0 +1,48 @@
+# -*- mode: gitignore; -*-
+*~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+*.elc
+auto-save-list
+tramp
+.\#*
+
+# Org-mode
+.org-id-locations
+*_archive
+
+# flymake-mode
+*_flymake.*
+
+# eshell files
+/eshell/history
+/eshell/lastdir
+
+# elpa packages
+/elpa/
+
+# reftex files
+*.rel
+
+# AUCTeX auto folder
+/auto/
+
+# cask packages
+.cask/
+dist/
+
+# Flycheck
+flycheck_*.el
+
+# server auth directory
+/server/
+
+# projectiles files
+.projectile
+
+# directory configuration
+.dir-locals.el
+
+# network security
+/network-security.data
diff --git a/deployment/systems/gitconfig b/deployment/systems/gitconfig
new file mode 100644
index 0000000..300f906
--- /dev/null
+++ b/deployment/systems/gitconfig
@@ -0,0 +1,10 @@
+[commit]
+ gpgsign = true
+
+[user]
+ email = marek@marekpasnikowski.pl
+ name = Marek Paśnikowski
+ signingkey = 6D81B1207711899F
+
+[push]
+ autoSetupRemote = true
diff --git a/deployment/systems/mcdowell.scm b/deployment/systems/mcdowell.scm
new file mode 100644
index 0000000..341bb50
--- /dev/null
+++ b/deployment/systems/mcdowell.scm
@@ -0,0 +1,121 @@
+;;; SPDX-License-Identifier: GPL-3.0-or-later
+;;; SPDX-FileCopyrightText: 2024-2025 Marek Paśnikowski <marek@marekpasnikowski.pl>
+
+(define-module (deployment systems mcdowell)
+ #:use-module ( (deployment keys)
+ #:prefix deployment:keys:)
+ #:use-module ( (gnu packages package-management)
+ #:prefix gnu:packages:package-management:)
+ #:use-module ( (gnu services)
+ #:prefix gnu:services:)
+ #:use-module ( (gnu services base)
+ #:prefix gnu:services:base:)
+ #:use-module ( (gnu services guix)
+ #:prefix gnu:services:guix:)
+ #:use-module ( (gnu system)
+ #:prefix gnu:system:)
+ #:use-module ( (gnu system file-systems)
+ #:prefix gnu:system:file-systems:)
+ #:use-module ( (gnu system linux-initrd)
+ #:prefix gnu:system:linux-initrd:)
+ #:use-module ( (gnu system shadow)
+ #:prefix gnu:system:shadow:)
+ #:use-module ( (nongnu packages linux)
+ #:prefix nongnu:packages:linux:)
+ #:use-module ( (nongnu system linux-initrd)
+ #:prefix nongnu:system:linux-initrd:)
+ #:use-module ( (sovereign channels)
+ #:prefix sovereign:channels:)
+ #:use-module ( (sovereign devices)
+ #:prefix sovereign:devices:)
+ #:use-module ( (sovereign devices amd64)
+ #:prefix sovereign:devices:amd64:)
+ #:use-module ( (sovereign packages protonmail)
+ #:prefix sovereign:packages:protonmail:)
+ #:use-module ( (sovereign systems)
+ #:prefix sovereign:systems:)
+ #:use-module ( (users id1000)
+ #:prefix users:id1000:)
+ #:use-module (guix gexp))
+
+(define system-name
+ "mcdowell")
+
+(define file-system-efi
+ (let*
+ ( (l-system-name (string-upcase system-name))
+ (l-device (sovereign:devices:file-system-label l-system-name)))
+ (gnu:system:file-systems:file-system
+ (inherit sovereign:devices:file-system/efi)
+ (device l-device))))
+
+(define file-system-root
+ (let
+ ( (l-device (sovereign:devices:file-system-label system-name
+ "root")))
+ (gnu:system:file-systems:file-system
+ (inherit sovereign:devices:file-system/root)
+ (device l-device))))
+
+(define swap
+ (let
+ ( (l-target (sovereign:devices:file-system-label system-name
+ "swap")))
+ (gnu:system:file-systems:swap-space
+ (inherit sovereign:devices:swap/no-trim)
+ (target l-target))))
+
+(define rakan-machine
+ #~(build-machine
+ (name "rakan")
+ (systems (list "x86_64-linux"
+ "i686-linux"))
+ (user "marek")
+ (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFxlIhNlkWCNA+l/RiOJztB+VWhuJtDTUvSwwlE3MpgJ root@mcdowell")
+ (private-key "/home/marek/.ssh/id_ed25519")))
+
+(define guix-offload-rakan
+ (gnu:services:base:guix-extension
+ (authorized-keys (list deployment:keys:rakan-guix))
+ (build-machines (list rakan-machine))))
+
+(define-public system
+ (let*
+ ( (l-guix-homes (list users:id1000:named-home-environment))
+ (l-guix-home-service (sovereign:systems:guix-home-service l-guix-homes))
+ (l-bootloader (sovereign:devices:amd64:custom-bootloader-configuration system-name))
+ (l-file-systems (cons* file-system-root
+ file-system-efi
+ gnu:system:file-systems:%base-file-systems))
+ (l-firmware (list nongnu:packages:linux:linux-firmware))
+ (l-initrd-modules (cons* "mei_me"
+ gnu:system:linux-initrd:%base-initrd-modules))
+ (l-services (cons* l-guix-home-service
+ sovereign:packages:protonmail:nogui-profile
+ (gnu:services:simple-service 'offload-rakan
+ gnu:services:base:guix-service-type
+ guix-offload-rakan)
+ sovereign:systems:%sovereign-services))
+ (l-swap-devices (list swap))
+ (l-users (cons* users:id1000:uid1000-account
+ gnu:system:shadow:%base-user-accounts)))
+ (gnu:system:operating-system
+ (kernel nongnu:packages:linux:linux)
+ (bootloader l-bootloader)
+ (label (sovereign:systems:operating-system-label* system-name
+ gnu:system:this-operating-system))
+ (keyboard-layout sovereign:devices:pl-keyboard-layout)
+ (initrd nongnu:system:linux-initrd:microcode-initrd)
+ (initrd-modules l-initrd-modules)
+ (firmware l-firmware)
+ (host-name system-name)
+ (file-systems l-file-systems)
+ (swap-devices l-swap-devices)
+ (users l-users)
+ (timezone "Europe/Warsaw")
+ (locale sovereign:systems:pl-locale)
+ (locale-definitions sovereign:systems:%sovereign-locale-definitions)
+ (services l-services)
+ (sudoers-file sovereign:systems:%sovereign-sudoers-specification))))
+
+(define-public operating-system* system)
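Review bot: The `host-key` in `rakan-machine` (L1250) carries the trailing comment `root@mcdowell`, but the field is meant to hold the SSH host public key of the build machine named on L1246, `rakan`; if this is mcdowell's own host key the offload connection will fail host verification, and if it was simply copied from the wrong file the value should be replaced with the key that rakan's sshd presents. A comment above the record, `;; host-key is rakan's sshd host public key (verified out of band), not this host's`, would make the intent checkable. Separately, `(private-key "/home/marek/.ssh/id_ed25519")` on L1251 makes the daemon, which runs as root, authenticate with a personal user's key, so that key has to stay passphrase-less and is shared between interactive logins and offloading; a key dedicated to the daemon, with its own `authorized_keys` entry on rakan, keeps the two uses independently revocable.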
diff --git a/deployment/systems/rakan.scm b/deployment/systems/rakan.scm
new file mode 100644
index 0000000..a10fbc7
--- /dev/null
+++ b/deployment/systems/rakan.scm
@@ -0,0 +1,241 @@
+;;; SPDX-License-Identifier: GPL-3.0-or-later
+;;; SPDX-FileCopyrightText: 2024-2025 Marek Paśnikowski <marek@marekpasnikowski.pl>
+
+(define-module (deployment systems rakan)
+ #:use-module (guix gexp)
+ #:use-module ( (deployment keys)
+ #:prefix deployment:keys:)
+ #:use-module ( (gnu home)
+ #:prefix gnu:home:)
+ #:use-module ( (gnu home services)
+ #:prefix gnu:home:services:)
+ #:use-module ( (gnu packages mail)
+ #:prefix gnu:packages:mail:)
+ #:use-module ( (gnu services)
+ #:prefix gnu:services:)
+ #:use-module ( (gnu services base)
+ #:prefix gnu:services:base:)
+ #:use-module ( (gnu services guix)
+ #:prefix gnu:services:guix:)
+ #:use-module ( (gnu services samba)
+ #:prefix gnu:services:samba:)
+ #:use-module ( (gnu system)
+ #:prefix gnu:system:)
+ #:use-module ( (gnu system file-systems)
+ #:prefix gnu:system:file-systems:)
+ #:use-module ( (gnu system linux-initrd)
+ #:prefix gnu:system:linux-initrd:)
+ #:use-module ( (gnu system locale)
+ #:prefix gnu:system:locale:)
+ #:use-module ( (gnu system nss)
+ #:prefix gnu:system:nss:)
+ #:use-module ( (gnu system pam)
+ #:prefix gnu:system:pam:)
+ #:use-module ( (gnu system shadow)
+ #:prefix gnu:system:shadow:)
+ #:use-module ( (guix diagnostics)
+ #:prefix guix:diagnostics:)
+ #:use-module ( (nongnu packages linux)
+ #:prefix nongnu:packages:linux:)
+ #:use-module ( (nongnu system linux-initrd)
+ #:prefix nongnu:system:linux-initrd:)
+ #:use-module ( (gnu home-services mail)
+ #:prefix rde/gnu:home-services:mail:)
+ #:use-module ( (sovereign devices)
+ #:prefix sovereign:devices:)
+ #:use-module ( (sovereign devices amd64)
+ #:prefix sovereign:devices:amd64:)
+ #:use-module ( (sovereign packages emacs)
+ #:prefix sovereign:packages:emacs:)
+ #:use-module ( (sovereign packages protonmail)
+ #:prefix sovereign:packages:protonmail:)
+ #:use-module ( (sovereign services)
+ #:prefix sovereign:services:)
+ #:use-module ( (sovereign systems)
+ #:prefix sovereign:systems:)
+ #:use-module ( (users id1000)
+ #:prefix users:id1000:))
+
+(define system-name
+ "rakan")
+
+(define file-system-efi
+ (let*
+ ( (l-system-name (string-upcase system-name))
+ (l-device (sovereign:devices:file-system-label l-system-name)))
+ (gnu:system:file-systems:file-system
+ (inherit sovereign:devices:file-system/efi)
+ (device l-device))))
+
+(define file-system-root
+ (let
+ ( (l-device (sovereign:devices:file-system-label system-name
+ "root")))
+ (gnu:system:file-systems:file-system
+ (inherit sovereign:devices:file-system/root)
+ (device l-device))))
+
+(define swap
+ (let
+ ( (l-target (sovereign:devices:file-system-label system-name
+ "swap")))
+ (gnu:system:file-systems:swap-space
+ (inherit sovereign:devices:swap/no-trim)
+ (target l-target))))
+
+(define guix-offload-authorizations
+ (gnu:services:base:guix-extension
+ (authorized-keys (list deployment:keys:aisaka-guix))))
+
+(define (l2md-maildir name)
+ (string-append "~/Publiczne/l2md/"
+ name))
+
+(define l2md-repo-guile-user
+ (rde/gnu:home-services:mail:l2md-repo
+ (name "guile-user")
+ (urls "https://yhetil.org/guile-user/0")
+ (maildir (l2md-maildir name))
+ (pipe "")
+ (initial-import 0)
+ (sync-enabled? #t)))
+
+(define l2md-repo-guix-devel
+ (rde/gnu:home-services:mail:l2md-repo
+ (name "guix-devel")
+ (urls "https://yhetil.org/guix-devel/0")
+ (maildir (l2md-maildir name))
+ (pipe "")
+ (initial-import 0)
+ (sync-enabled? #t)))
+
+(define l2md-repo-guix-user
+ (rde/gnu:home-services:mail:l2md-repo
+ (name "guix-user")
+ (urls "https://yhetil.org/guix-user/0")
+ (maildir (l2md-maildir name))
+ (pipe "")
+ (initial-import 0)
+ (sync-enabled? #t)))
+
+(define l2md-configuration
+ (rde/gnu:home-services:mail:home-l2md-configuration
+ (l2md gnu:packages:mail:l2md)
+ (autostart? #t)
+ (period 180)
+ (oneshot 0)
+ (maildir "")
+ (pipe "")
+ (base "~/Publiczne/l2md")
+ (repos (list l2md-repo-guile-user
+ l2md-repo-guix-devel
+ l2md-repo-guix-user))))
+
+(define home-l2md
+ (gnu:services:service
+ rde/gnu:home-services:mail:home-l2md-service-type
+ l2md-configuration))
+
+(define samba-configuration
+ (gnu:services:samba:samba-configuration
+ (enable-smbd? #t)
+ (config-file (mixed-text-file "smb.conf"
+ "[global]\n"
+ "map to guest = Bad User\n"
+ "logging = syslog@1\n"
+ "\n"
+ "[public]\n"
+ "browsable = yes\n"
+ "path = /tmp\n"
+ "read only = no\n"
+ "guest ok = yes\n"
+ "guest only = yes\n"))))
+
+(define samba-service
+ (gnu:services:service
+ gnu:services:samba:samba-service-type
+ samba-configuration))
+
+(define named-home-environment-1000
+ (let
+ ( (named-home-environment- users:id1000:named-home-environment))
+ (let
+ ( (home-environment- (car (cdr named-home-environment-)))
+ (name- (car named-home-environment-)))
+ (let*
+ ( (services- (gnu:home:home-environment-user-services home-environment-))
+ (packages- (gnu:home:home-environment-packages home-environment-))
+ (home-environment-* (gnu:home:home-environment
+ (inherit home-environment-)
+ (packages packages-)
+ (services (cons* home-l2md
+ services-)))))
+ (list name-
+ home-environment-*)))))
+
+(define guix-homes
+ (list named-home-environment-1000))
+
+(define guix-home-service
+ (sovereign:systems:guix-home-service guix-homes))
+
+(define offload-auth
+ (gnu:services:simple-service 'offload-authorizations
+ gnu:services:base:guix-service-type
+ guix-offload-authorizations))
+
+(define guix-publish-configuration
+ (gnu:services:base:guix-publish-configuration
+ (host "0.0.0.0")
+ (port 8080)
+ (advertise? #t)))
+
+(define-public guix-publish-service
+ (sovereign:services:guix-publish-service guix-publish-configuration))
+
+(define-public system
+ (gnu:system:operating-system
+ (kernel nongnu:packages:linux:linux)
+ (kernel-loadable-modules (list))
+ (kernel-arguments gnu:system:%default-kernel-arguments)
+ (hurd #f)
+ (bootloader (sovereign:devices:amd64:custom-bootloader-configuration system-name))
+ (label (sovereign:systems:operating-system-label* system-name
+ gnu:system:this-operating-system))
+ (keyboard-layout sovereign:devices:pl-keyboard-layout)
+ (initrd nongnu:system:linux-initrd:microcode-initrd)
+ (initrd-modules (cons* "mei_me"
+ gnu:system:linux-initrd:%base-initrd-modules))
+ (firmware (list nongnu:packages:linux:linux-firmware))
+ (host-name system-name)
+ (hosts-file #f)
+ (mapped-devices (list))
+ (file-systems (cons* file-system-root
+ file-system-efi
+ gnu:system:file-systems:%base-file-systems))
+ (swap-devices (list swap))
+ (users (cons* users:id1000:uid1000-account
+ gnu:system:shadow:%base-user-accounts))
+ (groups gnu:system:shadow:%base-groups)
+ (skeletons (gnu:system:shadow:default-skeletons))
+ (issue (@@ (gnu system) %default-issue))
+ (packages gnu:system:%base-packages)
+ (timezone "Europe/Warsaw")
+ (locale sovereign:systems:pl-locale)
+ (locale-definitions sovereign:systems:%sovereign-locale-definitions)
+ (locale-libcs gnu:system:locale:%default-locale-libcs)
+ (name-service-switch gnu:system:nss:%default-nss)
+ (essential-services (gnu:system:operating-system-default-essential-services gnu:system:this-operating-system))
+ (services (cons* guix-home-service
+ guix-publish-service
+ offload-auth
+ sovereign:packages:protonmail:nogui-profile
+ samba-service
+ sovereign:systems:%sovereign-services))
+ (pam-services (gnu:system:pam:base-pam-services))
+ (privileged-programs gnu:system:%default-privileged-programs)
+ (sudoers-file sovereign:systems:%sovereign-sudoers-specification)
+ (location (and=> (current-source-location)
+ guix:diagnostics:source-properties->location))))
+
+(define-public operating-system* system)
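Review bot: The `[public]` share in `samba-configuration` (L1450–L1455) exports `/tmp` with `guest ok = yes`, `guest only = yes` and `read only = no`, so any client that can reach smbd can read every world-readable file in the system temporary directory and write arbitrary files into a directory other daemons on the host use for scratch data. Pointing the share at a dedicated directory, e.g. `"path = /srv/samba/public\n"` created for the guest account, keeps anonymous writes away from the rest of the system; if `/tmp` is deliberate, a comment such as `;; Anonymous scratch share on a trusted LAN only; /tmp is shared with local services` should say so. Relatedly, `(host "0.0.0.0")` together with `(advertise? #t)` in `guix-publish-configuration` (L1491–L1494) listens on every interface; substitutes are signed so integrity is not at stake, but the store contents become enumerable from any attached network, and binding `host` to the LAN address (or documenting the firewall that limits it) is worth stating next to the definition.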