#+title: Configuration of the Aisaka computer -*- mode: org -*-
#+startup: overview
#+property: header-args:scheme :noweb yes
#+property: header-args:scheme+ :noweb-prefix yes
#+property: header-args:shell :noweb yes
#+property: Header-args:shell+ :noweb-prefix yes

* TODO Guix
https://guix.gnu.org/en/manual/en/html_node/
** TODO Installation
https://guix.gnu.org/en/manual/en/html_node/Installation.html
*** TODO Invoking guix-daemon
https://guix.gnu.org/en/manual/en/html_node/Invoking-guix_002ddaemon.html
#+begin_src scheme :noweb-ref guix-options
;; Extra guix-daemon command-line options.  Presumably spliced into the
;; (extra-options ...) field of guix-configuration in the base-services
;; block below (the reference there was lost in extraction -- confirm).
;; Both options make the garbage collector keep derivations and build
;; outputs of live store items, at the cost of disk space.
"--gc-keep-derivations=yes"
"--gc-keep-outputs=yes"
#+end_src
** TODO System configuration
https://guix.gnu.org/en/manual/en/html_node/System-Configuration.html
#+begin_src scheme :noweb-ref system-dump :tangle system-configuration.scm
;; Whole-system declaration for host "aisaka", tangled to
;; system-configuration.scm.
;;
;; NOTE(review): the bare "<>" tokens in this file look like noweb
;; references (<<name>>) whose names were lost in extraction; the matching
;; :noweb-ref blocks exist further down (system-services, swap, luks,
;; rootfs, bootfs, to-package+output, ...).  Restore them before tangling.
(define-module (systems aisaka system-configuration)
  #:use-module (gnu)
  #:use-module (gnu packages commencement)
  #:use-module (gnu packages cups)
  #:use-module (gnu packages finance)
  #:use-module (gnu services cups)
  #:use-module (gnu services configuration)
  #:use-module (gnu services desktop)
  #:use-module (gnu services networking)
  #:use-module (gnu services nix)
  #:use-module (gnu services ssh)
  #:use-module (gnu services version-control)
  #:use-module (gnu services xorg))

;; Polish layout, shared by the console and the bootloader below.
(define keyboard-layout (keyboard-layout "pl"))

(operating-system
  (locale "pl_PL.utf8")
  (timezone "Europe/Warsaw")
  (keyboard-layout keyboard-layout)
  (host-name "aisaka")
  (users (cons* (user-account
                 (name "marek")
                 (comment "Marek Paśnikowski")
                 (group "users")
                 (home-directory "/home/marek")
                 ;; "wheel" is the administrative group (sudo).  "tor"
                 ;; is presumably what lets this account reach the Tor
                 ;; control socket enabled in the services block below;
                 ;; confirm that control of the Tor daemon is intended
                 ;; for this unprivileged login.
                 (supplementary-groups '("audio" "netdev" "tor" "video" "wheel")))
                %base-user-accounts))
  ;; The "<>" here is presumably the string->package helper defined at the
  ;; end of the file (to-package+output), applied to each spec.
  ;; "netcat-openbsd" is commented out, yet the SSH ProxyCommand in the
  ;; ssh-config block uses the OpenBSD nc option syntax (-x/-X5); verify
  ;; the nc found on PATH actually supports it.
  (packages (append (map <> '(;; "netcat-openbsd"
                              "ntfs-3g"))
                    ;; Second list is currently empty.
                    (map <> (list))
                    %base-packages))
  (services <>)
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               ;; NOTE(review): "/dev/sda" is a kernel device name, not a
               ;; stable identifier; the file systems below are addressed
               ;; by UUID.  Confirm the GRUB target cannot move if another
               ;; disk is attached.
               (targets '("/dev/sda"))
               (keyboard-layout keyboard-layout)))
  (swap-devices (list <>))
  (mapped-devices (list <>))
  (file-systems (append %base-file-systems (list <> <>))))
#+end_src
*** TODO Services
https://guix.gnu.org/en/manual/en/html_node/Services.html
#+begin_src scheme :noweb-ref system-services
;; Service list for the operating-system declaration.  Built as
;; %desktop-services with a few modifications, plus the extra services
;; listed first.
(append (list
         ;; FHS-style compatibility symlinks so that binaries not built by
         ;; Guix (presumably the Nix profile added to PATH in the home
         ;; configuration) can find the dynamic loader and libstdc++.
         ;; Anything placed on these paths is executed as whoever runs
         ;; it, so keep this list minimal.
         (extra-special-file "/lib64/ld-linux-x86-64.so.2"
                             (file-append (canonical-package glibc)
                                          "/lib/ld-linux-x86-64.so.2"))
         (extra-special-file "/lib64/libstdc++.so.6"
                             (file-append (canonical-package gcc-toolchain)
                                          "/lib/libstdc++.so.6"))
         (extra-special-file "/usr/lib64/libstdc++.so.6"
                             (file-append (canonical-package gcc-toolchain)
                                          "/lib/libstdc++.so.6"))
         ;; Four noweb references lost in extraction -- presumably the
         ;; base, miscellaneous, SSH and Trezor service blocks below.
         <>
         <>
         <>
         <>
         ;; Printing.  web-interface? #t exposes the CUPS administration
         ;; UI; the default listen addresses are not overridden here, so
         ;; check that it stays bound to localhost.
         (service cups-service-type
                  (cups-configuration
                   (extensions (list cups-filters epson-inkjet-printer-escpr))
                   (web-interface? #t)))
         ;; NOTE(review): git-daemon speaks an unauthenticated protocol,
         ;; and export-all? #t serves every repository under its base
         ;; path without requiring a git-daemon-export-ok marker.  Confirm
         ;; the daemon is not reachable from untrusted networks.
         (service git-daemon-service-type
                  (git-daemon-configuration (export-all? #t)))
         ;; Two desktop environments are installed side by side.
         (service gnome-desktop-service-type)
         (service plasma-desktop-service-type)
         ;; control-socket? #t lets members of the tor group drive the Tor
         ;; daemon (see the "tor" supplementary group of the user account).
         (service tor-service-type
                  (tor-configuration (control-socket? #t))))
        (modify-services %desktop-services
          ;; Closing the lid does nothing (no suspend).
          (elogind-service-type configuration =>
                                (elogind-configuration
                                 (inherit configuration)
                                 (handle-lid-switch 'ignore)))
          (gdm-service-type configuration =>
                            (gdm-configuration
                             (inherit configuration)
                             (wayland? #t)))
          ;; The stock guix service is removed here and re-added with
          ;; custom daemon options in the base-services block.
          (delete guix-service-type)))
#+end_src
**** TODO Base Services
https://guix.gnu.org/en/manual/en/html_node/Base-Services.html
#+begin_src scheme :noweb-ref system-base-services
;; First reference lost in extraction.  The guix-service-type below
;; replaces the one deleted from %desktop-services; the "<>" inside
;; extra-options is presumably the guix-options block.
<>
(service guix-service-type
         (guix-configuration
          (extra-options (list <>))))
#+end_src
**** TODO Miscellaneous Services
https://guix.gnu.org/en/manual/en/html_node/Miscellaneous-Services.html
#+begin_src scheme :noweb-ref system-miscellaneous-services
;; Runs the Nix daemon next to Guix; ~/.nix-profile/bin is appended to PATH
;; in the home configuration.
(service nix-service-type)
#+end_src
** TODO Home configuration
https://guix.gnu.org/en/manual/devel/en/html_node/Home-Configuration.html
#+begin_src scheme :noweb-ref home-dump :tangle home-configuration.scm
;; Guix Home declaration for user "marek", tangled to home-configuration.scm.
(define-module (systems aisaka home-configuration)
  #:use-module (gnu home)
  #:use-module (gnu home services)
  #:use-module (gnu home services shells)
  #:use-module (gnu packages)
  #:use-module (gnu services)
  #:use-module (guix gexp))

;; Command fragments assembled into the shell aliases further down.  Every
;; fragment carries a trailing space so they can simply be concatenated.
;;
;; Naming convention: a trailing "-" marks the "weakened" variant of a
;; command.  Those variants disable two safety checks of guix pull /
;; reconfigure -- the downgrade check (--allow-downgrades) and channel
;; authentication (--disable-authentication, i.e. commit signatures of
;; the channels are not verified).  They are appropriate for recovery
;; only; the plain aliases should be the everyday path.
(define allow-downgrades "--allow-downgrades ")
(define config-prefix "/home/marek/Publiczny/src/deployment/systems/aisaka/")
(define pull-guix "guix pull ")
(define pull-guix- (string-append pull-guix allow-downgrades "--disable-authentication "))
(define guix-home "guix home reconfigure ")
(define home-configuration "home-configuration.scm ")
(define reconfigure-home (string-append guix-home config-prefix home-configuration))
(define reconfigure-home- (string-append reconfigure-home allow-downgrades))
(define guix-system "sudo guix system reconfigure ")
(define system-configuration "system-configuration.scm ")
(define reconfigure-system (string-append guix-system config-prefix system-configuration))
(define reconfigure-system- (string-append reconfigure-system allow-downgrades))
;; NOTE(review): this shadows the core `and' form inside this module.  It
;; works only because `and' is never used as a conditional here; a name
;; that is not a Scheme keyword would be safer.
(define and "&& ")
;; Full update: pull, reconfigure system, reconfigure home, then delete
;; system generations older than 7 days (which also limits how far back a
;; rollback can go).
(define system-update (string-append pull-guix and reconfigure-system and reconfigure-home and "sudo guix gc -d 7d"))
(define system-update- (string-append pull-guix- and reconfigure-system- and reconfigure-home- and "sudo guix gc -d 7d"))

(home-environment
 ;; "<>" is presumably the string->package helper (to-package+output).
 (packages (map <> '("adwaita-icon-theme"
                     "alacritty"
                     "clamav"
                     "cpupower"
                     "dconf-editor"
                     "emacs-next"
                     "emacs-aggressive-indent"
                     "emacs-eldoc"
                     "emacs-geiser"
                     "emacs-geiser-guile"
                     "emacs-nix-mode"
                     "emacs-nov-el"
                     "emacs-org-contacts"
                     "emacs-org-contrib"
                     "emacs-paredit"
                     "font-google-noto"
                     "git"
                     "git-lfs"
                     "gnome-tweaks"
                     "gnupg"
                     "hicolor-icon-theme"
                     "icecat"
                     "jami"
                     "libadwaita"
                     "libreoffice"
                     "nm-tray"
                     "pwgen"
                     "seahorse"
                     "sicp"
                     "strace"
                     "unzip"
                     "zip")))
 (services (list
            ;; Two noweb references lost in extraction (home-side service
            ;; blocks defined below, e.g. the SSH client configuration).
            <>
            <>
            ;; Profile-only service whose package list is currently empty
            ;; (the only entry is commented out).
            (service (service-type
                      (name 'org-fc-tn-package)
                      (extensions
                       (list (service-extension
                              home-profile-service-type
                              (lambda (_)
                                (map specification->package
                                     (list ;; "emacs-org-fc-tn"
                                      ))))))
                      (description "Custom version of ORG-FC.")
                      (default-value #f)))
            <>
            ;; <>
            (service home-bash-service-type
                     (home-bash-configuration
                      ;; The Nix profile is appended to PATH, so Guix
                      ;; binaries keep precedence over Nix ones.
                      (environment-variables
                       '(("EDITOR" . "emacs -nw")
                         ("GUILE_AUTO_COMPILE" . "0")
                         ("PATH" . "$PATH:/home/marek/.nix-profile/bin")))
                      ;; Aliases; the guix ones come from the command
                      ;; fragments defined above.
                      (aliases
                       `(("grep" . "grep --color=auto ")
                         ("ll" . "ls -l ")
                         ("ls" . "ls -p --color=auto ")
                         ("nix" . "nix --extra-experimental-features flakes --extra-experimental-features nix-command")
                         ("pull-guix" . ,pull-guix)
                         ("pull-guix-" . ,pull-guix-)
                         ("reconfigure-home" . ,reconfigure-home)
                         ("reconfigure-home-" . ,reconfigure-home-)
                         ("reconfigure-system" . ,reconfigure-system)
                         ("reconfigure-system-" . ,reconfigure-system-)
                         ("system-update" . ,system-update)
                         ("system-update-" . ,system-update-)))
                      (bashrc (list (local-file "data/bashrc")))))
            ;; Channel declaration, currently disabled.  If re-enabled,
            ;; keep the channel introductions: they are what lets guix
            ;; pull authenticate a channel's commits.
            ;; (service
            ;;  home-channels-service-type
            ;;  (list
            ;;   (channel
            ;;    (name 'guix)
            ;;    (url "https://git.savannah.gnu.org/git/guix.git"))
            ;;   (channel
            ;;    (name 'jeko)
            ;;    (url "https://framagit.org/Jeko/guix-jeko-channel.git"))
            ;;   (channel
            ;;    (name 'nonguix)
            ;;    (url "https://gitlab.com/nonguix/nonguix")
            ;;    ;; Enable signature verification:
            ;;    (introduction
            ;;     (make-channel-introduction
            ;;      "897c1a470da759236cc11798f4e0a5f7d4d59fbc"
            ;;      (openpgp-fingerprint "2A39 3FFF 68F4 EF7A 3D29 12AF 6F51 20A0 22FB B2D5"))))
            ;;   (channel (name 'org-fc-tn)
            ;;            (url "file:///home/marek/src/org-fc")
            ;;            (branch "repository"))
            ;;   (channel (name 'packages)
            ;;            (url "file:///home/marek/src/packages")
            ;;            (branch "master"))
            ;;   (channel (name 'channel)
            ;;            (url "https://git.marekpasnikowski.pl/git/channel.git")
            ;;            (branch "wip-channel")
            ;;            (introduction
            ;;             (make-channel-introduction
            ;;              "f8ccfe8f3e5c8bafe06665cbd4b0c9301e1a64b6"
            ;;              (openpgp-fingerprint
            ;;               "590E 500F E39D 26B3 E60B 743B 6D81 B120 7711 899F"))))))
            ;; Dotfiles tangled from the blocks below.
            (simple-service 'configuration-files
                            home-files-service-type
                            `((".config/git/config" ,(local-file "data/git-config"))
                              (".emacs" ,(local-file "data/emacs-config")))))))
#+end_src
*** TODO bashrc
#+begin_src shell :tangle data/bashrc
# NOTE(review): LD_LIBRARY_PATH overrides library resolution for every
# dynamically linked program started from this shell, including setuid-free
# but security-sensitive ones (gnupg, ssh).  Guix profiles normally do not
# need it; confirm which program requires this and consider scoping the
# variable to that program only.
export LD_LIBRARY_PATH=$LIBRARY_PATH
#+end_src
*** TODO emacs
#+begin_src elisp :tangle data/emacs-config
;;; Disable auto-backup
(setq-default make-backup-files nil)

;;; https://github.com/fimblo/dot.emacs
;;; Theme Activation
(load-theme 'manoj-dark)

;;; Enable ParEdit
(add-hook 'prog-mode-hook 'enable-paredit-mode)

;;; https://elpa.gnu.org/packages/aggressive-indent.html
;;; Automatic Activation of Aggressive Indent
(global-aggressive-indent-mode)

;; Highlight the pair of delimiters under the cursor
(setq-default show-paren-mode 1
              show-paren-delay 0)

;;; https://guix.gnu.org/manual/en/html_node/The-Perfect-Setup.html
;;; Copyright Information
(setq-default user-full-name "Marek Paśnikowski"
              user-mail-address "marekpasnikowski@protonmail.com")

;;; Startup Screen Inhibition
(setq-default inhibit-startup-screen t)

;; Enable the column-80 line
(setq-default display-fill-column-indicator 1
              display-fill-column-indicator-column 80)
(global-display-fill-column-indicator-mode)

;; Prepare Literate Programming
;; NOTE(review): org-confirm-babel-evaluate nil removes the confirmation
;; prompt before Org evaluates a source block, so code blocks in any .org
;; file opened here (including ones received from others) run without a
;; question on C-c C-c or export.  Keep it nil only if every Org file you
;; open is your own.
(setq-default org-startup-indented t
              org-confirm-babel-evaluate nil
              org-src-fontify-natively t
              org-src-tab-acts-natively t)
(org-babel-do-load-languages
 'org-babel-load-languages
 '((emacs-lisp . t)
   (scheme . t)
   (shell . t)))

(add-to-list 'auto-mode-alist '("\\.epub\\'" . nov-mode))
;; Monospace Font in Ebook Reader
(setq-default nov-variable-pitch nil)

;; Disable Toolbar
(tool-bar-mode -1)

;; GNUS Configuration
;; Both IMAP accounts use TLS on port 993.  Credentials are read from
;; ~/.authinfo, which is a plain-text file; auth-source also accepts
;; ~/.authinfo.gpg if you prefer the secrets encrypted at rest.
(setq-default gnus-auto-select-first nil
              gnus-select-method '(nnnil "")
              gnus-secondary-select-methods
              '((nnimap "outlook"
                        (nnimap-address "outlook.office365.com")
                        (nnimap-server-port 993)
                        (nnimap-stream ssl)
                        (nnimap-authinfo-file "~/.authinfo"))
                (nnimap "home"
                        (nnimap-address "serwer1930490.home.pl")
                        (nnimap-server-port 993)
                        (nnimap-stream ssl)
                        (nnimap-authinfo-file "~/.authinfo")))
              nnmail-split-method 'nnmail-split-fancy
              nnmail-split-fancy '(| "normal"))
(add-hook 'gnus-group-mode-hook 'gnus-topic-mode)

;; Org Configuration
(setq-default org-contacts-files '("~/Dokumenty/UWM/filia w Ełku/Samorząd 2022/starostowie.org"))

;; ORG-FC Configuration
(require 'org-fc-hydra)
(setq-default org-fc-algorithm 'tn
              org-fc-directories '("~/Dokumenty/fiszki"))

;; Nix Mode
(require 'nix-mode)
(add-to-list 'auto-mode-alist '("\\.nix\\'" . nix-mode))
#+end_src
*** TODO git-config
#+begin_src shell :tangle data/git-config
# Two noweb references lost in extraction -- presumably the
# git-user-config and git-sendemail-config blocks.
<>
<>
#+end_src
**** TODO User Configuration
#+begin_src shell :noweb-ref git-user-config
[user]
	name = "Marek Paśnikowski"
	email = "marekpasnikowski@protonmail.com"
#+end_src
* TODO Git Send Email
https://git-send-email.io/
** TODO Installation
https://git-send-email.io/#step-1
#+begin_src scheme :noweb-ref git-sendemail-packages
;; Installs git together with its send-email output into the home profile.
;; "<>" is presumably the string->package helper (to-package+output),
;; which is needed here because "git:send-email" names a package output.
(service (service-type
          (name 'git-sendemail-packages)
          (extensions
           (list (service-extension
                  home-profile-service-type
                  (lambda (_)
                    (map <> (list "git" "git:send-email"))))))
          (description "Git Send Email")
          (default-value #f)))
#+end_src
** TODO Configuration
https://git-send-email.io/#step-2
#+begin_src shell :noweb-ref git-sendemail-config
# NOTE(review): an empty smtpsslcertpath tells git send-email to skip
# certificate verification of the TLS connection.  That is tolerable only
# because the relay is on localhost; do not reuse this stanza for a
# remote smtpserver.
[sendemail]
	smtpencryption = tls
	smtpserver = localhost
	smtpserverport = 1025
	smtpsslcertpath = ""
	smtpuser = marekpasnikowski@protonmail.com
#+end_src
* TODO LIBREBOOT
The first layer of computing is the firmware. The Lenovo Thinkpad X200 has a free Libreboot firmware installed. It is a good idea to keep it up to date.
** TODO Flashrom
Flashrom program is needed to write the computer firmware. The program needs a relaxed kernel security feature.
#+begin_src scheme :noweb-ref flashrom-package
;; Installs flashrom into the home profile.  Writing the firmware also
;; needs a kernel-side relaxation (see the prose above); that setting is
;; not part of this declaration, so enable it only for the duration of a
;; flash.
(service (service-type
          (name 'flashrom-package)
          (extensions
           `(,(service-extension
               home-profile-service-type
               (lambda (_)
                 (map specification->package '("flashrom"))))))
          (description "Flashrom installation.")
          (default-value #f)))
#+end_src
* TODO File Systems
This system has a very simple file system - a boot partition, main partition for everything else and swap. The main partition is encrypted.
** Mapped Devices
Data encryption layer, password protected. The LUKS encryption type is used.
#+begin_src scheme :noweb-ref luks
;; LUKS container holding the root file system; unlocked as
;; /dev/mapper/aisaka-root.  Addressed by UUID, so it survives device
;; renumbering.
(mapped-device
 (source (uuid "887ac37f-2919-41a0-a62a-e1ff5ea2d6cc"))
 (target "aisaka-root")
 (type luks-device-mapping))
#+end_src
** File Systems
The data is split into an unencrypted boot partition and encrypted root filesystem.
*** Root File System
The root filesystem is mounted on the encryption layer. Its type is BTRFS.
#+begin_src scheme :noweb-ref rootfs
;; Root on the LUKS mapping above; the dependency makes the initrd unlock
;; the container before mounting.
(file-system
 (mount-point "/")
 (device "/dev/mapper/aisaka-root")
 (type "btrfs")
 (dependencies mapped-devices))
#+end_src
*** Boot File System
The boot partition is on EXT4 filesystem.
#+begin_src scheme :noweb-ref bootfs
;; /boot is outside the encrypted container, so kernel and initrd are
;; stored in clear and rely on the firmware (Libreboot, above) for
;; whatever integrity guarantee exists before the root is unlocked.
(file-system
 (mount-point "/boot")
 (device (uuid "4f77b5fc-56ad-43ae-b6ec-e5adc8c48587"))
 (type "ext4"))
#+end_src
** Swap Devices
Swap takes half the storage space in order to facilitate edge cases of memory without overprovisioning, as well as to prolog the lifetime of SSD.
#+begin_src scheme :noweb-ref swap
;; NOTE(review): the swap target is a raw partition UUID rather than a
;; device under the LUKS mapping, so -- unless that UUID lives inside the
;; encrypted layer -- anything paged out (including key material of the
;; unlocked root) is written to disk unencrypted.  Confirm this is the
;; intended trade-off for an otherwise encrypted system.
(swap-space
 (target (uuid "73bed3f9-be07-40ad-a228-577cd24f2e1d")))
#+end_src
* TODO System Servers
** TODO Secure Shell
*** TODO SSH Installation
#+begin_src scheme :noweb-ref ssh-system-service
;; OpenSSH server with Guix defaults; nothing is overridden, so review the
;; password-authentication? and permit-root-login defaults of
;; openssh-configuration before exposing this host.
(service openssh-service-type)
#+end_src
*** TODO SSH Configuration
#+begin_src scheme :noweb-ref ssh-user-configuration
;; Installs ~/.ssh/config from the ssh-config block below.
;; NOTE(review): the string literal reads "\ <>\n" after extraction; in
;; the original this is presumably a backslash-newline continuation
;; followed by the <<ssh-config>> reference -- restore before tangling.
(simple-service 'ssh-configuration*
                home-files-service-type
                `((".ssh/config" ,(plain-file "ssh-config" "\ <>\n"))))
#+end_src
**** TODO SSH Configuration File
#+begin_src shell :noweb-ref ssh-config
# Every .onion host is reached through the local Tor SOCKS5 port; this
# requires an nc that understands the OpenBSD -x/-X options.
Host *.onion
  ProxyCommand nc -x localhost:9050 -X5 %h %p
Host kynio.onion
  User kynio
  Hostname prnpi5oblk35gzcihbgu3227xvanisouxgbejri57bnzjawcksq4l7yd.onion
  Port 22
#+end_src
* TODO Device Management
https://www.linuxfromscratch.org/lfs/view/11.1/chapter09/symlinks.html
** TODO Trezor
https://trezor.io/trezor-model-t
*** TODO Trezor System Packages
#+begin_src scheme :noweb-ref trezor-system-packages
;; System-profile packages for the Trezor bridge daemon and its udev rules.
(service (service-type
          (name 'trezor-system-packages)
          (extensions
           (list (service-extension
                  profile-service-type
                  (lambda (_)
                    (map specification->package
                         (list "trezord" "trezord-udev-rules"))))))
          (description "TrezorD packages needed by the system.")
          (default-value #f)))
#+end_src
*** TODO Trezor User Packages
#+begin_src scheme :noweb-ref trezor-user-packages
;; Home-profile package for using the Trezor as an SSH/GPG agent.
(service (service-type
          (name 'trezor-user-packages)
          (extensions
           (list (service-extension
                  home-profile-service-type
                  (lambda (_)
                    (map specification->package (list "trezor-agent"))))))
          (description "Trezor packages for the user.")
          (default-value #f)))
#+end_src
*** TODO Trezor Udev Services
#+begin_src scheme :noweb-ref trezor-udev-rules
;; Registers the udev rules that grant device access to the Trezor.
(udev-rules-service 'trezord trezord-udev-rules)
#+end_src
* TODO Helpers
** TODO String to Package
#+begin_src scheme :noweb-ref to-package+output
;; Turns a "package" or "package:output" spec into a (package output)
;; list, the form accepted by the packages fields above.  Presumably what
;; the "<>" placeholders in (map <> ...) refer to.
(compose list specification->package+output)
#+end_src