authorKenny Ballou <kb@devnulllabs.io>2022-04-04 10:05:49 -0600
committerKenny Ballou <kb@devnulllabs.io>2022-04-04 10:05:49 -0600
commit8345401532f6f304748b6381497ef9d516f56a5c (patch)
tree97a7520d6ffab5744030c5e8047e3ddf1e615606 /systems
parentc07c96a88a68c09dc3c79378f7fbb23fb8bbb0f4 (diff)
systems|homes: add yak
New machine, it's a yak. Signed-off-by: Kenny Ballou <kb@devnulllabs.io>
Diffstat (limited to 'systems')
-rw-r--r--systems/yak.scm152
-rw-r--r--systems/yak/nftables-rules.nft74
2 files changed, 226 insertions, 0 deletions
diff --git a/systems/yak.scm b/systems/yak.scm
new file mode 100644
index 00000000..e0e3637f
--- /dev/null
+++ b/systems/yak.scm
@@ -0,0 +1,152 @@
+(define-module (systems daeva)
+ #:use-module (guix)
+ #:use-module (guix records)
+ #:use-module (guix utils)
+ #:use-module (gnu)
+ #:use-module (gnu packages)
+ #:use-module (gnu services avahi)
+ #:use-module (gnu services base)
+ #:use-module (gnu services cups)
+ #:use-module (gnu services dbus)
+ #:use-module (gnu services desktop)
+ #:use-module (gnu services linux)
+ #:use-module (gnu services mcron)
+ #:use-module (gnu services networking)
+ #:use-module (gnu services nix)
+ #:use-module (gnu services pm)
+ #:use-module (gnu services security-token)
+ #:use-module (gnu services ssh)
+ #:use-module (gnu services xorg)
+ #:use-module (gnu system nss)
+ #:use-module (gnu packages cups)
+ #:use-module (gnu packages gnome)
+ #:use-module (nongnu packages linux)
+ #:use-module (nongnu packages mozilla)
+ #:use-module (nongnu packages printers)
+ #:use-module (nongnu system linux-initrd)
+ #:use-module (kbg)
+ #:use-module (kbg packages profiles base)
+ #:use-module (kbg packages profiles desktop)
+ #:use-module (kbg packages gnome)
+ #:use-module (kbg services desktop)
+ #:use-module (kbg services nftables)
+ #:use-module (kbg system setuid-programs)
+ #:use-module ((kbg system mcron) :prefix mcron:)
+ #:use-module (kbg system xorg))
+
+(define install-grub-efi-removable
+ #~(lambda (bootloader efi-dir mount-point)
+ (when efi-dir
+ (let ((grub-install (string-append bootloader "/sbin/grub-install"))
+ (install-dir (string-append mount-point "/boot"))
+ (target-esp (if (file-exists? (string-append mount-point efi-dir))
+ (string-append mount-point efi-dir)
+ efi-dir)))
+ (invoke/quiet grub-install "--boot-directory" install-dir
+ "--efi-directory" target-esp
+ "--removable")))))
+
+(define grub-efi-removable
+ (bootloader
+ (inherit grub-efi-bootloader)
+ (installer install-grub-efi-removable)))
+
+(define yak-system
+ (operating-system
+ (kernel linux)
+ (firmware (list linux-firmware))
+ (initrd microcode-initrd)
+ (host-name "yak")
+ (timezone "America/Boise")
+ (locale "en_US.utf8")
+
+ (initrd-modules %base-initrd-modules)
+
+ (keyboard-layout (keyboard-layout "us" #:options '("ctrl:nocaps")))
+
+ (bootloader (bootloader-configuration
+ (bootloader grub-efi-bootloader)
+ (targets '("/boot/efi"))
+ (keyboard-layout keyboard-layout)))
+
+ (file-systems (append
+ (list (file-system
+ (device (uuid "acc24667-d071-48dc-81f7-b077e838b29f"))
+ (mount-point "/")
+ (type "ext4"))
+ (file-system
+ (device (uuid "EAB6-6000" 'fat))
+ (mount-point "/boot/efi")
+ (type "vfat"))
+ (file-system
+ (device (uuid "1ca489ef-8d04-40a5-bd1c-a5ee9333a27a"))
+ (mount-point "/home")
+ (type "xfs")))
+ %base-file-systems))
+
+ ;; uuid=47b44fb7-4f6f-4ef5-bb17-2c509a80bc52
+ (swap-devices (list (swap-space (target "/swapfile"))))
+
+ (users (cons (user-account
+ (name "kb")
+ (group "users")
+ (supplementary-groups '("audio"
+ "input"
+ "kvm"
+ "lp"
+ "netdev"
+ "tty"
+ "video"
+ "wheel")))
+ %base-user-accounts))
+
+ ;; This is where we specify system-wide packages.
+ (packages (append %kbg-base-packages
+ %kbg-bare-desktop-packages
+ %base-packages))
+
+ ;; Add GNOME and Xfce---we can choose at the log-in screen
+ ;; by clicking the gear. Use the "desktop" services, which
+ ;; include the X11 log-in service, networking with
+ ;; NetworkManager, and more.
+ (services (append (list (service gnome-desktop-service-type
+ (gnome-desktop-configuration
+ (gnome gnome-sans-ssh-agent)))
+ ;;(geoclue-service)
+ (bluetooth-service #:auto-enable? #t)
+ (service cups-service-type
+ (cups-configuration
+ (web-interface? #t)
+ (extensions
+ (list cups-filters hplip-minimal splix))))
+ (set-xorg-configuration
+ (xorg-configuration
+ (keyboard-layout keyboard-layout)
+ (extra-config (list %xorg-libinput-config))))
+ (service nix-service-type)
+ (service pcscd-service-type)
+ (service tlp-service-type
+ (tlp-configuration
+ (cpu-scaling-governor-on-ac (list "performance"))
+ ;; (cpu-scaling-min-freq-on-ac 2400000)
+ (cpu-boost-on-ac? #t)
+ (energy-perf-policy-on-ac "performance")
+ (pcie-aspm-on-ac "performance")))
+ (service openssh-service-type
+ (openssh-configuration
+ (x11-forwarding? #f)
+ (password-authentication? #f)
+ (permit-root-login 'prohibit-password)))
+ (nftables-service "yak")
+ (simple-service 'my-cron-jobs
+ mcron-service-type
+ (list mcron:guix-gc-repair-job)))
+ %kbg-desktop-services))
+
+ ;; Allow resolution of '.local' host names with mDNS.
+ (name-service-switch %mdns-host-lookup-nss)
+
+ (setuid-programs (append %kb-setuid-programs
+ %setuid-programs))))
+
+yak-system
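Review bot: The module name on the first line of the hunk, `(define-module (systems daeva)`, does not match the new file's path `systems/yak.scm`; Guile resolves modules by path, so this looks like a copy-over from another host's config and should read `(define-module (systems yak)`. Separately, `grub-efi-removable` and its installer `install-grub-efi-removable` are defined but never referenced — the `bootloader-configuration` further down uses plain `grub-efi-bootloader` — so either the removable installer was meant to be used there or the two definitions are dead code and can be dropped. The commented-out `;; uuid=47b44fb7-…` above `swap-devices` would be clearer as `;; /swapfile lives on the root fs (uuid …); no separate swap partition` so a reader knows why a UUID is noted but unused.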
diff --git a/systems/yak/nftables-rules.nft b/systems/yak/nftables-rules.nft
new file mode 100644
index 00000000..c572c647
--- /dev/null
+++ b/systems/yak/nftables-rules.nft
@@ -0,0 +1,74 @@
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ ct state invalid counter drop comment "drop invalid packets"
+ ct state established,related counter accept comment "accept related connections"
+ iif lo counter accept
+ iif != lo ip daddr 127.0.0.1/8 counter drop
+ iif != lo ip6 daddr ::1/128 counter drop
+ ip protocol icmp counter accept
+ ip6 nexthdr ipv6-icmp counter accept
+ udp dport domain ip saddr 172.16.0.0/12 counter accept
+ tcp dport ssh counter accept
+ tcp dport 3000 ip saddr 127.0.0.1/8 counter accept
+ tcp dport 8000 ip saddr 127.0.0.1/8 counter accept
+ tcp dport 8080 ip saddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
+ tcp dport 1714-1764 ip saddr 10.0.0.0/8 counter accept comment "KDEConnect"
+ udp dport 1714-1764 ip saddr 10.0.0.0/8 counter accept comment "KDEConnect"
+ tcp dport http-alt ip saddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
+ counter
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ ct state established,related counter accept
+ counter
+ }
+
+ chain output {
+ type filter hook output priority 0; policy drop;
+ ct state established,related counter accept
+ icmp type echo-request counter accept
+ icmp type echo-reply counter accept
+ ip daddr 127.0.0.0/8 counter accept
+ ip6 daddr ::1 counter accept
+ udp dport domain counter accept
+ tcp dport 853 counter accept comment "DNS over TLS"
+ udp dport 853 counter accept comment "DNS over TLS"
+ tcp dport http counter accept
+ tcp dport https counter accept
+ udp dport https counter accept
+ tcp dport ssh counter accept
+ tcp dport bootps counter accept
+ udp dport bootps counter accept
+ tcp dport ntp counter accept
+ udp dport ntp counter accept
+ tcp dport nntps counter accept
+ udp dport nntps counter accept
+ tcp dport submission counter accept
+ tcp dport imaps counter accept
+ tcp dport 2222 counter accept
+ tcp dport hkp counter accept
+ udp dport hkp counter accept
+ tcp dport 9100 counter accept
+ tcp dport git counter accept
+ udp dport git counter accept
+ tcp dport rsync counter accept
+ udp dport rsync counter accept
+ tcp dport 8000 counter accept
+ tcp dport http-alt counter accept
+ udp dport openvpn counter accept
+ tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
+ tcp dport 5222 counter accept comment "XMPP"
+ tcp dport 6697 counter accept comment "IRC"
+ tcp dport 2049 ip daddr 10.0.0.0/8 counter accept comment "NFS"
+ udp dport 2049 ip daddr 10.0.0.0/8 counter accept comment "NFS"
+ tcp dport 20048 ip daddr 10.0.0.0/8 counter accept comment "NFS"
+ udp dport 20048 ip daddr 10.0.0.0/8 counter accept comment "NFS"
+ udp dport 19302-19309 counter accept comment "Google Meet Ports"
+ tcp dport 1714-1764 counter accept comment "KDEConnect"
+ udp dport 1714-1764 counter accept comment "KDEConnect"
+ udp dport 51820 counter accept comment "WireGuard"
+ counter
+ }
+}
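Review bot: The `output` chain (policy drop) accepts no ICMPv6 at all, while `input` does (`ip6 nexthdr ipv6-icmp counter accept`); neighbor/router solicitations originated by this host are not `established,related` conntrack traffic, so unless IPv6 is disabled on yak they will be dropped and IPv6 connectivity will not come up — adding `ip6 nexthdr ipv6-icmp counter accept` to `output` next to the two `icmp type` rules would fix that. The companion `systems/yak.scm` in this commit enables mDNS host lookup (`%mdns-host-lookup-nss`), but neither chain allows `udp dport mdns`, so `.local` resolution will be blocked by this ruleset; `udp dport mdns counter accept` is needed in both `input` and `output` (and `udp dport dhcpv6-client` in `output` if IPv6 addresses are obtained via DHCPv6, which the rules do not show). As a point of style, every other inbound service in `input` is scoped by `ip saddr`, but `tcp dport ssh counter accept` is world-reachable; since the sshd config in this commit is key-only this is defensible, but scoping it to the same `10.0.0.0/8` as the other rules would keep the chain consistent and document the intent.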