author | Kenny Ballou <kb@devnulllabs.io> | 2023-02-19 23:54:28 -0700 |
committer | Kenny Ballou <kb@devnulllabs.io> | 2023-02-19 23:55:23 -0700 |
commit | 971160f662b5fe6dd71fa2c155bb3317d67b7078 (patch) | |
tree | 1314ad8dc959128a3ef71f0500dff28c515aefd4 /systems | |
parent | cc98b5b811f4a8d0282eeb33d6e27e3d9f86ca86 (diff) | |
download | dotfiles-971160f662b5fe6dd71fa2c155bb3317d67b7078.tar.gz dotfiles-971160f662b5fe6dd71fa2c155bb3317d67b7078.tar.xz |
add axo machine
laptop to replace the near bomb of the old laptop.
Signed-off-by: Kenny Ballou <kb@devnulllabs.io>
Diffstat (limited to 'systems')
-rw-r--r-- | systems/axo.scm | 198 | ||||
-rw-r--r-- | systems/axo/nftables-rules.nft | 70 |
2 files changed, 268 insertions, 0 deletions
diff --git a/systems/axo.scm b/systems/axo.scm
new file mode 100644
index 00000000..11aba572
--- /dev/null
+++ b/systems/axo.scm
@@ -0,0 +1,198 @@
+(define-module (systems axo)
+ #:use-module (guix)
+ #:use-module (guix records)
+ #:use-module (guix utils)
+ #:use-module (gnu)
+ #:use-module (gnu packages)
+ #:use-module (gnu services avahi)
+ #:use-module (gnu services base)
+ #:use-module (gnu services cups)
+ #:use-module (gnu services dbus)
+ #:use-module (gnu services desktop)
+ #:use-module (gnu services docker)
+ #:use-module (gnu services linux)
+ #:use-module (gnu services mcron)
+ #:use-module (gnu services networking)
+ #:use-module (gnu services nix)
+ #:use-module (gnu services pm)
+ #:use-module (gnu services security-token)
+ #:use-module (gnu services virtualization)
+ #:use-module (gnu services xorg)
+ #:use-module (gnu system nss)
+ #:use-module (gnu packages gnome)
+ #:use-module (gnu packages linux)
+ #:use-module (nongnu packages linux)
+ #:use-module (nongnu packages mozilla)
+ #:use-module (nongnu packages printers)
+ #:use-module (nongnu system linux-initrd)
+ #:use-module (kbg)
+ #:use-module (kbg packages profiles base)
+ #:use-module (kbg packages profiles desktop)
+ #:use-module (kbg services desktop)
+ #:use-module (kbg services dict)
+ #:use-module (kbg services nftables)
+ #:use-module ((kbg system mcron) :prefix mcron:)
+ #:use-module (kbg system xorg))
+
+(define axo-system
+ (operating-system
+ (kernel linux)
+ (kernel-loadable-modules
+ (list v4l2loopback-linux-module))
+ (firmware (list linux-firmware))
+ (initrd microcode-initrd)
+ (host-name "axo")
+ (timezone "America/Boise")
+ (locale "en_US.utf8")
+
+ (initrd-modules (append (list "dm-crypt") %base-initrd-modules))
+
+ (keyboard-layout (keyboard-layout "us" #:options '("ctrl:nocaps")))
+
+ (bootloader (bootloader-configuration
+ (bootloader grub-efi-bootloader)
+ (targets '("/boot/efi"))
+ (keyboard-layout keyboard-layout)))
+
+ (mapped-devices
+ (list (mapped-device
+ (source (uuid "f1e8d842-1c63-4311-803d-938f31d48d49"))
+ (target "luks-f1e8d842-1c63-4311-803d-938f31d48d49")
+ (type luks-device-mapping))
+ (mapped-device
+ (source "vg0")
+ (targets (list "vg0-guix"
+ "vg0-home"
+ "vg0-nix"
+ "vg0-root"
+ "vg0-swap"
+ "vg0-tmp"
+ "vg0-var"
+ "vg0-var"))
+ (type lvm-device-mapping))))
+
+ (file-systems (append
+ (list (file-system
+ (device "/dev/mapper/vg0-root")
+ (mount-point "/")
+ (type "ext4")
+ (needed-for-boot? #t)
+ (dependencies mapped-devices))
+ (file-system
+ (device "/dev/mapper/vg0-guix")
+ (mount-point "/gnu")
+ (type "xfs")
+ (needed-for-boot? #t)
+ (dependencies mapped-devices))
+ (file-system
+ (device "/dev/mapper/vg0-nix")
+ (mount-point "/nix")
+ (type "xfs")
+ (needed-for-boot? #f)
+ (dependencies mapped-devices))
+ (file-system
+ (device "/dev/mapper/vg0-var")
+ (mount-point "/var")
+ (type "ext4")
+ (needed-for-boot? #t)
+ (dependencies mapped-devices))
+ (file-system
+ (device "/dev/mapper/vg0-tmp")
+ (mount-point "/tmp")
+ (type "ext4")
+ (needed-for-boot? #t)
+ (dependencies mapped-devices))
+ (file-system
+ (device "/dev/mapper/vg0-opt")
+ (mount-point "/opt")
+ (type "ext4")
+ (needed-for-boot? #f)
+ (dependencies mapped-devices))
+ (file-system
+ (device "/dev/mapper/vg0-home")
+ (mount-point "/home")
+ (type "xfs")
+ (needed-for-boot? #t)
+ (dependencies mapped-devices))
+ (file-system
+ (device (uuid "5A5D-20AF" 'fat))
+ (mount-point "/boot/efi")
+ (type "vfat")
+ (dependencies mapped-devices)))
+ %base-file-systems))
+
+ (swap-devices (list (swap-space (target "/dev/mapper/vg0-swap")
+ (discard? #f)
+ (dependencies mapped-devices))))
+
+ (users (cons (user-account
+ (name "kb")
+ (group "users")
+ (supplementary-groups '("audio"
+ "input"
+ "kvm"
+ "libvirt"
+ "lp"
+ "netdev"
+ "tty"
+ "video"
+ "wheel")))
+ %base-user-accounts))
+
+ ;; This is where we specify system-wide packages.
+ (packages (append %kbg-base-packages
+ %kbg-bare-desktop-packages
+ %base-packages))
+
+ ;; Add GNOME and Xfce---we can choose at the log-in screen
+ ;; by clicking the gear. Use the "desktop" services, which
+ ;; include the X11 log-in service, networking with
+ ;; NetworkManager, and more.
+ (services (append (list (service gnome-desktop-service-type)
+ ;;(geoclue-service)
+ (bluetooth-service #:auto-enable? #t)
+ (service cups-service-type
+ (cups-configuration
+ (web-interface? #t)))
+ dictionary-service
+ (set-xorg-configuration
+ (xorg-configuration
+ (keyboard-layout keyboard-layout)
+ (extra-config (list %xorg-libinput-config))))
+ (service nix-service-type)
+ (service pcscd-service-type)
+ (service tlp-service-type
+ (tlp-configuration
+ (cpu-scaling-governor-on-ac (list "performance"))
+ (cpu-scaling-governor-on-bat (list "powersave"))
+ ;; (cpu-scaling-min-freq-on-ac 2400000)
+ ;; (cpu-scaling-min-freq-on-bat 1200000)
+ (cpu-boost-on-ac? #t)
+ (cpu-boost-on-bat? #f)
+ (energy-perf-policy-on-ac "performance")
+ (energy-perf-policy-on-bat "powersave")
+ (pcie-aspm-on-ac "performance")
+ (pcie-aspm-on-bat "powersupersave")))
+ (nftables-service "axo")
+ (simple-service 'my-cron-jobs
+ mcron-service-type
+ (list mcron:guix-gc-repair-job))
+ (service singularity-service-type)
+ (service virtlog-service-type)
+ (service libvirt-service-type)
+ (service tor-service-type
+ (tor-configuration))
+ (simple-service 'subordinate-ids
+ special-files-service-type
+ `(("/etc/subuid" ,(mixed-text-file "subuid"
+ "kb:100000:65536"
+ "\n"))
+ ("/etc/subgid" ,(mixed-text-file "subgid"
+ "kb:100000:65536"
+ "\n")))))
+ %kbg-desktop-services))
+
+ ;; Allow resolution of '.local' host names with mDNS.
+ (name-service-switch %mdns-host-lookup-nss)))
+
+axo-system
diff --git a/systems/axo/nftables-rules.nft b/systems/axo/nftables-rules.nft
new file mode 100644
index 00000000..b5e20c26
--- /dev/null
+++ b/systems/axo/nftables-rules.nft
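Review bot: The LVM `mapped-device` lists `"vg0-var"` twice and never lists `"vg0-opt"`, yet the `file-systems` list declares `/dev/mapper/vg0-opt` for `/opt` with `(dependencies mapped-devices)`; the second `"vg0-var"` reads like a copy-paste slip and should be `"vg0-opt"`. As written, the dependency that `/opt` declares does not name the volume it actually mounts, so whether that mount comes up presumably rests on the whole volume group being activated rather than on anything this configuration states. The comment above `services` still says "Add GNOME and Xfce---we can choose at the log-in screen by clicking the gear", but only `gnome-desktop-service-type` is added; `;; GNOME via the "desktop" services, which include the X11 log-in service, networking with NetworkManager, and more.` would match the code. `(gnu services docker)` and `(nongnu packages mozilla)` are imported but nothing in this file uses them, so they can be dropped or the intended service/package added.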
@@ -0,0 +1,70 @@
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ ct state invalid drop comment "drop invalid packets"
+ ct state established,related accept comment "accept related connections"
+ iif lo accept
+ iif != lo ip daddr 127.0.0.1/8 drop
+ iif != lo ip6 daddr ::1/128 drop
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ udp dport domain ip saddr 172.16.0.0/12 accept
+ tcp dport 3000 ip saddr 127.0.0.1/8 accept
+ tcp dport 8000 ip saddr 127.0.0.1/8 accept
+ tcp dport 8080 ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept
+ tcp dport 1714-1764 ip saddr 10.0.0.0/8 accept comment "KDEConnect"
+ udp dport 1714-1764 ip saddr 10.0.0.0/8 accept comment "KDEConnect"
+ tcp dport http-alt ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ ct state established,related accept
+ }
+
+ chain output {
+ type filter hook output priority 0; policy drop;
+ ct state established,related accept
+ icmp type echo-request accept
+ icmp type echo-reply accept
+ ip daddr 127.0.0.0/8 accept
+ ip6 daddr ::1 accept
+ udp dport domain accept
+ tcp dport 853 accept comment "DNS over TLS"
+ udp dport 853 accept comment "DNS over TLS"
+ tcp dport http accept
+ tcp dport https accept
+ udp dport https accept
+ tcp dport ssh accept
+ tcp dport bootps accept
+ udp dport bootps accept
+ tcp dport ntp accept
+ udp dport ntp accept
+ tcp dport nntps accept
+ udp dport nntps accept
+ tcp dport submission accept
+ tcp dport imaps accept
+ tcp dport 2222 accept
+ tcp dport hkp accept
+ udp dport hkp accept
+ tcp dport 9100 accept
+ tcp dport git accept
+ udp dport git accept
+ tcp dport rsync accept
+ udp dport rsync accept
+ tcp dport 8000 accept
+ tcp dport http-alt accept
+ udp dport openvpn accept
+ tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } accept
+ tcp dport 5222 accept comment "XMPP"
+ tcp dport 6697 accept comment "IRC"
+ tcp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
+ udp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
+ tcp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS"
+ udp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS"
+ udp dport 19302-19309 accept comment "Google Meet Ports"
+ tcp dport 1714-1764 accept comment "KDEConnect"
+ udp dport 1714-1764 accept comment "KDEConnect"
+ udp dport 51820 accept comment "WireGuard"
+ }
+}
|
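Review bot: The `output` chain runs with `policy drop` and has no ICMPv6 rule, while `input` accepts `ip6 nexthdr ipv6-icmp`; outbound neighbour and router solicitation are locally generated ICMPv6 that pass the output hook and are not covered by `ct state established,related`, so IPv6 to anything beyond `::1` is likely unusable on this host. Adding `ip6 nexthdr ipv6-icmp accept` (or a narrower `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept`) next to `icmp type echo-request accept` would restore the symmetry with `input`. In `input`, `tcp dport 8080 ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept` and `tcp dport http-alt ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept` are the same rule, since http-alt resolves to 8080/tcp in the services database, so one of them should go. The `ip saddr 127.0.0.1/8` matches on ports 3000 and 8000 are also dead after `iif lo accept`, because any genuine loopback-sourced packet has already been accepted by that earlier rule; dropping them keeps the allowlist easier to audit.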