authorKenny Ballou <kb@devnulllabs.io>2023-02-19 23:54:28 -0700
committerKenny Ballou <kb@devnulllabs.io>2023-02-19 23:55:23 -0700
commit971160f662b5fe6dd71fa2c155bb3317d67b7078 (patch)
tree1314ad8dc959128a3ef71f0500dff28c515aefd4 /systems
parentcc98b5b811f4a8d0282eeb33d6e27e3d9f86ca86 (diff)
add axo machine
laptop to replace the near bomb of the old laptop. Signed-off-by: Kenny Ballou <kb@devnulllabs.io>
Diffstat (limited to 'systems')
-rw-r--r--systems/axo.scm198
-rw-r--r--systems/axo/nftables-rules.nft70
2 files changed, 268 insertions, 0 deletions
diff --git a/systems/axo.scm b/systems/axo.scm
new file mode 100644
index 00000000..11aba572
--- /dev/null
+++ b/systems/axo.scm
@@ -0,0 +1,198 @@
+(define-module (systems axo)
+ #:use-module (guix)
+ #:use-module (guix records)
+ #:use-module (guix utils)
+ #:use-module (gnu)
+ #:use-module (gnu packages)
+ #:use-module (gnu services avahi)
+ #:use-module (gnu services base)
+ #:use-module (gnu services cups)
+ #:use-module (gnu services dbus)
+ #:use-module (gnu services desktop)
+ #:use-module (gnu services docker)
+ #:use-module (gnu services linux)
+ #:use-module (gnu services mcron)
+ #:use-module (gnu services networking)
+ #:use-module (gnu services nix)
+ #:use-module (gnu services pm)
+ #:use-module (gnu services security-token)
+ #:use-module (gnu services virtualization)
+ #:use-module (gnu services xorg)
+ #:use-module (gnu system nss)
+ #:use-module (gnu packages gnome)
+ #:use-module (gnu packages linux)
+ #:use-module (nongnu packages linux)
+ #:use-module (nongnu packages mozilla)
+ #:use-module (nongnu packages printers)
+ #:use-module (nongnu system linux-initrd)
+ #:use-module (kbg)
+ #:use-module (kbg packages profiles base)
+ #:use-module (kbg packages profiles desktop)
+ #:use-module (kbg services desktop)
+ #:use-module (kbg services dict)
+ #:use-module (kbg services nftables)
+ #:use-module ((kbg system mcron) :prefix mcron:)
+ #:use-module (kbg system xorg))
+
+(define axo-system
+ (operating-system
+ (kernel linux)
+ (kernel-loadable-modules
+ (list v4l2loopback-linux-module))
+ (firmware (list linux-firmware))
+ (initrd microcode-initrd)
+ (host-name "axo")
+ (timezone "America/Boise")
+ (locale "en_US.utf8")
+
+ (initrd-modules (append (list "dm-crypt") %base-initrd-modules))
+
+ (keyboard-layout (keyboard-layout "us" #:options '("ctrl:nocaps")))
+
+ (bootloader (bootloader-configuration
+ (bootloader grub-efi-bootloader)
+ (targets '("/boot/efi"))
+ (keyboard-layout keyboard-layout)))
+
+ (mapped-devices
+ (list (mapped-device
+ (source (uuid "f1e8d842-1c63-4311-803d-938f31d48d49"))
+ (target "luks-f1e8d842-1c63-4311-803d-938f31d48d49")
+ (type luks-device-mapping))
+ (mapped-device
+ (source "vg0")
+ (targets (list "vg0-guix"
+ "vg0-home"
+ "vg0-nix"
+ "vg0-root"
+ "vg0-swap"
+ "vg0-tmp"
+ "vg0-var"
+ "vg0-var"))
+ (type lvm-device-mapping))))
+
+ (file-systems (append
+ (list (file-system
+ (device "/dev/mapper/vg0-root")
+ (mount-point "/")
+ (type "ext4")
+ (needed-for-boot? #t)
+ (dependencies mapped-devices))
+ (file-system
+ (device "/dev/mapper/vg0-guix")
+ (mount-point "/gnu")
+ (type "xfs")
+ (needed-for-boot? #t)
+ (dependencies mapped-devices))
+ (file-system
+ (device "/dev/mapper/vg0-nix")
+ (mount-point "/nix")
+ (type "xfs")
+ (needed-for-boot? #f)
+ (dependencies mapped-devices))
+ (file-system
+ (device "/dev/mapper/vg0-var")
+ (mount-point "/var")
+ (type "ext4")
+ (needed-for-boot? #t)
+ (dependencies mapped-devices))
+ (file-system
+ (device "/dev/mapper/vg0-tmp")
+ (mount-point "/tmp")
+ (type "ext4")
+ (needed-for-boot? #t)
+ (dependencies mapped-devices))
+ (file-system
+ (device "/dev/mapper/vg0-opt")
+ (mount-point "/opt")
+ (type "ext4")
+ (needed-for-boot? #f)
+ (dependencies mapped-devices))
+ (file-system
+ (device "/dev/mapper/vg0-home")
+ (mount-point "/home")
+ (type "xfs")
+ (needed-for-boot? #t)
+ (dependencies mapped-devices))
+ (file-system
+ (device (uuid "5A5D-20AF" 'fat))
+ (mount-point "/boot/efi")
+ (type "vfat")
+ (dependencies mapped-devices)))
+ %base-file-systems))
+
+ (swap-devices (list (swap-space (target "/dev/mapper/vg0-swap")
+ (discard? #f)
+ (dependencies mapped-devices))))
+
+ (users (cons (user-account
+ (name "kb")
+ (group "users")
+ (supplementary-groups '("audio"
+ "input"
+ "kvm"
+ "libvirt"
+ "lp"
+ "netdev"
+ "tty"
+ "video"
+ "wheel")))
+ %base-user-accounts))
+
+ ;; This is where we specify system-wide packages.
+ (packages (append %kbg-base-packages
+ %kbg-bare-desktop-packages
+ %base-packages))
+
+ ;; Add GNOME and Xfce---we can choose at the log-in screen
+ ;; by clicking the gear. Use the "desktop" services, which
+ ;; include the X11 log-in service, networking with
+ ;; NetworkManager, and more.
+ (services (append (list (service gnome-desktop-service-type)
+ ;;(geoclue-service)
+ (bluetooth-service #:auto-enable? #t)
+ (service cups-service-type
+ (cups-configuration
+ (web-interface? #t)))
+ dictionary-service
+ (set-xorg-configuration
+ (xorg-configuration
+ (keyboard-layout keyboard-layout)
+ (extra-config (list %xorg-libinput-config))))
+ (service nix-service-type)
+ (service pcscd-service-type)
+ (service tlp-service-type
+ (tlp-configuration
+ (cpu-scaling-governor-on-ac (list "performance"))
+ (cpu-scaling-governor-on-bat (list "powersave"))
+ ;; (cpu-scaling-min-freq-on-ac 2400000)
+ ;; (cpu-scaling-min-freq-on-bat 1200000)
+ (cpu-boost-on-ac? #t)
+ (cpu-boost-on-bat? #f)
+ (energy-perf-policy-on-ac "performance")
+ (energy-perf-policy-on-bat "powersave")
+ (pcie-aspm-on-ac "performance")
+ (pcie-aspm-on-bat "powersupersave")))
+ (nftables-service "axo")
+ (simple-service 'my-cron-jobs
+ mcron-service-type
+ (list mcron:guix-gc-repair-job))
+ (service singularity-service-type)
+ (service virtlog-service-type)
+ (service libvirt-service-type)
+ (service tor-service-type
+ (tor-configuration))
+ (simple-service 'subordinate-ids
+ special-files-service-type
+ `(("/etc/subuid" ,(mixed-text-file "subuid"
+ "kb:100000:65536"
+ "\n"))
+ ("/etc/subgid" ,(mixed-text-file "subgid"
+ "kb:100000:65536"
+ "\n")))))
+ %kbg-desktop-services))
+
+ ;; Allow resolution of '.local' host names with mDNS.
+ (name-service-switch %mdns-host-lookup-nss)))
+
+axo-system
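Review bot: The LVM `mapped-device` lists `"vg0-var"` twice and never lists `"vg0-opt"`, even though the `/opt` file system below mounts `/dev/mapper/vg0-opt` with `(dependencies mapped-devices)`; this looks like a copy-paste slip and the second entry should presumably read `"vg0-opt"`. Whether Guix actually waits on or checks each listed target before mounting I cannot confirm from here, but the list is clearly meant to enumerate every LV the file systems use, so it is worth fixing before the next reconfigure. On the account side, `kb` is added to the `input` group; on systems where udev gives `/dev/input/event*` to that group, any process running as `kb` can read raw keystrokes, so consider dropping it unless a specific tool needs it. A short comment on the `supplementary-groups` list such as `;; "input"/"tty" grant raw device access -- keep only while needed` would make that trade-off explicit for the next reader.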
diff --git a/systems/axo/nftables-rules.nft b/systems/axo/nftables-rules.nft
new file mode 100644
index 00000000..b5e20c26
--- /dev/null
+++ b/systems/axo/nftables-rules.nft
@@ -0,0 +1,70 @@
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ ct state invalid drop comment "drop invalid packets"
+ ct state established,related accept comment "accept related connections"
+ iif lo accept
+ iif != lo ip daddr 127.0.0.1/8 drop
+ iif != lo ip6 daddr ::1/128 drop
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ udp dport domain ip saddr 172.16.0.0/12 accept
+ tcp dport 3000 ip saddr 127.0.0.1/8 accept
+ tcp dport 8000 ip saddr 127.0.0.1/8 accept
+ tcp dport 8080 ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept
+ tcp dport 1714-1764 ip saddr 10.0.0.0/8 accept comment "KDEConnect"
+ udp dport 1714-1764 ip saddr 10.0.0.0/8 accept comment "KDEConnect"
+ tcp dport http-alt ip saddr { 127.0.0.1/8, 10.0.0.0/8 } accept
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ ct state established,related accept
+ }
+
+ chain output {
+ type filter hook output priority 0; policy drop;
+ ct state established,related accept
+ icmp type echo-request accept
+ icmp type echo-reply accept
+ ip daddr 127.0.0.0/8 accept
+ ip6 daddr ::1 accept
+ udp dport domain accept
+ tcp dport 853 accept comment "DNS over TLS"
+ udp dport 853 accept comment "DNS over TLS"
+ tcp dport http accept
+ tcp dport https accept
+ udp dport https accept
+ tcp dport ssh accept
+ tcp dport bootps accept
+ udp dport bootps accept
+ tcp dport ntp accept
+ udp dport ntp accept
+ tcp dport nntps accept
+ udp dport nntps accept
+ tcp dport submission accept
+ tcp dport imaps accept
+ tcp dport 2222 accept
+ tcp dport hkp accept
+ udp dport hkp accept
+ tcp dport 9100 accept
+ tcp dport git accept
+ udp dport git accept
+ tcp dport rsync accept
+ udp dport rsync accept
+ tcp dport 8000 accept
+ tcp dport http-alt accept
+ udp dport openvpn accept
+ tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } accept
+ tcp dport 5222 accept comment "XMPP"
+ tcp dport 6697 accept comment "IRC"
+ tcp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
+ udp dport 2049 ip daddr 10.0.0.0/8 accept comment "NFS"
+ tcp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS"
+ udp dport 20048 ip daddr 10.0.0.0/8 accept comment "NFS"
+ udp dport 19302-19309 accept comment "Google Meet Ports"
+ tcp dport 1714-1764 accept comment "KDEConnect"
+ udp dport 1714-1764 accept comment "KDEConnect"
+ udp dport 51820 accept comment "WireGuard"
+ }
+}