-rw-r--r-- | Makefile | 2 | ||||
-rw-r--r-- | homes/yak.scm | 39 | ||||
-rw-r--r-- | kbg/services/config/dotfiles.scm | 19 | ||||
-rw-r--r-- | kbg/services/shepherd.scm | 9 | ||||
-rw-r--r-- | systems/yak.scm | 152 | ||||
-rw-r--r-- | systems/yak/nftables-rules.nft | 74 |
6 files changed, 294 insertions, 1 deletions
@@ -1,7 +1,7 @@
 NIX_FILES = $(shell find . name -name '*.nix' -type f)
 MAX_AGE=14d
 CHANNEL_FILE=./config/guix/channels.scm
-HOSTS=h4x daeva eligos baal
+HOSTS=h4x daeva eligos baal yak
 SYSTEMS=$(patsubst %,systems/%,$(HOSTS))
 HOMES=$(patsubst %,homes/%,$(HOSTS))
 HOSTNAME=$(shell hostname)
diff --git a/homes/yak.scm b/homes/yak.scm
new file mode 100644
index 00000000..9f2293e8
--- /dev/null
+++ b/homes/yak.scm
@@ -0,0 +1,39 @@
+(define-module (homes daeva)
+ #:use-module (gnu home)
+ #:use-module (gnu packages)
+ #:use-module (gnu services)
+ #:use-module (guix gexp)
+ #:use-module (gnu services audio)
+ #:use-module (gnu home services)
+ #:use-module (gnu home services fontutils)
+ #:use-module (gnu home services mcron)
+ #:use-module (gnu home services shells)
+ #:use-module (gnu home services shepherd)
+ #:use-module (gnu home services symlink-manager)
+ #:use-module (gnu home services xdg)
+ #:use-module (kbg)
+ #:use-module (kbg packages profiles base)
+ #:use-module (kbg packages profiles development)
+ #:use-module (kbg packages profiles desktop)
+ #:use-module (kbg packages profiles fonts)
+ #:use-module (kbg packages profiles statistics)
+ #:use-module (kbg services config dotfiles)
+ #:use-module (kbg services emacs)
+ #:use-module (kbg services mcron)
+ #:use-module (kbg services shell)
+ #:use-module (kbg services shepherd))
+
+(home-environment
+ (packages
+ (append %kbg-base-development-packages
+ %kbg-desktop-packages
+ %kbg-statistics-packages
+ %kbg-fonts))
+
+ (services
+ (append bash-service
+ (configs-for-host 'yak)
+ emacs-service
+ ;; mcron-service
+ (services-for-host 'yak))))
+ ;; shepherd-user-services
diff --git a/kbg/services/config/dotfiles.scm b/kbg/services/config/dotfiles.scm
index 4ff7d1cd..6c463e1f 100644
--- a/kbg/services/config/dotfiles.scm
+++ b/kbg/services/config/dotfiles.scm
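Review bot: The new file homes/yak.scm opens with `(define-module (homes daeva)`, so it carries the module name of the existing daeva home instead of its own; the same copy-paste appears in systems/yak.scm, which opens with `(define-module (systems daeva)`. Two files declaring the same Guile module name can end up sharing one module namespace when both are loaded, and the name no longer matches the path the Makefile derives from HOSTS. Change the first lines to `(define-module (homes yak)` and `(define-module (systems yak)` respectively. The dangling `;; shepherd-user-services` after the closing parens of `home-environment` looks like a leftover and is worth removing.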
@@ -39,7 +39,26 @@
 vale-config-service
 xdg-config-service))
+(define yak-configs
+ (append direnv-config-service
+ email-config-service
+ flatpak-config-service
+ git-config-service
+ ;; global-config-service
+ gnupg-config-service
+ gnuplot-config-service
+ guix-config-service
+ home-vars-service
+ kitty-config-service
+ mpd-config-service
+ nixpkgs-config-service
+ parallel-config-service
+ vale-config-service
+ xdg-config-service))
+
 (define (configs-for-host hostname)
 (cond ((eq? hostname 'daeva)
 daeva-configs)
+ ((eq? hostname 'yak)
+ yak-configs)
 (else '())))
diff --git a/kbg/services/shepherd.scm b/kbg/services/shepherd.scm
index 2be5ab58..d65ddb4c 100644
--- a/kbg/services/shepherd.scm
+++ b/kbg/services/shepherd.scm
@@ -21,7 +21,16 @@
 mpd-service
 syncthing-service))))))
+(define yak-shepherd-services
+ (list (service home-shepherd-service-type
+ (home-shepherd-configuration
+ (services (append gnupg-service
+ mpd-service
+ syncthing-service))))))
+
 (define (services-for-host hostname)
 (cond ((eq? hostname 'daeva)
 daeva-shepherd-services)
+ ((eq? hostname 'yak)
+ yak-shepherd-services)
 (else '())))
diff --git a/systems/yak.scm b/systems/yak.scm
new file mode 100644
index 00000000..e0e3637f
--- /dev/null
+++ b/systems/yak.scm
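Review bot: `yak-configs` restates a full service list rather than deriving it from the daeva list it appears to duplicate (only the tail of `daeva-configs` is visible here, so the overlap is inferred), and `yak-shepherd-services` in kbg/services/shepherd.scm does the same; a shared base list with per-host additions would keep the two hosts from drifting apart. `configs-for-host` and `services-for-host` also grow by one `cond` clause per host; an alist such as `(list (cons 'daeva daeva-configs) (cons 'yak yak-configs))` looked up with `assq-ref`, falling back to `'()`, keeps the dispatch data-driven and matches the HOSTS list in the Makefile. The `;; global-config-service` line carried over into `yak-configs` deserves a short comment saying why it is disabled for this host, or should be dropped.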
@@ -0,0 +1,152 @@
+(define-module (systems daeva)
+ #:use-module (guix)
+ #:use-module (guix records)
+ #:use-module (guix utils)
+ #:use-module (gnu)
+ #:use-module (gnu packages)
+ #:use-module (gnu services avahi)
+ #:use-module (gnu services base)
+ #:use-module (gnu services cups)
+ #:use-module (gnu services dbus)
+ #:use-module (gnu services desktop)
+ #:use-module (gnu services linux)
+ #:use-module (gnu services mcron)
+ #:use-module (gnu services networking)
+ #:use-module (gnu services nix)
+ #:use-module (gnu services pm)
+ #:use-module (gnu services security-token)
+ #:use-module (gnu services ssh)
+ #:use-module (gnu services xorg)
+ #:use-module (gnu system nss)
+ #:use-module (gnu packages cups)
+ #:use-module (gnu packages gnome)
+ #:use-module (nongnu packages linux)
+ #:use-module (nongnu packages mozilla)
+ #:use-module (nongnu packages printers)
+ #:use-module (nongnu system linux-initrd)
+ #:use-module (kbg)
+ #:use-module (kbg packages profiles base)
+ #:use-module (kbg packages profiles desktop)
+ #:use-module (kbg packages gnome)
+ #:use-module (kbg services desktop)
+ #:use-module (kbg services nftables)
+ #:use-module (kbg system setuid-programs)
+ #:use-module ((kbg system mcron) :prefix mcron:)
+ #:use-module (kbg system xorg))
+
+(define install-grub-efi-removable
+ #~(lambda (bootloader efi-dir mount-point)
+ (when efi-dir
+ (let ((grub-install (string-append bootloader "/sbin/grub-install"))
+ (install-dir (string-append mount-point "/boot"))
+ (target-esp (if (file-exists? (string-append mount-point efi-dir))
+ (string-append mount-point efi-dir)
+ efi-dir)))
+ (invoke/quiet grub-install "--boot-directory" install-dir
+ "--efi-directory" target-esp
+ "--removable")))))
+
+(define grub-efi-removable
+ (bootloader
+ (inherit grub-efi-bootloader)
+ (installer install-grub-efi-removable)))
+
+(define yak-system
+ (operating-system
+ (kernel linux)
+ (firmware (list linux-firmware))
+ (initrd microcode-initrd)
+ (host-name "yak")
+ (timezone "America/Boise")
+ (locale "en_US.utf8")
+
+ (initrd-modules %base-initrd-modules)
+
+ (keyboard-layout (keyboard-layout "us" #:options '("ctrl:nocaps")))
+
+ (bootloader (bootloader-configuration
+ (bootloader grub-efi-bootloader)
+ (targets '("/boot/efi"))
+ (keyboard-layout keyboard-layout)))
+
+ (file-systems (append
+ (list (file-system
+ (device (uuid "acc24667-d071-48dc-81f7-b077e838b29f"))
+ (mount-point "/")
+ (type "ext4"))
+ (file-system
+ (device (uuid "EAB6-6000" 'fat))
+ (mount-point "/boot/efi")
+ (type "vfat"))
+ (file-system
+ (device (uuid "1ca489ef-8d04-40a5-bd1c-a5ee9333a27a"))
+ (mount-point "/home")
+ (type "xfs")))
+ %base-file-systems))
+
+ ;; uuid=47b44fb7-4f6f-4ef5-bb17-2c509a80bc52
+ (swap-devices (list (swap-space (target "/swapfile"))))
+
+ (users (cons (user-account
+ (name "kb")
+ (group "users")
+ (supplementary-groups '("audio"
+ "input"
+ "kvm"
+ "lp"
+ "netdev"
+ "tty"
+ "video"
+ "wheel")))
+ %base-user-accounts))
+
+ ;; This is where we specify system-wide packages.
+ (packages (append %kbg-base-packages
+ %kbg-bare-desktop-packages
+ %base-packages))
+
+ ;; Add GNOME and Xfce---we can choose at the log-in screen
+ ;; by clicking the gear. Use the "desktop" services, which
+ ;; include the X11 log-in service, networking with
+ ;; NetworkManager, and more.
+ (services (append (list (service gnome-desktop-service-type
+ (gnome-desktop-configuration
+ (gnome gnome-sans-ssh-agent)))
+ ;;(geoclue-service)
+ (bluetooth-service #:auto-enable? #t)
+ (service cups-service-type
+ (cups-configuration
+ (web-interface? #t)
+ (extensions
+ (list cups-filters hplip-minimal splix))))
+ (set-xorg-configuration
+ (xorg-configuration
+ (keyboard-layout keyboard-layout)
+ (extra-config (list %xorg-libinput-config))))
+ (service nix-service-type)
+ (service pcscd-service-type)
+ (service tlp-service-type
+ (tlp-configuration
+ (cpu-scaling-governor-on-ac (list "performance"))
+ ;; (cpu-scaling-min-freq-on-ac 2400000)
+ (cpu-boost-on-ac? #t)
+ (energy-perf-policy-on-ac "performance")
+ (pcie-aspm-on-ac "performance")))
+ (service openssh-service-type
+ (openssh-configuration
+ (x11-forwarding? #f)
+ (password-authentication? #f)
+ (permit-root-login 'prohibit-password)))
+ (nftables-service "yak")
+ (simple-service 'my-cron-jobs
+ mcron-service-type
+ (list mcron:guix-gc-repair-job)))
+ %kbg-desktop-services))
+
+ ;; Allow resolution of '.local' host names with mDNS.
+ (name-service-switch %mdns-host-lookup-nss)
+
+ (setuid-programs (append %kb-setuid-programs
+ %setuid-programs))))
+
+yak-system
diff --git a/systems/yak/nftables-rules.nft b/systems/yak/nftables-rules.nft
new file mode 100644
index 00000000..c572c647
--- /dev/null
+++ b/systems/yak/nftables-rules.nft
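Review bot: `install-grub-efi-removable` and `grub-efi-removable` are defined but never used: the `bootloader-configuration` below selects the stock `grub-efi-bootloader`, so the `--removable` installer is dead code and should either be wired in as `(bootloader grub-efi-removable)` or dropped. The `(define-module (systems daeva)` header repeats the daeva system's module name and should read `(systems yak)`. The comment block above `services` still promises "GNOME and Xfce" selectable at login, but only `gnome-desktop-service-type` is configured here (unless `%kbg-desktop-services` adds Xfce, which is not visible), so the comment should describe what this list actually installs. The `;; uuid=…` line above `swap-devices` is an unexplained note; a short comment saying what that UUID refers to, or its removal, would help the next reader.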
@@ -0,0 +1,74 @@
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ ct state invalid counter drop comment "drop invalid packets"
+ ct state established,related counter accept comment "accept related connections"
+ iif lo counter accept
+ iif != lo ip daddr 127.0.0.1/8 counter drop
+ iif != lo ip6 daddr ::1/128 counter drop
+ ip protocol icmp counter accept
+ ip6 nexthdr ipv6-icmp counter accept
+ udp dport domain ip saddr 172.16.0.0/12 counter accept
+ tcp dport ssh counter accept
+ tcp dport 3000 ip saddr 127.0.0.1/8 counter accept
+ tcp dport 8000 ip saddr 127.0.0.1/8 counter accept
+ tcp dport 8080 ip saddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
+ tcp dport 1714-1764 ip saddr 10.0.0.0/8 counter accept comment "KDEConnect"
+ udp dport 1714-1764 ip saddr 10.0.0.0/8 counter accept comment "KDEConnect"
+ tcp dport http-alt ip saddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
+ counter
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ ct state established,related counter accept
+ counter
+ }
+
+ chain output {
+ type filter hook output priority 0; policy drop;
+ ct state established,related counter accept
+ icmp type echo-request counter accept
+ icmp type echo-reply counter accept
+ ip daddr 127.0.0.0/8 counter accept
+ ip6 daddr ::1 counter accept
+ udp dport domain counter accept
+ tcp dport 853 counter accept comment "DNS over TLS"
+ udp dport 853 counter accept comment "DNS over TLS"
+ tcp dport http counter accept
+ tcp dport https counter accept
+ udp dport https counter accept
+ tcp dport ssh counter accept
+ tcp dport bootps counter accept
+ udp dport bootps counter accept
+ tcp dport ntp counter accept
+ udp dport ntp counter accept
+ tcp dport nntps counter accept
+ udp dport nntps counter accept
+ tcp dport submission counter accept
+ tcp dport imaps counter accept
+ tcp dport 2222 counter accept
+ tcp dport hkp counter accept
+ udp dport hkp counter accept
+ tcp dport 9100 counter accept
+ tcp dport git counter accept
+ udp dport git counter accept
+ tcp dport rsync counter accept
+ udp dport rsync counter accept
+ tcp dport 8000 counter accept
+ tcp dport http-alt counter accept
+ udp dport openvpn counter accept
+ tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
+ tcp dport 5222 counter accept comment "XMPP"
+ tcp dport 6697 counter accept comment "IRC"
+ tcp dport 2049 ip daddr 10.0.0.0/8 counter accept comment "NFS"
+ udp dport 2049 ip daddr 10.0.0.0/8 counter accept comment "NFS"
+ tcp dport 20048 ip daddr 10.0.0.0/8 counter accept comment "NFS"
+ udp dport 20048 ip daddr 10.0.0.0/8 counter accept comment "NFS"
+ udp dport 19302-19309 counter accept comment "Google Meet Ports"
+ tcp dport 1714-1764 counter accept comment "KDEConnect"
+ udp dport 1714-1764 counter accept comment "KDEConnect"
+ udp dport 51820 counter accept comment "WireGuard"
+ counter
+ }
+}
|
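Review bot: The `output` chain has `policy drop` but only accepts ICMPv4 echo, so every outbound ICMPv6 packet — including the neighbour and router solicitations IPv6 needs before any connection can be made — is dropped; mirror the input chain with `ip6 nexthdr ipv6-icmp counter accept` at the top of `chain output`. mDNS is missing on both sides as well: systems/yak.scm sets `%mdns-host-lookup-nss` and imports `(gnu services avahi)`, yet neither chain accepts `udp dport 5353`, and multicast replies do not match `ct state established`, so `.local` lookups will fail if Avahi is among `%kbg-desktop-services`; add `udp dport 5353 counter accept comment "mDNS"` to `chain output` and the same rule qualified with `ip saddr 10.0.0.0/8` to `chain input`. In `chain input`, `tcp dport ssh counter accept` is the only listening service open to any source while the other LAN services are limited to `10.0.0.0/8`; unless remote access from outside the LAN is required, apply the same `ip saddr 10.0.0.0/8` qualifier so the key-only sshd is not reachable from every network the laptop joins. The `tcp dport 8080 …` and `tcp dport http-alt …` input rules are the same rule twice (http-alt resolves to 8080), and the `ip saddr 127.0.0.1/8` rules are already covered by the earlier `iif lo counter accept`, so they can be collapsed.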