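;;; Base system definitions shared by the metznet server and desktop images.
;;;
;;; Everything in this module is evaluated at `guix system build` time.  Any
;;; value that is written into a generated configuration file becomes part of
;;; the system closure, so credentials placed here should be treated as if
;;; they were committed to the store alongside the rest of the system.
(define-module (system base-system)
  #:use-module (metznet)
  #:use-module (gnu)
  #:use-module (guix gexp)
  #:use-module (nongnu packages linux)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages vim)
  #:use-module (gnu system nss)
  #:use-module (gnu packages certs)
  #:use-module (gnu services pm)
  #:use-module (gnu services authentication)
  #:use-module (gnu services vpn)
  #:use-module (gnu packages vpn)
  #:use-module (gnu services networking)
  #:use-module (gnu packages networking)
  #:use-module (gnu services ssh)
  #:use-module (gnu packages dns)
  #:use-module (gnu packages base)
  #:use-module (gnu packages openldap)
  #:use-module (gnu services kerberos)
  #:use-module (gnu packages kerberos)
  #:use-module (gnu packages admin)
  #:use-module (gnu packages shells)
  #:use-module (gnu services desktop)
  #:use-module (gnu packages gnome)
  #:use-module (gnu packages wm)
  #:use-module (gnu services xorg)
  #:use-module (gnu packages suckless)
  #:use-module (gnu packages gnuzilla)
  #:use-module (gnu packages terminals)
  #:use-module (gnu packages virtualization)
  #:use-module (gnu packages version-control)
  #:use-module (nongnu system linux-initrd)
  #:use-module (gnu system setuid)
  #:use-module (ice-9 exceptions)
  #:export (%domain-realm
            %domain-name
            %domain-kadmin
            %domain-kdc
            %metznet-base-user-accounts
            %metznet-base-groups
            %metznet-base-packages
            %metznet-desktop-packages
            %metznet-server-packages
            %metznet-setuid-programs
            %default-keyboard-layout
            %kvm-udev-rule
            %usb-udev-rule
            %tun-udev-rule
            %metznet-desktop-services
            %metznet-server-services
            %metznet-base-server-system
            %metznet-base-desktop-system))

;;;
;;; Domain / Kerberos realm.
;;;

;; Realm name and the DNS name of the host that serves both the KDC and the
;; kadmin interface (they share the "kerberos." prefix below).
(define %domain-realm "METZNET.CA")
(define %domain-name "metznet.ca")
(define %domain-kadmin (string-append "kerberos." %domain-name))
(define %domain-kdc (string-append "kerberos." %domain-name))

;;;
;;; Accounts, groups and package sets.
;;;

;; Root is the only locally defined account; all other users are expected to
;; come from LDAP through nslcd (see %metznet-name-service-switch).
;; FIXME(security): the root password is the literal string "root" hashed
;; with a fixed, trivial salt, and the resulting hash is part of the system
;; closure.  Replace it with a hash generated out of band, or drop the
;; password field and set it with `passwd` after first boot.
(define %metznet-base-user-accounts
  (append (list (user-account
                 (name "root")
                 (group "root")
                 (uid 0)
                 (password (crypt "root" "$6$salt"))
                 (shell (file-append zsh "/bin/zsh"))))
          %base-user-accounts))

;; Extra system groups: "realtime" and "usb" (the latter is referenced by
;; %usb-udev-rule).
(define %metznet-base-groups
  (append (list (user-group (system? #t) (name "realtime"))
                (user-group (system? #t) (name "usb")))
          %base-groups))

;; Packages installed on every metznet machine: LDAP and Kerberos clients,
;; CA bundles, the VPN client and an editor/shell.
(define %metznet-base-packages
  (append (list glibc openldap git neovim zsh le-certs nss-certs mit-krb5
                openvpn openresolv)
          %base-packages))

;; Desktop adds an i3 session, a terminal and a browser.
(define %metznet-desktop-packages
  (append (list i3-wm i3status dmenu kitty icecat)
          %metznet-base-packages))

;; Server adds the DHCP client/server package.
(define %metznet-server-packages
  (append (list isc-dhcp)
          %metznet-base-packages))

;; Setuid-root helpers used on the desktop so an unprivileged session can
;; bring up a VPN and rewrite resolv.conf.
;; NOTE(security): both binaries run as root when invoked by any local user;
;; consider whether a NetworkManager-managed VPN (already configured in
;; %metznet-desktop-services via network-manager-openvpn) makes these
;; unnecessary.
;; This variable was previously named %desktop-setuid-programs while the
;; module exported %metznet-setuid-programs; the definition now matches the
;; exported name.
(define %metznet-setuid-programs
  (append (list (setuid-program
                 (program #~(string-append #$openvpn "/sbin/openvpn")))
                (setuid-program
                 (program #~(string-append #$openresolv "/sbin/resolvconf"))))
          %setuid-programs))

;;;
;;; Kerberos client configuration.
;;;

;; Shared krb5.conf for the METZNET.CA realm.
;; NOTE(security): allow-weak-crypto? #t re-enables deprecated enctypes
;; (the DES family) on this client; keep it only while the realm still issues
;; such keys and turn it off once the KDC has been migrated.  rdns? #f avoids
;; reverse-DNS canonicalisation of service principals, which is the safer
;; default.
(define %metznet-krb5-config
  (krb5-configuration
   (default-realm %domain-realm)
   (allow-weak-crypto? #t)
   (rdns? #f)
   (realms (list (krb5-realm
                  (name %domain-realm)
                  (admin-server %domain-kadmin)
                  (kdc %domain-kdc))))))

;;;
;;; Keyboard and udev rules.
;;;

(define %default-keyboard-layout (keyboard-layout "us"))

;; Give the libvirt group access to /dev/kvm.
;; The kernel device name is lowercase "kvm" and udev KERNEL matches are
;; case-sensitive, so the previous pattern "KVM" never matched any device.
(define %kvm-udev-rule
  (udev-rule "65-kvm.rules"
             "KERNEL==\"kvm\", GROUP=\"libvirt\", MODE=\"0660\""))

;; Hand raw USB device nodes to the "usb" group defined above.
(define %usb-udev-rule
  (udev-rule "51-usb.rules"
             (string-append "SUBSYSTEM==\"usb\", GROUP=\"usb\"\n"
                            "SUBSYSTEM==\"usbmisc\", GROUP=\"usb\"")))

;; /dev/net/tun for the netdev group (needed for user-space VPN clients).
(define %tun-udev-rule
  (udev-rule "90-tun.rules"
             "KERNEL==\"tun\", GROUP=\"netdev\", MODE=\"0660\", OPTIONS+=\"static_node=net/tun\""))

;; Let the video group change the Intel backlight brightness.
;; NOTE: the RUN+= command only changes ownership; the file keeps its default
;; mode, so it is only writable by the group if the kernel exposes it that way.
(define %backlight-udev-rule
  (udev-rule "55-backlight.rules"
             "RUN+=\"/bin/chgrp video /sys/class/backlight/intel_backlight/brightness\""))

;;;
;;; NSS and LDAP.
;;;

;; Resolve users, shadow entries and groups from local files first, then LDAP.
(define %metznet-name-service-switch
  (let ((services (list (name-service (name "files"))
                        (name-service (name "ldap")))))
    (name-service-switch
     (password services)
     (shadow services)
     (group services))))

;; TODO:
;;  1) need to create the user's home directory on login
;;  2) need to have /bin/zsh available to use as the login shell
;;
;; nslcd configuration feeding the "ldap" NSS source above and the listed
;; PAM services.
;; NOTE(security): binddn/bindpw are read from the *build* environment and
;; serialized into the generated nslcd.conf; check where the service writes
;; that file — if it lands in /gnu/store it is readable by every local user.
;; The `debug` log level is also very verbose for a production host and may
;; record directory contents in /var/log/nslcd.
(define %metznet-nslcd-config
  (nslcd-configuration
   (base "dc=metznet,dc=ca")
   (log '("/var/log/nslcd" debug))
   (pam-services (list "su" "login" "password" "ssh" "passwd"))
   (binddn (or (getenv "LDAP_BINDDN") ""))
   (bindpw (or (getenv "LDAP_BINDPW") ""))
   (uri (list "ldap://ldap.metznet.ca"))))

;;;
;;; Service sets.
;;;

;; Desktop: SSH, Kerberos and nslcd on top of %desktop-services, with the
;; nonguix substitute server authorised, lid-close suspend on AC, the tun and
;; backlight udev rules, and the OpenVPN plugin for NetworkManager.
(define %metznet-desktop-services
  (append
   (list (service openssh-service-type)
         (service krb5-service-type %metznet-krb5-config)
         (service nslcd-service-type %metznet-nslcd-config))
   (modify-services %desktop-services
     (guix-service-type
      config => (guix-configuration
                 (inherit config)
                 (substitute-urls
                  (append (list "https://substitutes.nonguix.org")
                          %default-substitute-urls))
                 (authorized-keys
                  (append (list (plain-file
                                 "nonguix.pub"
                                 "(public-key (ecc (curve Ed25519) (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)))"))
                          %default-authorized-guix-keys))))
     (elogind-service-type
      config => (elogind-configuration
                 (inherit config)
                 (handle-lid-switch-external-power 'suspend)))
     (udev-service-type
      config => (udev-configuration
                 (inherit config)
                 (rules (append (list %tun-udev-rule %backlight-udev-rule)
                                (udev-configuration-rules config)))))
     (network-manager-service-type
      config => (network-manager-configuration
                 (inherit config)
                 (vpn-plugins (list network-manager-openvpn)))))))

;; Server: SSH, Kerberos, nslcd, a DHCP client and a persistent OpenVPN
;; client on top of %base-services.
;; NOTE: the OpenVPN client expects its tls-auth key at /etc/openvpn/ta.key,
;; which is not provisioned by this module.
(define %metznet-server-services
  (append
   (list (service openssh-service-type)
         (service krb5-service-type %metznet-krb5-config)
         (service nslcd-service-type %metznet-nslcd-config)
         (service dhcp-client-service-type)
         (openvpn-client-service
          #:config (openvpn-client-configuration
                    (openvpn openvpn)
                    (pid-file "/var/run/openvpn/client.pid")
                    (persist-key? #f)
                    (tls-auth "/etc/openvpn/ta.key"))))
   %base-services))

;;;
;;; Operating systems.
;;;

;; Template every metznet machine inherits from.  Hostname, packages and
;; services are overridden by the concrete systems below.
;; NOTE(review): %metznet-base-services is not defined in this module;
;; presumably it comes from (metznet) — confirm, otherwise this template does
;; not evaluate on its own.
(define %metznet-base-operating-system
  (operating-system
   ;; Hostname and localization information
   (host-name "base")
   (timezone "America/Edmonton")
   (locale "en_CA.utf8")
   (keyboard-layout %default-keyboard-layout)
   (name-service-switch %metznet-name-service-switch)

   ;; Kernel and firmware definitions (non-free kernel, firmware and microcode)
   (kernel linux)
   (kernel-arguments (append '("console=ttyS0") %default-kernel-arguments))
   (firmware (list linux-firmware))
   (initrd microcode-initrd)

   ;; Grub UEFI Bootloader installed to /boot/efi
   (bootloader (bootloader-configuration
                (bootloader grub-efi-bootloader)
                (targets '("/boot/efi"))
                (keyboard-layout keyboard-layout)))

   ;; Fixed virtio disk layout; fsck is disabled on both file systems
   ;; (check? #f), so corruption will not be caught at boot.
   (file-systems (cons* (file-system
                         (mount-point "/boot/efi")
                         (device "/dev/vda1")
                         (type "vfat")
                         (check? #f))
                        (file-system
                         (mount-point "/")
                         (device "/dev/vda3")
                         (type "xfs")
                         (check? #f))
                        %base-file-systems))

   (users %metznet-base-user-accounts)
   (groups %metznet-base-groups)
   (packages %metznet-base-packages)
   (services %metznet-base-services)))

;; Headless server variant.
(define %metznet-base-server-system
  (operating-system
   (inherit %metznet-base-operating-system)
   (host-name "metznet-base-server")
   (packages %metznet-server-packages)
   (services %metznet-server-services)))

;; Desktop variant; the only one that installs the setuid VPN helpers.
(define %metznet-base-desktop-system
  (operating-system
   (inherit %metznet-base-operating-system)
   (host-name "metznet-base-desktop")
   (setuid-programs %metznet-setuid-programs)
   (packages %metznet-desktop-packages)
   (services %metznet-desktop-services)))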