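;; Guix System configuration for a file server that also hosts libvirt VMs
;; (VFIO passthrough, ZFS from nonguix, LUKS-encrypted root, key-only SSH).
;;
;; The file had been collapsed onto a single line; since ";;" comments run to
;; end of line and the sudoers string relies on backslash-newline
;; continuations, that form was unparseable.  It is restored one form per line.
(use-modules (gnu)
             (nongnu packages linux)
             (nongnu system linux-initrd)
             ;; (gnu home)
             (gnu services mcron)
             (gnu services sysctl)
             (gnu services virtualization)
             (gnu packages firmware)
             (gnu packages file-systems)
             (gnu packages admin)
             (gnu packages cryptsetup)
             (gnu packages rsync))
(use-service-modules cups desktop networking ssh xorg)

;; sudoers(5) content.  Each rule must sit on its own line, so the string is
;; written with a leading backslash-newline continuation rather than collapsed.
;;
;; NOTE(review): the NOPASSWD rule names a binary under /home/guix, a path the
;; "guix" account itself can write to.  Anything running as that user
;; (including the cleanhistory cron job below) could replace that file and run
;; it as root without a password.  Prefer a binary from the system profile
;; (/run/current-system/profile/...), as the zpool entry already does.
(define %sudoers-specification
  (plain-file "sudoers" "\
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
guix ALL=NOPASSWD: /home/guix/.guix-home/profile/sbin/nvme smart-log /dev/nvme0, /run/current-system/profile/sbin/zpool status
"))

;; (define guix-home
;;   (home-environment
;;     ...))

;; Daily garbage collection at 03:00.  No #:user is given, so this does not run
;; as the "guix" account (mcron's own user applies).
(define garbage-collector-job
  #~(job '(next-hour '(3))
         "guix gc --collect-garbage"
         "garbagecollector"))

;; Trim the "guix" user's shell history every 30 minutes.  The script lives in
;; that user's home and the job runs as that user, so it carries no extra
;; privilege.
(define clean-history-job
  #~(job '(next-minute '(0 30))
         "bash /home/guix/bin/cleanhistory"
         "clean history"
         #:user "guix"))

(operating-system
  ;; Non-free kernel and firmware from nonguix; IOMMU enabled for VFIO.
  (kernel linux)
  (kernel-arguments '("intel_iommu=on"))
  (kernel-loadable-modules (list (list zfs "module")))
  (initrd microcode-initrd)
  ;; VFIO modules go into the initrd -- presumably so passthrough devices are
  ;; bound to vfio-pci before host drivers see them; confirm against the
  ;; intended passthrough setup.
  (initrd-modules (cons* "vfio_pci" "vfio" "vfio_iommu_type1"
                         %base-initrd-modules))
  (firmware (list linux-firmware))
  (locale "en_US.utf8")
  ;; NOTE(review): "US" is a tzdata directory, not a zone name; a zone such as
  ;; "US/Eastern" is probably intended -- confirm.
  (timezone "US")
  (keyboard-layout (keyboard-layout "us"))
  (host-name "fileserver")
  (sudoers-file %sudoers-specification)

  (bootloader (bootloader-configuration
               (bootloader grub-efi-bootloader)
               (targets (list "/boot/efi"))
               (keyboard-layout keyboard-layout)))

  (swap-devices (list (swap-space (target (uuid "[redacted]")))))

  ;; LUKS-encrypted root; the root file system depends on the mapping.
  (mapped-devices (list (mapped-device
                         (source (uuid "[redacted]"))
                         (target "cryptroot")
                         (type luks-device-mapping))))

  (file-systems (cons* (file-system
                         (mount-point "/")
                         (device "/dev/mapper/cryptroot")
                         (type "ext4")
                         (dependencies mapped-devices))
                       (file-system
                         (mount-point "/boot/efi")
                         (device (uuid "[redacted]" 'fat32))
                         (type "vfat"))
                       %base-file-systems))

  ;; "guix" is in wheel (full sudo with password) and libvirt (VM management).
  (users (cons* (user-account
                 (name "guix")
                 (comment "Guix")
                 (group "users")
                 (home-directory "/home/guix")
                 (supplementary-groups '("wheel" "netdev" "audio" "video" "libvirt")))
                %base-user-accounts))

  (packages (cons* zfs cryptsetup tree rsync %base-packages))

  (services
   (cons*
    ;; (service guix-home-service-type
    ;;          `(("guix" ,guix-home)))

    ;; Virtualization: libvirt plus OVMF firmware at the paths virt tools expect.
    (service libvirt-service-type)
    (service virtlog-service-type)
    (extra-special-file "/usr/share/OVMF/OVMF_CODE.fd"
                        (file-append ovmf "/share/firmware/ovmf_code_x64.bin"))
    (extra-special-file "/usr/share/OVMF/OVMF_VARS.fd"
                        (file-append ovmf "/share/firmware/ovmf_vars_x64.bin"))

    ;; SSH: password authentication off, one authorized key, non-default port.
    (service openssh-service-type
             (openssh-configuration
              (password-authentication? #false)
              (port-number [redacted])
              (authorized-keys
               `(("guix" ,(plain-file "[redacted].pub" "ssh-rsa [redacted]"))))))

    ;; Firewall.  NOTE(review): no iptables-configuration is supplied, so the
    ;; service's default rule set applies; verify that it actually restricts
    ;; inbound and forwarded traffic, since net.ipv4.ip_forward is enabled
    ;; below.
    (service iptables-service-type)

    ;; Scheduled jobs
    (simple-service 'my-cron-jobs mcron-service-type
                    (list garbage-collector-job clean-history-job))

    ;; Service modifications
    (modify-services %desktop-services
      (delete gdm-service-type)
      ;; Fetch substitutes from nonguix as well and trust its signing key;
      ;; the URL is HTTPS and every substitute is still signature-checked
      ;; against the authorized key list.
      (guix-service-type config =>
        (guix-configuration
         (inherit config)
         (substitute-urls
          (append (list "https://substitutes.nonguix.org")
                  %default-substitute-urls))
         (authorized-keys
          (append (list (plain-file "non-guix.pub"
                                    "(public-key (ecc (curve Ed25519) (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#) ) ) "))
                  %default-authorized-guix-keys))))
      ;; IP forwarding -- presumably for libvirt NAT networking; confirm.
      (sysctl-service-type config =>
        (sysctl-configuration
         (settings (append '(("net.ipv4.ip_forward" . "1"))
                           %default-sysctl-settings))))))))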