Hi Pierre,

Pierre Neidhardt <m...@ambrevar.xyz> writes:
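> Can you share your operating system declaration?

Sorry for the delay; here it is.  I've anonymized some of the information
such as SSH public keys and usernames.

--8<---------------cut here---------------start------------->8---
;; Operating system configuration derived from the Guix "desktop" template.
;; GDM is dropped from the stock desktop services in favour of SLiM and
;; ratpoison, and the root partition lives on a btrfs subvolume inside a
;; LUKS container (see the note about issue 37305 below).

(use-modules (guix store)
             (gnu)
             (gnu packages bash)
             (gnu packages version-control)
             (gnu system nss)
             (srfi srfi-1))
(use-service-modules admin desktop docker linux ssh xorg)
(use-package-modules android certs docker java linux nfs ratpoison)

;; The stock desktop services minus GDM; SLiM is configured as the display
;; manager in the SERVICES field below.
(define %my-desktop-services
  (remove (lambda (service)
            (eq? (service-kind service) gdm-service-type))
          %desktop-services))

(operating-system
  (host-name "myhost")
  (timezone "America/Montreal")
  (locale "en_US.utf8")

  ;; Dvorak layout, reused by the bootloader and the X server below.
  (keyboard-layout (keyboard-layout "dvorak"))

  ;; Use the UEFI variant of GRUB with the EFI System
  ;; Partition mounted on /boot/efi.
  (bootloader (bootloader-configuration
               (bootloader grub-efi-bootloader)
               (target "/boot/efi")
               (keyboard-layout keyboard-layout)))

  ;; Mapped devices for the two LUKS containers.  The UUIDs are those
  ;; returned by 'cryptsetup luksUUID'; the targets become the
  ;; /dev/mapper names referenced by label in FILE-SYSTEMS.
  (mapped-devices
   (list (mapped-device
          (source (uuid "f85c0627-1f6f-48b9-a2c2-6c12594a7bd1"))
          (target "btrfs-pool-1")
          (type luks-device-mapping))
         (mapped-device
          (source (uuid "73b08e1a-ca2f-4d46-845a-44443fe14cd7"))
          (target "btrfs-pool-4")
          (type luks-device-mapping))))

  (file-systems
   (cons*
    ;; For EFI firmware.
    (file-system
      (device (uuid "209E-67AD" 'fat))
      (mount-point "/boot/efi")
      (type "vfat"))
    ;; Main system, on a 500 GB SSD (/dev/sda).
    (file-system
      (device (file-system-label "btrfs-pool-1"))
      (mount-point "/")
      (type "btrfs")
      (options "subvol=rootfs,compress=zstd")
      (dependencies mapped-devices))
    (file-system
      (device (file-system-label "btrfs-pool-1"))
      (mount-point "/home")
      (type "btrfs")
      (options "subvol=homefs,compress=zstd")
      (dependencies mapped-devices))
    ;; 1000 GB drive for builds (/dev/nvme0n1).  Shared
    ;; between jenkins-home, jenkins-build and
    ;; docker-cache subvolumes.
    (file-system
      (device (file-system-label "btrfs-pool-4"))
      (mount-point "/home/jenkins-user")
      (create-mount-point? #t)
      (type "btrfs")
      (options "subvol=jenkins-home,compress=zstd")
      (dependencies mapped-devices))
    (file-system
      (device (file-system-label "btrfs-pool-4"))
      (mount-point "/home/jenkins-user/workspace")
      (create-mount-point? #t)
      (type "btrfs")
      (options "subvol=jenkins-build,compress=zstd")
      (dependencies mapped-devices))
    (file-system
      (device (file-system-label "btrfs-pool-4"))
      (mount-point "/var/lib/docker")
      (create-mount-point? #t)
      (type "btrfs")
      (options "subvol=docker-cache,compress=zstd")
      (dependencies mapped-devices))
    ;; NFS mounts for caching the state and downloads of
    ;; Yocto.  Declared with MOUNT? #f so boot does not block on the
    ;; server; "soft" keeps a dead server from hanging I/O forever and
    ;; no-exec keeps fetched artifacts from being run in place.
    ;; FIXME: Must be manually mounted.
    (file-system
      (device "server:/mnt/scratch/yocto-sstate")
      (mount-point "/mnt/scratch/yocto-sstate")
      (create-mount-point? #t)
      (type "nfs")
      (mount? #f)
      (options "soft")
      (flags '(no-exec)))
    (file-system
      (device "server:/mnt/scratch/yocto-dldir")
      (mount-point "/mnt/scratch/yocto-dldir")
      (create-mount-point? #t)
      (type "nfs")
      (mount? #f)
      (options "soft")
      (flags '(no-exec)))
    %base-file-systems))

  ;; NOTE(review): a swap file on a compressed btrfs subvolume cannot be
  ;; activated; this presumably lives on its own nodatacow, uncompressed
  ;; subvolume -- confirm.
  (swap-devices '("/swap/swapfile"))

  ;; Membership in "docker" (and "kvm") is effectively root-equivalent on
  ;; this host, so the key that reaches jenkins-user below carries that
  ;; privilege too.
  (users (cons* (user-account
                 (name "myuser")
                 (group "users")
                 (supplementary-groups '("dialout" "wheel" "netdev"
                                         "audio" "video" "kvm"
                                         "docker" "adbusers")))
                (user-account
                 (name "jenkins-user")
                 (comment "User for a Jenkins build slave")
                 (home-directory "/home/jenkins-user")
                 (group "users")
                 (supplementary-groups '("netdev" "kvm" "docker")))
                %base-user-accounts))

  (groups (cons* (user-group (system? #t) (name "adbusers"))
                 %base-groups))

  ;; This is where we specify system-wide packages.
  (packages (cons* ratpoison
                   nss-certs            ;for HTTPS access
                   btrfs-progs
                   nfs-utils
                   cqfd
                   docker-cli
                   git
                   git-repo
                   openjdk12
                   %base-packages))

  ;; SSH, Docker
  (services (cons* (extra-special-file "/bin/bash"
                                       (file-append bash "/bin/bash"))
                   (service rottlog-service-type)
                   (service earlyoom-service-type)
                   (service openssh-service-type
                            (openssh-configuration
                             (port-number 22)
                             ;; NOTE(review): direct root login over SSH is
                             ;; enabled; since "myuser" is in "wheel", #f (or
                             ;; 'without-password) would keep root reachable
                             ;; only through an audited account.
                             (permit-root-login #t)
                             (authorized-keys
                              `(("myuser" ,(local-file "some-key.pub"))
                                ;; Give access to the Jenkins master.
                                ("jenkins-user"
                                 ,(plain-file "jenkins.pub"
                                              "ssh-rsa AAAAB3NzaC1yc2EAAAADAQA\
[...] YK+l20fjZSu198/keqjnlTIWryC479GI3 jenk...@jenkins-user.mtl.sfl"))))))
                   (service docker-service-type)
                   ;; (set-xorg-configuration (xorg-configuration
                   ;;   (keyboard-layout keyboard-layout)))
                   ;; TODO: mcron jobs for cleaning up old docker containers, stale
                   ;; /tmp files
                   (service slim-service-type
                            (slim-configuration
                             (auto-login? #f)
                             ;; Must name an account declared in USERS above.
                             (default-user "myuser")
                             (xorg-configuration
                              (xorg-configuration
                               (keyboard-layout keyboard-layout)))))
                   ;; Listen on all interfaces: every peer that can reach this
                   ;; host can fetch store items, so keep it behind a firewall
                   ;; on untrusted networks.
                   (service guix-publish-service-type
                            (guix-publish-configuration
                             (host "0.0.0.0")))
                   (modify-services %my-desktop-services
                     (guix-service-type config =>
                                        (guix-configuration
                                         (inherit config)
                                         ;; Trust substitutes signed by our own
                                         ;; key in addition to the defaults.
                                         (authorized-keys
                                          (cons (local-file "some-key.pub")
                                                %default-authorized-guix-keys))
                                         (extra-options '("--max-jobs=8"))))
                     ;; Enable using adb as a simple user with a multitude of devices.
                     (udev-service-type config =>
                                        (udev-configuration
                                         (inherit config)
                                         (rules (cons* android-udev-rules
                                                       (udev-configuration-rules config))))))))

  ;; Allow resolution of '.local' host names with mDNS.
  (name-service-switch %mdns-host-lookup-nss))
--8<---------------cut here---------------end--------------->8---

Note that to have my root partition mounted on a subvolume, you'll need my
(yet to be merged) patches available at:
https://issues.guix.info/issue/37305.  I'll post a fresh, rebased v3
(hopefully the last!) series shortly.

Maxim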