author | Franz Geffke <franz@pantherx.org> | 2023-10-04 17:03:50 +0100 |
---|---|---|
committer | Franz Geffke <franz@pantherx.org> | 2023-10-04 17:03:50 +0100 |
commit | d44717eb7695c49b7d57d665c21e2f8328187348 (patch) | |
tree | 628f5d0d3f045f352d3f1e0b4363fa46b8dc7eee /px/services/base.scm | |
parent | 0a1e1dc353a34f494796b1a3447183b87828644e (diff) |
service modules: rework desktop base not to include gdm
Diffstat (limited to 'px/services/base.scm')
-rw-r--r-- | px/services/base.scm | 174 |
1 files changed, 25 insertions, 149 deletions
diff --git a/px/services/base.scm b/px/services/base.scm
index 91a966e..f007e43 100644
--- a/px/services/base.scm
+++ b/px/services/base.scm
@@ -28,23 +28,19 @@
#:use-module (px services device)
#:use-module (px services security-token)
#:use-module (guix gexp)
+ #:use-module (guix utils)
#:use-module (ice-9 match)
#:use-module (srfi srfi-1)
#:export (%px-core-services
;; for custom desktops (for ex. xfce)
;; without lxqt
- %px-desktop-services-base
+ ; %px-desktop-services-base
%px-desktop-services
%px-desktop-ee-services
-
- ;; for custom servers (for ex. docker)
- ;; without nftables and dh
- %px-server-services-base
%px-server-services
- ; %px-server-iptables-services
%px-server-ee-services
%px-core-arm-services
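Review bot: The export of `%px-desktop-services-base` is only commented out here, while the second hunk (`@@ -54,139 +50,34 @@`) deletes its definition but keeps `(define %px-desktop-services (append %px-desktop-services-base))` as an unchanged context line, so loading the module would now fail on an unbound variable unless that name is redefined somewhere outside the visible hunks. Either give `%px-desktop-services` its own definition or remove the dangling `append` form, and delete the `; %px-desktop-services-base` line rather than leaving dead text in the export list. `(guix utils)` is added to the `#:use-module` list but nothing in the visible hunks uses a binding from it; if it is needed by code outside this diff a short comment naming that binding would help, otherwise drop the import.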
@@ -54,139 +50,34 @@
#:re-export (px-desktop-service-type))
;;;
-;;; Utilities
-;;;
-
-(define (make-firewall-rules open-ports)
-
- (define (make-port-rules open-ports status)
- "Generate list of strings each is a port/service rule for nftables"
- (reduce-right append '()
- (map (match-lambda
- ((protocol ports ...)
- (map (lambda (port)
- (string-append " " protocol " dport " port " " status))
- ports)))
- open-ports)))
-
- (let ((port-rules (make-port-rules open-ports "accept")))
- (plain-file "nftables"
- (string-append "#PantherX firewall rules\n"
- "table inet filter {\n"
- " chain input {\n"
- " type filter hook input priority 0; policy drop;\n"
- " # early drop of invalid connections\n"
- " ct state invalid drop\n"
- " # allow established/related connections\n"
- " ct state { established, related } accept\n"
- " # allow from loopback\n"
- " iifname lo accept\n"
- " # allow icmp\n"
- " ip protocol icmp accept\n"
- " ip6 nexthdr icmpv6 accept\n"
- (string-join port-rules "\n" 'suffix)
- " # reject everything else\n"
- " reject with icmpx type port-unreachable\n"
- " }\n"
- " chain forward {\n"
- " type filter hook forward priority 0; policy drop;\n"
- " }\n"
- " chain output {\n"
- " type filter hook output priority 0; policy accept;\n"
- " }\n"
- "}\n"))))
-
-;;;
;;;
;;; CORE
+;;; px-core-os services
;;;
(define %px-core-services
(append
- ;; list of services that only required to be available in px-core-os,
- ;; since they are available by default in upstream's %desktop-services
(list (service dhcp-client-service-type)
(service ntp-service-type))
%base-services))
;;;
+;;;
;;; DESKTOP
+;;; px-desktop-os services
+;;; px-new-desktop services
;;;
-(define %px-desktop-services-base
- (append (list
- ;; Various udev rules incl. 
FIDO support
- (simple-service 'custom-udev-rules
- udev-service-type
- (list libu2f-host))
-
- (ledger-wallet-service)
- (nitro-key-service)
-
- ;; Power savings
- (service tlp-service-type)
-
- ;; Bluetooth service
- ;; (bluetooth-service #:auto-enable? #t)
- (service bluetooth-service-type
- (bluetooth-configuration
- (auto-enable? #t)))
-
- ;; Prevent overheating
- ;; TLP does not conflict with thermald.
- (service thermald-service-type)
-
- ; Display manager
- (service sddm-service-type
- (sddm-configuration
- (minimum-uid 1000)
- (theme "px-sddm-theme")))
-
- ;; Printing
- (service cups-service-type
- (cups-configuration
- (web-interface? #t)
- (browsing? #t)
- (default-paper-size "a4")))
-
- ;; Keychain
- (service gnome-keyring-service-type
- (gnome-keyring-configuration
- (pam-services '(("passwd" . passwd)
- ("sddm" . login)))))
-
- ;; SSH is enabled by default but only with SSH key
- (service openssh-service-type
- (openssh-configuration
- (permit-root-login 'prohibit-password)))
-
- ;; Firewall
- (service nftables-service-type
- (nftables-configuration
- (ruleset (make-firewall-rules '()))))
-
- ;; Screensaver
- (service screen-locker-service-type
- (screen-locker-configuration
- (name "xlock")
- (program (file-append xlockmore "/bin/xlock")))))
-
- (modify-services %desktop-services
- ;; GDM is default on upstream, on x86_64
- (delete gdm-service-type)
- (delete screen-locker-service-type)
- (dbus-root-service-type config => (dbus-configuration (inherit config)
- (services (list blueman))))
- (network-manager-service-type config =>
- (network-manager-configuration
- (inherit config)
- (vpn-plugins (list network-manager-openvpn
- network-manager-openconnect)))))))
-
(define %px-desktop-services
(append %px-desktop-services-base))
+;;;
+;;;
+;;; ENTERPRISE
+;;; px-desktop-ee-o services
+;;;
+
(define %px-desktop-ee-services
(append (list (service px-device-identity-service-type)
(service px-user-identity-service-type)
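Review bot: The new `;;; DESKTOP` header says only `px-desktop-os services` / `px-new-desktop services`, but the deleted base list carried the desktop's security defaults — the `make-firewall-rules` nftables ruleset with `policy drop` on the input and forward chains, `openssh-configuration` with `permit-root-login 'prohibit-password`, the xlock `screen-locker-service-type` and the `gnome-keyring` PAM hookup — and the commit title mentions only gdm. Nothing on the new side says where these are now expected to come from, so a reader will conclude the desktop set ships without a host firewall or screen lock. If that move is intentional, add a line under the header such as `;;; NOTE: firewall, screen locker and sshd hardening are no longer set here; see [MODULE PLACEHOLDER]`, otherwise re-add those services to `%px-desktop-services`. The added `;;; px-desktop-ee-o services` also looks like a typo for `px-desktop-ee-os`, matching the `px-server-ee-os` wording in the next hunk.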
@@ -196,42 +87,28 @@
;;;
;;; SERVER
+;;; px-server-os services
+;;; px-server-ee-os services
;;;
-(define %px-server-services-base
+(define %px-server-services
(append (list
- ;; OpenSSH is enabled by default but only with SSH key
- (service openssh-service-type
+ ;; OpenSSH is enabled by default but only with SSH key
+ (service openssh-service-type
(openssh-configuration
(permit-root-login 'prohibit-password)))
- ;; Time service
- (service ntp-service-type))
-
+ ;; Time service
+ (service ntp-service-type)
+ ;; Firewall
+ (service nftables-service-type)
+ ;; DHCP
+ (service dhcp-client-service-type))
%base-services))
-(define %px-server-services
- (append (list
- ;; Firewall
- (service nftables-service-type)
- ;; DHCP
- (service dhcp-client-service-type))
- %px-server-services-base))
-
-; (define %px-server-iptables-services
-; (append (list
-; ;; Firewall
-; ;; nftables doesn't work well with Docker
-; (service iptables-service-type))
-; %px-server-services-base))
-
(define %px-server-ee-services
- (append (list (service px-device-identity-service-type)
- ;; Firewall
- (service nftables-service-type)
- ;; DHCP
- (service dhcp-client-service-type))
- %px-server-services-base))
+ (append (list (service px-device-identity-service-type))
+ %px-server-services))
;;;
;;; ARM-SPECIFIC
@@ -289,5 +166,4 @@
(lxqt lxqt-modified)
(default-packages '()))))
(modify-services %desktop-services
- (delete gdm-service-type)
(delete network-manager-service-type))))
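Review bot: `%px-server-services` now carries `(service nftables-service-type)` unconditionally, and the former `%px-server-services-base` escape hatch — described in the deleted export comment as being for servers such as docker hosts "without nftables" — is gone together with the commented-out iptables variant, so that operational knowledge leaves the file with this commit. A comment on the new `;; Firewall` line would preserve it, e.g. `;; Firewall (Guix default nftables ruleset); hosts that need another packet filter, such as docker hosts, should (delete nftables-service-type) via modify-services`. The whitespace-only re-indentation of the OpenSSH comment and `(service openssh-service-type` shows up as a removed/added pair while `(openssh-configuration` and `(permit-root-login ...)` keep their old indentation; re-indenting the whole form, or neither, would keep the hunk to real changes.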
\ No newline at end of file |