Diffstat (limited to 'px/services/base.scm')
-rw-r--r--px/services/base.scm293
1 files changed, 293 insertions, 0 deletions
diff --git a/px/services/base.scm b/px/services/base.scm
new file mode 100644
index 0000000..91a966e
--- /dev/null
+++ b/px/services/base.scm
@@ -0,0 +1,293 @@
+;;; PantherX System Configuration Module
+;;; This module supports configuration modules for PantherX OS definitions
+;;;
+;;; Reza Alizadeh Majd <r.majd@pantherx.org>
+;;; Franz Geffke <franz@pantherx.org>
+;;;
+
+(define-module (px services base)
+ #:use-module (gnu packages gnome)
+ #:use-module (gnu packages openbox)
+ #:use-module (gnu packages networking)
+ #:use-module (gnu packages security-token)
+ #:use-module (gnu packages xdisorg)
+ #:use-module (gnu services)
+ #:use-module (gnu services avahi)
+ #:use-module (gnu services base)
+ #:use-module (gnu services cups)
+ #:use-module (gnu services dbus)
+ #:use-module (gnu services desktop)
+ #:use-module (gnu services networking)
+ #:use-module (gnu services pm)
+ #:use-module (gnu services sddm)
+ #:use-module (gnu services sound)
+ #:use-module (gnu services ssh)
+ #:use-module (gnu services xorg)
+ #:use-module (px packages desktop)
+ #:use-module (px services desktop)
+ #:use-module (px services device)
+ #:use-module (px services security-token)
+ #:use-module (guix gexp)
+ #:use-module (ice-9 match)
+ #:use-module (srfi srfi-1)
+ #:export (%px-core-services
+
+ ;; for custom desktops (for ex. xfce)
+ ;; without lxqt
+ %px-desktop-services-base
+
+ %px-desktop-services
+ %px-desktop-ee-services
+
+ ;; for custom servers (for ex. docker)
+ ;; without nftables and dh
+ %px-server-services-base
+
+ %px-server-services
+ ; %px-server-iptables-services
+ %px-server-ee-services
+
+ %px-core-arm-services
+ %px-gui-arm-services
+ %px-desktop-arm-services)
+
+ #:re-export (px-desktop-service-type))
+
+;;;
+;;; Utilities
+;;;
+
+(define (make-firewall-rules open-ports)
+
+ (define (make-port-rules open-ports status)
+ "Generate list of strings each is a port/service rule for nftables"
+ (reduce-right append '()
+ (map (match-lambda
+ ((protocol ports ...)
+ (map (lambda (port)
+ (string-append " " protocol " dport " port " " status))
+ ports)))
+ open-ports)))
+
+ (let ((port-rules (make-port-rules open-ports "accept")))
+ (plain-file "nftables"
+ (string-append "#PantherX firewall rules\n"
+ "table inet filter {\n"
+ " chain input {\n"
+ " type filter hook input priority 0; policy drop;\n"
+ " # early drop of invalid connections\n"
+ " ct state invalid drop\n"
+ " # allow established/related connections\n"
+ " ct state { established, related } accept\n"
+ " # allow from loopback\n"
+ " iifname lo accept\n"
+ " # allow icmp\n"
+ " ip protocol icmp accept\n"
+ " ip6 nexthdr icmpv6 accept\n"
+ (string-join port-rules "\n" 'suffix)
+ " # reject everything else\n"
+ " reject with icmpx type port-unreachable\n"
+ " }\n"
+ " chain forward {\n"
+ " type filter hook forward priority 0; policy drop;\n"
+ " }\n"
+ " chain output {\n"
+ " type filter hook output priority 0; policy accept;\n"
+ " }\n"
+ "}\n"))))
+
+;;;
+;;;
+;;; CORE
+;;;
+
+(define %px-core-services
+ (append
+ ;; list of services that only required to be available in px-core-os,
+ ;; since they are available by default in upstream's %desktop-services
+ (list (service dhcp-client-service-type)
+ (service ntp-service-type))
+ %base-services))
+
+;;;
+;;; DESKTOP
+;;;
+
+(define %px-desktop-services-base
+ (append (list
+ ;; Various udev rules incl. FIDO support
+ (simple-service 'custom-udev-rules
+ udev-service-type
+ (list libu2f-host))
+
+ (ledger-wallet-service)
+ (nitro-key-service)
+
+ ;; Power savings
+ (service tlp-service-type)
+
+ ;; Bluetooth service
+ ;; (bluetooth-service #:auto-enable? #t)
+ (service bluetooth-service-type
+ (bluetooth-configuration
+ (auto-enable? #t)))
+
+ ;; Prevent overheating
+ ;; TLP does not conflict with thermald.
+ (service thermald-service-type)
+
+ ; Display manager
+ (service sddm-service-type
+ (sddm-configuration
+ (minimum-uid 1000)
+ (theme "px-sddm-theme")))
+
+ ;; Printing
+ (service cups-service-type
+ (cups-configuration
+ (web-interface? #t)
+ (browsing? #t)
+ (default-paper-size "a4")))
+
+ ;; Keychain
+ (service gnome-keyring-service-type
+ (gnome-keyring-configuration
+ (pam-services '(("passwd" . passwd)
+ ("sddm" . login)))))
+
+ ;; SSH is enabled by default but only with SSH key
+ (service openssh-service-type
+ (openssh-configuration
+ (permit-root-login 'prohibit-password)))
+
+ ;; Firewall
+ (service nftables-service-type
+ (nftables-configuration
+ (ruleset (make-firewall-rules '()))))
+
+ ;; Screensaver
+ (service screen-locker-service-type
+ (screen-locker-configuration
+ (name "xlock")
+ (program (file-append xlockmore "/bin/xlock")))))
+
+ (modify-services %desktop-services
+ ;; GDM is default on upstream, on x86_64
+ (delete gdm-service-type)
+ (delete screen-locker-service-type)
+ (dbus-root-service-type config => (dbus-configuration (inherit config)
+ (services (list blueman))))
+ (network-manager-service-type config =>
+ (network-manager-configuration
+ (inherit config)
+ (vpn-plugins (list network-manager-openvpn
+ network-manager-openconnect)))))))
+
+(define %px-desktop-services
+ (append
+ %px-desktop-services-base))
+
+(define %px-desktop-ee-services
+ (append (list (service px-device-identity-service-type)
+ (service px-user-identity-service-type)
+ ;; Desktop
+ (service px-desktop-service-type))
+ %px-desktop-services-base))
+
+;;;
+;;; SERVER
+;;;
+
+(define %px-server-services-base
+ (append (list
+ ;; OpenSSH is enabled by default but only with SSH key
+ (service openssh-service-type
+ (openssh-configuration
+ (permit-root-login 'prohibit-password)))
+
+ ;; Time service
+ (service ntp-service-type))
+
+ %base-services))
+
+(define %px-server-services
+ (append (list
+ ;; Firewall
+ (service nftables-service-type)
+ ;; DHCP
+ (service dhcp-client-service-type))
+ %px-server-services-base))
+
+; (define %px-server-iptables-services
+; (append (list
+; ;; Firewall
+; ;; nftables doesn't work well with Docker
+; (service iptables-service-type))
+; %px-server-services-base))
+
+(define %px-server-ee-services
+ (append (list (service px-device-identity-service-type)
+ ;; Firewall
+ (service nftables-service-type)
+ ;; DHCP
+ (service dhcp-client-service-type))
+ %px-server-services-base))
+
+;;;
+;;; ARM-SPECIFIC
+;;;
+
+(define %px-core-arm-services
+ (cons*
+ ;; networking
+ (service wpa-supplicant-service-type)
+ (service network-manager-service-type)
+ (service modem-manager-service-type)
+ (service usb-modeswitch-service-type)
+ (service ntp-service-type)
+
+ ;; remote access
+ (service openssh-service-type
+ (openssh-configuration
+ (x11-forwarding? #t)
+ (permit-root-login #t)))
+
+ %base-services))
+
+(define %px-gui-arm-services
+ (cons*
+ (service slim-service-type
+ (slim-configuration
+ (vt "vt7")
+ (auto-login? #t)
+ (auto-login-session (file-append openbox "/bin/openbox-session"))
+ (default-user "default")))
+ (service avahi-service-type)
+ (service udisks-service-type)
+ (service upower-service-type)
+ (service accountsservice-service-type)
+ (service polkit-service-type)
+ (service elogind-service-type)
+ (service dbus-root-service-type)
+ polkit-wheel-service
+ polkit-network-manager-service ;; control network without sudo
+ polkit-elogind-service ;; reboot without sudo
+
+ (service pulseaudio-service-type)
+ (service alsa-service-type)
+ %px-core-arm-services))
+
+(define %px-desktop-arm-services
+ (append
+ (list (service dhcp-client-service-type)
+ (service sddm-service-type
+ (sddm-configuration
+ (minimum-uid 1000)
+ (theme "px-sddm-theme")))
+ (service px-desktop-service-type
+ (px-desktop-configuration
+ (lxqt lxqt-modified)
+ (default-packages '()))))
+ (modify-services %desktop-services
+ (delete gdm-service-type)
+ (delete network-manager-service-type)))) \ No newline at end of file
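Review bot: `%px-core-arm-services` (the openssh-configuration at the "remote access" block) sets `(permit-root-login #t)` together with `(x11-forwarding? #t)`, which allows password logins as root over SSH on the ARM images, and the ARM service sets add no nftables service, so unlike the desktop set (whose `make-firewall-rules '()` opens no inbound ports) that sshd is reachable from the network. This contradicts the "only with SSH key" intent stated above the desktop and server openssh blocks; I would change it to `(permit-root-login 'prohibit-password)` and drop `x11-forwarding?` unless a board workflow needs it. The comments "SSH is enabled by default but only with SSH key" on the desktop and server blocks also overstate things: `prohibit-password` only restricts root, and as far as I recall Guix's openssh-configuration leaves password authentication on for other users by default, so either add `(password-authentication? #f)` or reword the comment to "root login only with SSH key". A smaller robustness point in `make-port-rules`: `string-append` requires `protocol` and `port` to already be strings, so a caller passing `'(("tcp" 22))` will fail at build time; consider wrapping `port` with `number->string` when it is a number, or document the expected shape in the docstring.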