ryan77627/guix-dotfiles
1
0
Fork 0
mirror of https://git.in.rschanz.org/ryan77627/guix-config.git synced 2024-11-07 10:36:15 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

CACerts now populate correctly

Browse source
This commit is contained in:
Ryan 2023-05-16 23:52:36 -04:00
parent b081473eaa
commit 4fe3a734d1
Signed by: ryan77627
GPG key ID: 81B0E222A3E2308E
2 changed files with 39 additions and 264 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

212
sys
View file

@ -1,212 +0,0 @@
;; This is an operating system configuration generated
;; by the graphical installer.
;;
;; Once installation is complete, you can learn and modify
;; this file to tweak the system configuration, and pass it
;; to the 'guix system reconfigure' command to effect your
;; changes.
;; Indicate which modules to import to access the variables
;; used in this configuration.
(use-modules (gnu) (nongnu packages linux))
(use-modules (gnu system setuid))
(use-modules (gnu packages admin))
(use-modules (guix packages))
(use-modules (gnu services authentication))
(use-modules (gnu packages shells))
(use-modules (guix build-system trivial))
(use-modules (guix licenses))
(use-modules (srfi srfi-1))
(use-package-modules security-token)
(use-service-modules cups desktop networking ssh xorg sound security-token docker)
; Define package that installs my root ca public keys
(define my-ca-certs
(package
(name "my-ca-certs")
(version "1")
(source (local-file "./CACerts"
#:recursive? #t))
(build-system trivial-build-system)
(license mpl2.0)
(home-page "https://rschanz.org")
(arguments
`(#:modules
((guix build utils))
#:builder
(begin
(use-modules (guix build utils)
(srfi srfi-1)
(srfi srfi-26)
(ice-9 ftw))
(let* ((ca-certificates (assoc-ref %build-inputs "source"))
(crt-suffix ".crt")
(is-certificate? (cut string-suffix? crt-suffix <>))
(certificates (filter is-certificate?
(scandir ca-certificates)))
(out (assoc-ref %outputs "out"
"/etc/ssl/certs"))
(openssl (assoc-ref %build-inputs
"openssl")))
(mkdir-p certificate-directory)
(for-each
(lambda (certificate)
(invoke
openssl "x509"
"-in" (string-append ca-certificates "/" certificate)
"-outform" "PEM"
"-out" (string-append
certificate-directory "/"
(basename certificate crt-suffix) ".pem")))
certificates)
#t))))
(native-inputs
(list openssl))
(synopsis "My CA Certs")
(description synopsis)))
; Re-define the base packages to remove sudo
(define %my-base-packages
(remove (lambda (package)
(member (package-name package)
(list "sudo" "nano")))
%base-packages ))
(define %backlight-udev-rule
(udev-rule
"90-backlight.rules"
(string-append "ACTION==\"add\", SUBSYSTEM==\"backlight\", "
"RUN+=\"/run/current-system/profile/bin/chgrp video /sys/class/backlight/%k/brightness\""
"\n"
"ACTION==\"add\", SUBSYSTEM==\"backlight\", "
"RUN+=\"/run/current-system/profile/bin/chmod g+w /sys/class/backlight/%k/brightness\"")))
(operating-system
(kernel linux)
(firmware (list linux-firmware))
(locale "en_US.utf8")
(timezone "America/New_York")
(keyboard-layout (keyboard-layout "us"))
(host-name "RyanThinkpad")
;; The list of user accounts ('root' is implicit).
(users (cons* (user-account
(name "ryan")
(comment "Ryan")
(group "users")
;(shell (file-append zsh "/bin/zsh"))
(home-directory "/home/ryan")
(supplementary-groups '("wheel" "netdev" "audio" "video" "lp" "plugdev" "docker")))
%base-user-accounts))
;; Packages installed system-wide. Users can also install packages
;; under their own account: use 'guix search KEYWORD' to search
;; for packages and 'guix install PACKAGE' to install a package.
(packages (append (map specification->package (list "sway"
"swaybg"
"swayidle"
"swaylock-effects"
"fuzzel"
"alacritty"
"pinentry-qt"
"adwaita-icon-theme"
"hicolor-icon-theme"
"git"
"nss-certs"
"waybar"
"gnupg"
"light"
"mako"
"grim"
"slurp"
"wl-clipboard"
"bluez"
"blueman"
"opendoas"
"xdg-desktop-portal-wlr"
"xdg-desktop-portal"
"pipewire"
"fprintd"
"docker"
"wireplumber"
"zsh"))
(list my-ca-certs)
%my-base-packages ))
;; Below is the list of system services. To search for available
;; services, run 'guix system search KEYWORD' in a terminal.
(services
(append (list
;; To configure OpenSSH, pass an 'openssh-configuration'
;; record as a second argument to 'service' below.
(service openssh-service-type)
(service pcscd-service-type)
(service fprintd-service-type)
(service docker-service-type)
(service bluetooth-service-type)
(udev-rules-service 'fido2 libfido2 #:groups '("plugdev"))
(set-xorg-configuration
(xorg-configuration (keyboard-layout keyboard-layout))))
;; This is the default list of services we
;; are appending to.
(modify-services %desktop-services
(guix-service-type config =>
(guix-configuration
(inherit config)
(substitute-urls
(append (list "https://substitutes.nonguix.org")
%default-substitute-urls))
(authorized-keys
(cons* (plain-file "non-guix.pub"
"(public-key
(ecc
(curve Ed25519)
(q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)
)
)" ) %default-authorized-guix-keys))))
(udev-service-type config =>
(udev-configuration
(inherit config)
(rules (cons %backlight-udev-rule
(udev-configuration-rules config)))))
(delete pulseaudio-service-type)
(delete gdm-service-type) )))
(setuid-programs
(append (list (file-like->setuid-program
(file-append
(specification->package "swaylock-effects")
"/bin/swaylock"))
(file-like->setuid-program
(file-append
(specification->package "opendoas")
"/bin/doas")))
(delete sudo %setuid-programs)))
(bootloader (bootloader-configuration
(bootloader grub-efi-bootloader)
(targets (list "/boot/efi"))
(keyboard-layout keyboard-layout)))
(mapped-devices (list (mapped-device
(source (uuid
"adcaf322-7ee5-48ec-abf6-4a9b10643878"))
(target "sysroot")
(type luks-device-mapping))))
;; The list of file systems that get "mounted". The unique
;; file system identifiers there ("UUIDs") can be obtained
;; by running 'blkid' in a terminal.
(file-systems (cons* (file-system
(mount-point "/")
(device "/dev/mapper/sysroot")
(type "ext4")
(dependencies mapped-devices))
(file-system
(mount-point "/boot/efi")
(device (uuid "DFE8-32EF"
'fat32))
(type "vfat")) %base-file-systems))
(swap-devices
(list
(swap-space (target (uuid "7e1bb7c5-da2a-4509-8263-f707fc752993"))) )))

91
system.scm
View file

@ -15,9 +15,9 @@
(use-modules (guix packages))
(use-modules (gnu services authentication))
(use-modules (gnu packages shells))
(use-modules (gnu packages perl))
(use-modules (guix build-system trivial))
(use-modules (guix licenses))
(use-modules (gnu packages tls))
(use-modules (srfi srfi-1))
(use-package-modules security-token)
(use-service-modules cups desktop networking ssh xorg sound security-token docker)
@ -25,57 +25,44 @@
; Define package that installs my root ca public keys
(define my-ca-certs
(package
(name "my-ca-certs")
(version "1")
(source (local-file "./CACerts/"
#:recursive? #t))
(home-page "https://rschanz.org")
(license agpl3+)
(build-system trivial-build-system)
(arguments
`(#:modules
((guix build utils))
#:builder
(begin
(use-modules (guix build utils)
(srfi srfi-1)
(srfi srfi-26)
(ice-9 ftw))
(let* ((ca-certificates (assoc-ref %build-inputs "source"))
(crt-suffix ".crt")
(is-certificate? (cut string-suffix? crt-suffix <>))
(certificates (filter is-certificate?
(scandir ca-certificates)))
(out (assoc-ref %outputs "out"))
(certificate-directory (string-append out
"/etc/ssl/certs"))
(openssl (string-append (assoc-ref %build-inputs
"openssl")
"/bin/openssl")))
(mkdir-p certificate-directory)
;; When this package is installed into a profile, any files in the
;; package output's etc/ssl/certs directory ending in ".pem" will
;; also be put into a ca-certificates.crt bundle. In the case of a
;; system profile, this bundle will be made available to the system
;; at activation time. See the profile hooks defined in (guix
;; profiles) and the etc-service-type define in (gnu services) for
;; details.
(for-each
;; Ensure the certificate is in an appropriate format.
(lambda (certificate)
(invoke
openssl "x509"
"-in" (string-append ca-certificates "/" certificate)
"-outform" "PEM"
"-out" (string-append
certificate-directory "/"
(basename certificate crt-suffix) ".pem")))
certificates)
#t))))
(inputs
(list openssl))
(synopsis "My certificate authority certificates")
(description synopsis)))
(name "my-ca-certs")
(version "1")
(source (local-file "./CACerts"
#:recursive? #t))
(build-system trivial-build-system)
(license mpl2.0)
(home-page "https://rschanz.org")
(arguments
`(#:modules
((guix build utils))
#:builder
(begin
(use-modules (guix build utils)
(srfi srfi-1)
(srfi srfi-26)
(ice-9 ftw))
(let* ((ca-certificates (assoc-ref %build-inputs "source"))
(crt-suffix ".crt")
(is-certificate? (cut string-suffix? crt-suffix <>))
(certificates (filter is-certificate?
(scandir ca-certificates)))
(out (assoc-ref %outputs "out"))
(certificate-directory (string-append out "/etc/ssl/certs"))
(openssl (string-append (assoc-ref %build-inputs "openssl") "/bin/openssl")))
(mkdir-p certificate-directory)
(for-each
(lambda (cert)
(invoke
openssl "x509"
"-in" (string-append ca-certificates "/" cert)
"-outform" "PEM"
"-out" (string-append certificate-directory "/" cert ".pem")))
certificates)
#t))))
(native-inputs
(list openssl))
(synopsis "My CA Certs")
(description synopsis)))
; Re-define the base packages to remove sudo
(define %my-base-packages