authorDavid Thompson <dthompson@vistahigherlearning.com>2020-07-12 09:02:13 -0400
committerDavid Thompson <dthompson@vistahigherlearning.com>2020-07-12 09:07:46 -0400
commit96bf2a2318fffc8194137338648a5cd44ea0dc30 (patch)
treee6bade6cc11ee08d584b911c54b8aa355e1f6b9d
parent478fdd3c9d2a754a52eb31b5586f6f3f50df982e (diff)
takemi: Enable letsencrypt and get basic blog and git hosting working.
-rw-r--r--takemi.scm115
1 files changed, 106 insertions, 9 deletions
diff --git a/takemi.scm b/takemi.scm
index 0f860fc..ff749be 100644
--- a/takemi.scm
+++ b/takemi.scm
@@ -1,5 +1,10 @@
(use-modules (gnu))
-(use-service-modules desktop networking ssh xorg)
+(use-service-modules certbot cgit networking ssh version-control web)
+
+(define letsencrypt-cert
+ "/etc/letsencrypt/live/dthompson.us/fullchain.pem")
+(define letsencrypt-cert-key
+ "/etc/letsencrypt/live/dthompson.us/privkey.pem")
(define takemi-os
(operating-system
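Review bot: The two new `letsencrypt-cert` / `letsencrypt-cert-key` paths hard-code the lineage name `dthompson.us`, which only holds because that domain is listed first in the `certificate-configuration` added later in this commit and no explicit `name` is given there; certbot names the lineage after the first domain by default. Reordering the domain list would silently break every nginx server block that references these paths, so the coupling should be stated at the definitions, e.g. `;; Lineage directory: certbot's default name is the first domain in the certificate-configuration below; keep "dthompson.us" first or set its name field.`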
@@ -13,24 +18,112 @@
(group "users")
(home-directory "/home/dave")
(supplementary-groups
- '("wheel" "netdev" "audio" "video")))
+ '("wheel" "netdev")))
+ (user-account
+ (name "publish")
+ (comment "Web file publisher")
+ (group "publish")
+ (home-directory "/var/www")
+ (system? #t)
+ (create-home-directory? #f))
%base-user-accounts))
+ (groups (cons* (user-group
+ (name "publish")
+ (system? #t))
+ %base-groups))
(sudoers-file
(plain-file "sudoers"
(string-append (plain-file-content %sudoers-specification)
+ ;; 'guix deploy' requires no password
+ ;; sudo capability.
"dave ALL = NOPASSWD: ALL\n")))
(packages
- (append
- (list (specification->package "nss-certs"))
- %base-packages))
+ (append (map specification->package '("nss-certs" "emacs"))
+ %base-packages))
(services
(append
- (list (service openssh-service-type
+ (list (service dhcp-client-service-type)
+ (service openssh-service-type
(openssh-configuration
(password-authentication? #f)
(authorized-keys
- `(("dave" ,(local-file "dave.pub"))))))
- (service dhcp-client-service-type))
+ `(("dave" ,(local-file "dave.pub"))
+ ("publish" ,(local-file "dave.pub"))))))
+ (service gitolite-service-type
+ (gitolite-configuration
+ (admin-pubkey (local-file "dave.pub"))
+ (rc-file (gitolite-rc-file
+ ;; Grant read access to git group so
+ ;; cgit will work.
+ (umask #o0027)))))
+ (service certbot-service-type
+ (certbot-configuration
+ (email "dthompson2@worcester.edu")
+ (certificates
+ (list
+ (certificate-configuration
+ (domains '("dthompson.us"
+ "www.dthompson.us"
+ "git.dthompson.us"
+ "files.dthompson.us"))
+ ;; Send SIGHUP signal to nginx to trigger a
+ ;; configuration reload, thus loading the
+ ;; updated certificates.
+ (deploy-hook (program-file
+ "nginx-deploy-hook"
+ #~(let ((pid (call-with-input-file
+ "/var/run/nginx/pid"
+ read)))
+ (kill pid SIGHUP)))))))
+ (webroot "/var/www/certbot")))
+ (service nginx-service-type
+ (nginx-configuration
+ (server-blocks
+ (list (nginx-server-configuration
+ (listen '("443 ssl"))
+ (server-name '("www.dthompson.us"))
+ (root "/var/www/blog")
+ (ssl-certificate letsencrypt-cert)
+ (ssl-certificate-key letsencrypt-cert-key))
+ (nginx-server-configuration
+ (listen '("443 ssl"))
+ (server-name '("files.dthompson.us"))
+ (root "/var/www/files")
+ (ssl-certificate letsencrypt-cert)
+ (ssl-certificate-key letsencrypt-cert-key))))))
+ (service fcgiwrap-service-type
+ (fcgiwrap-configuration
+ ;; Use git group for read-only access to gitolite
+ ;; repos.
+ (group "git")))
+ (let ((cgit (specification->package "cgit")))
+ (service cgit-service-type
+ (cgit-configuration
+ (project-list "/var/lib/gitolite/projects.list")
+ (repository-directory "/var/lib/gitolite/repositories")
+ ;; Is there a way to avoid this wrapper script?
+ (source-filter (program-file
+ "cgit-syntax-highlight"
+ #~(apply execl
+ (string-append #$cgit "/lib/cgit/filters/syntax-highlighting.py")
+ (command-line))))
+ (nginx
+ (list (nginx-server-configuration
+ (listen '("443 ssl"))
+ (server-name '("git.dthompson.us"))
+ (root cgit)
+ (locations
+ (list
+ (nginx-location-configuration
+ (uri "@cgit")
+ (body '("fastcgi_param SCRIPT_FILENAME $document_root/lib/cgit/cgit.cgi;"
+ "fastcgi_param PATH_INFO $uri;"
+ "fastcgi_param QUERY_STRING $args;"
+ "fastcgi_param HTTP_HOST $server_name;"
+ "fastcgi_pass 127.0.0.1:9000;")))))
+ (try-files (list "$uri" "@cgit"))
+ (ssl-certificate letsencrypt-cert)
+ (ssl-certificate-key letsencrypt-cert-key))))))))
%base-services))
(bootloader
(bootloader-configuration
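Review bot: The certbot deploy hook (the `nginx-deploy-hook` program-file) assumes `/var/run/nginx/pid` exists and contains an integer; if nginx is not running the open raises, and if the file is empty `read` returns the end-of-file object, so `kill` throws and the renewal is reported as a failed hook. Guarding the signal with `(when (integer? pid) (kill pid SIGHUP))` (and wrapping the read in `false-if-exception`) keeps renewal succeeding and lets nginx load the new certificate on its next start. Separately, the gitolite umask `#o0027` combined with `(group "git")` on fcgiwrap makes every repository under `/var/lib/gitolite` readable by the cgit CGI, so `projects.list` becomes the only boundary keeping a non-public repository out of the web UI; the existing umask comment should say so, e.g. `;; NOTE: every repo is now group-readable by cgit; only projects.list limits what is shown.` The `cgit-syntax-highlight` wrapper may be replaceable by `(file-append cgit "/lib/cgit/filters/syntax-highlighting.py")` if the filter is directly executable from the store, which would answer the question in its comment.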
@@ -49,10 +142,14 @@
(type "ext4"))
%base-file-systems))))
+(define takemi-host-key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrptBAMgs8dGDerBkcmZQ2W/0nEXtOBCl8nLlEwjKdI")
+
(list (machine
(operating-system takemi-os)
(environment managed-host-environment-type)
(configuration (machine-ssh-configuration
(host-name "64.225.6.170")
(system "x86_64-linux")
- (user "dave")))))
+ (user "dave")
+ (host-key takemi-host-key)))))
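Review bot: `takemi-host-key` is a bare key string with no comment saying what it is for, and a reader may mistake it for a credential rather than the server's public host key. If I read `machine-ssh-configuration` correctly, the `host-key` field makes `guix deploy` verify the remote against this pinned key instead of relying on the local `known_hosts`, so a mismatch fails the deployment; that intent is worth recording at the definition, e.g. `;; Public SSH host key of takemi; guix deploy pins the server to it so a changed key aborts deployment.`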