authorDavid Thompson <dthompson2@worcester.edu>2023-08-12 10:18:13 -0400
committerDavid Thompson <dthompson2@worcester.edu>2023-08-12 13:39:11 -0400
commitdd278fa4e3330884547db8713531efa6ee956e0b (patch)
treeb4a72c6186a4132d324104bbf5cb940d222c70ec /takemi-os.scm
parent8c6ce079543ebfad4896bc9e2071a30c9ae78dbf (diff)
Reorganize! Delete cruft! Use guix home!
Diffstat (limited to 'takemi-os.scm')
-rw-r--r--takemi-os.scm241
1 files changed, 241 insertions, 0 deletions
diff --git a/takemi-os.scm b/takemi-os.scm
new file mode 100644
index 0000000..bd24040
--- /dev/null
+++ b/takemi-os.scm
@@ -0,0 +1,241 @@
+(use-modules (gnu))
+(use-service-modules certbot cgit networking ssh version-control web)
+
+(define letsencrypt-cert
+ "/etc/letsencrypt/live/dthompson.us/fullchain.pem")
+(define letsencrypt-cert-key
+ "/etc/letsencrypt/live/dthompson.us/privkey.pem")
+(define dave-pub-key (local-file "keys/dave.pub"))
+
+(define nginx-accounts
+ (list (user-group (name "nginx") (system? #t))
+ (user-account
+ (name "nginx")
+ (group "nginx")
+ (supplementary-groups '("git"))
+ (system? #t)
+ (comment "nginx server user")
+ (home-directory "/var/empty")
+ (shell (file-append (specification->package "shadow")
+ "/sbin/nologin")))))
+
+;; Need to override the default nginx service account configuration so
+;; that the nginx user is a member of the git group.
+(define nginx-service-type*
+ (service-type
+ (inherit nginx-service-type)
+ (extensions
+ (map (lambda (extension)
+ (if (eq? (service-extension-target extension)
+ account-service-type)
+ (service-extension account-service-type
+ (const nginx-accounts))
+ extension))
+ (service-type-extensions nginx-service-type)))))
+
+(define takemi-os
+ (operating-system
+ (locale "en_US.utf8")
+ (timezone "America/New_York")
+ (keyboard-layout (keyboard-layout "us"))
+ (host-name "takemi")
+ (users (cons* (user-account
+ (name "dave")
+ (comment "David Thompson")
+ (group "users")
+ (home-directory "/home/dave")
+ (supplementary-groups
+ '("wheel" "netdev")))
+ (user-account
+ (name "publish")
+ (comment "Web file publisher")
+ (group "publish")
+ (home-directory "/var/www")
+ (system? #t)
+ (create-home-directory? #f))
+ %base-user-accounts))
+ (groups (cons* (user-group
+ (name "publish")
+ (system? #t))
+ %base-groups))
+ (sudoers-file
+ (plain-file "sudoers"
+ (string-append (plain-file-content %sudoers-specification)
+ ;; 'guix deploy' requires no password
+ ;; sudo capability.
+ "dave ALL = NOPASSWD: ALL\n")))
+ (packages
+ (append (map specification->package '("emacs" "nss-certs" "rsync"))
+ %base-packages))
+ (services
+ (append
+ (list (service dhcp-client-service-type)
+ (service openssh-service-type
+ (openssh-configuration
+ (password-authentication? #f)
+ ;; So I can forward ports from my local host to
+ ;; the server and have the ports accessible from
+ ;; the internet.
+ (gateway-ports? #t)
+ (authorized-keys
+ `(("dave" ,dave-pub-key)
+ ("publish" ,dave-pub-key)))))
+ (service gitolite-service-type
+ (gitolite-configuration
+ (admin-pubkey dave-pub-key)
+ (rc-file (gitolite-rc-file
+ ;; Grant read access to git group so
+ ;; cgit will work.
+ (umask #o0027)
+ (git-config-keys "gitweb\\..*")))))
+ (service (service-type
+ (inherit certbot-service-type)
+ (extensions
+ ;; Replace original nginx-service-type with
+ ;; our modified one.
+ (map (lambda (extension)
+ (if (eq? (service-extension-target extension)
+ nginx-service-type)
+ (service-extension nginx-service-type*
+ (@@ (gnu services certbot)
+ certbot-nginx-server-configurations))
+ extension))
+ (service-type-extensions certbot-service-type))))
+ (certbot-configuration
+ (email "dthompson2@worcester.edu")
+ (certificates
+ (list
+ (certificate-configuration
+ (domains '("dthompson.us"
+ "www.dthompson.us"
+ "git.dthompson.us"
+ "files.dthompson.us"
+ "haunt.dthompson.us"))
+ ;; Send SIGHUP signal to nginx to trigger a
+ ;; configuration reload, thus loading the
+ ;; updated certificates.
+ (deploy-hook (program-file
+ "nginx-deploy-hook"
+ #~(let ((pid (call-with-input-file
+ "/var/run/nginx/pid"
+ read)))
+ (kill pid SIGHUP)))))))
+ (webroot "/var/www/certbot")))
+ (service nginx-service-type*
+ (nginx-configuration
+ (server-blocks
+ (list (nginx-server-configuration
+ (listen '("443 ssl"))
+ (server-name '("www.dthompson.us"))
+ (root "/var/www/blog")
+ (ssl-certificate letsencrypt-cert)
+ (ssl-certificate-key letsencrypt-cert-key))
+ (nginx-server-configuration
+ (listen '("443 ssl"))
+ (server-name '("files.dthompson.us"))
+ (root "/var/www/files")
+ (raw-content '("autoindex on;"))
+ (ssl-certificate letsencrypt-cert)
+ (ssl-certificate-key letsencrypt-cert-key))
+ ;; I used to have the Haunt website under
+ ;; its own subdomain, and some sites still
+ ;; point to it.
+ (nginx-server-configuration
+ (listen '("443 ssl"))
+ (server-name '("haunt.dthompson.us"))
+ (root "/var/www/haunt")
+ (locations
+ (list
+ (nginx-location-configuration
+ (uri "/")
+ (body '("rewrite .* https://dthompson.us/projects/haunt.html permanent;")))))
+ (ssl-certificate letsencrypt-cert)
+ (ssl-certificate-key letsencrypt-cert-key))))))
+ (service fcgiwrap-service-type
+ (fcgiwrap-configuration
+ ;; Use git group for read-only access to gitolite
+ ;; repos.
+ (group "git")))
+ (let ((cgit (specification->package "cgit")))
+ (service (service-type
+ (inherit cgit-service-type)
+ (extensions
+ ;; Replace original nginx-service-type with
+ ;; our modified one.
+ (map (lambda (extension)
+ (if (eq? (service-extension-target extension)
+ nginx-service-type)
+ (service-extension nginx-service-type*
+ cgit-configuration-nginx-config)
+ extension))
+ (service-type-extensions cgit-service-type))))
+ (cgit-configuration
+ (project-list "/var/lib/gitolite/projects.list")
+ (repository-directory "/var/lib/gitolite/repositories")
+ (root-desc "all i wanted was a pepsi")
+ (enable-git-config? #t)
+ (enable-index-links? #t)
+ (enable-index-owner? #f)
+ (enable-commit-graph? #t)
+ (enable-log-filecount? #t)
+ (enable-log-linecount? #t)
+ (clone-url '("https://git.dthompson.us/$CGIT_REPO_URL"))
+ ;; Is there a way to avoid this wrapper script?
+ (source-filter (program-file
+ "cgit-syntax-highlight"
+ #~(apply execl
+ (string-append #$cgit "/lib/cgit/filters/syntax-highlighting.py")
+ (command-line))))
+ (nginx
+ (list (nginx-server-configuration
+ (listen '("443 ssl"))
+ (server-name '("git.dthompson.us"))
+ (root cgit)
+ (locations
+ (list
+ (nginx-location-configuration
+ (uri "@cgit")
+ (body '("fastcgi_param SCRIPT_FILENAME $document_root/lib/cgit/cgit.cgi;"
+ "fastcgi_param PATH_INFO $uri;"
+ "fastcgi_param QUERY_STRING $args;"
+ "fastcgi_param HTTP_HOST $server_name;"
+ "fastcgi_pass 127.0.0.1:9000;")))))
+ (try-files (list "$uri" "@cgit"))
+ (ssl-certificate letsencrypt-cert)
+ (ssl-certificate-key letsencrypt-cert-key))))))))
+ (map (lambda (s)
+ (if (eq? (service-kind s) guix-service-type)
+ (service guix-service-type
+ (guix-configuration
+ (authorized-keys (cons (local-file "keys/signing-key.pub")
+ %default-authorized-guix-keys))))
+ s))
+ %base-services)))
+ (bootloader
+ (bootloader-configuration
+ (bootloader grub-bootloader)
+ (targets '("/dev/vda"))
+ (keyboard-layout keyboard-layout)))
+ (initrd-modules
+ (append '("virtio_scsi") %base-initrd-modules))
+ (swap-devices (list "/dev/vda2"))
+ (file-systems
+ (cons* (file-system
+ (mount-point "/")
+ (device
+ (uuid "f99d3ff5-57ea-4b20-bca7-bc2d58b4c364"
+ 'ext4))
+ (type "ext4"))
+ %base-file-systems))))
+
+(define takemi-host-key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrptBAMgs8dGDerBkcmZQ2W/0nEXtOBCl8nLlEwjKdI")
+
+(list (machine
+ (operating-system takemi-os)
+ (environment managed-host-environment-type)
+ (configuration (machine-ssh-configuration
+ (host-name "dthompson.us")
+ (system "x86_64-linux")
+ (user "dave")
+ (host-key takemi-host-key)))))
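Review bot: fcgiwrap is reached over loopback TCP in the @cgit location (`fastcgi_pass 127.0.0.1:9000;`) while the fcgiwrap-configuration sets `(group "git")`, so any local process, not only nginx, can connect to that port, supply its own SCRIPT_FILENAME and have fcgiwrap execute it with the git group's read access to every gitolite repository, not just the ones in projects.list; the `publish` account defined in this file is one such local principal. Moving fcgiwrap to a Unix socket limits this to whoever can open the socket: `(socket "unix:/var/run/fcgiwrap.sock")` in the fcgiwrap-configuration and `fastcgi_pass unix:/var/run/fcgiwrap.sock;` in the @cgit body (the exact field name and the socket ownership/permissions the Guix fcgiwrap service applies should be confirmed against the installed gnu/services/web.scm so that only the nginx user can connect). Separately, the certbot `webroot` "/var/www/certbot" lies under the `publish` account's home directory "/var/www", and anything able to write there can answer ACME http-01 challenges for the listed domains, so it is worth verifying that directory is root-owned and not writable by `publish`.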