authorDavid Thompson <dthompson2@worcester.edu>2023-08-12 10:18:13 -0400
committerDavid Thompson <dthompson2@worcester.edu>2023-08-12 13:39:11 -0400
commitdd278fa4e3330884547db8713531efa6ee956e0b (patch)
treeb4a72c6186a4132d324104bbf5cb940d222c70ec /takemi.scm
parent8c6ce079543ebfad4896bc9e2071a30c9ae78dbf (diff)
Reorganize! Delete cruft! Use guix home!
Diffstat (limited to 'takemi.scm')
-rw-r--r--takemi.scm241
1 files changed, 0 insertions, 241 deletions
diff --git a/takemi.scm b/takemi.scm
deleted file mode 100644
index 0b74473..0000000
--- a/takemi.scm
+++ /dev/null
@@ -1,241 +0,0 @@
-(use-modules (gnu))
-(use-service-modules certbot cgit networking ssh version-control web)
-
-(define letsencrypt-cert
- "/etc/letsencrypt/live/dthompson.us/fullchain.pem")
-(define letsencrypt-cert-key
- "/etc/letsencrypt/live/dthompson.us/privkey.pem")
-(define dave-pub-key (local-file "dave.pub"))
-
-(define nginx-accounts
- (list (user-group (name "nginx") (system? #t))
- (user-account
- (name "nginx")
- (group "nginx")
- (supplementary-groups '("git"))
- (system? #t)
- (comment "nginx server user")
- (home-directory "/var/empty")
- (shell (file-append (specification->package "shadow")
- "/sbin/nologin")))))
-
-;; Need to override the default nginx service account configuration so
-;; that the nginx user is a member of the git group.
-(define nginx-service-type*
- (service-type
- (inherit nginx-service-type)
- (extensions
- (map (lambda (extension)
- (if (eq? (service-extension-target extension)
- account-service-type)
- (service-extension account-service-type
- (const nginx-accounts))
- extension))
- (service-type-extensions nginx-service-type)))))
-
-(define takemi-os
- (operating-system
- (locale "en_US.utf8")
- (timezone "America/New_York")
- (keyboard-layout (keyboard-layout "us"))
- (host-name "takemi")
- (users (cons* (user-account
- (name "dave")
- (comment "David Thompson")
- (group "users")
- (home-directory "/home/dave")
- (supplementary-groups
- '("wheel" "netdev")))
- (user-account
- (name "publish")
- (comment "Web file publisher")
- (group "publish")
- (home-directory "/var/www")
- (system? #t)
- (create-home-directory? #f))
- %base-user-accounts))
- (groups (cons* (user-group
- (name "publish")
- (system? #t))
- %base-groups))
- (sudoers-file
- (plain-file "sudoers"
- (string-append (plain-file-content %sudoers-specification)
- ;; 'guix deploy' requires no password
- ;; sudo capability.
- "dave ALL = NOPASSWD: ALL\n")))
- (packages
- (append (map specification->package '("emacs" "nss-certs" "rsync"))
- %base-packages))
- (services
- (append
- (list (service dhcp-client-service-type)
- (service openssh-service-type
- (openssh-configuration
- (password-authentication? #f)
- ;; So I can forward ports from my local host to
- ;; the server and have the ports accessible from
- ;; the internet.
- (gateway-ports? #t)
- (authorized-keys
- `(("dave" ,dave-pub-key)
- ("publish" ,dave-pub-key)))))
- (service gitolite-service-type
- (gitolite-configuration
- (admin-pubkey dave-pub-key)
- (rc-file (gitolite-rc-file
- ;; Grant read access to git group so
- ;; cgit will work.
- (umask #o0027)
- (git-config-keys "gitweb\\..*")))))
- (service (service-type
- (inherit certbot-service-type)
- (extensions
- ;; Replace original nginx-service-type with
- ;; our modified one.
- (map (lambda (extension)
- (if (eq? (service-extension-target extension)
- nginx-service-type)
- (service-extension nginx-service-type*
- (@@ (gnu services certbot)
- certbot-nginx-server-configurations))
- extension))
- (service-type-extensions certbot-service-type))))
- (certbot-configuration
- (email "dthompson2@worcester.edu")
- (certificates
- (list
- (certificate-configuration
- (domains '("dthompson.us"
- "www.dthompson.us"
- "git.dthompson.us"
- "files.dthompson.us"
- "haunt.dthompson.us"))
- ;; Send SIGHUP signal to nginx to trigger a
- ;; configuration reload, thus loading the
- ;; updated certificates.
- (deploy-hook (program-file
- "nginx-deploy-hook"
- #~(let ((pid (call-with-input-file
- "/var/run/nginx/pid"
- read)))
- (kill pid SIGHUP)))))))
- (webroot "/var/www/certbot")))
- (service nginx-service-type*
- (nginx-configuration
- (server-blocks
- (list (nginx-server-configuration
- (listen '("443 ssl"))
- (server-name '("www.dthompson.us"))
- (root "/var/www/blog")
- (ssl-certificate letsencrypt-cert)
- (ssl-certificate-key letsencrypt-cert-key))
- (nginx-server-configuration
- (listen '("443 ssl"))
- (server-name '("files.dthompson.us"))
- (root "/var/www/files")
- (raw-content '("autoindex on;"))
- (ssl-certificate letsencrypt-cert)
- (ssl-certificate-key letsencrypt-cert-key))
- ;; I used to have the Haunt website under
- ;; its own subdomain, and some sites still
- ;; point to it.
- (nginx-server-configuration
- (listen '("443 ssl"))
- (server-name '("haunt.dthompson.us"))
- (root "/var/www/haunt")
- (locations
- (list
- (nginx-location-configuration
- (uri "/")
- (body '("rewrite .* https://dthompson.us/projects/haunt.html permanent;")))))
- (ssl-certificate letsencrypt-cert)
- (ssl-certificate-key letsencrypt-cert-key))))))
- (service fcgiwrap-service-type
- (fcgiwrap-configuration
- ;; Use git group for read-only access to gitolite
- ;; repos.
- (group "git")))
- (let ((cgit (specification->package "cgit")))
- (service (service-type
- (inherit cgit-service-type)
- (extensions
- ;; Replace original nginx-service-type with
- ;; our modified one.
- (map (lambda (extension)
- (if (eq? (service-extension-target extension)
- nginx-service-type)
- (service-extension nginx-service-type*
- cgit-configuration-nginx-config)
- extension))
- (service-type-extensions cgit-service-type))))
- (cgit-configuration
- (project-list "/var/lib/gitolite/projects.list")
- (repository-directory "/var/lib/gitolite/repositories")
- (root-desc "all i wanted was a pepsi")
- (enable-git-config? #t)
- (enable-index-links? #t)
- (enable-index-owner? #f)
- (enable-commit-graph? #t)
- (enable-log-filecount? #t)
- (enable-log-linecount? #t)
- (clone-url '("https://git.dthompson.us/$CGIT_REPO_URL"))
- ;; Is there a way to avoid this wrapper script?
- (source-filter (program-file
- "cgit-syntax-highlight"
- #~(apply execl
- (string-append #$cgit "/lib/cgit/filters/syntax-highlighting.py")
- (command-line))))
- (nginx
- (list (nginx-server-configuration
- (listen '("443 ssl"))
- (server-name '("git.dthompson.us"))
- (root cgit)
- (locations
- (list
- (nginx-location-configuration
- (uri "@cgit")
- (body '("fastcgi_param SCRIPT_FILENAME $document_root/lib/cgit/cgit.cgi;"
- "fastcgi_param PATH_INFO $uri;"
- "fastcgi_param QUERY_STRING $args;"
- "fastcgi_param HTTP_HOST $server_name;"
- "fastcgi_pass 127.0.0.1:9000;")))))
- (try-files (list "$uri" "@cgit"))
- (ssl-certificate letsencrypt-cert)
- (ssl-certificate-key letsencrypt-cert-key))))))))
- (map (lambda (s)
- (if (eq? (service-kind s) guix-service-type)
- (service guix-service-type
- (guix-configuration
- (authorized-keys (cons (local-file "signing-key.pub")
- %default-authorized-guix-keys))))
- s))
- %base-services)))
- (bootloader
- (bootloader-configuration
- (bootloader grub-bootloader)
- (targets '("/dev/vda"))
- (keyboard-layout keyboard-layout)))
- (initrd-modules
- (append '("virtio_scsi") %base-initrd-modules))
- (swap-devices (list "/dev/vda2"))
- (file-systems
- (cons* (file-system
- (mount-point "/")
- (device
- (uuid "f99d3ff5-57ea-4b20-bca7-bc2d58b4c364"
- 'ext4))
- (type "ext4"))
- %base-file-systems))))
-
-(define takemi-host-key
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrptBAMgs8dGDerBkcmZQ2W/0nEXtOBCl8nLlEwjKdI")
-
-(list (machine
- (operating-system takemi-os)
- (environment managed-host-environment-type)
- (configuration (machine-ssh-configuration
- (host-name "dthompson.us")
- (system "x86_64-linux")
- (user "dave")
- (host-key takemi-host-key)))))