-rw-r--r--takemi-os.scm358
1 files changed, 178 insertions, 180 deletions
diff --git a/takemi-os.scm b/takemi-os.scm
index 7bbfa55..a56c4e5 100644
--- a/takemi-os.scm
+++ b/takemi-os.scm
@@ -76,186 +76,184 @@
(append (map specification->package '("emacs" "nss-certs" "rsync"))
%base-packages))
(services
- (append
- (list (service dhcp-client-service-type)
- (service openssh-service-type
- (openssh-configuration
- (password-authentication? #f)
- ;; So I can forward ports from my local host to
- ;; the server and have the ports accessible from
- ;; the internet.
- (gateway-ports? #t)
- (authorized-keys
- `(("dave" ,dave-pub-key)
- ("publish" ,dave-pub-key)))))
- (service gitolite-service-type
- (gitolite-configuration
- (admin-pubkey dave-pub-key)
- (rc-file (gitolite-rc-file
- ;; Grant read access to git group so
- ;; cgit will work.
- (umask #o0027)
- (git-config-keys "gitweb\\..*")))))
- (service (service-type
- (inherit certbot-service-type)
- (extensions
- ;; Replace original nginx-service-type with
- ;; our modified one.
- (map (lambda (extension)
- (if (eq? (service-extension-target extension)
- nginx-service-type)
- (service-extension nginx-service-type*
- (@@ (gnu services certbot)
- certbot-nginx-server-configurations))
- extension))
- (service-type-extensions certbot-service-type))))
- (certbot-configuration
- (email "dthompson2@worcester.edu")
- (certificates
- (list
- (certificate-configuration
- (domains '("dthompson.us"
- "www.dthompson.us"
- "git.dthompson.us"
- "files.dthompson.us"
- "haunt.dthompson.us"))
- ;; Send SIGHUP signal to nginx to trigger a
- ;; configuration reload, thus loading the
- ;; updated certificates.
- (deploy-hook (program-file
- "nginx-deploy-hook"
- #~(let ((pid (call-with-input-file
- "/var/run/nginx/pid"
- read)))
- (kill pid SIGHUP)))))))
- (webroot "/var/www/certbot")))
- (service nginx-service-type*
- (nginx-configuration
- (server-blocks
- (list (nginx-server-configuration
- (listen '("443 ssl"))
- (server-name '("www.dthompson.us"))
- (root "/var/www/blog")
- (ssl-certificate letsencrypt-cert)
- (ssl-certificate-key letsencrypt-cert-key))
- (nginx-server-configuration
- (listen '("443 ssl"))
- (server-name '("files.dthompson.us"))
- (root "/var/www/files")
- (raw-content '("autoindex on;"))
- (ssl-certificate letsencrypt-cert)
- (ssl-certificate-key letsencrypt-cert-key))
- ;; I used to have the Haunt website under
- ;; its own subdomain, and some sites still
- ;; point to it.
- (nginx-server-configuration
- (listen '("443 ssl"))
- (server-name '("haunt.dthompson.us"))
- (root "/var/www/haunt")
- (locations
- (list
- (nginx-location-configuration
- (uri "/")
- (body '("rewrite .* https://dthompson.us/projects/haunt.html permanent;")))))
- (ssl-certificate letsencrypt-cert)
- (ssl-certificate-key letsencrypt-cert-key))))))
- (service fcgiwrap-service-type
- (fcgiwrap-configuration
- ;; Use git group for read-only access to gitolite
- ;; repos.
- (group "git")
- (socket (string-append "tcp:" fcgiwrap-socket))))
- (let ((cgit (specification->package "cgit")))
- (service (service-type
- (inherit cgit-service-type)
- (extensions
- ;; Replace original nginx-service-type with
- ;; our modified one.
- (map (lambda (extension)
- (if (eq? (service-extension-target extension)
- nginx-service-type)
- (service-extension nginx-service-type*
- cgit-configuration-nginx-config)
- extension))
- (service-type-extensions cgit-service-type))))
- (cgit-configuration
- (project-list (string-append git-root "/projects.list"))
- (repository-directory (string-append git-root "/repositories"))
- (root-desc "all i wanted was a pepsi") ; just one pepsi
- (enable-git-config? #t)
- ;; Cgit only supports the old HTTP "dumb"
- ;; protocol, which notably libgit2 won't even
- ;; entertain supporting. So, we'll disable
- ;; that and use Git itself to provide the HTTP
- ;; "smart" protocol instead.
- (enable-http-clone? #f)
- (enable-index-links? #t)
- (enable-index-owner? #f)
- (enable-commit-graph? #t)
- (enable-log-filecount? #t)
- (enable-log-linecount? #t)
- (remove-suffix? #t)
- (clone-url '("https://git.dthompson.us/$CGIT_REPO_URL.git"))
- ;; Is there a way to avoid this wrapper script?
- (source-filter (program-file
- "cgit-syntax-highlight"
- #~(apply execl
- (string-append #$cgit "/lib/cgit/filters/syntax-highlighting.py")
- (command-line))))
- (nginx
- (list (nginx-server-configuration
- (listen '("443 ssl"))
- (server-name '("git.dthompson.us"))
- (root cgit)
- (locations
- (list
- ;; URI paths with .git are handled by
- ;; Git's "smart" HTTP protocol.
- (nginx-location-configuration
- (uri "~ (/.*\\.git/.*)")
- (body
- `(("fastcgi_pass " ,fcgiwrap-socket ";")
- ("fastcgi_param SCRIPT_FILENAME "
- ,git "/libexec/git-core/git-http-backend;")
- "fastcgi_param QUERY_STRING $query_string;"
- "fastcgi_param REQUEST_METHOD $request_method;"
- "fastcgi_param CONTENT_TYPE $content_type;"
- "fastcgi_param CONTENT_LENGTH $content_length;"
- ("fastcgi_param GIT_PROJECT_ROOT "
- ,git-root "/repositories;")
- "fastcgi_param PATH_INFO $1;")))
- ;; Redirect old URLs to .git pages to
- ;; the new .git-less URL. This
- ;; doesn't handle deeper links but
- ;; that's okay.
- (nginx-location-configuration
- (uri "~ (/.*)\\.git")
- (body
- `("return 301 $1;")))
- ;; Serve a static file if one exists,
- ;; otherwise send the request to
- ;; cgit.
- (nginx-location-configuration
- (uri "/")
- (body
- '("try_files $uri @cgit;")))
- (nginx-location-configuration
- (uri "@cgit")
- (body `("fastcgi_param SCRIPT_FILENAME $document_root/lib/cgit/cgit.cgi;"
- "fastcgi_param PATH_INFO $uri;"
- "fastcgi_param QUERY_STRING $args;"
- "fastcgi_param HTTP_HOST $server_name;"
- ("fastcgi_pass " ,fcgiwrap-socket ";"))))))
- (ssl-certificate letsencrypt-cert)
- (ssl-certificate-key letsencrypt-cert-key))))))))
- (map (lambda (s)
- (if (eq? (service-kind s) guix-service-type)
- (service guix-service-type
- (guix-configuration
- (authorized-keys (cons (local-file "keys/signing-key.pub")
- %default-authorized-guix-keys))))
- s))
- %base-services)))
+ (cons*
+ (service dhcp-client-service-type)
+ (service openssh-service-type
+ (openssh-configuration
+ (password-authentication? #f)
+ ;; So I can forward ports from my local host to
+ ;; the server and have the ports accessible from
+ ;; the internet.
+ (gateway-ports? #t)
+ (authorized-keys
+ `(("dave" ,dave-pub-key)
+ ("publish" ,dave-pub-key)))))
+ (service gitolite-service-type
+ (gitolite-configuration
+ (admin-pubkey dave-pub-key)
+ (rc-file (gitolite-rc-file
+ ;; Grant read access to git group so
+ ;; cgit will work.
+ (umask #o0027)
+ (git-config-keys "gitweb\\..*")))))
+ (service (service-type
+ (inherit certbot-service-type)
+ (extensions
+ ;; Replace original nginx-service-type with
+ ;; our modified one.
+ (map (lambda (extension)
+ (if (eq? (service-extension-target extension)
+ nginx-service-type)
+ (service-extension nginx-service-type*
+ (@@ (gnu services certbot)
+ certbot-nginx-server-configurations))
+ extension))
+ (service-type-extensions certbot-service-type))))
+ (certbot-configuration
+ (email "dthompson2@worcester.edu")
+ (certificates
+ (list
+ (certificate-configuration
+ (domains '("dthompson.us"
+ "www.dthompson.us"
+ "git.dthompson.us"
+ "files.dthompson.us"
+ "haunt.dthompson.us"))
+ ;; Send SIGHUP signal to nginx to trigger a
+ ;; configuration reload, thus loading the
+ ;; updated certificates.
+ (deploy-hook (program-file
+ "nginx-deploy-hook"
+ #~(let ((pid (call-with-input-file
+ "/var/run/nginx/pid"
+ read)))
+ (kill pid SIGHUP)))))))
+ (webroot "/var/www/certbot")))
+ (service nginx-service-type*
+ (nginx-configuration
+ (server-blocks
+ (list (nginx-server-configuration
+ (listen '("443 ssl"))
+ (server-name '("www.dthompson.us"))
+ (root "/var/www/blog")
+ (ssl-certificate letsencrypt-cert)
+ (ssl-certificate-key letsencrypt-cert-key))
+ (nginx-server-configuration
+ (listen '("443 ssl"))
+ (server-name '("files.dthompson.us"))
+ (root "/var/www/files")
+ (raw-content '("autoindex on;"))
+ (ssl-certificate letsencrypt-cert)
+ (ssl-certificate-key letsencrypt-cert-key))
+ ;; I used to have the Haunt website under
+ ;; its own subdomain, and some sites still
+ ;; point to it.
+ (nginx-server-configuration
+ (listen '("443 ssl"))
+ (server-name '("haunt.dthompson.us"))
+ (root "/var/www/haunt")
+ (locations
+ (list
+ (nginx-location-configuration
+ (uri "/")
+ (body '("rewrite .* https://dthompson.us/projects/haunt.html permanent;")))))
+ (ssl-certificate letsencrypt-cert)
+ (ssl-certificate-key letsencrypt-cert-key))))))
+ (service fcgiwrap-service-type
+ (fcgiwrap-configuration
+ ;; Use git group for read-only access to gitolite
+ ;; repos.
+ (group "git")
+ (socket (string-append "tcp:" fcgiwrap-socket))))
+ (let ((cgit (specification->package "cgit")))
+ (service (service-type
+ (inherit cgit-service-type)
+ (extensions
+ ;; Replace original nginx-service-type with
+ ;; our modified one.
+ (map (lambda (extension)
+ (if (eq? (service-extension-target extension)
+ nginx-service-type)
+ (service-extension nginx-service-type*
+ cgit-configuration-nginx-config)
+ extension))
+ (service-type-extensions cgit-service-type))))
+ (cgit-configuration
+ (project-list (string-append git-root "/projects.list"))
+ (repository-directory (string-append git-root "/repositories"))
+ (root-desc "all i wanted was a pepsi") ; just one pepsi
+ (enable-git-config? #t)
+ ;; Cgit only supports the old HTTP "dumb"
+ ;; protocol, which notably libgit2 won't even
+ ;; entertain supporting. So, we'll disable
+ ;; that and use Git itself to provide the HTTP
+ ;; "smart" protocol instead.
+ (enable-http-clone? #f)
+ (enable-index-links? #t)
+ (enable-index-owner? #f)
+ (enable-commit-graph? #t)
+ (enable-log-filecount? #t)
+ (enable-log-linecount? #t)
+ (remove-suffix? #t)
+ (clone-url '("https://git.dthompson.us/$CGIT_REPO_URL.git"))
+ ;; Is there a way to avoid this wrapper script?
+ (source-filter (program-file
+ "cgit-syntax-highlight"
+ #~(apply execl
+ (string-append #$cgit "/lib/cgit/filters/syntax-highlighting.py")
+ (command-line))))
+ (nginx
+ (list (nginx-server-configuration
+ (listen '("443 ssl"))
+ (server-name '("git.dthompson.us"))
+ (root cgit)
+ (locations
+ (list
+ ;; URI paths with .git are handled by
+ ;; Git's "smart" HTTP protocol.
+ (nginx-location-configuration
+ (uri "~ (/.*\\.git/.*)")
+ (body
+ `(("fastcgi_pass " ,fcgiwrap-socket ";")
+ ("fastcgi_param SCRIPT_FILENAME "
+ ,git "/libexec/git-core/git-http-backend;")
+ "fastcgi_param QUERY_STRING $query_string;"
+ "fastcgi_param REQUEST_METHOD $request_method;"
+ "fastcgi_param CONTENT_TYPE $content_type;"
+ "fastcgi_param CONTENT_LENGTH $content_length;"
+ ("fastcgi_param GIT_PROJECT_ROOT "
+ ,git-root "/repositories;")
+ "fastcgi_param PATH_INFO $1;")))
+ ;; Redirect old URLs to .git pages to
+ ;; the new .git-less URL. This
+ ;; doesn't handle deeper links but
+ ;; that's okay.
+ (nginx-location-configuration
+ (uri "~ (/.*)\\.git")
+ (body
+ `("return 301 $1;")))
+ ;; Serve a static file if one exists,
+ ;; otherwise send the request to
+ ;; cgit.
+ (nginx-location-configuration
+ (uri "/")
+ (body
+ '("try_files $uri @cgit;")))
+ (nginx-location-configuration
+ (uri "@cgit")
+ (body `("fastcgi_param SCRIPT_FILENAME $document_root/lib/cgit/cgit.cgi;"
+ "fastcgi_param PATH_INFO $uri;"
+ "fastcgi_param QUERY_STRING $args;"
+ "fastcgi_param HTTP_HOST $server_name;"
+ ("fastcgi_pass " ,fcgiwrap-socket ";"))))))
+ (ssl-certificate letsencrypt-cert)
+ (ssl-certificate-key letsencrypt-cert-key)))))))
+ (modify-services %base-services
+ (guix-service-type config =>
+ (guix-configuration
+ (inherit config)
+ (authorized-keys (cons (local-file "keys/signing-key.pub")
+ %default-authorized-guix-keys)))))))
(bootloader
(bootloader-configuration
(bootloader grub-bootloader)
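Review bot: The `modify-services` clause at the end of the hunk inherits `config` but then rebuilds `authorized-keys` from the global `%default-authorized-guix-keys` rather than from the inherited configuration, so any key already carried by the base service's `authorized-keys` would be silently dropped; `(authorized-keys (cons (local-file "keys/signing-key.pub") (guix-configuration-authorized-keys config)))` keeps the `inherit` consistent. Today the two values are presumably equal, since the stock `%base-services` entry uses the default configuration, but this list is the set of substitute-signing keys the daemon trusts, so it is worth deriving it from the value actually in effect rather than from a constant. Separately, `(gateway-ports? #t)` on the sshd block is a daemon-wide setting that lets any key-holder (here both `dave` and `publish`) bind remote forwards on all interfaces; if only one account needs it, scoping it to that user with a `Match User` stanza in `extra-content` would narrow the exposure.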