-rw-r--r--signing-key.pub6
-rw-r--r--takemi.scm67
2 files changed, 69 insertions, 4 deletions
diff --git a/signing-key.pub b/signing-key.pub
new file mode 100644
index 0000000..a115953
--- /dev/null
+++ b/signing-key.pub
@@ -0,0 +1,6 @@
+(public-key
+ (ecc
+ (curve Ed25519)
+ (q #CB65A917945D0ECA62BC5CC9A5F09B6FA421CAF90BF6EEC36107691D6DF0B543#)
+ )
+ )
diff --git a/takemi.scm b/takemi.scm
index e2de19f..7e283f8 100644
--- a/takemi.scm
+++ b/takemi.scm
@@ -7,6 +7,32 @@
"/etc/letsencrypt/live/dthompson.us/privkey.pem")
(define dave-pub-key (local-file "dave.pub"))
+(define nginx-accounts
+ (list (user-group (name "nginx") (system? #t))
+ (user-account
+ (name "nginx")
+ (group "nginx")
+ (supplementary-groups '("git"))
+ (system? #t)
+ (comment "nginx server user")
+ (home-directory "/var/empty")
+ (shell (file-append (specification->package "shadow")
+ "/sbin/nologin")))))
+
+;; Need to override the default nginx service account configuration so
+;; that the nginx user is a member of the git group.
+(define nginx-service-type*
+ (service-type
+ (inherit nginx-service-type)
+ (extensions
+ (map (lambda (extension)
+ (if (eq? (service-extension-target extension)
+ account-service-type)
+ (service-extension account-service-type
+ (const nginx-accounts))
+ extension))
+ (service-type-extensions nginx-service-type)))))
+
(define takemi-os
(operating-system
(locale "en_US.utf8")
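Review bot: The `(supplementary-groups '("git"))` line is the sole reason this account override exists, yet the comment on `nginx-service-type*` only says the override is needed, not what the membership grants or why it is safe. Suggest a comment on that line such as `;; "git" membership lets nginx read the gitolite repositories (group-readable via the gitolite umask #o0027 below); note it applies to every server block, not only cgit.` The remaining account fields appear to mirror the stock nginx account definition; if upstream changes them later this copy silently keeps the old values, which is worth a second note. Both `nginx-accounts` and `nginx-service-type*` are complete within the hunk.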
@@ -58,7 +84,19 @@
;; cgit will work.
(umask #o0027)
(git-config-keys "gitweb\\..*")))))
- (service certbot-service-type
+ (service (service-type
+ (inherit certbot-service-type)
+ (extensions
+ ;; Replace original nginx-service-type with
+ ;; our modified one.
+ (map (lambda (extension)
+ (if (eq? (service-extension-target extension)
+ nginx-service-type)
+ (service-extension nginx-service-type*
+ (@@ (gnu services certbot)
+ certbot-nginx-server-configurations))
+ extension))
+ (service-type-extensions certbot-service-type))))
(certbot-configuration
(email "dthompson2@worcester.edu")
(certificates
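Review bot: The inline `(service-type (inherit …) (extensions (map …)))` rewrite is the same code as in `nginx-service-type*` in the first hunk and in the cgit hunk further down, and here it additionally reaches into a non-exported binding through `(@@ (gnu services certbot) certbot-nginx-server-configurations)`, which a Guix upgrade can rename without any compile-time error. A small helper removes the triplication and gives one place to comment the `@@` dependency; the helper and this call site are in the fence below, and the cgit and `nginx-service-type*` sites reduce to the same one-liner. The enclosing `services` list and `operating-system` form start outside the hunk.
```scheme
;; Return a copy of TYPE whose extension of OLD-TARGET is redirected to
;; NEW-TARGET (computed by COMPUTE); every other extension is kept as is.
(define (retarget-extension type old-target new-target compute)
  (service-type
   (inherit type)
   (extensions
    (map (lambda (extension)
           (if (eq? (service-extension-target extension) old-target)
               (service-extension new-target compute)
               extension))
         (service-type-extensions type)))))

;; … unchanged: gitolite service …
         (service (retarget-extension certbot-service-type
                                      nginx-service-type
                                      nginx-service-type*
                                      ;; Private binding; re-check on Guix upgrades.
                                      (@@ (gnu services certbot)
                                          certbot-nginx-server-configurations))
                  ;; … unchanged: certbot-configuration …
```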
@@ -78,7 +116,7 @@
read)))
(kill pid SIGHUP)))))))
(webroot "/var/www/certbot")))
- (service nginx-service-type
+ (service nginx-service-type*
(nginx-configuration
(server-blocks
(list (nginx-server-configuration
@@ -100,7 +138,18 @@
;; repos.
(group "git")))
(let ((cgit (specification->package "cgit")))
- (service cgit-service-type
+ (service (service-type
+ (inherit cgit-service-type)
+ (extensions
+ ;; Replace original nginx-service-type with
+ ;; our modified one.
+ (map (lambda (extension)
+ (if (eq? (service-extension-target extension)
+ nginx-service-type)
+ (service-extension nginx-service-type*
+ cgit-configuration-nginx-config)
+ extension))
+ (service-type-extensions cgit-service-type))))
(cgit-configuration
(project-list "/var/lib/gitolite/projects.list")
(repository-directory "/var/lib/gitolite/repositories")
@@ -135,7 +184,17 @@
(try-files (list "$uri" "@cgit"))
(ssl-certificate letsencrypt-cert)
(ssl-certificate-key letsencrypt-cert-key))))))))
- %base-services))
+ ;; For some reason I have to override the guix service config to
+ ;; authorize my local signing key even though I've already
+ ;; authorized it on the server in the past...
+ (map (lambda (s)
+ (if (eq? (service-kind s) guix-service-type)
+ (service guix-service-type
+ (guix-configuration
+ (authorized-keys (cons (local-file "signing-key.pub")
+ %default-authorized-guix-keys))))
+ s))
+ %base-services)))
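Review bot: The `map`/`service-kind` loop rebuilds the guix service from a fresh `guix-configuration`, discarding whatever else the base service's configuration sets; `modify-services` with `(inherit config)` changes only `authorized-keys` and is the idiomatic form (replacement in the fence below). Authorizing a key lets the daemon accept store items signed with it, so the comment should also record whose key `signing-key.pub` is — the file itself carries no provenance — e.g. `;; Signing key of <host/user placeholder>; presumably needed here because activation regenerates /etc/guix/acl from this list — confirm.` The enclosing `services` form starts outside the hunk.
```scheme
;; … unchanged: cgit server block …
         (modify-services %base-services
           (guix-service-type
            config => (guix-configuration
                       (inherit config)
                       (authorized-keys
                        (cons (local-file "signing-key.pub")
                              %default-authorized-guix-keys)))))
         ;; … closing parens of the enclosing `services' form as before …
```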
(bootloader
(bootloader-configuration
(bootloader grub-bootloader)