From 0e27dec6d8bb9c767e85943a7ee4783aa2bca6d0 Mon Sep 17 00:00:00 2001
From: David Thompson
Date: Thu, 16 Nov 2023 07:57:52 -0500
Subject: takemi: os: Use modify-services form.
---
 takemi-os.scm | 358 +++++++++++++++++++++++++++++-----------------------------
 1 file changed, 178 insertions(+), 180 deletions(-)
diff --git a/takemi-os.scm b/takemi-os.scm
index 7bbfa55..a56c4e5 100644
--- a/takemi-os.scm
+++ b/takemi-os.scm
@@ -76,186 +76,184 @@ (append (map specification->package '("emacs" "nss-certs" "rsync")) %base-packages)) (services - (append - (list (service dhcp-client-service-type) - (service openssh-service-type - (openssh-configuration - (password-authentication? #f) - ;; So I can forward ports from my local host to - ;; the server and have the ports accessible from - ;; the internet. - (gateway-ports? #t) - (authorized-keys - `(("dave" ,dave-pub-key) - ("publish" ,dave-pub-key))))) - (service gitolite-service-type - (gitolite-configuration - (admin-pubkey dave-pub-key) - (rc-file (gitolite-rc-file - ;; Grant read access to git group so - ;; cgit will work. - (umask #o0027) - (git-config-keys "gitweb\\..*"))))) - (service (service-type - (inherit certbot-service-type) - (extensions - ;; Replace original nginx-service-type with - ;; our modified one. - (map (lambda (extension) - (if (eq? (service-extension-target extension) - nginx-service-type) - (service-extension nginx-service-type* - (@@ (gnu services certbot) - certbot-nginx-server-configurations)) - extension)) - (service-type-extensions certbot-service-type)))) - (certbot-configuration - (email "dthompson2@worcester.edu") - (certificates - (list - (certificate-configuration - (domains '("dthompson.us" - "www.dthompson.us" - "git.dthompson.us" - "files.dthompson.us" - "haunt.dthompson.us")) - ;; Send SIGHUP signal to nginx to trigger a - ;; configuration reload, thus loading the - ;; updated certificates. 
- (deploy-hook (program-file - "nginx-deploy-hook" - #~(let ((pid (call-with-input-file - "/var/run/nginx/pid" - read))) - (kill pid SIGHUP))))))) - (webroot "/var/www/certbot"))) - (service nginx-service-type* - (nginx-configuration - (server-blocks - (list (nginx-server-configuration - (listen '("443 ssl")) - (server-name '("www.dthompson.us")) - (root "/var/www/blog") - (ssl-certificate letsencrypt-cert) - (ssl-certificate-key letsencrypt-cert-key)) - (nginx-server-configuration - (listen '("443 ssl")) - (server-name '("files.dthompson.us")) - (root "/var/www/files") - (raw-content '("autoindex on;")) - (ssl-certificate letsencrypt-cert) - (ssl-certificate-key letsencrypt-cert-key)) - ;; I used to have the Haunt website under - ;; its own subdomain, and some sites still - ;; point to it. - (nginx-server-configuration - (listen '("443 ssl")) - (server-name '("haunt.dthompson.us")) - (root "/var/www/haunt") - (locations - (list - (nginx-location-configuration - (uri "/") - (body '("rewrite .* https://dthompson.us/projects/haunt.html permanent;"))))) - (ssl-certificate letsencrypt-cert) - (ssl-certificate-key letsencrypt-cert-key)))))) - (service fcgiwrap-service-type - (fcgiwrap-configuration - ;; Use git group for read-only access to gitolite - ;; repos. - (group "git") - (socket (string-append "tcp:" fcgiwrap-socket)))) - (let ((cgit (specification->package "cgit"))) - (service (service-type - (inherit cgit-service-type) - (extensions - ;; Replace original nginx-service-type with - ;; our modified one. - (map (lambda (extension) - (if (eq? (service-extension-target extension) - nginx-service-type) - (service-extension nginx-service-type* - cgit-configuration-nginx-config) - extension)) - (service-type-extensions cgit-service-type)))) - (cgit-configuration - (project-list (string-append git-root "/projects.list")) - (repository-directory (string-append git-root "/repositories")) - (root-desc "all i wanted was a pepsi") ; just one pepsi - (enable-git-config? 
#t) - ;; Cgit only supports the old HTTP "dumb" - ;; protocol, which notably libgit2 won't even - ;; entertain supporting. So, we'll disable - ;; that and use Git itself to provide the HTTP - ;; "smart" protocol instead. - (enable-http-clone? #f) - (enable-index-links? #t) - (enable-index-owner? #f) - (enable-commit-graph? #t) - (enable-log-filecount? #t) - (enable-log-linecount? #t) - (remove-suffix? #t) - (clone-url '("https://git.dthompson.us/$CGIT_REPO_URL.git")) - ;; Is there a way to avoid this wrapper script? - (source-filter (program-file - "cgit-syntax-highlight" - #~(apply execl - (string-append #$cgit "/lib/cgit/filters/syntax-highlighting.py") - (command-line)))) - (nginx - (list (nginx-server-configuration - (listen '("443 ssl")) - (server-name '("git.dthompson.us")) - (root cgit) - (locations - (list - ;; URI paths with .git are handled by - ;; Git's "smart" HTTP protocol. - (nginx-location-configuration - (uri "~ (/.*\\.git/.*)") - (body - `(("fastcgi_pass " ,fcgiwrap-socket ";") - ("fastcgi_param SCRIPT_FILENAME " - ,git "/libexec/git-core/git-http-backend;") - "fastcgi_param QUERY_STRING $query_string;" - "fastcgi_param REQUEST_METHOD $request_method;" - "fastcgi_param CONTENT_TYPE $content_type;" - "fastcgi_param CONTENT_LENGTH $content_length;" - ("fastcgi_param GIT_PROJECT_ROOT " - ,git-root "/repositories;") - "fastcgi_param PATH_INFO $1;"))) - ;; Redirect old URLs to .git pages to - ;; the new .git-less URL. This - ;; doesn't handle deeper links but - ;; that's okay. - (nginx-location-configuration - (uri "~ (/.*)\\.git") - (body - `("return 301 $1;"))) - ;; Serve a static file if one exists, - ;; otherwise send the request to - ;; cgit. 
- (nginx-location-configuration - (uri "/") - (body - '("try_files $uri @cgit;"))) - (nginx-location-configuration - (uri "@cgit") - (body `("fastcgi_param SCRIPT_FILENAME $document_root/lib/cgit/cgit.cgi;" - "fastcgi_param PATH_INFO $uri;" - "fastcgi_param QUERY_STRING $args;" - "fastcgi_param HTTP_HOST $server_name;" - ("fastcgi_pass " ,fcgiwrap-socket ";")))))) - (ssl-certificate letsencrypt-cert) - (ssl-certificate-key letsencrypt-cert-key)))))))) - (map (lambda (s) - (if (eq? (service-kind s) guix-service-type) - (service guix-service-type - (guix-configuration - (authorized-keys (cons (local-file "keys/signing-key.pub") - %default-authorized-guix-keys)))) - s)) - %base-services))) + (cons* + (service dhcp-client-service-type) + (service openssh-service-type + (openssh-configuration + (password-authentication? #f) + ;; So I can forward ports from my local host to + ;; the server and have the ports accessible from + ;; the internet. + (gateway-ports? #t) + (authorized-keys + `(("dave" ,dave-pub-key) + ("publish" ,dave-pub-key))))) + (service gitolite-service-type + (gitolite-configuration + (admin-pubkey dave-pub-key) + (rc-file (gitolite-rc-file + ;; Grant read access to git group so + ;; cgit will work. + (umask #o0027) + (git-config-keys "gitweb\\..*"))))) + (service (service-type + (inherit certbot-service-type) + (extensions + ;; Replace original nginx-service-type with + ;; our modified one. + (map (lambda (extension) + (if (eq? 
(service-extension-target extension) + nginx-service-type) + (service-extension nginx-service-type* + (@@ (gnu services certbot) + certbot-nginx-server-configurations)) + extension)) + (service-type-extensions certbot-service-type)))) + (certbot-configuration + (email "dthompson2@worcester.edu") + (certificates + (list + (certificate-configuration + (domains '("dthompson.us" + "www.dthompson.us" + "git.dthompson.us" + "files.dthompson.us" + "haunt.dthompson.us")) + ;; Send SIGHUP signal to nginx to trigger a + ;; configuration reload, thus loading the + ;; updated certificates. + (deploy-hook (program-file + "nginx-deploy-hook" + #~(let ((pid (call-with-input-file + "/var/run/nginx/pid" + read))) + (kill pid SIGHUP))))))) + (webroot "/var/www/certbot"))) + (service nginx-service-type* + (nginx-configuration + (server-blocks + (list (nginx-server-configuration + (listen '("443 ssl")) + (server-name '("www.dthompson.us")) + (root "/var/www/blog") + (ssl-certificate letsencrypt-cert) + (ssl-certificate-key letsencrypt-cert-key)) + (nginx-server-configuration + (listen '("443 ssl")) + (server-name '("files.dthompson.us")) + (root "/var/www/files") + (raw-content '("autoindex on;")) + (ssl-certificate letsencrypt-cert) + (ssl-certificate-key letsencrypt-cert-key)) + ;; I used to have the Haunt website under + ;; its own subdomain, and some sites still + ;; point to it. + (nginx-server-configuration + (listen '("443 ssl")) + (server-name '("haunt.dthompson.us")) + (root "/var/www/haunt") + (locations + (list + (nginx-location-configuration + (uri "/") + (body '("rewrite .* https://dthompson.us/projects/haunt.html permanent;"))))) + (ssl-certificate letsencrypt-cert) + (ssl-certificate-key letsencrypt-cert-key)))))) + (service fcgiwrap-service-type + (fcgiwrap-configuration + ;; Use git group for read-only access to gitolite + ;; repos. 
+ (group "git") + (socket (string-append "tcp:" fcgiwrap-socket)))) + (let ((cgit (specification->package "cgit"))) + (service (service-type + (inherit cgit-service-type) + (extensions + ;; Replace original nginx-service-type with + ;; our modified one. + (map (lambda (extension) + (if (eq? (service-extension-target extension) + nginx-service-type) + (service-extension nginx-service-type* + cgit-configuration-nginx-config) + extension)) + (service-type-extensions cgit-service-type)))) + (cgit-configuration + (project-list (string-append git-root "/projects.list")) + (repository-directory (string-append git-root "/repositories")) + (root-desc "all i wanted was a pepsi") ; just one pepsi + (enable-git-config? #t) + ;; Cgit only supports the old HTTP "dumb" + ;; protocol, which notably libgit2 won't even + ;; entertain supporting. So, we'll disable + ;; that and use Git itself to provide the HTTP + ;; "smart" protocol instead. + (enable-http-clone? #f) + (enable-index-links? #t) + (enable-index-owner? #f) + (enable-commit-graph? #t) + (enable-log-filecount? #t) + (enable-log-linecount? #t) + (remove-suffix? #t) + (clone-url '("https://git.dthompson.us/$CGIT_REPO_URL.git")) + ;; Is there a way to avoid this wrapper script? + (source-filter (program-file + "cgit-syntax-highlight" + #~(apply execl + (string-append #$cgit "/lib/cgit/filters/syntax-highlighting.py") + (command-line)))) + (nginx + (list (nginx-server-configuration + (listen '("443 ssl")) + (server-name '("git.dthompson.us")) + (root cgit) + (locations + (list + ;; URI paths with .git are handled by + ;; Git's "smart" HTTP protocol. 
+ (nginx-location-configuration + (uri "~ (/.*\\.git/.*)") + (body + `(("fastcgi_pass " ,fcgiwrap-socket ";") + ("fastcgi_param SCRIPT_FILENAME " + ,git "/libexec/git-core/git-http-backend;") + "fastcgi_param QUERY_STRING $query_string;" + "fastcgi_param REQUEST_METHOD $request_method;" + "fastcgi_param CONTENT_TYPE $content_type;" + "fastcgi_param CONTENT_LENGTH $content_length;" + ("fastcgi_param GIT_PROJECT_ROOT " + ,git-root "/repositories;") + "fastcgi_param PATH_INFO $1;"))) + ;; Redirect old URLs to .git pages to + ;; the new .git-less URL. This + ;; doesn't handle deeper links but + ;; that's okay. + (nginx-location-configuration + (uri "~ (/.*)\\.git") + (body + `("return 301 $1;"))) + ;; Serve a static file if one exists, + ;; otherwise send the request to + ;; cgit. + (nginx-location-configuration + (uri "/") + (body + '("try_files $uri @cgit;"))) + (nginx-location-configuration + (uri "@cgit") + (body `("fastcgi_param SCRIPT_FILENAME $document_root/lib/cgit/cgit.cgi;" + "fastcgi_param PATH_INFO $uri;" + "fastcgi_param QUERY_STRING $args;" + "fastcgi_param HTTP_HOST $server_name;" + ("fastcgi_pass " ,fcgiwrap-socket ";")))))) + (ssl-certificate letsencrypt-cert) + (ssl-certificate-key letsencrypt-cert-key))))))) + (modify-services %base-services + (guix-service-type config => + (guix-configuration + (inherit config) + (authorized-keys (cons (local-file "keys/signing-key.pub") + %default-authorized-guix-keys))))))) (bootloader (bootloader-configuration (bootloader grub-bootloader) -- cgit v1.2.3
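Review bot: The rewritten guix-service-type clause at the end of the hunk inherits `config` but still builds `authorized-keys` from the `%default-authorized-guix-keys` constant, so any keys already present on the inherited base configuration are replaced rather than extended; since the point of the `modify-services` / `(inherit config)` form is to keep the base settings, the list should grow from the record it inherits, `(authorized-keys (cons (local-file "keys/signing-key.pub") (guix-configuration-authorized-keys config)))`. The `(@@ (gnu services certbot) certbot-nginx-server-configurations)` reference in the certbot clause reaches into an unexported binding, which can break without warning on a Guix upgrade; a comment such as `;; @@ reaches a private binding of (gnu services certbot); re-check after each guix pull.` would flag that for the next reader. The `fcgiwrap-configuration` passes `(socket (string-append "tcp:" fcgiwrap-socket))`, so the wrapper listens on a TCP endpoint reachable by any local process rather than a group-restricted unix socket; whether that matters depends on the value of `fcgiwrap-socket`, which is defined outside this hunk. The enclosing record declaration starts before the hunk and continues past its last line.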