From 96bf2a2318fffc8194137338648a5cd44ea0dc30 Mon Sep 17 00:00:00 2001
From: David Thompson
Date: Sun, 12 Jul 2020 09:02:13 -0400
Subject: takemi: Enable letsencrypt and get basic blog and git hosting working.

---
 takemi.scm | 115 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 106 insertions(+), 9 deletions(-)
(limited to 'takemi.scm')

diff --git a/takemi.scm b/takemi.scm
index 0f860fc..ff749be 100644
--- a/takemi.scm
+++ b/takemi.scm
@@ -1,5 +1,10 @@
 (use-modules (gnu))
-(use-service-modules desktop networking ssh xorg)
+(use-service-modules certbot cgit networking ssh version-control web)
+
+(define letsencrypt-cert
+ "/etc/letsencrypt/live/dthompson.us/fullchain.pem")
+(define letsencrypt-cert-key
+ "/etc/letsencrypt/live/dthompson.us/privkey.pem")
 
 (define takemi-os
 (operating-system
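Review bot: The paths bound to `letsencrypt-cert` and `letsencrypt-cert-key` hard-code the certificate lineage name `dthompson.us`, and certbot derives that name from the first entry of the certificate's domain list unless a name is given explicitly, so reordering the `domains` list added in the next hunk would leave nginx pointing at a live directory that no longer exists. A comment above the first define would make the coupling visible: `;; Lineage name = first domain of the certbot certificate-configuration below; keep them in sync.` Alternatively, pin the lineage in the certificate-configuration with `(name "dthompson.us")` so the paths no longer depend on list order.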
@@ -13,24 +18,112 @@
 (group "users") (home-directory "/home/dave") (supplementary-groups
- '("wheel" "netdev" "audio" "video")))
+ '("wheel" "netdev")))
+ (user-account
+ (name "publish")
+ (comment "Web file publisher")
+ (group "publish")
+ (home-directory "/var/www")
+ (system? #t)
+ (create-home-directory? #f))
 %base-user-accounts))
+ (groups (cons* (user-group
+ (name "publish")
+ (system? #t))
+ %base-groups))
 (sudoers-file (plain-file "sudoers" (string-append (plain-file-content %sudoers-specification)
+ ;; 'guix deploy' requires no password
+ ;; sudo capability.
 "dave ALL = NOPASSWD: ALL\n")))
 (packages
- (append
- (list (specification->package "nss-certs"))
- %base-packages))
+ (append (map specification->package '("nss-certs" "emacs"))
+ %base-packages))
 (services (append
- (list (service openssh-service-type
+ (list (service dhcp-client-service-type)
+ (service openssh-service-type
 (openssh-configuration (password-authentication? #f) (authorized-keys
- `(("dave" ,(local-file "dave.pub"))))))
- (service dhcp-client-service-type))
+ `(("dave" ,(local-file "dave.pub"))
+ ("publish" ,(local-file "dave.pub"))))))
+ (service gitolite-service-type
+ (gitolite-configuration
+ (admin-pubkey (local-file "dave.pub"))
+ (rc-file (gitolite-rc-file
+ ;; Grant read access to git group so
+ ;; cgit will work.
+ (umask #o0027)))))
+ (service certbot-service-type
+ (certbot-configuration
+ (email "dthompson2@worcester.edu")
+ (certificates
+ (list
+ (certificate-configuration
+ (domains '("dthompson.us"
+ "www.dthompson.us"
+ "git.dthompson.us"
+ "files.dthompson.us"))
+ ;; Send SIGHUP signal to nginx to trigger a
+ ;; configuration reload, thus loading the
+ ;; updated certificates.
+ (deploy-hook (program-file
+ "nginx-deploy-hook"
+ #~(let ((pid (call-with-input-file
+ "/var/run/nginx/pid"
+ read)))
+ (kill pid SIGHUP)))))))
+ (webroot "/var/www/certbot")))
+ (service nginx-service-type
+ (nginx-configuration
+ (server-blocks
+ (list (nginx-server-configuration
+ (listen '("443 ssl"))
+ (server-name '("www.dthompson.us"))
+ (root "/var/www/blog")
+ (ssl-certificate letsencrypt-cert)
+ (ssl-certificate-key letsencrypt-cert-key))
+ (nginx-server-configuration
+ (listen '("443 ssl"))
+ (server-name '("files.dthompson.us"))
+ (root "/var/www/files")
+ (ssl-certificate letsencrypt-cert)
+ (ssl-certificate-key letsencrypt-cert-key))))))
+ (service fcgiwrap-service-type
+ (fcgiwrap-configuration
+ ;; Use git group for read-only access to gitolite
+ ;; repos.
+ (group "git")))
+ (let ((cgit (specification->package "cgit")))
+ (service cgit-service-type
+ (cgit-configuration
+ (project-list "/var/lib/gitolite/projects.list")
+ (repository-directory "/var/lib/gitolite/repositories")
+ ;; Is there a way to avoid this wrapper script?
+ (source-filter (program-file
+ "cgit-syntax-highlight"
+ #~(apply execl
+ (string-append #$cgit "/lib/cgit/filters/syntax-highlighting.py")
+ (command-line))))
+ (nginx
+ (list (nginx-server-configuration
+ (listen '("443 ssl"))
+ (server-name '("git.dthompson.us"))
+ (root cgit)
+ (locations
+ (list
+ (nginx-location-configuration
+ (uri "@cgit")
+ (body '("fastcgi_param SCRIPT_FILENAME $document_root/lib/cgit/cgit.cgi;"
+ "fastcgi_param PATH_INFO $uri;"
+ "fastcgi_param QUERY_STRING $args;"
+ "fastcgi_param HTTP_HOST $server_name;"
+ "fastcgi_pass 127.0.0.1:9000;")))))
+ (try-files (list "$uri" "@cgit"))
+ (ssl-certificate letsencrypt-cert)
+ (ssl-certificate-key letsencrypt-cert-key))))))))
 %base-services)) (bootloader (bootloader-configuration
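Review bot: The added `("publish" ,(local-file "dave.pub"))` entry in the openssh authorized-keys reuses the key that already logs in as dave, and the sudoers text a few lines above grants dave `NOPASSWD: ALL`, so whatever is handed that key to publish into /var/www also holds a root-equivalent login; a separate key, `("publish" ,(local-file "publish.pub"))`, keeps the publishing credential confined to the publish account. Separately, the certbot deploy-hook opens `/var/run/nginx/pid` unconditionally, so a renewal that fires while nginx is not running (the first issuance, or one that lands during boot) makes the hook raise after the certificate has already been obtained, which certbot presumably logs as a hook failure; guarding the reload with `(when (file-exists? "/var/run/nginx/pid") …)` leaves only the reload to retry rather than a failed deploy step. The operating-system form these services belong to begins before this hunk and its closing forms run past it.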
@@ -49,10 +142,14 @@
 (type "ext4")) %base-file-systems))))
+(define takemi-host-key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrptBAMgs8dGDerBkcmZQ2W/0nEXtOBCl8nLlEwjKdI")
+
 (list (machine (operating-system takemi-os) (environment managed-host-environment-type) (configuration (machine-ssh-configuration (host-name "64.225.6.170") (system "x86_64-linux")
- (user "dave")))))
+ (user "dave")
+ (host-key takemi-host-key)))))
-- 
cgit v1.2.3
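Review bot: `takemi-host-key` pins the server's ed25519 host key for `guix deploy`, which closes the trust-on-first-use gap, but nothing records where the value came from, so the next person who sees a host-key mismatch cannot tell a legitimate rotation from a tampered host. A comment above the define such as `;; Public host key of takemi; re-verify out-of-band (console) before changing.` would make that explicit. The `(user "dave")` line this hunk extends is the account the sudoers file grants passwordless sudo, so this pinned key is what stands between a spoofed host and a root-equivalent deploy session.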