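;; Guix deployment for the host "takemi": nginx serving a blog and a
;; public file drop over TLS (certbot), gitolite-backed git hosting
;; browsed through cgit, and key-only SSH access.  Deployed with
;; 'guix deploy' from a workstation holding the private half of dave.pub.
(use-modules (gnu))
(use-service-modules certbot cgit networking ssh version-control web)

;; Certificate and key that certbot writes for the "dthompson.us"
;; lineage; every nginx server block below serves this one certificate.
(define letsencrypt-cert
  "/etc/letsencrypt/live/dthompson.us/fullchain.pem")
(define letsencrypt-cert-key
  "/etc/letsencrypt/live/dthompson.us/privkey.pem")

(define takemi-os
  (operating-system
    (locale "en_US.utf8")
    (timezone "America/New_York")
    (keyboard-layout (keyboard-layout "us"))
    (host-name "takemi")

    (users (cons* (user-account
                   (name "dave")
                   (comment "David Thompson")
                   (group "users")
                   (home-directory "/home/dave")
                   (supplementary-groups '("wheel" "netdev")))
                  ;; Unprivileged account used to upload web content.
                  ;; Its home directory *is* the web root, so anything
                  ;; written there is reachable through nginx.
                  (user-account
                   (name "publish")
                   (comment "Web file publisher")
                   (group "publish")
                   (home-directory "/var/www")
                   (system? #t)
                   (create-home-directory? #f))
                  %base-user-accounts))
    (groups (cons* (user-group (name "publish") (system? #t))
                   %base-groups))

    ;; 'guix deploy' requires passwordless sudo for the deploy user.
    ;; Security note: combined with key-only SSH below, this makes the
    ;; private half of dave.pub equivalent to root on this host, so it
    ;; must be protected like a root credential.
    (sudoers-file
     (plain-file "sudoers"
                 (string-append (plain-file-content %sudoers-specification)
                                "dave ALL = NOPASSWD: ALL\n")))

    (packages (append (map specification->package '("nss-certs" "emacs"))
                      %base-packages))

    (services
     (append
      (list (service dhcp-client-service-type)

            ;; Key-only SSH; password authentication is off.  The
            ;; 'publish' account reuses dave's key so the same
            ;; workstation can upload content without using root.
            (service openssh-service-type
                     (openssh-configuration
                      (password-authentication? #f)
                      (authorized-keys
                       `(("dave" ,(local-file "dave.pub"))
                         ("publish" ,(local-file "dave.pub"))))))

            (service gitolite-service-type
                     (gitolite-configuration
                      (admin-pubkey (local-file "dave.pub"))
                      (rc-file
                       (gitolite-rc-file
                        ;; Grant read access to the git group so cgit
                        ;; (through fcgiwrap, below) can read the repos.
                        ;; Note this makes every repository on disk
                        ;; group-readable, not only the ones cgit lists.
                        (umask #o0027)))))

            ;; NOTE(review): no port-80 listener is declared here; the
            ;; certbot service is expected to provide the HTTP endpoints
            ;; for the ACME challenge on these domains -- confirm after
            ;; the first deploy.
            (service certbot-service-type
                     (certbot-configuration
                      (email "dthompson2@worcester.edu")
                      (certificates
                       (list
                        (certificate-configuration
                         (domains '("dthompson.us"
                                    "www.dthompson.us"
                                    "git.dthompson.us"
                                    "files.dthompson.us"))
                         ;; Send SIGHUP to nginx to trigger a
                         ;; configuration reload, thus loading the
                         ;; renewed certificate.
                         (deploy-hook
                          (program-file "nginx-deploy-hook"
                                        #~(let ((pid (call-with-input-file
                                                         "/var/run/nginx/pid"
                                                       read)))
                                            ;; 'read' yields the EOF object on
                                            ;; an empty pid file; fail with a
                                            ;; clear message instead of a type
                                            ;; error from 'kill' so certbot's
                                            ;; log shows why nginx was not
                                            ;; reloaded.
                                            (unless (integer? pid)
                                              (error "nginx pid file did not contain a pid:"
                                                     pid))
                                            (kill pid SIGHUP)))))))
                      (webroot "/var/www/certbot")))

            (service nginx-service-type
                     (nginx-configuration
                      (server-blocks
                       (list
                        ;; No block names bare "dthompson.us" even though
                        ;; the certificate covers it; as the first block
                        ;; for this listen port, this one is nginx's
                        ;; default server and will answer those requests.
                        (nginx-server-configuration
                         (listen '("443 ssl"))
                         (server-name '("www.dthompson.us"))
                         (root "/var/www/blog")
                         (ssl-certificate letsencrypt-cert)
                         (ssl-certificate-key letsencrypt-cert-key))
                        ;; Public file drop.  Directory listings are on,
                        ;; so everything under /var/www/files is
                        ;; discoverable, not merely reachable by exact URL.
                        (nginx-server-configuration
                         (listen '("443 ssl"))
                         (server-name '("files.dthompson.us"))
                         (root "/var/www/files")
                         (raw-content '("autoindex on;"))
                         (ssl-certificate letsencrypt-cert)
                         (ssl-certificate-key letsencrypt-cert-key))))))

            (service fcgiwrap-service-type
                     (fcgiwrap-configuration
                      ;; Use git group for read-only access to gitolite
                      ;; repos.
                      (group "git")))

            (let ((cgit (specification->package "cgit")))
              (service cgit-service-type
                       (cgit-configuration
                        (project-list "/var/lib/gitolite/projects.list")
                        (repository-directory "/var/lib/gitolite/repositories")
                        (remove-suffix? #t)
                        ;; Is there a way to avoid this wrapper script?
                        (source-filter
                         (program-file "cgit-syntax-highlight"
                                       #~(apply execl
                                                (string-append
                                                 #$cgit
                                                 "/lib/cgit/filters/syntax-highlighting.py")
                                                (command-line))))
                        (nginx
                         (list
                          (nginx-server-configuration
                           (listen '("443 ssl"))
                           (server-name '("git.dthompson.us"))
                           (root cgit)
                           (locations
                            (list
                             (nginx-location-configuration
                              (uri "@cgit")
                              (body '("fastcgi_param SCRIPT_FILENAME $document_root/lib/cgit/cgit.cgi;"
                                      "fastcgi_param PATH_INFO $uri;"
                                      "fastcgi_param QUERY_STRING $args;"
                                      ;; Pass the configured server name
                                      ;; rather than the client-supplied
                                      ;; Host header, so cgit never builds
                                      ;; links from attacker-chosen values.
                                      "fastcgi_param HTTP_HOST $server_name;"
                                      "fastcgi_pass 127.0.0.1:9000;")))))
                           ;; Static assets are served directly from the
                           ;; cgit package; since the whole store item is
                           ;; the document root, any file in it can be
                           ;; fetched.  Everything else goes to the CGI.
                           (try-files (list "$uri" "@cgit"))
                           (ssl-certificate letsencrypt-cert)
                           (ssl-certificate-key letsencrypt-cert-key))))))))
      %base-services))

    (bootloader (bootloader-configuration
                 (bootloader grub-bootloader)
                 (target "/dev/vda")
                 (keyboard-layout keyboard-layout)))
    (initrd-modules (append '("virtio_scsi") %base-initrd-modules))
    (swap-devices (list "/dev/vda2"))
    (file-systems (cons* (file-system
                           (mount-point "/")
                           (device (uuid "f99d3ff5-57ea-4b20-bca7-bc2d58b4c364"
                                         'ext4))
                           (type "ext4"))
                         %base-file-systems))))

;; The target's SSH host key, pinned so 'guix deploy' refuses to talk to
;; a host presenting a different key (no trust-on-first-use).
(define takemi-host-key
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrptBAMgs8dGDerBkcmZQ2W/0nEXtOBCl8nLlEwjKdI")

;; Deployment target consumed by 'guix deploy'.
(list (machine
       (operating-system takemi-os)
       (environment managed-host-environment-type)
       (configuration (machine-ssh-configuration
                       (host-name "64.225.6.170")
                       (system "x86_64-linux")
                       (user "dave")
                       (host-key takemi-host-key)))))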