hermes.scm
| 1 | ;;; Tyreunom's system administration and configuration tools. |
| 2 | ;;; |
| 3 | ;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu> |
| 4 | ;;; |
| 5 | ;;; This program is free software: you can redistribute it and/or modify |
| 6 | ;;; it under the terms of the GNU General Public License as published by |
| 7 | ;;; the Free Software Foundation, either version 3 of the License, or |
| 8 | ;;; (at your option) any later version. |
| 9 | ;;; |
| 10 | ;;; This program is distributed in the hope that it will be useful, |
| 11 | ;;; but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 12 | ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 13 | ;;; GNU General Public License for more details. |
| 14 | ;;; |
| 15 | ;;; You should have received a copy of the GNU General Public License |
| 16 | ;;; along with this program. If not, see <http://www.gnu.org/licenses/>. |
| 17 | |
| 18 | (use-modules (gnu)) |
| 19 | (use-modules (gnu system)) |
| 20 | (use-modules (gnu bootloader) (gnu bootloader grub)) |
| 21 | (use-modules (gnu services dns)) |
| 22 | (use-modules (gnu services networking)) |
| 23 | (use-modules (gnu services web)) |
| 24 | (use-modules (config certbot) (config dns) (config mail) (config network) (config os) |
| 25 | (config iptables) (config web)) |
| 26 | |
| 27 | |
| 28 | ;; NOTE: this config contains out-of band files. |
| 29 | ;; To (re-)generate /etc/mail/dkim/private.key, run: |
| 30 | ;; openssl genrsa -out /etc/mail/dkim/private.key 2048 |
| 31 | ;; openssl rsa -in /etc/mail/dkim/private.key -pubout -out /etc/mail/dkim/public.key |
| 32 | ;; chmod 440 /etc/mail/dkim/private.key |
| 33 | ;; |
| 34 | ;; To (re-)generate /etc/knot/secrets.conf, run: |
| 35 | ;; keymgt -t lepiller-key > /etc/knot/secrets.conf |
| 36 | |
| 37 | (define lepiller-policy |
| 38 | (append |
| 39 | web-base-policy |
| 40 | '("# accept-language: en,en-US;q=0.8,ja;q=0.6" |
| 41 | "set $first_language '';" |
| 42 | "if ($http_accept_language ~* '(en|eo|fr)') {" |
| 43 | " set $first_language $1;" |
| 44 | "}" |
| 45 | "if ($first_language = '') {" |
| 46 | " set $first_language 'en';" |
| 47 | "}" |
| 48 | "set $my_uri $first_language/$uri;" |
| 49 | "location ~ ^/[^/]*$ {" |
| 50 | " return 301 /$first_language/$uri;" |
| 51 | "}" |
| 52 | ) |
| 53 | (web-html-policy |
| 54 | '(" try_files $my_uri $uri $uri/ =404;")) |
| 55 | '("error_page 404 /404.html;"))) |
| 56 | |
| 57 | (operating-system |
| 58 | (inherit (tyreunom-os "hermes")) |
| 59 | (bootloader |
| 60 | (bootloader-configuration |
| 61 | (target "/dev/sda") |
| 62 | (bootloader grub-bootloader))) |
| 63 | (file-systems (cons (file-system |
| 64 | (mount-point "/") |
| 65 | (device (uuid "27798665-5606-4fde-8da8-cc371e603892")) |
| 66 | (type "ext4")) |
| 67 | %base-file-systems)) |
| 68 | (services |
| 69 | (append |
| 70 | (list |
| 71 | hermes-network-service |
| 72 | lepiller-iptables-service |
| 73 | (service tor-service-type) |
| 74 | (tor-hidden-service "lepiller" |
| 75 | '((22 "127.0.0.1:22") |
| 76 | (80 "127.0.0.1:80"))) |
| 77 | (service nginx-service-type |
| 78 | (nginx-configuration |
| 79 | (server-names-hash-bucket-size 128))) |
| 80 | (service knot-service-type |
| 81 | (knot-configuration |
| 82 | (includes '("/etc/knot/secrets.conf")) |
| 83 | (acls (list slave-acl)) |
| 84 | (remotes (list ene)) |
| 85 | (zones (list lepiller-slave-zone |
| 86 | ipv4-reverse-master-zone |
| 87 | ipv6-reverse-master-zone)))) |
| 88 | (certbot-service `(("lepiller.eu" "www.lepiller.eu" "smtp.lepiller.eu") |
| 89 | ("social.lepiller.eu"))) |
| 90 | (simple-service 'social-http-server nginx-service-type |
| 91 | (list (nginx-server-configuration |
| 92 | (ssl-certificate "/etc/letsencrypt/live/social.lepiller.eu/fullchain.pem") |
| 93 | (ssl-certificate-key "/etc/letsencrypt/live/social.lepiller.eu/privkey.pem") |
| 94 | (listen '("443 ssl http2" "[::]:443 ssl http2")) |
| 95 | (server-name '("social.lepiller.eu")) |
| 96 | (root "/srv/http/social/public") |
| 97 | (locations |
| 98 | (list |
| 99 | (nginx-location-configuration |
| 100 | (uri "/content/") |
| 101 | (body '("alias /var/lib/social/user-data/public/;"))) |
| 102 | (nginx-location-configuration |
| 103 | (uri "/") |
| 104 | (body '("proxy_pass http://localhost:8080;"))))) |
| 105 | (raw-content default-web-policy)))) |
| 106 | (simple-service 'tor-lepiller-http-server nginx-service-type |
| 107 | (list (nginx-server-configuration |
| 108 | (listen '("80" "[::]:80")) |
| 109 | (server-name '("c25o7knygjm3m67jy27yuynvv4pkfi25naucscmh4ubq2ggiig3v57ad.onion")) |
| 110 | (root "/srv/http/lepiller/public") |
| 111 | (index '("index.html")) |
| 112 | (try-files '("$uri" "$uri/" "=404")) |
| 113 | (raw-content lepiller-policy)))) |
| 114 | (simple-service 'lepiller-http-server nginx-service-type |
| 115 | (list (nginx-server-configuration |
| 116 | (ssl-certificate "/etc/letsencrypt/live/lepiller.eu/fullchain.pem") |
| 117 | (ssl-certificate-key "/etc/letsencrypt/live/lepiller.eu/privkey.pem") |
| 118 | (listen '("443 ssl http2" "[::]:443 ssl http2")) |
| 119 | (server-name '("lepiller.eu" "www.lepiller.eu")) |
| 120 | (root "/srv/http/lepiller/public") |
| 121 | (index '("index.html")) |
| 122 | (try-files '("$uri" "$uri/" "=404")) |
| 123 | (raw-content lepiller-policy)))) |
| 124 | (simple-service 'default-http-server nginx-service-type |
| 125 | (list (nginx-server-configuration |
| 126 | (ssl-certificate "/etc/letsencrypt/live/lepiller.eu/fullchain.pem") |
| 127 | (ssl-certificate-key "/etc/letsencrypt/live/lepiller.eu/privkey.pem") |
| 128 | (listen '("443 ssl http2" "[::]:443 ssl http2")) |
| 129 | (server-name '(default)) |
| 130 | (root "/srv/http/default") |
| 131 | (raw-content default-web-policy))))) |
| 132 | (lepiller-mail-services |
| 133 | #:interface "ens18" |
| 134 | #:domain "lepiller.eu") |
| 135 | (server-services "hermes")))) |
| 136 |