;;; Tyreunom's system administration and configuration tools.
;;;
;;; Copyright © 2019, 2020 Julien Lepiller <julien@lepiller.eu>
;;;
;;; This program is free software: you can redistribute it and/or modify
;;; it under the terms of the GNU General Public License as published by
;;; the Free Software Foundation, either version 3 of the License, or
;;; (at your option) any later version.
;;;
;;; This program is distributed in the hope that it will be useful,
;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with this program.  If not, see <http://www.gnu.org/licenses/>.
(use-modules (gnu))
(use-modules (gnu bootloader))
(use-modules (gnu bootloader u-boot))
(use-modules (gnu services dns))
(use-modules (gnu services mail))
(use-modules (gnu services networking))
(use-modules (gnu services version-control))
(use-modules (gnu services web))
(use-modules (gnu system))
(use-modules (gnu packages bootloaders))
(use-modules (gnu packages dns))
(use-modules (gnu packages firmware))
(use-modules (gnu packages libunwind))
(use-modules (gnu packages linux))
(use-modules (gnu packages mail))
(use-modules (gnu packages package-management))
(use-modules (gnu packages php))
(use-modules (gnu packages tls))
(use-modules (gnu packages tor))
(use-modules (gnu packages web))
(use-modules (guix packages))
(use-modules (guix utils))
(use-modules (guix transformations))
(use-modules (config certbot) (config dns) (config iptables)
             (config mail) (config os) (config static-web)
             (config web)
             (packages gitile)
	     (services gitile))
;; Copied from (gnu bootloader u-boot).
;; U-Boot for the Rock Pi 4 (RK3399), cross-built for aarch64 from the stock
;; make-u-boot-package recipe, with three changes on top of it:
;;   * the board defconfig is patched to drop CONFIG_SPL_FIT_SIGNATURE;
;;   * the BL31 image from arm-trusted-firmware-rk3399 is handed to the build;
;;   * the strip and validate-runpath phases are removed.
;; The resulting package is consumed by u-boot-rockpi4-bootloader below.
(define-public u-boot-rock-pi-4-rk3399
  (let ((base (make-u-boot-package "rock-pi-4-rk3399" "aarch64-linux-gnu")))
    (package
      (inherit base)
      (source (origin
		(inherit (package-source base))
		(modules '((guix build utils)))
		(snippet
		  `(begin
		     ;; Drop CONFIG_SPL_FIT_SIGNATURE=y from the defconfig.  An SPL
		     ;; built from this configuration loads u-boot.itb without
		     ;; checking a FIT signature, so this firmware gives no
		     ;; signed-boot guarantee by itself.  Presumably done to avoid
		     ;; the OpenSSL build dependency that signature support pulls
		     ;; in (the disabled block below points the same way) -- confirm.
		     (substitute* "configs/rock-pi-4-rk3399_defconfig"
		       (("CONFIG_SPL_FIT_SIGNATURE=y") ""))
		     ;; `#;' comments out the whole (substitute* ...) form below, so
		     ;; it is not applied.  Before re-enabling it, note that two of
		     ;; the replacement strings are misspelled ("IMAGE_ENABLE_ENRYPT",
		     ;; "IMAGE_ENABLE_DERYPT"): as written they would rename the
		     ;; ENCRYPT/DECRYPT macros instead of changing their value.
		     #;(substitute* "include/image.h"
		       (("#  include <openssl/evp.h>") "")
		       (("IMAGE_ENABLE_SIGN\t1") "IMAGE_ENABLE_SIGN	0")
		       (("IMAGE_ENABLE_VERIFY\t1") "IMAGE_ENABLE_VERIFY	0")
		       (("IMAGE_ENABLE_ENCRYPT\t1") "IMAGE_ENABLE_ENRYPT	0")
		       (("IMAGE_ENABLE_DECRYPT\t1") "IMAGE_ENABLE_DERYPT	0")
		       )))))
      (arguments
        (substitute-keyword-arguments (package-arguments base)
          ((#:phases phases)
           #~(modify-phases #$phases
              ;; Point the build at the ARM Trusted Firmware BL31 image; the
              ;; U-Boot build picks it up from the BL31 environment variable.
              (add-after 'unpack 'set-environment
                (lambda* (#:key inputs #:allow-other-keys)
                  (setenv "BL31"
                          (search-input-file inputs "bl31.elf"))))
              ;; Phases do not succeed on the bl31 ELF.
              (delete 'strip)
              (delete 'validate-runpath)))))
      ;; Provides the bl31.elf looked up in the phase above.
      (inputs
	(modify-inputs (package-inputs base)
	  (append arm-trusted-firmware-rk3399))))))
;; Same as install-rockpro64-rk3399-u-boot
;; Disk-image installer for the Rock Pi 4 U-Boot.  Writes the two boot stages
;; shipped by u-boot-rock-pi-4-rk3399 into the raw disk image at the
;; conventional Rockchip offsets -- idbloader.img at sector 64, u-boot.itb at
;; sector 16384 (512-byte sectors) -- which is the same layout as
;; install-rockpro64-rk3399-u-boot in (gnu bootloader u-boot).
;;
;; The gexp evaluates to a procedure (bootloader root-index image):
;;   bootloader  - store path of the U-Boot package
;;   root-index  - index of the root partition; unused by this installer
;;   image       - path of the disk image being produced
;; Both files are copied in full and unconditionally; nothing is checked
;; before writing.
(define install-rock-pi-4-rk3399-u-boot
  #~(lambda (bootloader root-index image)
      (define sector-size 512)
      (define (libexec-file name)
        (string-append bootloader "/libexec/" name))
      ;; Copy FILE in full into IMAGE, starting at byte offset SECTOR * 512.
      (define (write-stage file sector)
        (write-file-on-device file (stat:size (stat file))
                              image (* sector sector-size)))
      ;; An earlier revision wrote each stage at offset 0 of separate
      ;; "boot0"/"boot1" images instead of into the single IMAGE:
      ;;   (write-file-on-device idb (stat:size (stat idb))
      ;;                         (string-append image "boot0") 0)
      ;;   (write-file-on-device u-boot (stat:size (stat u-boot))
      ;;                         (string-append image "boot1") 0)
      (write-stage (libexec-file "idbloader.img") 64)
      (write-stage (libexec-file "u-boot.itb") 16384)))
;; Bootloader record for the Rock Pi 4: the stock u-boot-bootloader with the
;; package and the disk-image installer swapped for the rk3399 variants
;; defined above.  Every other field is inherited from u-boot-bootloader.
(define u-boot-rockpi4-bootloader
  (bootloader
    (inherit u-boot-bootloader)
    (package u-boot-rock-pi-4-rk3399)
    (disk-image-installer install-rock-pi-4-rk3399-u-boot)))
;; The host "nono": a Rock Pi 4 (RK3399) booting the U-Boot defined above and
;; running this domain's public services -- authoritative DNS (knot), mail,
;; Tor onion services, nginx-hosted web sites, gitile and gitolite.  The
;; common base comes from tyreunom-os in (config os); everything below is
;; this host's delta.
(operating-system
  (inherit (tyreunom-os "nono"))
  ;; U-Boot is written to the whole device, not to a partition.  /dev/mmcblk2
  ;; is presumably the on-board eMMC -- confirm against the running system.
  (bootloader
    (bootloader-configuration
      (targets '("/dev/mmcblk2"))
      (bootloader u-boot-rockpi4-bootloader)))
  ;; Keep the USB mouse/keyboard drivers from being auto-loaded.
  (kernel-arguments '("modprobe.blacklist=usbmouse"
		      "modprobe.blacklist=usbkbd"
		      ))
  (kernel linux-libre-arm64-generic)
  ;; Nothing goes into the initrd.  The `#;'-disabled list below is the set
  ;; of Rockchip MMC / USB-PHY modules that used to be loaded there;
  ;; presumably they are built into linux-libre-arm64-generic -- confirm
  ;; before changing kernels.
  (initrd-modules '())
  #;(initrd-modules
    '("phy-rockchip-emmc"
      "phy-rockchip-usb"
      "phy-rockchip-inno-usb2"
      "dw_mmc-rockchip"
      "sdhci"
      "sdhci-pltfm"))
  ;; Root filesystem located by label, on top of the standard base mounts.
  (file-systems (cons* (file-system
                         (mount-point "/")
                         (device (file-system-label "my-root"))
                         (type "ext4"))
                       %base-file-systems))
  (services
    (append
      (list
        (service dhcp-client-service-type)
        ;; Host firewall, defined in (config iptables).
        lepiller-iptables-service
        ;; Serial console on the RK3399 debug UART (ttyS2 at 1.5 Mbaud).
        (agetty-service
          (agetty-configuration
            (baud-rate "1500000,n8")
            (term "vt100")
            (tty "ttyS2")))
        ;; Onion services in front of the local mail ports (SMTP, IMAP,
        ;; submission, IMAPS) and SSH.  The targets are loopback addresses,
        ;; so these mappings are what exposes those ports through Tor;
        ;; clearnet reachability is governed elsewhere (the iptables service
        ;; above, presumably).
        (service tor-service-type)
        (tor-hidden-service "mail"
                            '((25 "127.0.0.1:25")
                              (143 "127.0.0.1:143")
                              (587 "127.0.0.1:587")
                              (993 "127.0.0.1:993")))
        ;; NOTE(review): the port is a string here but a number in the "mail"
        ;; mapping above.  Both forms appear to be accepted; using one style
        ;; would be less surprising.
        (tor-hidden-service "ssh"
                            '(("22" "127.0.0.1:22")))
        ;; Authoritative DNS.  From the names: secondary for the lepiller.eu
        ;; zone (transfers allowed by slave-acl, fed by the remote `hermes'),
        ;; primary for the reverse zones -- confirm in (config dns).  Key
        ;; material is read from /etc/knot/secrets.conf on the host rather
        ;; than written here, so it does not land in the world-readable
        ;; store; that file has to be provisioned out of band.
        (service knot-service-type
                 (knot-configuration
                   (includes '("/etc/knot/secrets.conf"))
                   (acls (list slave-acl))
                   (remotes (list hermes))
                   (zones (list lepiller-slave-zone
                                ipv4-reverse-master-zone
                                ipv6-reverse-master-zone))))
        ;; Let's Encrypt certificates: each sublist is one certificate with
        ;; its subject names.  The /etc/letsencrypt/live/... paths used by
        ;; the nginx blocks below are the ones certbot writes for these names.
        ;; social.lepiller.eu is `#;'-disabled, as is its vhost below.
        (certbot-service `(("courriel.lepiller.eu" "imap.lepiller.eu")
                           ("nono.lepiller.eu" "toulouse.lepiller.eu")
                           ("avatar.lepiller.eu")
                           ("git.lepiller.eu")
                           #;("social.lepiller.eu")))
        (service nginx-service-type)
        (service php-fpm-service-type)
        ;; CGI gateway used for git-http-backend below; runs in group "git"
        ;; so it can read the gitolite repositories (see the chmod further
        ;; down).
        (service fcgiwrap-service-type
                 (fcgiwrap-configuration
                   (group "git")))
        ;; Avatar generator, served over HTTPS only.
        (cat-avatar-generator-service
          #:configuration
          (nginx-server-configuration
            (server-name '("avatar.lepiller.eu"))
            (ssl-certificate
              "/etc/letsencrypt/live/avatar.lepiller.eu/fullchain.pem")
            (ssl-certificate-key
              "/etc/letsencrypt/live/avatar.lepiller.eu/privkey.pem")
            (listen '("443 ssl http2" "[::]:443 ssl http2"))))
        ;; Catch-all HTTPS server: `default' in server-name makes this the
        ;; default_server for the 443 listeners, so requests whose Host does
        ;; not match any other vhost land on /srv/http/default.
        (simple-service 'default-http-server nginx-service-type
          (list (nginx-server-configuration
                  (ssl-certificate
                    "/etc/letsencrypt/live/nono.lepiller.eu/fullchain.pem")
                  (ssl-certificate-key
                    "/etc/letsencrypt/live/nono.lepiller.eu/privkey.pem")
                  (listen '("443 ssl http2" "[::]:443 ssl http2"))
                  (server-name '(default "nono.lepiller.eu" "toulouse.lepiller.eu"))
		  (root "/srv/http/default"))))
        ;; Disabled (`#;'): vhost for a social application proxied to
        ;; localhost:8081, with default-web-policy from (config web) as raw
        ;; nginx content.
        #;(simple-service 'social-http-server nginx-service-type
          (list (nginx-server-configuration
                  (ssl-certificate "/etc/letsencrypt/live/social.lepiller.eu/fullchain.pem")
                  (ssl-certificate-key "/etc/letsencrypt/live/social.lepiller.eu/privkey.pem")
                  (listen '("443 ssl http2" "[::]:443 ssl http2"))
                  (server-name '("social.lepiller.eu"))
                  (root "/srv/http/social/public")
                  (locations
                    (list
                      (nginx-location-configuration
                        (uri "/content/")
                        (body '("alias /var/lib/social/user-data/public/;")))
                      (nginx-location-configuration
                        (uri "/")
                        (body '("proxy_pass http://localhost:8081;")))))
                  (raw-content default-web-policy))))
        ;; Git web UI (gitile, from (packages gitile)).  The /git/ location
        ;; serves the gitolite repository tree through git-http-backend (via
        ;; the fcgiwrap service above); the /manual/ location serves the
        ;; documentation built by the static-web-site service below.
        (service gitile-service-type
                 (gitile-configuration
		   (package gitile)
                   (base-git-url "https://git.lepiller.eu/git")
                   (intro '((p "Hey there, I'm Julien, also known as "
                               (code "roptat") " or " (code "tyreunom")
                               " on the internet. If you reached this page, it
probably means you are interested in the kind of software projects I make. Thank
you for your interest! Here is a list of projects I host here.")
                            (p "Note that I am in the process of migrating from
framagit. Every new project will appear here, but older projects might take
time to migrate. I'm also planning to add some features at some point, like
issues and merge requests, but that will take some time. I'd like to implement
these features myself, using " (a (@ (href "https://notabug.org/peers/forgefed")) "forgefed") ".")))
                   (footer '((p (a (@ (href "https://lepiller.eu")) "Who am I?"))))
                   (nginx
                     (nginx-server-configuration
                       (ssl-certificate
                         "/etc/letsencrypt/live/git.lepiller.eu/fullchain.pem")
                       (ssl-certificate-key
                         "/etc/letsencrypt/live/git.lepiller.eu/privkey.pem")
                       (listen '("443 ssl http2" "[::]:443 ssl http2"))
                       (server-name '("git.lepiller.eu"))
                       (root "/srv/http/git/public")
                       (locations
                         (list
                           (git-http-nginx-location-configuration
                             (git-http-configuration
                               (uri-path "/git/")
                               (git-root "/var/lib/gitolite/repositories")))
                           (nginx-location-configuration
                             (uri "~* .*/manual/.*")
                             (body
                               (list
                                 "root /srv/http/git/public;")))))))))
        ;; Rebuilds the guile-netlink manual from the master branch of its
        ;; repository into the directory matched by the /manual/ location
        ;; above.  Note that doc/build.scm is fetched from the repository and
        ;; executed here, so it is trusted as much as that repository.
        (service static-web-site-service-type
                 (static-web-site-configuration
                  (git-url "https://git.lepiller.eu/git/guile-netlink")
                  (git-ref '(branch . "master"))
                  (directory "/srv/http/git/guile-netlink-manual")
                  (build-file "doc/build.scm")))
        ;; on activation, gitolite chmods its home directory to #o700, disabling
        ;; access to git-http-backend.  Re-enable that access.
        ;; #o750 = owner rwx, group rx, others nothing: the "git" group (see
        ;; fcgiwrap) can traverse the tree, everyone else still cannot.
        (simple-service 'gitolite-home-permissions
                        activation-service-type
                        #~(chmod "/var/lib/gitolite" #o750))
        ;; Admin public key and rc file are shipped from this repository.
        ;; The `#;'-disabled alternative would have generated an rc with umask
        ;; 0027 and git-config-keys ".*"; gitolite's own documentation cautions
        ;; against ".*" since some git config keys can run commands.  Whatever
        ;; ../files/gitolite.rc sets is what actually applies -- review it
        ;; against the same criteria.
        (service gitolite-service-type
          (gitolite-configuration
            (admin-pubkey (local-file "../keys/tyreunom.pub"))
            (rc-file
              (local-file "../files/gitolite.rc")
              #;(gitolite-rc-file
                (umask #o0027)
                (git-config-keys ".*"))))))
      ;; Mail stack from (config mail), bound to eth0 for courriel.lepiller.eu.
      (lepiller-mail-services
        #:interface "eth0"
        #:domain "courriel.lepiller.eu")
      ;; Services common to all servers, presumably from (config os).
      (server-services "nono"))))