;;; Tyreunom's system administration and configuration tools.
;;;
;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
;;;
;;; This program is free software: you can redistribute it and/or modify
;;; it under the terms of the GNU General Public License as published by
;;; the Free Software Foundation, either version 3 of the License, or
;;; (at your option) any later version.
;;;
;;; This program is distributed in the hope that it will be useful,
;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with this program.  If not, see <http://www.gnu.org/licenses/>.
;; Guix modules: the operating-system record, the GRUB bootloader, and the
;; Knot (dns), Tor (networking) and nginx (web) service types used below.
;; The (config ...) modules are this repository's own helpers; presumably
;; they supply tyreunom-os, the web policies and the certbot, knot, mail,
;; network and iptables pieces referenced in this file — verify in config/.
(use-modules (gnu)
             (gnu system)
             (gnu bootloader)
             (gnu bootloader grub)
             (gnu services dns)
             (gnu services networking)
             (gnu services web)
             (config certbot)
             (config dns)
             (config mail)
             (config network)
             (config os)
             (config iptables)
             (config web))
;; NOTE: this config relies on out-of-band files.
;; To (re-)generate /etc/mail/dkim/private.key, run:
;; openssl genrsa -out /etc/mail/dkim/private.key 2048
;; openssl rsa -in /etc/mail/dkim/private.key -pubout -out /etc/mail/dkim/public.key
;; chmod 440 /etc/mail/dkim/private.key
;;
;; To (re-)generate /etc/knot/secrets.conf, run:
;; keymgr -t lepiller-key > /etc/knot/secrets.conf
;; nginx directives shared by the lepiller.eu virtual hosts (clearnet and
;; onion).  On top of the site-wide base policy this:
;;   * advertises the Tor mirror through an Onion-Location header;
;;   * picks the first of en/eo/fr found in Accept-Language (default "en")
;;     and redirects bare top-level paths into that language tree;
;;   * serves files from the language tree first, then the plain path;
;;   * falls back to the site's 404 page.
;; NOTE(review): `~*` matches case-insensitively, so $1 keeps the client's
;; casing (e.g. "FR" from "FR-fr") and the redirect target may not match the
;; on-disk directory — verify with an upper-case Accept-Language header.
(define lepiller-policy
  (let* ((onion-host
          "c25o7knygjm3m67jy27yuynvv4pkfi25naucscmh4ubq2ggiig3v57ad.onion")
         (onion-location
          (string-append "add_header Onion-Location 'http://"
                         onion-host "$request_uri';"))
         ;; Language negotiation: $first_language <- first supported tag in
         ;; Accept-Language, else "en"; $my_uri <- the path inside that tree.
         (language-selection
          (list "# accept-language: en,en-US;q=0.8,ja;q=0.6"
                "set $first_language '';"
                "if ($http_accept_language ~* '(en|eo|fr)') {"
                "  set $first_language $1;"
                "}"
                "if ($first_language = '') {"
                "  set $first_language 'en';"
                "}"
                "set $my_uri $first_language/$uri;"
                "location ~ ^/[^/]*$ {"
                "  return 301 /$first_language/$uri;"
                "}")))
    (append
     web-base-policy
     (cons onion-location language-selection)
     (web-html-policy
      (list (string-append "    " onion-location)
            "    try_files $my_uri $uri $uri/ =404;"))
     '("error_page 404 /404.html;"))))
;; The "hermes" host.  On top of the shared tyreunom-os base it runs the
;; host network and iptables services, Tor with onion mirrors of the web and
;; mail services (the "lepiller" onion also forwards port 22), nginx with
;; Let's Encrypt certificates, an authoritative Knot DNS server (zones and
;; ACLs defined elsewhere, TSIG secrets included from the out-of-band
;; /etc/knot/secrets.conf) and the lepiller.eu mail stack.
(let* ((onion-host
        "c25o7knygjm3m67jy27yuynvv4pkfi25naucscmh4ubq2ggiig3v57ad.onion")
       (https-listen '("443 ssl http2" "[::]:443 ssl http2"))
       ;; Paths of the certbot-managed certificate lineage NAME.
       (fullchain-of (lambda (name)
                       (string-append "/etc/letsencrypt/live/" name
                                      "/fullchain.pem")))
       (privkey-of (lambda (name)
                     (string-append "/etc/letsencrypt/live/" name
                                    "/privkey.pem")))
       ;; Fields common to the clearnet and onion copies of the static
       ;; lepiller.eu site; listen/server-name (and TLS) are set per copy.
       (lepiller-site
        (nginx-server-configuration
         (root "/srv/http/lepiller/public")
         (index '("index.html"))
         (try-files '("$uri" "$uri/" "=404"))
         (raw-content lepiller-policy)))
       ;; Onion copy: plain HTTP on 80 (presumably relying on the Tor
       ;; circuit for transport protection — TODO confirm).  It is selected
       ;; by Host match, so it is declared on the clearnet port 80 as well.
       (lepiller-onion-site
        (nginx-server-configuration
         (inherit lepiller-site)
         (listen '("80" "[::]:80"))
         (server-name (list onion-host))))
       (lepiller-https-site
        (nginx-server-configuration
         (inherit lepiller-site)
         (ssl-certificate (fullchain-of "lepiller.eu"))
         (ssl-certificate-key (privkey-of "lepiller.eu"))
         (listen https-listen)
         (server-name '("lepiller.eu" "www.lepiller.eu"))))
       ;; dico.lepiller.eu: /css/ served from disk, everything else
       ;; reverse-proxied to the application on localhost:8080.
       (dico-site
        (nginx-server-configuration
         (ssl-certificate (fullchain-of "dico.lepiller.eu"))
         (ssl-certificate-key (privkey-of "dico.lepiller.eu"))
         (listen https-listen)
         (server-name '("dico.lepiller.eu"))
         (root "/srv/http/dico/public")
         (locations
          (list
           ;; Keep the trailing slash on both the uri and the alias target
           ;; so the two prefixes line up and alias maps paths as intended.
           (nginx-location-configuration
            (uri "/css/")
            (body '("alias /srv/http/dico/public/css/;")))
           (nginx-location-configuration
            (uri "/")
            (body '("proxy_pass http://localhost:8080;")))))
         (raw-content default-web-policy)))
       ;; HTTPS vhost with the catch-all server name, presenting the
       ;; lepiller.eu certificate.  NOTE(review): nginx answers unmatched
       ;; Hosts on a port with the *first* declared server for it, so whether
       ;; this block or dico-site gets them depends on the generated order —
       ;; verify in the resulting nginx.conf.
       (default-site
        (nginx-server-configuration
         (ssl-certificate (fullchain-of "lepiller.eu"))
         (ssl-certificate-key (privkey-of "lepiller.eu"))
         (listen https-listen)
         (server-name '(default))
         (root "/srv/http/default")
         (raw-content default-web-policy)))
       (root-fs
        (file-system
          (mount-point "/")
          (device (uuid "27798665-5606-4fde-8da8-cc371e603892"))
          (type "ext4"))))
  (operating-system
    (inherit (tyreunom-os "hermes"))
    (bootloader
     (bootloader-configuration
      (bootloader grub-bootloader)
      (targets '("/dev/sda"))))
    (file-systems (cons root-fs %base-file-systems))
    (services
     (append
      (list
       hermes-network-service
       lepiller-iptables-service
       (service tor-service-type)
       ;; Onion mirrors: ports 22 and 80 on "lepiller"; ports 25, 143, 587
       ;; and 993 on "mail".  Each entry maps an onion port to the local
       ;; daemon on the loopback interface.
       (tor-hidden-service "lepiller"
                           '((22 "127.0.0.1:22")
                             (80 "127.0.0.1:80")))
       (tor-hidden-service "mail"
                           '((25 "127.0.0.1:25")
                             (143 "127.0.0.1:143")
                             (587 "127.0.0.1:587")
                             (993 "127.0.0.1:993")))
       ;; The larger bucket is presumably needed for the long onion server
       ;; name, which does not fit nginx's default — confirm if changed.
       (service nginx-service-type
                (nginx-configuration
                 (server-names-hash-bucket-size 128)))
       (service knot-service-type
                (knot-configuration
                 (includes '("/etc/knot/secrets.conf"))
                 (acls (list master-acl))
                 (remotes (list nono))
                 (zones (list lepiller-master-zone
                              ipv4-reverse-master-zone
                              ipv6-reverse-master-zone))))
       (certbot-service `(("lepiller.eu" "www.lepiller.eu" "smtp.lepiller.eu")
                          ("dico.lepiller.eu")))
       ;; Keep these in this order: it decides the order of the server
       ;; blocks in nginx.conf and therefore which one is the default for
       ;; unmatched Host headers on :443.
       (simple-service 'dico-http-server nginx-service-type
                       (list dico-site))
       (simple-service 'tor-lepiller-http-server nginx-service-type
                       (list lepiller-onion-site))
       (simple-service 'lepiller-http-server nginx-service-type
                       (list lepiller-https-site))
       (simple-service 'default-http-server nginx-service-type
                       (list default-site)))
      (lepiller-mail-services
       #:interface "ens18"
       #:domain "lepiller.eu")
      (server-services "hermes")))))