;;; Tyreunom's system administration and configuration tools.
;;;
;;; Copyright © 2019, 2020 Julien Lepiller <julien@lepiller.eu>
;;;
;;; This program is free software: you can redistribute it and/or modify
;;; it under the terms of the GNU General Public License as published by
;;; the Free Software Foundation, either version 3 of the License, or
;;; (at your option) any later version.
;;;
;;; This program is distributed in the hope that it will be useful,
;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with this program.  If not, see <http://www.gnu.org/licenses/>.
;; Guix system, bootloader and service modules used by the definitions below.
(use-modules (gnu)
             (gnu bootloader)
             (gnu bootloader u-boot)
             (gnu services dns)
             (gnu services mail)
             (gnu services networking)
             (gnu services version-control)
             (gnu services web)
             (gnu system))

;; Package modules.  Not every one of these is referenced by name in this
;; file; some may only be needed by the inherited base system, so do not
;; prune them without checking the (config ...) modules as well.
(use-modules (gnu packages bootloaders)
             (gnu packages dns)
             (gnu packages firmware)
             (gnu packages libunwind)
             (gnu packages linux)
             (gnu packages mail)
             (gnu packages package-management)
             (gnu packages php)
             (gnu packages tor)
             (gnu packages web))

;; Guix core helpers (package records, utilities, transformations).
(use-modules (guix packages)
             (guix utils)
             (guix transformations))

;; Site-local configuration modules shared between hosts, and the gitile
;; package definition kept in this repository.
(use-modules (config certbot) (config dns) (config iptables)
             (config mail) (config os) (config static-web)
             (config web)
             (packages gitile))
;; Copied from (gnu bootloader u-boot)
(define-public u-boot-rock-pi-4-rk3399
  ;; U-Boot for the Rock Pi 4 (RK3399).  Starts from the generic package
  ;; produced by make-u-boot-package and adds the ARM Trusted Firmware build
  ;; as a native input, exposing its bl31.elf to the U-Boot build through the
  ;; BL31 environment variable.
  (let* ((triplet "aarch64-linux-gnu")
         (base    (make-u-boot-package "rock-pi-4-rk3399" triplet)))
    (package
      (inherit base)
      (native-inputs
       ;; The firmware is prepended to whatever the base package already
       ;; needs; set-environment below locates bl31.elf by file name, not
       ;; by this label.
       (cons `("firmware" ,arm-trusted-firmware-rk3399)
             (package-native-inputs base)))
      (arguments
       (substitute-keyword-arguments (package-arguments base)
         ((#:phases phases)
          `(modify-phases ,phases
             ;; Tell the U-Boot build where the BL31 image lives.
             (add-after 'unpack 'set-environment
               (lambda* (#:key inputs #:allow-other-keys)
                 (let ((bl31 (search-input-file inputs "/bl31.elf")))
                   (setenv "BL31" bl31))))
             ;; Neither of these phases copes with the bl31 ELF, so skip them.
             (delete 'strip)
             (delete 'validate-runpath))))))))
;; Same as install-rockpro64-rk3399-u-boot
(define install-rock-pi-4-rk3399-u-boot
  ;; Disk-image installer for the Rock Pi 4 U-Boot: copies idbloader.img and
  ;; u-boot.itb from the bootloader package's libexec/ directory into IMAGE
  ;; at fixed byte offsets (sector 64 and sector 16384, 512-byte sectors).
  ;; ROOT-INDEX is accepted for interface compatibility but unused.
  ;;
  ;; This is a G-expression evaluated when the image is built, so only plain
  ;; Guile and the build-side helpers (write-file-on-device) are available.
  ;; An earlier variant wrote the two files to "boot0"/"boot1" partitions of
  ;; the image at offset 0 instead; that is no longer used.
  #~(lambda (bootloader root-index image)
      (let* ((sector-size   512)
             (idb-offset    (* 64 sector-size))
             (u-boot-offset (* 16384 sector-size))
             (libexec       (string-append bootloader "/libexec/"))
             (idb           (string-append libexec "idbloader.img"))
             (u-boot        (string-append libexec "u-boot.itb"))
             (file-size     (lambda (file) (stat:size (stat file)))))
        (write-file-on-device idb (file-size idb) image idb-offset)
        (write-file-on-device u-boot (file-size u-boot) image u-boot-offset))))
(define u-boot-rockpi4-bootloader
  ;; <bootloader> record for the Rock Pi 4: the stock U-Boot bootloader
  ;; definition with the BL31-enabled package and the raw-offset installer
  ;; defined above.
  (bootloader
   (inherit u-boot-bootloader)
   (disk-image-installer install-rock-pi-4-rk3399-u-boot)
   (package u-boot-rock-pi-4-rk3399)))
;; The host "nono", a Rock Pi 4 (aarch64) built on the shared tyreunom-os
;; base from the site config modules.  Everything below overrides or extends
;; that base.
(operating-system
  (inherit (tyreunom-os "nono"))
  ;; U-Boot is written to the raw device (see the installer above), not to
  ;; a partition.  /dev/mmcblk2 is presumably the on-board eMMC — confirm.
  (bootloader
    (bootloader-configuration
      (targets '("/dev/mmcblk2"))
      (bootloader u-boot-rockpi4-bootloader)))
  ;; Keep the USB HID drivers from loading.  The reason is not recorded
  ;; here; presumably a headless board administered over serial — confirm.
  (kernel-arguments '("modprobe.blacklist=usbmouse"
		      "modprobe.blacklist=usbkbd"
		      ))
  (kernel linux-libre-arm64-generic)
  ;; No initrd modules.  The datum-commented (#;) list that follows is the
  ;; former explicit set and is NOT in effect; presumably the generic arm64
  ;; kernel has the MMC/PHY drivers built in — verify before re-enabling.
  (initrd-modules '())
  #;(initrd-modules
    '("phy-rockchip-emmc"
      "phy-rockchip-usb"
      "phy-rockchip-inno-usb2"
      "dw_mmc-rockchip"
      "sdhci"
      "sdhci-pltfm"))
  (file-systems (cons* (file-system
                         (mount-point "/")
                         (device (file-system-label "my-root"))
                         (type "ext4"))
                       %base-file-systems))
  (services
    (append
      (list
        (service dhcp-client-service-type)
        ;; Host firewall; the rule set lives in (config iptables).
        lepiller-iptables-service
        ;; Login console on the serial UART (ttyS2) at 1.5 Mbaud.
        (agetty-service
          (agetty-configuration
            (baud-rate "1500000,n8")
            (term "vt100")
            (tty "ttyS2")))
        ;; Onion services forwarding to loopback ports.  Where the mail and
        ;; SSH daemons actually bind is decided by their own services, not
        ;; here.
        (service tor-service-type)
        (tor-hidden-service "mail"
                            '((25 "127.0.0.1:25")
                              (143 "127.0.0.1:143")
                              (587 "127.0.0.1:587")
                              (993 "127.0.0.1:993")))
        ;; NOTE(review): the port is a string here but a number above;
        ;; presumably both render the same HiddenServicePort line — confirm,
        ;; or use 22 for consistency.
        (tor-hidden-service "ssh"
                            '(("22" "127.0.0.1:22")))
        ;; Authoritative DNS.  /etc/knot/secrets.conf is not part of this
        ;; configuration (presumably TSIG keys kept out of the world-readable
        ;; store — confirm); ACL, remote and zone definitions come from
        ;; (config dns).
        (service knot-service-type
                 (knot-configuration
                   (includes '("/etc/knot/secrets.conf"))
                   (acls (list slave-acl))
                   (remotes (list hermes))
                   (zones (list lepiller-slave-zone
                                ipv4-reverse-master-zone
                                ipv6-reverse-master-zone))))
        ;; Let's Encrypt certificates; presumably one certificate per inner
        ;; list with the extra names as SANs.  The /etc/letsencrypt/live/
        ;; paths used by the vhosts below must match these names.
        (certbot-service `(("courriel.lepiller.eu" "imap.lepiller.eu")
                           ("nono.lepiller.eu" "toulouse.lepiller.eu")
                           ("avatar.lepiller.eu")
                           ("git.lepiller.eu")
                           ("social.lepiller.eu")))
        (service nginx-service-type)
        (service php-fpm-service-type)
        ;; CGI gateway for git-http-backend, running with group "git";
        ;; presumably what lets it read the gitolite tree once the
        ;; gitolite-home-permissions snippet below has run — confirm.
        (service fcgiwrap-service-type
                 (fcgiwrap-configuration
                   (group "git")))
        ;; Every vhost below listens on 443 only; any port-80 listener or
        ;; HTTP->HTTPS redirect presumably comes from certbot-service
        ;; ((config certbot)) — verify.
        (cat-avatar-generator-service
          #:configuration
          (nginx-server-configuration
            (server-name '("avatar.lepiller.eu"))
            (ssl-certificate
              "/etc/letsencrypt/live/avatar.lepiller.eu/fullchain.pem")
            (ssl-certificate-key
              "/etc/letsencrypt/live/avatar.lepiller.eu/privkey.pem")
            (listen '("443 ssl http2" "[::]:443 ssl http2"))))
        ;; Catch-all vhost for names without their own server block.
        (simple-service 'default-http-server nginx-service-type
          (list (nginx-server-configuration
                  (ssl-certificate
                    "/etc/letsencrypt/live/nono.lepiller.eu/fullchain.pem")
                  (ssl-certificate-key
                    "/etc/letsencrypt/live/nono.lepiller.eu/privkey.pem")
                  (listen '("443 ssl http2" "[::]:443 ssl http2"))
                  (server-name '(default))
		  (root "/srv/http/default"))))
        ;; social.lepiller.eu: static files from /srv/http/social/public,
        ;; user uploads served directly by nginx under /content/, everything
        ;; else proxied to the application on localhost:8081.  The extra
        ;; server directives (default-web-policy, from (config web)) are
        ;; presumably the shared response-header policy — confirm.
        (simple-service 'social-http-server nginx-service-type
          (list (nginx-server-configuration
                  (ssl-certificate "/etc/letsencrypt/live/social.lepiller.eu/fullchain.pem")
                  (ssl-certificate-key "/etc/letsencrypt/live/social.lepiller.eu/privkey.pem")
                  (listen '("443 ssl http2" "[::]:443 ssl http2"))
                  (server-name '("social.lepiller.eu"))
                  (root "/srv/http/social/public")
                  (locations
                    (list
                      (nginx-location-configuration
                        (uri "/content/")
                        (body '("alias /var/lib/social/user-data/public/;")))
                      (nginx-location-configuration
                        (uri "/")
                        (body '("proxy_pass http://localhost:8081;")))))
                  (raw-content default-web-policy))))
        ;; Git web frontend (gitile) plus git-http-backend under /git/.
        (service gitile-service-type
                 (gitile-configuration
		   (package gitile)
                   (base-git-url "https://git.lepiller.eu/git")
                   ;; Landing-page text and footer, as SXML rendered by gitile.
                   (intro '((p "Hey there, I'm Julien, also known as "
                               (code "roptat") " or " (code "tyreunom")
                               " on the internet. If you reached this page, it
probably means you are interested in the kind of software projects I make. Thank
you for your interest! Here is a list of projects I host here.")
                            (p "Note that I am in the process of migrating from
framagit. Every new project will appear here, but older projects might take
time to migrate. I'm also planning to add some features at some point, like
issues and merge requests, but that will take some time. I'd like to implement
these features myself, using " (a (@ (href "https://notabug.org/peers/forgefed")) "forgefed") ".")))
                   (footer '((p (a (@ (href "https://lepiller.eu")) "Who am I?"))))
                   (nginx
                     (nginx-server-configuration
                       (ssl-certificate
                         "/etc/letsencrypt/live/git.lepiller.eu/fullchain.pem")
                       (ssl-certificate-key
                         "/etc/letsencrypt/live/git.lepiller.eu/privkey.pem")
                       (listen '("443 ssl http2" "[::]:443 ssl http2"))
                       (server-name '("git.lepiller.eu"))
                       (root "/srv/http/git/public")
                       (locations
                         (list
                           ;; git-http-backend over the gitolite repository
                           ;; tree, mounted at /git/.
                           (git-http-nginx-location-configuration
                             (git-http-configuration
                               (uri-path "/git/")
                               (git-root "/var/lib/gitolite/repositories")))
                           ;; Case-insensitive regex location: any path with
                           ;; a /manual/ component is served from the static
                           ;; tree instead of gitile.  How the manual built
                           ;; into /srv/http/git/guile-netlink-manual (below)
                           ;; maps under this root is not visible here — verify.
                           (nginx-location-configuration
                             (uri "~* .*/manual/.*")
                             (body
                               (list
                                 "root /srv/http/git/public;")))))))))
        ;; Builds the guile-netlink manual from a git checkout of the
        ;; master branch into the static tree.
        (service static-web-site-service-type
                 (static-web-site-configuration
                  (git-url "https://git.lepiller.eu/git/guile-netlink")
                  (git-ref '(branch . "master"))
                  (directory "/srv/http/git/guile-netlink-manual")
                  (build-file "doc/build.scm")))
        ;; on activation, gitolite chmods its home directory to #o700, disabling
        ;; access to git-http-backend.  Re-enable that access (#o750: owner
        ;; full, group read/traverse, others nothing).
        ;; NOTE(review): this only helps if it runs after gitolite's own
        ;; activation snippet; position in this list does not guarantee
        ;; that ordering — verify after a reconfigure.
        (simple-service 'gitolite-home-permissions
                        activation-service-type
                        #~(chmod "/var/lib/gitolite" #o750))
        ;; Admin key and rc file come from files next to this configuration
        ;; (../keys, ../files).  The datum-commented (#;) generated rc with
        ;; umask #o0027 is NOT in effect, so the umask and git-config-keys
        ;; are whatever ../files/gitolite.rc sets — review that file.
        (service gitolite-service-type
          (gitolite-configuration
            (admin-pubkey (local-file "../keys/tyreunom.pub"))
            (rc-file
              (local-file "../files/gitolite.rc")
              #;(gitolite-rc-file
                (umask #o0027)
                (git-config-keys ".*"))))))
      ;; Mail stack from (config mail), bound to eth0 for the courriel
      ;; domain, followed by the per-host extras shared with other servers.
      (lepiller-mail-services
        #:interface "eth0"
        #:domain "courriel.lepiller.eu")
      (server-services "nono"))))