hermes.scm
1 | ;;; Tyreunom's system administration and configuration tools. |
2 | ;;; |
3 | ;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu> |
4 | ;;; |
5 | ;;; This program is free software: you can redistribute it and/or modify |
6 | ;;; it under the terms of the GNU General Public License as published by |
7 | ;;; the Free Software Foundation, either version 3 of the License, or |
8 | ;;; (at your option) any later version. |
9 | ;;; |
10 | ;;; This program is distributed in the hope that it will be useful, |
11 | ;;; but WITHOUT ANY WARRANTY; without even the implied warranty of |
12 | ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
13 | ;;; GNU General Public License for more details. |
14 | ;;; |
15 | ;;; You should have received a copy of the GNU General Public License |
16 | ;;; along with this program. If not, see <http://www.gnu.org/licenses/>. |
17 | |
18 | (use-modules (gnu)) |
19 | (use-modules (gnu system)) |
20 | (use-modules (gnu bootloader) (gnu bootloader grub)) |
21 | (use-modules (gnu services dns)) |
22 | (use-modules (gnu services web)) |
23 | (use-modules (config certbot) (config dns) (config mail) (config network) (config os)) |
24 | |
25 | |
26 | ;; NOTE: this config contains out-of band files. |
27 | ;; To (re-)generate /etc/mail/dkim/private.key, run: |
28 | ;; openssl genrsa -out /etc/mail/dkim/private.key 2048 |
29 | ;; openssl rsa -in /etc/mail/dkim/private.key -pubout -out /etc/mail/dkim/public.key |
30 | ;; chmod 440 /etc/mail/dkim/private.key |
31 | ;; |
32 | ;; To (re-)generate /etc/knot/secrets.conf, run: |
33 | ;; keymgt -t lepiller-key > /etc/knot/secrets.conf |
34 | |
35 | (operating-system |
36 | (inherit (tyreunom-os "hermes")) |
37 | (bootloader |
38 | (bootloader-configuration |
39 | (target "/dev/sda") |
40 | (bootloader grub-bootloader))) |
41 | (file-systems (cons (file-system |
42 | (mount-point "/") |
43 | (device (uuid "27798665-5606-4fde-8da8-cc371e603892")) |
44 | (type "ext4")) |
45 | %base-file-systems)) |
46 | (services |
47 | (append |
48 | (list |
49 | hermes-network-service |
50 | (service nginx-service-type) |
51 | (service knot-service-type |
52 | (knot-configuration |
53 | (includes '("/etc/knot/secrets.conf")) |
54 | (acls (list slave-acl)) |
55 | (remotes (list ene)) |
56 | (zones (list lepiller-slave-zone |
57 | ipv4-reverse-master-zone |
58 | ipv6-reverse-master-zone)))) |
59 | (certbot-service `(("lepiller.eu" "www.lepiller.eu" "smtp.lepiller.eu"))) |
60 | (simple-service 'lepiller-http-server nginx-service-type |
61 | (list (nginx-server-configuration |
62 | (ssl-certificate "/etc/letsencrypt/live/lepiller.eu/fullchain.pem") |
63 | (ssl-certificate-key "/etc/letsencrypt/live/lepiller.eu/privkey.pem") |
64 | (listen '("443 ssl http2" "[::]:443 ssl http2")) |
65 | (server-name '("lepiller.eu" "www.lepiller.eu")) |
66 | (root "/srv/http/lepiller/public") |
67 | (index '("index.$language_suffix.html" "index.html")) |
68 | (try-files '("$uri.$language_suffix.html" "$uri" "$uri/" "=404")) |
69 | (raw-content |
70 | '("add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;" |
71 | "add_header X-Frame-Options DENY;" |
72 | "add_header X-Content-Type-Options nosniff;" |
73 | "add_header Content-Security-Policy 'default-src \\'none\\'; img-src \\'self\\'; style-src \\'self\\' \\'unsafe-inline\\'; frame-ancestors \\'none\\'';" |
74 | "add_header Referrer-Policy no-referrer;" |
75 | "set $first_language $http_accept_language;" |
76 | "if ($http_accept_language ~* '(en|eo|fr)') {" |
77 | " set $first_language $1;" |
78 | "}" |
79 | "set $language_suffix $first_language;" |
80 | "if ($cookie_language) {" |
81 | " set $language_suffix $cookie_language;" |
82 | "}" |
83 | "if ($uri ~ \\.en.html$) {" |
84 | " set $language_suffix 'en';" |
85 | "}" |
86 | "if ($uri ~ \\.eo.html$) {" |
87 | " set $language_suffix 'eo';" |
88 | "}" |
89 | "if ($uri ~ \\.fr.html$) {" |
90 | " set $language_suffix 'fr';" |
91 | "}" |
92 | "if ($uri ~ (.*).html) {" |
93 | " set $my_uri $1.$language_suffix.html;" |
94 | "}" |
95 | "location ~ \\.html$ {" |
96 | " add_header Set-Cookie 'language=$language_suffix;HttpOnly;Secure';" |
97 | " add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';" |
98 | " add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;" |
99 | " add_header X-Frame-Options DENY;" |
100 | " add_header X-Content-Type-Options nosniff;" |
101 | " add_header Content-Security-Policy 'default-src \\'none\\'; img-src \\'self\\'; style-src \\'self\\' \\'unsafe-inline\\'; frame-ancestors \\'none\\'';" |
102 | " add_header Referrer-Policy no-referrer;" |
103 | " expires off;" |
104 | " try_files $my_uri $uri $uri/ =404;" |
105 | "}" |
106 | "error_page 404 /404;"))))) |
107 | (simple-service 'default-http-server nginx-service-type |
108 | (list (nginx-server-configuration |
109 | (ssl-certificate "/etc/letsencrypt/live/lepiller.eu/fullchain.pem") |
110 | (ssl-certificate-key "/etc/letsencrypt/live/lepiller.eu/privkey.pem") |
111 | (listen '("443 ssl http2" "[::]:443 ssl http2")) |
112 | (server-name '(default))(root "/srv/http/default"))))) |
113 | (lepiller-mail-services |
114 | #:interface "ens18" |
115 | #:domain "lepiller.eu") |
116 | (server-services "hermes")))) |
117 |