

;;; Tyreunom's system administration and configuration tools.
;;;
;;; Copyright © 2019, 2020 Julien Lepiller <julien@lepiller.eu>
;;;
;;; This program is free software: you can redistribute it and/or modify
;;; it under the terms of the GNU General Public License as published by
;;; the Free Software Foundation, either version 3 of the License, or
;;; (at your option) any later version.
;;;
;;; This program is distributed in the hope that it will be useful,
;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with this program.  If not, see <http://www.gnu.org/licenses/>.
;; Module imports, grouped by origin.  Order is preserved from the original
;; one-form-per-line layout so that binding resolution is unchanged.
(use-modules (gnu)
             (gnu bootloader)
             (gnu bootloader u-boot)
             (gnu services dns)
             (gnu services mail)
             (gnu services networking)
             (gnu services version-control)
             (gnu services web)
             (gnu system)
             ;; Packages referenced directly below (several are rebuilt with
             ;; their test suites disabled further down).
             (gnu packages bootloaders)
             (gnu packages dns)
             (gnu packages libunwind)
             (gnu packages mail)
             (gnu packages package-management)
             (gnu packages php)
             (gnu packages tor)
             (gnu packages web)
             ;; Package records, helpers and `options->transformation'.
             (guix packages)
             (guix utils)
             (guix transformations)
             ;; Site-local configuration modules from this repository.
             (config certbot) (config dns) (config iptables)
             (config mail) (config os) (config static-web)
             (config web)
             (packages gitile))
;; Copy from (gnu bootloader u-boot).
;;
;; Staged installer procedure, called at system installation time as
;; (installer BOOTLOADER DEVICE MOUNT-POINT):
;;   BOOTLOADER  - the U-Boot package's output path
;;   DEVICE      - the raw block device to write to
;;   MOUNT-POINT - unused here; the image goes to the raw device, not a file
;;                 system
;; The SPL+U-Boot image is written 8 KiB (8 * 1024 bytes) into DEVICE, the
;; same offset used by the upstream installer this duplicates.
(define install-allwinner-u-boot
  #~(lambda (bootloader device mount-point)
      (let* ((image (string-append bootloader
                                   "/libexec/u-boot-sunxi-with-spl.bin"))
             (size  (stat:size (stat image))))
        (write-file-on-device image size device (* 8 1024)))))
;; Bootloader record for the Cubietruck: the generic U-Boot bootloader with
;; the board-specific package and the raw-device installer defined above.
(define u-boot-cubietruck-bootloader
  (bootloader (inherit u-boot-bootloader)
              (installer install-allwinner-u-boot)
              (package u-boot-cubietruck)))
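;; System "ene": a Cubietruck board booted through the U-Boot record above.
;; It hosts mail, DNS (knot), git (gitolite + gitile) and a few HTTPS sites on
;; top of the shared base settings provided by `tyreunom-os' in (config os).
;;
;; Changes versus the previous revision: the "ssh" onion-service port is
;; given as a number like the "mail" ports (the generated torrc is the same),
;; mixed tab/space indentation is normalised, and the two nginx fields that
;; shared one line are split.
(operating-system
  (inherit (tyreunom-os "ene"))
  (bootloader
    (bootloader-configuration
      ;; Raw eMMC/SD device: the installer writes U-Boot at a fixed offset,
      ;; it is not placed in a file system.
      (targets '("/dev/mmcblk0"))
      (bootloader u-boot-cubietruck-bootloader)))
  ;; Drivers the initrd needs to reach the root disk on this board.
  (initrd-modules (cons* "sunxi-mmc" "sd_mod" "ahci_sunxi" %base-initrd-modules))
  (file-systems (cons (file-system
                        (mount-point "/")
                        (device "/dev/sda1")
                        (type "ext4"))
                      %base-file-systems))
  (services
    (append
      (list
        (service dhcp-client-service-type)
        lepiller-iptables-service
        ;; Serial console on the board's UART.
        (agetty-service
          (agetty-configuration
            (extra-options '("-L"))
            (baud-rate "115200")
            (term "vt100")
            (tty "ttyS0")))
        ;; NOTE(review): tor, knot, protobuf, php and dovecot are all rebuilt
        ;; with #:tests? #f below, presumably to keep build times bearable on
        ;; this ARM board.  The trade-off is that the upstream test suites no
        ;; longer gate these network-facing packages.
        (service tor-service-type
                 (tor-configuration
                   (tor (package
                          (inherit tor)
                          (arguments
                           `(#:tests? #f
                             ,@(package-arguments tor)))))))
        ;; Onion services; each one forwards only to a loopback listener.
        (tor-hidden-service "mail"
                            '((25 "127.0.0.1:25")
                              (143 "127.0.0.1:143")
                              (587 "127.0.0.1:587")
                              (993 "127.0.0.1:993")))
        ;; Port written as a number, consistent with the "mail" mapping.
        (tor-hidden-service "ssh"
                            '((22 "127.0.0.1:22")))
        (service knot-service-type
                 (knot-configuration
                   (knot
                     ((options->transformation '((without-tests . "protobuf")
                                                 (without-tests . "knot")))
                      knot))
                   ;; Secrets are included by path rather than as a store
                   ;; item, so they are not exposed through the world-readable
                   ;; store.
                   (includes '("/etc/knot/secrets.conf"))
                   (acls (list slave-acl))
                   (remotes (list hermes))
                   (zones (list lepiller-slave-zone
                                ipv4-reverse-master-zone
                                ipv6-reverse-master-zone))))
        ;; One certificate per group of names.  The certificate paths used by
        ;; the nginx servers below are named after the first name of each
        ;; group.
        (certbot-service `(("courriel.lepiller.eu" "imap.lepiller.eu")
                           ("ene.lepiller.eu" "rennes.lepiller.eu")
                           ("avatar.lepiller.eu")
                           ("git.lepiller.eu")
                           ("social.lepiller.eu")))
        (service nginx-service-type)
        (service php-fpm-service-type
                 (php-fpm-configuration
                   ;; TODO: remove after guix doesn't complain about duplicate
                   ;; groups.
                   (group "php-fpm2")
                   (php (package (inherit php)
                                 (arguments
                                  `(#:tests? #f
                                    ,@(package-arguments php)))))))
        ;; fcgiwrap runs in the "git" group; presumably this is what lets
        ;; git-http-backend read the gitolite repositories (see the
        ;; permissions fix-up further down).
        (service fcgiwrap-service-type
                 (fcgiwrap-configuration
                   (group "git")))
        (cat-avatar-generator-service
          #:configuration
          (nginx-server-configuration
            (server-name '("avatar.lepiller.eu"))
            (ssl-certificate
              "/etc/letsencrypt/live/avatar.lepiller.eu/fullchain.pem")
            (ssl-certificate-key
              "/etc/letsencrypt/live/avatar.lepiller.eu/privkey.pem")
            (listen '("443 ssl http2" "[::]:443 ssl http2"))))
        ;; Catch-all HTTPS server for names without a dedicated vhost.
        (simple-service 'default-http-server nginx-service-type
          (list (nginx-server-configuration
                  (ssl-certificate
                    "/etc/letsencrypt/live/ene.lepiller.eu/fullchain.pem")
                  (ssl-certificate-key
                    "/etc/letsencrypt/live/ene.lepiller.eu/privkey.pem")
                  (listen '("443 ssl http2" "[::]:443 ssl http2"))
                  (server-name '(default))
                  (root "/srv/http/default"))))
        (simple-service 'social-http-server nginx-service-type
          (list (nginx-server-configuration
                  (ssl-certificate "/etc/letsencrypt/live/social.lepiller.eu/fullchain.pem")
                  (ssl-certificate-key "/etc/letsencrypt/live/social.lepiller.eu/privkey.pem")
                  (listen '("443 ssl http2" "[::]:443 ssl http2"))
                  (server-name '("social.lepiller.eu"))
                  (root "/srv/http/social/public")
                  (locations
                    (list
                      ;; User-uploaded public content served straight from
                      ;; disk.  Both the location and the alias end in "/",
                      ;; which is the form that keeps the mapping exact.
                      (nginx-location-configuration
                        (uri "/content/")
                        (body '("alias /var/lib/social/user-data/public/;")))
                      ;; Everything else goes to the local application.
                      (nginx-location-configuration
                        (uri "/")
                        (body '("proxy_pass http://localhost:8081;")))))
                  ;; Shared policy snippet, presumably from (config web).
                  ;; NOTE(review): only this vhost includes it; the default,
                  ;; avatar and git servers do not -- confirm that is intended.
                  (raw-content default-web-policy))))
        (service gitile-service-type
                 (gitile-configuration
                   (package gitile)
                   (base-git-url "https://git.lepiller.eu/git")
                   (intro '((p "Hey there, I'm Julien, also known as "
                               (code "roptat") " or " (code "tyreunom")
                               " on the internet. If you reached this page, it
probably means you are interested in the kind of software projects I make. Thank
you for your interest! Here is a list of projects I host here.")
                            (p "Note that I am in the process of migrating from
framagit. Every new project will appear here, but older projects might take
time to migrate. I'm also planning to add some features at some point, like
issues and merge requests, but that will take some time. I'd like to implement
these features myself, using " (a (@ (href "https://notabug.org/peers/forgefed")) "forgefed") ".")))
                   (footer '((p (a (@ (href "https://lepiller.eu")) "Who am I?"))))
                   (nginx
                     (nginx-server-configuration
                       (ssl-certificate
                         "/etc/letsencrypt/live/git.lepiller.eu/fullchain.pem")
                       (ssl-certificate-key
                         "/etc/letsencrypt/live/git.lepiller.eu/privkey.pem")
                       (listen '("443 ssl http2" "[::]:443 ssl http2"))
                       (server-name '("git.lepiller.eu"))
                       (root "/srv/http/git/public")
                       (locations
                         (list
                           ;; Smart-HTTP access to the gitolite repositories.
                           (git-http-nginx-location-configuration
                             (git-http-configuration
                               (uri-path "/git/")
                               (git-root "/var/lib/gitolite/repositories")))
                           ;; NOTE(review): this regex location is unanchored
                           ;; and, in nginx, regex locations win over the
                           ;; "/git/" prefix location, so any request path
                           ;; containing "/manual/" is served from disk rather
                           ;; than by git-http-backend.  Also, the static site
                           ;; below builds into /srv/http/git/guile-netlink-manual,
                           ;; which is not under this root -- confirm how the
                           ;; two are connected.
                           (nginx-location-configuration
                             (uri "~* .*/manual/.*")
                             (body
                               (list
                                 "root /srv/http/git/public;")))))))))
        (service static-web-site-service-type
                 (static-web-site-configuration
                  (git-url "https://git.lepiller.eu/git/guile-netlink")
                  (git-ref '(branch . "master"))
                  (directory "/srv/http/git/guile-netlink-manual")
                  (build-file "doc/build.scm")))
        ;; on activation, gitolite chmods its home directory to #o700, disabling
        ;; access to git-http-backend.  Re-enable that access.
        ;; #o750 keeps the home group-accessible while still denying other
        ;; users.  NOTE(review): this relies on the snippet running after
        ;; gitolite's own activation code -- confirm the ordering holds.
        (simple-service 'gitolite-home-permissions
                        activation-service-type
                        #~(chmod "/var/lib/gitolite" #o750))
        (service gitolite-service-type
          (gitolite-configuration
            (admin-pubkey (local-file "../keys/tyreunom.pub"))
            (rc-file
              (local-file "../files/gitolite.rc")
              ;; Datum-commented alternative kept for reference: generate the
              ;; rc file here instead of shipping it from ../files.
              #;(gitolite-rc-file
                (umask #o0027)
                (git-config-keys ".*"))))))
      (modify-services
        (lepiller-mail-services
          #:interface "eth0"
          #:domain "courriel.lepiller.eu")
        ;; Same no-tests rebuild as above, applied to the dovecot package used
        ;; by the inherited mail services.
        (dovecot-service-type config =>
         (dovecot-configuration
           (inherit config)
           (dovecot (package
                      (inherit dovecot)
                      (arguments
                        `(#:tests? #f
                          ,@(package-arguments dovecot))))))))
      (server-services "ene"))))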