;;; Tyreunom's system administration and configuration tools.
;;;
;;; Copyright © 2019 Julien Lepiller <julien@lepiller.eu>
;;;
;;; This program is free software: you can redistribute it and/or modify
;;; it under the terms of the GNU General Public License as published by
;;; the Free Software Foundation, either version 3 of the License, or
;;; (at your option) any later version.
;;;
;;; This program is distributed in the hope that it will be useful,
;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with this program.  If not, see <http://www.gnu.org/licenses/>.
(use-modules (gnu))
(use-modules (gnu system))
(use-modules (gnu bootloader) (gnu bootloader grub))
(use-modules (gnu services dns))
(use-modules (gnu services networking))
(use-modules (gnu services web))
(use-modules (config certbot) (config dns) (config mail) (config network) (config os)
             (config iptables) (config web)
             (data dns))
;; NOTE: this config depends on the following out-of-band files.
;; To (re-)generate /etc/mail/dkim/private.key, run:
;; openssl genrsa -out /etc/mail/dkim/private.key 2048
;; openssl rsa -in /etc/mail/dkim/private.key -pubout -out /etc/mail/dkim/public.key
;; chmod 440 /etc/mail/dkim/private.key
;;
;; To (re-)generate /etc/knot/secrets.conf, run:
;; keymgt -t lepiller-key > /etc/knot/secrets.conf
;; nginx directives shared by the two lepiller.eu virtual hosts (HTTPS and
;; onion): the base policy from (config web), an Accept-Language based
;; redirect into a per-language subtree, the html policy, and a 404 page.
(define lepiller-policy
  (let* ((onion-header
          "add_header Onion-Location 'http://c25o7knygjm3m67jy27yuynvv4pkfi25naucscmh4ubq2ggiig3v57ad.onion$request_uri';")
         ;; Pick the first of en/eo/fr found in Accept-Language and default
         ;; to "en".  `~*` is a case-insensitive match, so $1 carries the
         ;; client's capitalisation into the redirect path, and the pattern
         ;; is not anchored to a language-tag boundary.
         (language-directives
          (list
           "# accept-language: en,en-US;q=0.8,ja;q=0.6"
           "set $first_language '';"
           "if ($http_accept_language ~* '(en|eo|fr)') {"
           "  set $first_language $1;"
           "}"
           "if ($first_language = '') {"
           "  set $first_language 'en';"
           "}"
           "set $my_uri $first_language/$uri;"
           ;; Single-segment paths are redirected into the language subtree.
           "location ~ ^/[^/]*$ {"
           "  return 301 /$first_language/$uri;"
           "}"))
         ;; Inside the html location: the Onion-Location header is repeated
         ;; (nginx only inherits add_header into a level that sets none of
         ;; its own) and the language-prefixed path is tried first.
         (html-directives
          (list
           "    add_header Onion-Location 'http://c25o7knygjm3m67jy27yuynvv4pkfi25naucscmh4ubq2ggiig3v57ad.onion$request_uri';"
           "    try_files $my_uri $uri $uri/ =404;")))
    (append web-base-policy
            (cons onion-header language-directives)
            (web-html-policy html-directives)
            (list "error_page 404 /404.html;"))))
;;; Operating system for "hermes": authoritative DNS (knot), the mail stack
;;; from (config mail), and the lepiller.eu web sites, which are served both
;;; over HTTPS and as a tor onion service.  Host-independent settings come
;;; from (tyreunom-os "hermes"); the network and firewall services come from
;;; (config network) and (config iptables).
(operating-system
  (inherit (tyreunom-os "hermes"))

  (bootloader
   (bootloader-configuration
    (bootloader grub-bootloader)
    (targets (list "/dev/sda"))))

  ;; Root file system, located by UUID, in front of the usual base list.
  (file-systems
   (append (list (file-system
                   (device (uuid "27798665-5606-4fde-8da8-cc371e603892"))
                   (mount-point "/")
                   (type "ext4")))
           %base-file-systems))

  ;; /etc/hosts: the host's public v4/v6 addresses (from (config network))
  ;; and both loopback addresses map to the FQDN and the short name.
  (hosts-file
   (computed-file "hosts"
     #~(with-output-to-file #$output
         (lambda ()
           (format #t "~a\thermes.lepiller.eu\thermes\n" #$hermes-ip4)
           (format #t "~a\thermes.lepiller.eu\thermes\n\n" #$hermes-ip6)
           (format #t "127.0.0.1\thermes.lepiller.eu\thermes\n")
           (format #t "::1\thermes.lepiller.eu\thermes")))))

  (services
   ;; Values shared by several of the nginx virtual hosts below.
   (let ((onion-host "c25o7knygjm3m67jy27yuynvv4pkfi25naucscmh4ubq2ggiig3v57ad.onion")
         (https-listen (list "443 ssl http2" "[::]:443 ssl http2"))
         (lepiller-cert "/etc/letsencrypt/live/lepiller.eu/fullchain.pem")
         (lepiller-key "/etc/letsencrypt/live/lepiller.eu/privkey.pem")
         (dico-cert "/etc/letsencrypt/live/dico.lepiller.eu/fullchain.pem")
         (dico-key "/etc/letsencrypt/live/dico.lepiller.eu/privkey.pem"))
     (cons*
      hermes-network-service
      lepiller-iptables-service

      ;; Tor, with one onion service for ssh + web and one for the mail
      ;; ports; each virtual port forwards to the matching loopback port.
      (service tor-service-type)
      (tor-hidden-service "lepiller"
                          (list (list 22 "127.0.0.1:22")
                                (list 80 "127.0.0.1:80")))
      (tor-hidden-service "mail"
                          (list (list 25 "127.0.0.1:25")
                                (list 143 "127.0.0.1:143")
                                (list 587 "127.0.0.1:587")
                                (list 993 "127.0.0.1:993")))

      ;; nginx itself; the virtual hosts are contributed by the
      ;; simple-services further down.  The bucket size is presumably raised
      ;; to fit the long .onion server name.
      (service nginx-service-type
               (nginx-configuration
                (server-names-hash-bucket-size 128)))

      ;; Authoritative DNS.  The TSIG secret is read from a file kept out of
      ;; the store (see the NOTE near the top of this file).
      (service knot-service-type
               (knot-configuration
                (includes (list "/etc/knot/secrets.conf"))
                (acls (list master-acl))
                (remotes (list nono))
                (zones (list lepiller-master-zone
                             ipv4-reverse-master-zone
                             ipv6-reverse-master-zone))))

      ;; Let's Encrypt: one certificate per inner list.
      (certbot-service (list (list "lepiller.eu" "www.lepiller.eu" "smtp.lepiller.eu")
                             (list "dico.lepiller.eu")))

      ;; dico.lepiller.eu: the css tree is served directly, everything else
      ;; is proxied to a backend on loopback port 8080 that is not declared
      ;; in this file.
      (simple-service 'dico-http-server nginx-service-type
        (list (nginx-server-configuration
               (server-name (list "dico.lepiller.eu"))
               (listen https-listen)
               (ssl-certificate dico-cert)
               (ssl-certificate-key dico-key)
               (root "/srv/http/dico/public")
               (locations
                (list
                 (nginx-location-configuration
                  (uri "/css/")
                  (body (list "alias /srv/http/dico/public/css/;")))
                 (nginx-location-configuration
                  (uri "/")
                  (body (list "proxy_pass http://localhost:8080;")))))
               (raw-content default-web-policy))))

      ;; lepiller.eu over tor: plain HTTP, matched by the onion server name.
      ;; The onion service forwards to 127.0.0.1:80, but the listen lines
      ;; bind port 80 on every address, so reachability from the public
      ;; interface is decided by lepiller-iptables-service (config iptables).
      (simple-service 'tor-lepiller-http-server nginx-service-type
        (list (nginx-server-configuration
               (server-name (list onion-host))
               (listen (list "80" "[::]:80"))
               (root "/srv/http/lepiller/public")
               (index (list "index.html"))
               (try-files (list "$uri" "$uri/" "=404"))
               (raw-content lepiller-policy))))

      ;; lepiller.eu over HTTPS: same document root and policy as the onion
      ;; site.
      (simple-service 'lepiller-http-server nginx-service-type
        (list (nginx-server-configuration
               (server-name (list "lepiller.eu" "www.lepiller.eu"))
               (listen https-listen)
               (ssl-certificate lepiller-cert)
               (ssl-certificate-key lepiller-key)
               (root "/srv/http/lepiller/public")
               (index (list "index.html"))
               (try-files (list "$uri" "$uri/" "=404"))
               (raw-content lepiller-policy))))

      ;; Catch-all HTTPS virtual host for names not listed above; it
      ;; presents the lepiller.eu certificate.
      (simple-service 'default-http-server nginx-service-type
        (list (nginx-server-configuration
               (server-name (list 'default))
               (listen https-listen)
               (ssl-certificate lepiller-cert)
               (ssl-certificate-key lepiller-key)
               (root "/srv/http/default")
               (raw-content default-web-policy))))

      ;; Mail (from (config mail)) and the services common to all servers.
      (append (lepiller-mail-services
               #:interface "ens18"
               #:domain "lepiller.eu")
              (server-services "hermes"))))))