authorEuAndreh <eu@euandre.org>2020-11-26 19:28:19 -0300
committerEuAndreh <eu@euandre.org>2020-11-26 19:28:58 -0300
commit089f482b077a974a05986094ed7d63153978507e (patch)
treeda8611f735de331b5ffc30325801fd2da4d5d192
parentvps.scm: Start setting up OpenSMTPD configuration (diff)
downloadserver-089f482b077a974a05986094ed7d63153978507e.tar.gz
server-089f482b077a974a05986094ed7d63153978507e.tar.xz
vps.scm: Add nginx, certbot and mail-aliases services
-rw-r--r--sync/id_rsa.pub1
-rw-r--r--sync/vps.scm72
2 files changed, 60 insertions, 13 deletions
diff --git a/sync/id_rsa.pub b/sync/id_rsa.pub
new file mode 100644
index 0000000..79054c5
--- /dev/null
+++ b/sync/id_rsa.pub
@@ -0,0 +1 @@
+ssh-rsa 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 eu@euandre.org
diff --git a/sync/vps.scm b/sync/vps.scm
index 3a7f2e1..f56b3ed 100644
--- a/sync/vps.scm
+++ b/sync/vps.scm
@@ -1,39 +1,64 @@
(use-modules (gnu)
(ice-9 textual-ports))
-(use-service-modules networking ssh mcron admin)
+(use-service-modules networking ssh mcron admin mail web certbot)
(use-package-modules ssh backup)
(define user "andreh")
+(define (slurp f)
+ (call-with-input-file f get-string-all))
+
+(define slurp-trim
+ (compose string-trim-both slurp))
+
(define ssh-public-key
- "ssh-rsa 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 eu@euandre.org")
+ (slurp-trim "id_rsa.pub"))
(define sudoers "\
root ALL=(ALL) ALL
%wheel ALL=NOPASSWD: ALL\n")
(define tld
- (string-trim-both (call-with-input-file "tld.txt" get-string-all)))
+ (slurp-trim "tld.txt"))
(define mail-domain
(string-append "mail." tld))
-(define aliases-file
- (mixed-text-file "euandreh-aliases" "
-postmaster root
+(define letsencrypt-prefix "/etc/letsencrypt/live/")
+
+(define (tls-pub-for domain)
+ (string-append letsencrypt-prefix domain "/fullchain.pem"))
-@ " user))
+(define (tls-priv-for domain)
+ (string-append letsencrypt-prefix domain "/privkey.pem"))
(define opensmtpd-config
(mixed-text-file "euandreh-smtpd.conf" "
listen on eth0
+# File comes from mail-aliases-service-type
table aliases file:/etc/aliases
accept from any domain " mail-domain " alias <aliases> deliver to maildir
accept for local alias <aliases> deliver to maildir
accept for any relay
-pki " mail-domain " cert \"/etc/letsencrypt/live/" mail-domain "/fullchain.pem\"
-pki " mail-domain " key \"/etc/letsencrypt/live/" mail-domain "/privkey.pem\""))
+pki " mail-domain " cert \"" (tls-pub-for mail-domain) "\"
+pki " mail-domain " key \"" (tls-priv-for mail-domain) "\""))
+
+(define tls-prefixes
+ '("mail"))
+
+(define tls-domains
+ (cons tld
+ (map (lambda (prefix)
+ (string-append prefix "." tld))
+ tls-prefixes)))
+
+;; FIXME: restart the service over killing the process
+(define %nginx-deploy-hook
+ (program-file
+ "nginx-deploy-hook"
+ #~ (let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
+ (kill pid SIGHUP))))
(operating-system
(locale "fr_FR.UTF-8")
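Review bot: The new `%nginx-deploy-hook` (L85-L89) has no guard for a missing or empty `/var/run/nginx/pid`: `call-with-input-file` throws if the file is absent, and `read` on an empty file yields an EOF object that `kill` rejects, so the certbot deploy hook exits non-zero whenever nginx happens not to be running at renewal time. Since certbot runs this as root, it is also worth only signalling a value that is actually an integer before calling `kill`. Note that SIGHUP is nginx's graceful reload and is enough for it to re-open the certificate files, so the FIXME about restarting the service is presumably not needed — I would reword it to say why SIGHUP is used. A smaller related point on the new `pki` lines (L72-L73): the unchanged `listen on eth0` directive carries no `tls pki` clause, so as written the certificate is declared but never bound to a listener; the smtpd service is still commented out, so this only matters once it is enabled.
```scheme
(define %nginx-deploy-hook
  (program-file
   "nginx-deploy-hook"
   #~(let ((pid-file "/var/run/nginx/pid"))
       ;; No pid file means nginx is not running: nothing to reload.
       (when (file-exists? pid-file)
         (let ((pid (call-with-input-file pid-file read)))
           ;; Only signal a real pid; an empty file reads as EOF.
           (when (integer? pid)
             ;; SIGHUP is nginx's graceful reload; it re-opens the certs.
             (kill pid SIGHUP)))))))
```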
@@ -66,10 +91,31 @@ pki " mail-domain " key \"/etc/letsencrypt/live/" mail-domain "/privkey.pem\"")
(jobs (list))))
(service unattended-upgrade-service-type)
(service dhcp-client-service-type)
-; (service opensmtdp-service-type
-; (opensmtpd-configuration
-; (config-file opensmtpd-config)))
-)
+ ;; (service opensmtpd-service-type
+ ;; (opensmtpd-configuration
+ ;; (config-file opensmtpd-config)))
+ (service mail-aliases-service-type
+ '(("postmaster" "root")
+ ("webmaster" "root")
+ ("abuse" "root")))
+ (service nginx-service-type
+ (nginx-configuration
+ (server-blocks
+ (list
+ (nginx-server-configuration
+ ;; redirect???
+ (server-name (list tld))
+ (ssl-certificate (tls-pub-for tld))
+ (ssl-certificate-key (tls-priv-for tld)))))))
+ (service certbot-service-type
+ (certbot-configuration
+ (email (string-append "certbot@" tld))
+ (certificates
+ (list
+ (certificate-configuration
+ (domains tls-domains)
+ ;; FIXME: call /var/lib/certbot/renew-certificates on deploy-hook
+ (deploy-hook %nginx-deploy-hook)))))))
%base-services))
(bootloader
(bootloader-configuration
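Review bot: The single `certificate-configuration` at L121-L124 covers `tls-domains` (the tld first, then `mail.<tld>`), and as far as I know certbot stores such a multi-domain certificate under one lineage named after the first domain, i.e. `/etc/letsencrypt/live/<tld>/`; the `mail.<tld>` directory that `(tls-pub-for mail-domain)` / `(tls-priv-for mail-domain)` in the OpenSMTPD config point at would then never be created, so that config breaks as soon as the service is uncommented. Either emit one `certificate-configuration` per entry of `tls-domains` so each gets its own lineage, or have the smtpd `pki` lines reference the tld's lineage. Separately, the certbot contact is set to `certbot@<tld>` at L118 but the new `mail-aliases-service-type` list at L104-L106 has no entry for it, so expiry warnings would be undeliverable; add `("certbot" "root")` (and, per RFC 2142, `("security" "root")`) to the aliases. Finally, the nginx server block at L111-L115 references certificate files that do not exist before the first certbot run, so on a fresh deploy nginx may fail to start and be unable to serve the HTTP-01 challenge — worth confirming how the Guix certbot service handles that bootstrap.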