author | EuAndreh <eu@euandre.org> | 2024-08-18 16:37:26 -0300 |
---|---|---|
committer | EuAndreh <eu@euandre.org> | 2024-08-18 16:37:26 -0300 |
commit | b848470725ebb1fc16e181e4642d1a1421a7be6a (patch) | |
tree | ffe581365c0d23704ba6f949821b231ed4318623 /src/guix/system.scm | |
parent | packages.scm: Stop using package/inherit (diff) | |
system.scm: Add specific configuration for deployed services
Diffstat (limited to 'src/guix/system.scm')
-rw-r--r-- | src/guix/system.scm | 131 |
1 files changed, 79 insertions, 52 deletions
diff --git a/src/guix/system.scm b/src/guix/system.scm
index 9e06878..4f7f389 100644
--- a/src/guix/system.scm
+++ b/src/guix/system.scm
@@ -1,9 +1,11 @@
 (use-modules
+ ((ice-9 match) #:prefix m:)
 ((srfi srfi-1) #:prefix s1:) ((xyz euandreh heredoc) #:prefix heredoc:) ((org euandre packages) #:prefix pkg:) ((org euandre queue) #:prefix q:)
- (gnu))
+ (gnu)
+ (guix records))
 (use-package-modules version-control) (use-service-modules
@@ -12,6 +14,7 @@
 mail networking security
+ shepherd
 ssh web) (heredoc:enable-syntax)
@@ -41,6 +44,9 @@
 path) "src/config/tld.txt"))
+(define +cert.pem+ (string-append "/etc/letsencrypt/live/" +tld+ "/cert.pem"))
+(define +privkey.pem+ (string-append "/etc/letsencrypt/live/" +tld+ "/privkey.pem"))
+ (define package-symbols 
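Review bot: `+cert.pem+` points at `cert.pem`, which in a certbot live directory is the leaf certificate alone, while the nginx server block this commit removes served `fullchain.pem`; the untls listeners that later receive `certs` will therefore present a chain without the issuing intermediate, and clients that do not already cache that intermediate will fail validation. Unless untls assembles the chain on its own, which is not visible here, the drop-in fix is `(define +cert.pem+ (string-append "/etc/letsencrypt/live/" +tld+ "/fullchain.pem"))`, preferably renamed to `+fullchain.pem+` so the binding keeps naming the file it points to. Both defines are top-level, so the change stands on its own.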
@@ -51,6 +57,73 @@
 #; packages:papo.im)) ;; FIXME: move to "website" repository
+(define (without-shepherd-services lst)
+ (filter (lambda (extension)
+ (not (eq? shepherd-root-service-type
+ (service-extension-target extension))))
+ lst))
+
+(define (replacing-shepherd-services service fn)
+ (service-type
+ (inherit service)
+ (extensions
+ (append
+ (without-shepherd-services
+ (service-type-extensions service))
+ (list
+ (service-extension shepherd-root-service-type
+ fn))))))
+
+(define (with-services-from-args service config-type args)
+ (replacing-shepherd-services
+ service
+ (lambda (config)
+ (m:match config
+ (($ config-type _name _package user group log-file data-directory)
+ (map (lambda (tuple)
+ (let ((provision (s1:first tuple))
+ (args (s1:second tuple)))
+ (shepherd-service
+ (provision provision)
+ (requirement '())
+ (start
+ #~(make-forkexec-constructor
+ (list #$(pkg:cmd-for config-type config)
+ #$@args)
+ #:user #$user
+ #:group #$group
+ #:log-file #$log-file
+ #:directory #$data-directory))
+ (stop #~(make-kill-destructor SIGKILL)))))
+ args))))))
+
+(define binder-service-type
+ (with-services-from-args
+ pkg:binder-service-type
+ pkg:<binder-configuration>; FIXME: /var/run/glaze/redirect/glaze.socket, etc
+ '(((binder-http) ("0.0.0.0:80" "/var/run/glaze/redirect.socket"))
+ ((binder-https) ("0.0.0.0:443" "/var/run/untls/https.socket"))
+ ((binder-ircs) ("0.0.0.0:6697" "/var/run/untls/ircs.socket")))))
+
+(define glaze-service-type
+ (with-services-from-args
+ pkg:glaze-service-type
+ pkg:<glaze-configuration>
+ '(((glaze-http) ("-X" "/var/run/glaze/redirect.socket"))
+ ((glaze-https) ("-P/ws:/var/run/wscat/wscat.socket"
+ ;; -P/git/*:/var/run/fcgiwrap.sock" FIXME
+ "-P/*:/var/lib/glaze/"
+ "/var/run/glaze/glaze.socket")))))
+
+(define certs (list +cert.pem+ +privkey.pem+))
+(define untls-service-type
+ (with-services-from-args
+ pkg:untls-service-type
+ pkg:<untls-configuration>
+ `(((untls-https) (,@certs "/var/run/untls/https.socket" 
"/var/run/glaze/glaze.socket"))
+ ((untls-ircs) (,@certs "/var/run/untls/ircs.socket" "/var/run/papod/papod.socket")))))
+ + (operating-system (locale "en_GB.UTF-8")
@@ -65,11 +138,11 @@
 (service ntp-service-type) (service dhcp-client-service-type) (service fail2ban-service-type)
- (service pkg:binder-service-type (pkg:binder-configuration (package packages:binder)))
- (service pkg:glaze-service-type (pkg:glaze-configuration (package packages:glaze)))
- (service pkg:untls-service-type (pkg:untls-configuration (package packages:untls)))
- (service pkg:wscat-service-type (pkg:wscat-configuration (package packages:wscat)))
- (service pkg:papod-service-type (pkg:papod-configuration (package packages:papod)))
+ (service binder-service-type (pkg:binder-configuration (package packages:binder)))
+ (service glaze-service-type (pkg:glaze-configuration (package packages:glaze)))
+ (service untls-service-type (pkg:untls-configuration (package packages:untls)))
+ (service pkg:wscat-service-type (pkg:wscat-configuration (package packages:wscat)))
+ (service pkg:papod-service-type (pkg:papod-configuration (package packages:papod)))
+ (service openssh-service-type (q:openssh-default-configuration (pkg:users->keys +users+))) (service certbot-service-type (q:tld-certbot-configuration +tld+)) (service cgit-service-type q:cgit-pre-configuration) 
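Review bot: Every shepherd service built by `with-services-from-args` gets `(requirement '())`, yet the argument lists wire the services into a chain — `binder-https` forwards to `/var/run/untls/https.socket`, `untls-https` to `/var/run/glaze/glaze.socket`, `untls-ircs` to `/var/run/papod/papod.socket` — and none of them declares `networking`, so shepherd may start a listener before the socket it hands off to exists or before the network is up; whether that is tolerated depends on each daemon retrying its connect, which is not visible here, so a `requirement` entry per tuple, or at minimum `(requirement '(networking))`, would make the ordering explicit. In the same `shepherd-service` form, `(stop #~(make-kill-destructor SIGKILL))` gives the processes no chance to close connections or flush state; the default `(stop #~(make-kill-destructor))`, which sends SIGTERM, is the usual choice unless these daemons are known not to handle it. The binder addresses `"0.0.0.0:80"`, `"0.0.0.0:443"` and `"0.0.0.0:6697"` are IPv4-only, whereas the nginx block removed further down also listened on `[::]:443`, so IPv6 reachability is silently dropped by this change. Finally, the untls processes run as the configuration's `user`/`group` but must read `+privkey.pem+` under `/etc/letsencrypt/live/`, which is root-only in a default certbot layout; confirm that user can read the key, since otherwise the listener will fail at start rather than at deploy time.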
@@ -79,52 +152,6 @@
 (service q:cyrus-sasl-service-type) (service q:dovecot-service-type) (service q:internet-postfix-service-type)
- (service nginx-service-type
- (nginx-configuration
- (server-blocks
- (list
- (nginx-server-configuration
- (server-name (list +tld+))
- (listen '("[::]:443 ssl http2" "443 ssl http2"))
- (root "/srv/www")
- (ssl-certificate (serv:fmt "/etc/letsencrypt/live/~a/fullchain.pem" +tld+))
- (ssl-certificate-key (serv:fmt "/etc/letsencrypt/live/~a/privkey.pem" +tld+))
- (locations
- (list
- (nginx-location-configuration
- (uri "/api/")
- (body
- (list
- ;; FIXME: use this for blue/green deployment
- #;
- (serv:fmt "include /var/run/~a/curr.conf;~%" +tld+))))
- (nginx-location-configuration
- (uri "/git/static/")
- (body
- (list
- (list "alias " cgit "/share/cgit/;"))))
- (nginx-location-configuration
- (uri "/git/")
- (body
- (list
- (list "fastcgi_param SCRIPT_FILENAME " cgit "/lib/cgit/cgit.cgi;")
- #"-
- fastcgi_param PATH_INFO $uri;
- fastcgi_param QUERY_STRING $args;
- fastcgi_param HTTP_HOST $server_name;
- fastcgi_pass localhost:9000;
- rewrite /git(.*) $1 break;
- "#)))))
- (raw-content
- '(#"-
- ssl_protocols TLSv1.3;
- ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
- ssl_prefer_server_ciphers on;
- gzip off; # Disable catch-all compression due to BREACH
- charset UTF-8;
- autoindex on;
- add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains' always;
- "#)))))))
 (service mail-aliases-service-type `(("root" "andre") ("support" ,@(map s1:first +users+))))) |