system.scm: Add specific configuration for deployed services

1 files changed, 79 insertions, 52 deletions

diff --git a/src/guix/system.scm b/src/guix/system.scm
index 9e06878..4f7f389 100644
--- a/src/guix/system.scm
+++ b/src/guix/system.scm
@@ -1,9 +1,11 @@
 (use-modules
+  ((ice-9 match) #:prefix m:)
   ((srfi srfi-1) #:prefix s1:)
   ((xyz euandreh heredoc) #:prefix heredoc:)
   ((org euandre packages) #:prefix pkg:)
   ((org euandre queue) #:prefix q:)
-  (gnu))
+  (gnu)
+  (guix records))
 (use-package-modules
   version-control)
 (use-service-modules
@@ -12,6 +14,7 @@
   mail
   networking
   security
+  shepherd
   ssh
   web)
 (heredoc:enable-syntax)
@@ -41,6 +44,9 @@
             path)
    "src/config/tld.txt"))
 
+(define +cert.pem+    (string-append "/etc/letsencrypt/live/" +tld+ "/cert.pem"))
+(define +privkey.pem+ (string-append "/etc/letsencrypt/live/" +tld+ "/privkey.pem"))
+
 
 
 (define package-symbols
@@ -51,6 +57,73 @@
    #;
    packages:papo.im))  ;; FIXME: move to "website" repository
 
+(define (without-shepherd-services lst)
+  (filter (lambda (extension)
+            (not (eq? shepherd-root-service-type
+                      (service-extension-target extension))))
+          lst))
+
+(define (replacing-shepherd-services service fn)
+  (service-type
+    (inherit service)
+    (extensions
+      (append
+       (without-shepherd-services
+        (service-type-extensions service))
+       (list
+        (service-extension shepherd-root-service-type
+                           fn))))))
+
+(define (with-services-from-args service config-type args)
+  (replacing-shepherd-services
+   service
+   (lambda (config)
+     (m:match config
+       (($ config-type _name _package user group log-file data-directory)
+        (map (lambda (tuple)
+               (let ((provision (s1:first  tuple))
+                     (args      (s1:second tuple)))
+                 (shepherd-service
+                   (provision provision)
+                   (requirement '())
+                   (start
+                     #~(make-forkexec-constructor
+                        (list #$(pkg:cmd-for config-type config)
+                              #$@args)
+                        #:user      #$user
+                        #:group     #$group
+                        #:log-file  #$log-file
+                        #:directory #$data-directory))
+                   (stop #~(make-kill-destructor SIGKILL)))))
+             args))))))
+
+(define binder-service-type
+  (with-services-from-args
+   pkg:binder-service-type
+   pkg:<binder-configuration>; FIXME: /var/run/glaze/redirect/glaze.socket, etc
+   '(((binder-http)  ("0.0.0.0:80"   "/var/run/glaze/redirect.socket"))
+     ((binder-https) ("0.0.0.0:443"  "/var/run/untls/https.socket"))
+     ((binder-ircs)  ("0.0.0.0:6697" "/var/run/untls/ircs.socket")))))
+
+(define glaze-service-type
+  (with-services-from-args
+   pkg:glaze-service-type
+   pkg:<glaze-configuration>
+   '(((glaze-http)  ("-X" "/var/run/glaze/redirect.socket"))
+     ((glaze-https) ("-P/ws:/var/run/wscat/wscat.socket"
+                     ;; -P/git/*:/var/run/fcgiwrap.sock" FIXME
+                     "-P/*:/var/lib/glaze/"
+                     "/var/run/glaze/glaze.socket")))))
+
+(define certs (list +cert.pem+ +privkey.pem+))
+(define untls-service-type
+  (with-services-from-args
+   pkg:untls-service-type
+   pkg:<untls-configuration>
+   `(((untls-https) (,@certs "/var/run/untls/https.socket" "/var/run/glaze/glaze.socket"))
+     ((untls-ircs)  (,@certs "/var/run/untls/ircs.socket"  "/var/run/papod/papod.socket")))))
+
+
 
 (operating-system
   (locale "en_GB.UTF-8")
@@ -65,11 +138,11 @@
       (service ntp-service-type)
       (service dhcp-client-service-type)
       (service fail2ban-service-type)
-      (service pkg:binder-service-type (pkg:binder-configuration (package packages:binder)))
-      (service pkg:glaze-service-type  (pkg:glaze-configuration  (package packages:glaze)))
-      (service pkg:untls-service-type  (pkg:untls-configuration  (package packages:untls)))
-      (service pkg:wscat-service-type  (pkg:wscat-configuration  (package packages:wscat)))
-      (service pkg:papod-service-type  (pkg:papod-configuration  (package packages:papod)))
+      (service binder-service-type    (pkg:binder-configuration (package packages:binder)))
+      (service glaze-service-type     (pkg:glaze-configuration  (package packages:glaze)))
+      (service untls-service-type     (pkg:untls-configuration  (package packages:untls)))
+      (service pkg:wscat-service-type (pkg:wscat-configuration  (package packages:wscat)))
+      (service pkg:papod-service-type (pkg:papod-configuration  (package packages:papod)))
       (service openssh-service-type (q:openssh-default-configuration (pkg:users->keys +users+)))
       (service certbot-service-type (q:tld-certbot-configuration +tld+))
       (service cgit-service-type q:cgit-pre-configuration)
@@ -79,52 +152,6 @@
       (service q:cyrus-sasl-service-type)
       (service q:dovecot-service-type)
       (service q:internet-postfix-service-type)
-      (service nginx-service-type
-        (nginx-configuration
-          (server-blocks
-            (list
-             (nginx-server-configuration
-               (server-name (list +tld+))
-               (listen '("[::]:443 ssl http2" "443 ssl http2"))
-               (root "/srv/www")
-               (ssl-certificate     (serv:fmt "/etc/letsencrypt/live/~a/fullchain.pem" +tld+))
-               (ssl-certificate-key (serv:fmt "/etc/letsencrypt/live/~a/privkey.pem"   +tld+))
-               (locations
-                 (list
-                  (nginx-location-configuration
-                    (uri "/api/")
-                    (body
-                      (list
-                       ;; FIXME: use this for blue/green deployment
-                       #;
-                       (serv:fmt "include /var/run/~a/curr.conf;~%" +tld+))))
-                  (nginx-location-configuration
-                    (uri "/git/static/")
-                    (body
-                      (list
-                       (list "alias " cgit "/share/cgit/;"))))
-                  (nginx-location-configuration
-                    (uri "/git/")
-                    (body
-                      (list
-                       (list "fastcgi_param SCRIPT_FILENAME " cgit "/lib/cgit/cgit.cgi;")
-                       #"-
-                         fastcgi_param PATH_INFO    $uri;
-                         fastcgi_param QUERY_STRING $args;
-                         fastcgi_param HTTP_HOST    $server_name;
-                         fastcgi_pass localhost:9000;
-                         rewrite /git(.*) $1 break;
-                         "#)))))
-               (raw-content
-                 '(#"-
-                     ssl_protocols TLSv1.3;
-                     ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
-                     ssl_prefer_server_ciphers on;
-                     gzip off;  # Disable catch-all compression due to BREACH
-                     charset UTF-8;
-                     autoindex on;
-                     add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains' always;
-                     "#)))))))
       (service mail-aliases-service-type
         `(("root"    "andre")
           ("support" ,@(map s1:first +users+)))))