authorEuAndreh <eu@euandre.org>2024-08-18 16:37:26 -0300
committerEuAndreh <eu@euandre.org>2024-08-18 16:37:26 -0300
commitb848470725ebb1fc16e181e4642d1a1421a7be6a (patch)
treeffe581365c0d23704ba6f949821b231ed4318623 /src/guix/system.scm
parentpackages.scm: Stop using package/inherit (diff)
system.scm: Add specific configuration for deployed services
Diffstat (limited to 'src/guix/system.scm')
-rw-r--r--src/guix/system.scm131
1 files changed, 79 insertions, 52 deletions
diff --git a/src/guix/system.scm b/src/guix/system.scm
index 9e06878..4f7f389 100644
--- a/src/guix/system.scm
+++ b/src/guix/system.scm
@@ -1,9 +1,11 @@
(use-modules
+ ((ice-9 match) #:prefix m:)
((srfi srfi-1) #:prefix s1:)
((xyz euandreh heredoc) #:prefix heredoc:)
((org euandre packages) #:prefix pkg:)
((org euandre queue) #:prefix q:)
- (gnu))
+ (gnu)
+ (guix records))
(use-package-modules
version-control)
(use-service-modules
@@ -12,6 +14,7 @@
mail
networking
security
+ shepherd
ssh
web)
(heredoc:enable-syntax)
@@ -41,6 +44,9 @@
path)
"src/config/tld.txt"))
+(define +cert.pem+ (string-append "/etc/letsencrypt/live/" +tld+ "/cert.pem"))
+(define +privkey.pem+ (string-append "/etc/letsencrypt/live/" +tld+ "/privkey.pem"))
+
(define package-symbols
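Review bot: The added `+cert.pem+` points at the leaf certificate only, whereas the nginx block removed in the last hunk served `fullchain.pem`; the `certs` list in the next hunk hands this path to untls, so unless untls assembles the intermediate chain itself, clients that do not already hold the intermediate will fail to verify the server. The certbot directory selected by `+tld+` already contains `fullchain.pem`, so a separately named binding such as `(define +fullchain.pem+ (string-append "/etc/letsencrypt/live/" +tld+ "/fullchain.pem"))` used in `certs` would restore what nginx was serving. Whichever file is intended, a comment on these two defines stating that untls takes the chain file and the key, in that order, would make the expectation visible.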
@@ -51,6 +57,73 @@
#;
packages:papo.im)) ;; FIXME: move to "website" repository
+(define (without-shepherd-services lst)
+ (filter (lambda (extension)
+ (not (eq? shepherd-root-service-type
+ (service-extension-target extension))))
+ lst))
+
+(define (replacing-shepherd-services service fn)
+ (service-type
+ (inherit service)
+ (extensions
+ (append
+ (without-shepherd-services
+ (service-type-extensions service))
+ (list
+ (service-extension shepherd-root-service-type
+ fn))))))
+
+(define (with-services-from-args service config-type args)
+ (replacing-shepherd-services
+ service
+ (lambda (config)
+ (m:match config
+ (($ config-type _name _package user group log-file data-directory)
+ (map (lambda (tuple)
+ (let ((provision (s1:first tuple))
+ (args (s1:second tuple)))
+ (shepherd-service
+ (provision provision)
+ (requirement '())
+ (start
+ #~(make-forkexec-constructor
+ (list #$(pkg:cmd-for config-type config)
+ #$@args)
+ #:user #$user
+ #:group #$group
+ #:log-file #$log-file
+ #:directory #$data-directory))
+ (stop #~(make-kill-destructor SIGKILL)))))
+ args))))))
+
+(define binder-service-type
+ (with-services-from-args
+ pkg:binder-service-type
+ pkg:<binder-configuration>; FIXME: /var/run/glaze/redirect/glaze.socket, etc
+ '(((binder-http) ("0.0.0.0:80" "/var/run/glaze/redirect.socket"))
+ ((binder-https) ("0.0.0.0:443" "/var/run/untls/https.socket"))
+ ((binder-ircs) ("0.0.0.0:6697" "/var/run/untls/ircs.socket")))))
+
+(define glaze-service-type
+ (with-services-from-args
+ pkg:glaze-service-type
+ pkg:<glaze-configuration>
+ '(((glaze-http) ("-X" "/var/run/glaze/redirect.socket"))
+ ((glaze-https) ("-P/ws:/var/run/wscat/wscat.socket"
+ ;; -P/git/*:/var/run/fcgiwrap.sock" FIXME
+ "-P/*:/var/lib/glaze/"
+ "/var/run/glaze/glaze.socket")))))
+
+(define certs (list +cert.pem+ +privkey.pem+))
+(define untls-service-type
+ (with-services-from-args
+ pkg:untls-service-type
+ pkg:<untls-configuration>
+ `(((untls-https) (,@certs "/var/run/untls/https.socket" "/var/run/glaze/glaze.socket"))
+ ((untls-ircs) (,@certs "/var/run/untls/ircs.socket" "/var/run/papod/papod.socket")))))
+
+
(operating-system
(locale "en_GB.UTF-8")
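Review bot: `(stop #~(make-kill-destructor SIGKILL))` in `with-services-from-args` denies every generated service the chance to shut down cleanly, so the Unix sockets under `/var/run/...` listed in the argument tuples are likely left behind after a stop and a restart may meet stale paths; the default `(make-kill-destructor)` sends SIGTERM and is the safer choice unless these daemons are known to ignore it. In the same function the inner `let` rebinds `args` while the outer parameter `args` is the list being mapped, which is easy to misread, and the `m:match` pattern destructures `config-type` positionally, so a field reordering in packages.scm would silently swap `user`, `group` and `log-file` — a comment such as `;; field order must match the <*-configuration> record in packages.scm` would at least flag it. The binder addresses are `0.0.0.0:...`, which is IPv4-only if binder binds them literally, whereas the removed nginx block also listened on `[::]:443`.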
@@ -65,11 +138,11 @@
(service ntp-service-type)
(service dhcp-client-service-type)
(service fail2ban-service-type)
- (service pkg:binder-service-type (pkg:binder-configuration (package packages:binder)))
- (service pkg:glaze-service-type (pkg:glaze-configuration (package packages:glaze)))
- (service pkg:untls-service-type (pkg:untls-configuration (package packages:untls)))
- (service pkg:wscat-service-type (pkg:wscat-configuration (package packages:wscat)))
- (service pkg:papod-service-type (pkg:papod-configuration (package packages:papod)))
+ (service binder-service-type (pkg:binder-configuration (package packages:binder)))
+ (service glaze-service-type (pkg:glaze-configuration (package packages:glaze)))
+ (service untls-service-type (pkg:untls-configuration (package packages:untls)))
+ (service pkg:wscat-service-type (pkg:wscat-configuration (package packages:wscat)))
+ (service pkg:papod-service-type (pkg:papod-configuration (package packages:papod)))
(service openssh-service-type (q:openssh-default-configuration (pkg:users->keys +users+)))
(service certbot-service-type (q:tld-certbot-configuration +tld+))
(service cgit-service-type q:cgit-pre-configuration)
@@ -79,52 +152,6 @@
(service q:cyrus-sasl-service-type)
(service q:dovecot-service-type)
(service q:internet-postfix-service-type)
- (service nginx-service-type
- (nginx-configuration
- (server-blocks
- (list
- (nginx-server-configuration
- (server-name (list +tld+))
- (listen '("[::]:443 ssl http2" "443 ssl http2"))
- (root "/srv/www")
- (ssl-certificate (serv:fmt "/etc/letsencrypt/live/~a/fullchain.pem" +tld+))
- (ssl-certificate-key (serv:fmt "/etc/letsencrypt/live/~a/privkey.pem" +tld+))
- (locations
- (list
- (nginx-location-configuration
- (uri "/api/")
- (body
- (list
- ;; FIXME: use this for blue/green deployment
- #;
- (serv:fmt "include /var/run/~a/curr.conf;~%" +tld+))))
- (nginx-location-configuration
- (uri "/git/static/")
- (body
- (list
- (list "alias " cgit "/share/cgit/;"))))
- (nginx-location-configuration
- (uri "/git/")
- (body
- (list
- (list "fastcgi_param SCRIPT_FILENAME " cgit "/lib/cgit/cgit.cgi;")
- #"-
- fastcgi_param PATH_INFO $uri;
- fastcgi_param QUERY_STRING $args;
- fastcgi_param HTTP_HOST $server_name;
- fastcgi_pass localhost:9000;
- rewrite /git(.*) $1 break;
- "#)))))
- (raw-content
- '(#"-
- ssl_protocols TLSv1.3;
- ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
- ssl_prefer_server_ciphers on;
- gzip off; # Disable catch-all compression due to BREACH
- charset UTF-8;
- autoindex on;
- add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains' always;
- "#)))))))
(service mail-aliases-service-type
`(("root" "andre")
("support" ,@(map s1:first +users+)))))