;; Guix `operating-system` declaration for this host.  Host-specific
;; values (addresses, TLD, keys) are read from files under src/config/
;; and src/keys/, resolved relative to the repository root, so the same
;; declaration can be rebuilt from a checkout without editing this file.
(use-modules ((ice-9 match) #:prefix m:)
             ((srfi srfi-1) #:prefix s1:)
             ((xyz euandreh heredoc) #:prefix heredoc:)
             ((org euandre packages) #:prefix pkg:)
             ((org euandre queue) #:prefix q:)
             (gnu)
             (guix git-download)
             (guix packages)
             (guix transformations)
             (guix utils))
(use-package-modules)
(use-service-modules certbot cgit dns mail networking security shepherd ssh)

(heredoc:enable-syntax)

;; Repository root.  This file is src/guix/system.scm, so three
;; `dirname` steps (../../../) from its own location land on ./ .
(define +working-dir+
  (dirname (dirname (dirname (current-filename)))))

;; Absolute path of S, a path given relative to the repository root.
(define (path s)
  (pkg:str +working-dir+ "/" s))

;; One entry per human account.  The shape appears to be
;; (login full-name supplementary-groups ssh-public-key-path); it is
;; consumed by pkg:user-accounts and pkg:users->keys below, and the
;; logins double as the "support" mail alias targets.
(define +users+
  `(("andre"
     "EuAndreh"
     ("wheel" "become-secrets-keeper")
     ,(path "src/keys/SSH/andre.pub.txt"))))

;; Contents of the repository file S, with trailing whitespace (the
;; usual final newline) stripped so the value can be spliced into
;; host names and paths directly.
(define (file s)
  (string-trim-right (pkg:slurp (path s))))

(define +ipv4+        (file "src/config/ipv4.txt"))
(define +ipv6+        (file "src/config/ipv6.txt"))
(define +tld+         (file "src/config/tld.txt"))
(define +root-pubkey+ (file "src/config/root-pubkey.txt"))
(define +known-hosts+ (file "src/config/known-hosts.txt"))
(define +offsite-ssh+ (file "src/config/offsite-ssh.txt"))

;; Live certificate and private key as laid out by certbot for +tld+
;; (the certbot-service-type below keeps them renewed).  Both are
;; handed to the untls TLS terminators.
(define +cert.pem+
  (pkg:str "/etc/letsencrypt/live/" +tld+ "/cert.pem"))
(define +privkey.pem+
  (pkg:str "/etc/letsencrypt/live/" +tld+ "/privkey.pem"))

;; Return PKG rebuilt at the commit recorded in src/versions/<name>.txt,
;; using the same `--with-commit=<name>=<commit>` transformation the
;; guix CLI offers.  Pinning to an explicit commit keeps the deployed
;; revision reproducible and reviewable in git.
(define (latest pkg)
  (let ((name (package-name pkg)))
    (let* ((version   (file (pkg:fmt "src/versions/~a.txt" name)))
           (pin       (pkg:fmt "~a=~a" name version))
           (transform (options->transformation `((with-commit . ,pin)))))
      (transform pkg))))

(define package-symbols '())

;; FIXME: move to "website" repository
(define package-records
  (list #; packages:papo.im))

;; Shepherd listener services: each entry is ((service-name) (args...)).
;; binder accepts on the public address/port and forwards to a local
;; Unix socket owned by the next hop (glaze for plain HTTP, untls for
;; the TLS ports).
(define binder-service-type
  (pkg:with-services-from-args
   pkg:binder-service-type
   pkg:
   ;; FIXME: /var/run/glaze/redirect/glaze.socket, etc
   '(((binder-http)  ("0.0.0.0:80"   "/var/run/glaze/redirect.socket"))
     ((binder-https) ("0.0.0.0:443"  "/var/run/untls/https.socket"))
     ((binder-ircs)  ("0.0.0.0:6697" "/var/run/untls/ircs.socket")))))

;; glaze instances: glaze-http only redirects ("-X"); glaze-https serves
;; /var/lib/glaze/ and proxies /ws to wscat, listening on its own socket
;; behind untls.
(define glaze-service-type
  (pkg:with-services-from-args
   pkg:glaze-service-type
   pkg:
   '(((glaze-http)  ("-X" "/var/run/glaze/redirect.socket"))
     ((glaze-https) ("-P/ws:/var/run/wscat/wscat.socket"
                     ;; -P/git/*:/var/run/fcgiwrap.sock" FIXME
                     "-P/*:/var/lib/glaze/"
                     "/var/run/glaze/glaze.socket")))))

(define certs
  (list +cert.pem+ +privkey.pem+))

;; untls terminates TLS with the host certificate and relays the
;; plaintext stream to the local backend socket (glaze or papod).
(define untls-service-type
  (pkg:with-services-from-args
   pkg:untls-service-type
   pkg:
   `(((untls-https) (,@certs
                     "/var/run/untls/https.socket"
                     "/var/run/glaze/glaze.socket"))
     ((untls-ircs)  (,@certs
                     "/var/run/untls/ircs.socket"
                     "/var/run/papod/papod.socket")))))

(operating-system
  (locale "fr_FR.UTF-8")
  (timezone "America/Sao_Paulo")
  (host-name +tld+)
  (skeletons pkg:skeletons)
  (users (append (pkg:user-accounts +users+)
                 %base-user-accounts))
  (sudoers-file pkg:syskeep-sudoers-file)
  (packages (pkg:package-set package-symbols package-records))
  (services
   (append
    (list (service ntp-service-type)
          (service dhcp-client-service-type)
          ;; NOTE(review): no fail2ban jail extension is visible in this
          ;; file; confirm that an sshd jail is actually enabled, otherwise
          ;; the service runs without banning anything.
          (service fail2ban-service-type)
          ;; (service binder-service-type
          ;;          (pkg:binder-configuration
          ;;           (package (latest pkg:binder))))
          ;; (service glaze-service-type
          ;;          (pkg:glaze-configuration
          ;;           (package (latest pkg:glaze))))
          ;; (service untls-service-type
          ;;          (pkg:untls-configuration
          ;;           (package (latest pkg:untls))))
          ;; (service pkg:wscat-service-type
          ;;          (pkg:wscat-configuration
          ;;           (package (latest pkg:wscat))))
          ;; (service pkg:papod-service-type
          ;;          (pkg:papod-configuration
          ;;           (package (latest pkg:papod))))
          (service knot-service-type
                   (q:knot-zones-configuration +tld+ +ipv4+ +ipv6+))
          ;; Authorized keys come from +users+ only; see q:openssh-default-
          ;; configuration for the remaining sshd settings.
          (service openssh-service-type
                   (q:openssh-default-configuration
                    (pkg:users->keys +users+)))
          (service certbot-service-type
                   (q:tld-certbot-configuration +tld+))
          (service pkg:syskeep-service-type)
          ;; export-all? #t: if this mirrors git-daemon's --export-all,
          ;; every repository under the served path is readable without a
          ;; per-repository git-daemon-export-ok marker, so only public
          ;; repositories should live there.
          (service pkg:git-service-type
                   (pkg:git-configuration
                    (export-all? #t)
                    (run-server? #t)))
          (service q:shadow-group-service-type)
          (service q:dkimproxyout-service-type)
          (service q:cyrus-sasl-service-type)
          (service q:dovecot-service-type)
          (service q:internet-postfix-service-type)
          ;; Host-specific files installed under /etc: root's SSH public
          ;; key, the pinned known_hosts, and offsite-ssh.txt.
          (simple-service 'host-specific-etc-file etc-service-type
                          `(("id_rsa.pub"
                             ,(plain-file "id_rsa.pub" +root-pubkey+))
                            ("known_hosts"
                             ,(plain-file "known-hosts.txt" +known-hosts+))
                            ("offsite-ssh.txt"
                             ,(plain-file "offsite-ssh.txt" +offsite-ssh+))))
          ;; root mail goes to andre; support mail fans out to every login
          ;; in +users+.
          (service mail-aliases-service-type
                   `(("root" "andre")
                     ("support" ,@(map s1:first +users+)))))
    pkg:base-services))
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets '("/dev/vda"))))
  (file-systems
   (append
    (list (file-system
            (mount-point "/")
            (device (uuid "da72be6a-0c6b-4874-a57f-2046fcba13af" 'btrfs))
            (type "btrfs"))
          (file-system
            (mount-point "/mnt/production")
            (needed-for-boot? #t)
            (device (uuid "c50ad9fa-c7a1-49a1-93d2-6633f3cf929f" 'btrfs))
            (type "btrfs"))
          (file-system
            (mount-point "/mnt/backup")
            (device (uuid "d675e98c-3f48-44d1-b085-36c476d9313f" 'btrfs))
            (type "btrfs")))
    %base-file-systems))
  (swap-devices
   (list (swap-space
          ;; The swap file was created once by hand:
          ;; # rm -f /swapfile
          ;; # truncate -s 0 /swapfile
          ;; # chattr +C /swapfile
          ;; # fallocate -l 8G /swapfile
          ;; # chmod 600 /swapfile
          ;; # mkswap /swapfile
          ;; # swapon /swapfile
          (target "/swapfile")
          ;; /swapfile sits on "/", so swapon must wait for that mount.
          (dependencies (filter (file-system-mount-point-predicate "/")
                                file-systems)))
         (swap-space
          (target (uuid "fde5e4a8-acc2-4c9a-9712-5494724c2c04"))))))