(use-modules
((xyz euandreh heredoc) #:prefix heredoc:)
((org euandre packages) #:prefix pkg:)
((org euandre queue) #:prefix q:)
(gnu))
(use-package-modules
version-control
web)
(use-service-modules
certbot
cgit
dns
mail
networking
security
ssh
vpn
web)
;; Enable the #"- ... "# multi-line raw-string reader syntax that the nginx
;; snippets in the operating-system below are written in.
(heredoc:enable-syntax)
;; Repository root.  This file is src/guix/system.scm, so the root is three
;; directory levels above it.
(define +working-dir+
  (let climb ((dir (current-filename)) (levels 3))
    (if (zero? levels)
        dir
        (climb (dirname dir) (- levels 1)))))
;; Turn a repository-relative path into an absolute one under +working-dir+.
(define path
  (lambda (relative)
    (pkg:str +working-dir+ "/" relative)))
;; Interactive accounts, one entry per user:
;;   (login  full-name  supplementary-groups  ssh-public-key-file)
;; The exact shape is whatever pkg:user-accounts and pkg:users->keys expect --
;; confirm there before adding fields.
(define +users+
  (list
   (list "andreh"
         "EuAndreh"
         (list "wheel" "become-secrets-keeper")
         (path "src/keys/SSH/andreh.pub.txt"))))
;; Read the repository file at relative path S and strip trailing whitespace,
;; so a terminating newline does not leak into the configuration value.
(define (file s)
  (string-trim-right (pkg:slurp (path s))))
;; Host-specific values kept outside this file, one per text file under
;; src/config/.  The public key and known_hosts entries are trust anchors
;; installed into /etc further down, so they are versioned alongside the
;; system definition.
(define-values (+ipv4+ +ipv6+ +tld+ +root-pubkey+ +known-hosts+ +offsite-ssh+)
  (let* ((ipv4 (file "src/config/ipv4.txt"))
         (ipv6 (file "src/config/ipv6.txt"))
         (tld (file "src/config/tld.txt"))
         (root-pubkey (file "src/config/root-pubkey.txt"))
         (known-hosts (file "src/config/known-hosts.txt"))
         (offsite-ssh (file "src/config/offsite-ssh.txt")))
    (values ipv4 ipv6 tld root-pubkey known-hosts offsite-ssh)))
;; Packages referenced by symbol; resolved by pkg:package-set.
(define package-symbols
  (list 'ffmpegx 'node))
;; Packages passed as records rather than symbols.
(define package-records
  (cons pkg:euandre.org '()))
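;; The production host: a single Guix system that serves the static site and
;; cgit over HTTPS, hosts git/pijul over SSH, runs authoritative DNS and the
;; mail stack for +tld+, and joins the private WireGuard network.
(operating-system
  (locale "fr_FR.UTF-8")
  (timezone "America/Sao_Paulo")
  (host-name +tld+)
  (skeletons pkg:skeletons)
  (users
   (append
    (pkg:user-accounts +users+)
    (list
     ;; Dedicated login for pijul over SSH.  Its authorized key is added in
     ;; the openssh service below and is the same key file as the "andreh"
     ;; entry in +users+.
     (user-account
      (name "pijul")
      (group "pijul")
      (system? #t)
      (comment "Pijul SSH user")
      (home-directory "/srv/pijul")
      (create-home-directory? #t)))
    %base-user-accounts))
  (groups
   (append
    (list
     (user-group
      (name "pijul")
      (system? #t)))
    %base-groups))
  (sudoers-file pkg:syskeep-sudoers-file)
  (packages (pkg:package-set package-symbols package-records))
  (services
   (append
    (list
     (service ntp-service-type)
     (service dhcp-client-service-type)
     ;; Authoritative DNS for +tld+, pointing at this host's public addresses.
     (service knot-service-type
              (q:knot-zones-configuration +tld+ +ipv4+ +ipv6+))
     ;; SSH authorized keys: every user from +users+ plus the pijul account.
     ;; Whatever else q:openssh-default-configuration sets (password auth,
     ;; root login) lives in the queue module -- confirm there.
     (service openssh-service-type
              (q:openssh-default-configuration
               (append
                (pkg:users->keys +users+)
                `(("pijul"
                   ,(plain-file
                     "pijul-andreh-id_rsa.pub"
                     (pkg:slurp
                      (path "src/keys/SSH/andreh.pub.txt"))))))))
     ;; Let's Encrypt certificate for +tld+; the ssl-certificate paths in the
     ;; nginx block must match the live/ directory certbot writes.
     (service certbot-service-type
              (q:tld-certbot-configuration +tld+))
     (service nginx-service-type
              (nginx-configuration
               (server-blocks
                (list
                 (nginx-server-configuration
                  (server-name (list +tld+))
                  ;; HTTPS only.  The plain-HTTP listener (ACME challenges and
                  ;; the redirect to 443) is presumably contributed by
                  ;; certbot-service-type -- confirm.
                  (listen '("[::]:443 ssl" "443 ssl"))
                  (root "/srv/www")
                  (index '())
                  (ssl-certificate
                   (pkg:fmt "/etc/letsencrypt/live/~a/fullchain.pem" +tld+))
                  (ssl-certificate-key
                   (pkg:fmt "/etc/letsencrypt/live/~a/privkey.pem" +tld+))
                  (locations
                   (list
                    ;; Canonicalise ".../index.html" URLs to the directory form.
                    (nginx-location-configuration
                     (uri "~ ^(.*)/index\\.html$")
                     (body
                      '(#"-
if ($request_uri ~ /index\.html$) {
rewrite ^(.*)/index\.html$ $1/ permanent;
}
"#)))
                    ;; Reverse proxy to "novinho" (10.0.0.5 over WireGuard, see
                    ;; the hosts aliases below).  The wildcard CORS header makes
                    ;; /live/ responses readable from any origin.  nginx stops
                    ;; inheriting server-level add_header directives as soon as
                    ;; a location declares its own, so HSTS is repeated here;
                    ;; otherwise /live/ responses would be sent without it.
                    (nginx-location-configuration
                     (uri "/live/")
                     (body
                      '(#"-
rewrite /live(.*) $1 break;
add_header Access-Control-Allow-Origin *;
add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains' always;
proxy_pass http://novinho:4219;
"#)))
                    ;; CGI under /srv/www/b/ through the FastCGI backend on
                    ;; localhost:9000 (presumably the fcgiwrap that
                    ;; cgit-service-type starts -- confirm).  nginx's stock
                    ;; fastcgi.conf derives SCRIPT_FILENAME from
                    ;; $document_root, so any file placed under /srv/www/b/
                    ;; becomes executable through this endpoint; PATH is
                    ;; pinned to the system profile.
                    (nginx-location-configuration
                     (uri "/b/")
                     (body
                      (list
                       (list "include " nginx "/share/nginx/conf/fastcgi.conf;")
                       #"-
fastcgi_param PATH /run/current-system/profile/bin;
fastcgi_pass localhost:9000;
"#)))
                    ;; Same backend using the bare fastcgi_params (no
                    ;; SCRIPT_FILENAME), with the /gistatic prefix stripped.
                    (nginx-location-configuration
                     (uri "/gistatic/")
                     (body
                      (list
                       (list
                        "include " nginx "/share/nginx/conf/fastcgi_params;")
                       #"-
fastcgi_param PATH /run/current-system/profile/bin;
fastcgi_pass localhost:9000;
rewrite /gistatic(.*) $1 break;
"#)))
                    ;; cgit's static assets, served straight from the package.
                    (nginx-location-configuration
                     (uri "/git/static/")
                     (body
                      (list
                       (list "alias " cgit "/share/cgit/;"))))
                    ;; cgit itself via FastCGI, with the /git prefix stripped.
                    (nginx-location-configuration
                     (uri "/git/")
                     (body
                      (list
                       (list
                        "fastcgi_param SCRIPT_FILENAME "
                        cgit
                        "/lib/cgit/cgit.cgi;")
                       #"-
fastcgi_param PATH /run/current-system/profile/bin;
fastcgi_param PATH_INFO $uri;
fastcgi_param QUERY_STRING $args;
fastcgi_param HTTP_HOST $server_name;
fastcgi_pass localhost:9000;
rewrite /git(.*) $1 break;
"#)))))
                  ;; Server-wide TLS and content settings.  With ssl_protocols
                  ;; limited to TLSv1.3 the ssl_ciphers list is effectively
                  ;; inert under OpenSSL (it only governs TLS <= 1.2 suites);
                  ;; it is kept for the day an older protocol is re-enabled.
                  ;; Dynamic gzip stays off (BREACH) and only pre-compressed
                  ;; .gz files are served.  autoindex applies to the whole
                  ;; static tree, so directories without an index are listed.
                  (raw-content
                   '(#"-
ssl_protocols TLSv1.3;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
ssl_prefer_server_ciphers on;
gzip off; # Disable dynamic compression altogether due to BREACH
gzip_static on;
charset utf-8;
autoindex on;
add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains' always;
types {
text/html html;
text/css css;
text/javascript mjs;
text/xml xml;
text/plain txt;
application/atom+xml atom;
application/gzip gz;
application/pdf pdf;
application/x-bittorrent torrent;
image/vnd.microsoft.icon ico;
image/png png;
image/svg+xml svg;
audio/flac flac;
audio/ogg ogg;
video/webm webm;
}
"#)))))))
     (service cgit-service-type q:cgit-pre-configuration)
     (service pkg:syskeep-service-type
              (pkg:syskeep-configuration
               (tld +tld+)))
     (service pkg:cicd-service-type)
     (service pkg:git-service-type
              (pkg:git-configuration
               (export-all? #t)
               (run-server? #t)))
     ;; Names for the WireGuard peers; "toph" is this host.
     (simple-service 'add-wireguard-aliases hosts-service-type
                     (list
                      (host "10.0.0.0" "toph")
                      (host "10.0.0.1" "velhinho")
                      (host "10.0.0.2" "azula")
                      (host "10.0.0.5" "novinho")))
     ;; Private network between the hosts.  Each peer is pinned to a single
     ;; /32, so a peer cannot send traffic as another tunnel address.  The
     ;; local private key is not set here and falls back to the
     ;; wireguard-configuration default.
     (service wireguard-service-type
              (wireguard-configuration
               (addresses '("10.0.0.0/32"))
               (peers
                (list
                 (wireguard-peer
                  (name "velhinho")
                  (public-key "Mhv8KxB/QXQpNKNtqD57PoFv43TXJ1lg52PJd6TmtwI=")
                  (allowed-ips '("10.0.0.1/32"))
                  (keep-alive 25))
                 (wireguard-peer
                  (name "azula")
                  (public-key "8IxSFlJoFuTzLtIkoKZH4CkUbIxd6++E0lBOin/7rT8=")
                  (allowed-ips '("10.0.0.2/32"))
                  (keep-alive 25))
                 (wireguard-peer
                  (name "novinho")
                  (public-key "WKOAyNVPxYB9H7ga1A0DfUrZGMUFyC3RCIvUC7u9/RA=")
                  (allowed-ips '("10.0.0.5/32"))
                  (keep-alive 25))))))
     ;; Mail stack and its supporting services; all q: services are
     ;; project-local definitions from (org euandre queue).
     (service q:shadow-group-service-type)
     (service q:dkimproxyout-service-type)
     (service q:cyrus-sasl-service-type)
     (service q:dovecot-service-type)
     (service q:internet-postfix-service-type)
     ;; Host-specific files under /etc, built from the src/config values.
     ;; NOTE(review): OpenSSH itself reads /etc/ssh/ssh_known_hosts, not
     ;; /etc/known_hosts, so these are presumably consumed by the
     ;; syskeep/backup tooling -- confirm.
     (simple-service 'host-specific-etc-file etc-service-type
                     `(("id_rsa.pub" ,(plain-file "id_rsa.pub" +root-pubkey+))
                       ("known_hosts" ,(plain-file "known-hosts.txt" +known-hosts+))
                       ("offsite-ssh.txt" ,(plain-file "offsite-ssh.txt" +offsite-ssh+))))
     ;; Mail for root, eu@ and the list address is delivered to andreh.
     (service mail-aliases-service-type
              '(("root" "andreh")
                ("eu" "andreh")
                ("mailing-list" "andreh"))))
    pkg:base-services))
  (bootloader
   (bootloader-configuration
    (bootloader grub-bootloader)
    (targets '("/dev/vda"))))
  (file-systems
   (append
    (list
     (file-system
      (mount-point "/")
      (device
       (uuid "4c36d5ad-f996-413e-a55c-c05b7e1876f2" 'btrfs))
      (type "btrfs"))
     ;; Mounted early because the swap file below lives on it.
     (file-system
      (mount-point "/mnt/production")
      (needed-for-boot? #t)
      (device
       (uuid "b1a7e4a1-a8ea-48a4-ab8b-884a1b6a9c11" 'btrfs))
      (type "btrfs"))
     (file-system
      (mount-point "/mnt/backup")
      (device
       (uuid "6632849d-f180-4740-86e6-a519d43ab75a" 'btrfs))
      (type "btrfs")))
    %base-file-systems))
  (swap-devices
   (list
    ;; Swap file on btrfs, created by hand with the steps below (chattr +C
    ;; turns off copy-on-write, which btrfs needs for a swap file):
    ;; # rm -f /swapfile
    ;; # truncate -s 0 /swapfile
    ;; # chattr +C /swapfile
    ;; # fallocate -l 8G /swapfile
    ;; # chmod 600 /swapfile
    ;; # mkswap /swapfile
    ;; # swapon /swapfile
    (swap-space
     (target "/mnt/production/swapfile")
     ;; Only activate once /mnt/production is mounted.
     (dependencies
      (filter (file-system-mount-point-predicate "/mnt/production")
              file-systems)))
    (swap-space
     (target
      (uuid "94b47d91-3542-438a-84a9-859fe347ce09"))))))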