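;; Guix System declaration for the VPS plus the machine list consumed by
;; `guix deploy`.  The file's value is the final `list` of machines.
;;
;; `slurp` is not defined in this file (presumably a read-file-as-string
;; helper provided by whatever loads it); host name and public domain are
;; read from servers/vps/*.txt so that no site-specific names live here.
(use-modules (guix gexp)
             (gnu)
             (guix)
             ((guix build utils) #:prefix utils:)
             ((guix modules) #:prefix modules:)
             ((srfi srfi-1) #:prefix srfi-1:)
             (srfi srfi-26)                              ; cut utility
             ((ice-9 textual-ports) #:prefix textual-ports:)
             ((ice-9 ftw) #:prefix ftw:)
             ((ice-9 popen) #:prefix popen:)
             ((ice-9 rdelim) #:prefix rdelim:)
             ((ice-9 string-fun) #:prefix string-fun:))
(use-package-modules ssh backup version-control)
(use-service-modules networking ssh mcron admin mail web certbot cgit)

;; The single administrative account; also the SSH login used by `guix deploy`.
(define user "andreh")

;; Public DNS name of the host, kept outside this file.
(define tld (slurp "servers/vps/tld.txt"))

;; permit nopass :wheel
;;
;; Members of `wheel` get passwordless root.  Because sshd below accepts only
;; public keys and refuses root logins, the SSH key of USER is effectively a
;; root credential: whoever holds it gets root with no further challenge.
(define sudoers "\
root ALL=(ALL) ALL
%wheel ALL=NOPASSWD: ALL\n")

;; Certbot stores each certificate under this prefix, in a directory named
;; after the domain.
(define letsencrypt-prefix "/etc/letsencrypt/live/")

;; Path of the full certificate chain issued for DOMAIN.
(define (tls-pub-for domain)
  (string-append letsencrypt-prefix domain "/fullchain.pem"))

;; Path of the private key issued for DOMAIN.
(define (tls-priv-for domain)
  (string-append letsencrypt-prefix domain "/privkey.pem"))

;; Domains that get a certificate and that nginx answers for.
(define tls-domains (list tld))

(define my-system
  (operating-system
    (host-name (slurp "servers/vps/hostname.txt"))

    (users (cons* (user-account
                   (name user)
                   (group "users")
                   (home-directory (string-append "/home/" user))
                   ;; wheel => passwordless sudo, see `sudoers` above.
                   (supplementary-groups '("wheel")))
                  %base-user-accounts))

    (sudoers-file (plain-file "sudoers" sudoers))

    (packages (append (map (compose list specification->package+output symbol->string)
                           ;; required for guix pull
                           '(nss-certs))
                      %base-packages))

    (services
     (append
      (list (service dhcp-client-service-type)

            ;; Key-only SSH, no root login.  The deploying machine's
            ;; ~/.ssh/id_rsa.pub (read where `guix deploy` runs, via HOME) is
            ;; the only key authorized for USER.
            (service openssh-service-type
                     (openssh-configuration
                      (openssh openssh-sans-x)
                      (password-authentication? #f)
                      (permit-root-login #f)
                      (authorized-keys
                       `((,user ,(local-file
                                  (string-append (getenv "HOME")
                                                 "/.ssh/id_rsa.pub")))))))

            ;; git:// access.  `service` takes a service type, hence
            ;; `git-daemon-service-type` rather than the `git-daemon-service`
            ;; procedure.  `export-all? #t` serves every repository under the
            ;; daemon's base path without the per-repository
            ;; git-daemon-export-ok marker, so nothing private may live there.
            (service git-daemon-service-type
                     (git-daemon-configuration
                      (export-all? #t)))

            ;; Unattended system upgrade, daily at 03:30.
            (service unattended-upgrade-service-type
                     (unattended-upgrade-configuration
                      (schedule "30 3 * * *")))

            ;; Weekly GC (Monday 01:30) and nightly backup (00:30); both
            ;; scripts live outside the store under /opt/bin, so they are not
            ;; managed by this declaration.
            (service mcron-service-type
                     (mcron-configuration
                      (jobs (list #~(job "30 1 * * 1" "/opt/bin/gc.sh")
                                  #~(job "30 0 * * *" "/opt/bin/backup.sh")))))

            ;; One HTTPS server block for TLD.  `ssl-certificate` and
            ;; `ssl-certificate-key` are fields of the server block, so they
            ;; belong inside `nginx-server-configuration`, not next to it in
            ;; the `server-blocks` list.
            ;; NOTE(review): these paths exist only after certbot's first
            ;; successful run -- confirm the bootstrap order on a fresh host.
            (service nginx-service-type
                     (nginx-configuration
                      (server-blocks
                       (list (nginx-server-configuration
                              (server-name tls-domains)
                              (ssl-certificate (tls-pub-for tld))
                              (ssl-certificate-key (tls-priv-for tld)))))))

            ;; Let's Encrypt certificates for TLS-DOMAINS via certbot.
            (service certbot-service-type
                     (certbot-configuration
                      (email (string-append "certbot@" tld))
                      (certificates
                       (list (certificate-configuration
                              (domains tls-domains)))))))

      (modify-services %base-services
        ;; Trust the deploying machine's store signing key (its
        ;; /etc/guix/signing-key.pub, read at deploy time) in addition to the
        ;; default keys, so that machine can push store items to this host.
        ;; Anyone holding that private key can feed this host store items.
        (guix-service-type config =>
                           (guix-configuration
                            (inherit config)
                            (authorized-keys
                             (append (list (local-file "/etc/guix/signing-key.pub"))
                                     %default-authorized-guix-keys)))))))

    (bootloader (bootloader-configuration
                 (bootloader grub-bootloader)
                 (target "/dev/vda")
                 (terminal-outputs '(console))))

    (swap-devices (list (uuid "79a91c82-f3e1-4ed7-8c4e-23569f1ae0ca")))

    (file-systems (cons* (file-system
                          (mount-point "/")
                          (device (uuid "fddb6a4c-8b8c-4f57-b274-5d6d33200f28" 'ext4))
                          (type "ext4"))
                         %base-file-systems))))

;; Deployment target.  `guix deploy` connects over SSH as USER to TLD;
;; `host-key` pins the server's SSH host key so a mismatch fails the deploy
;; instead of trusting whatever key the peer presents.
(list (machine
       (operating-system my-system)
       (environment managed-host-environment-type)
       (configuration (machine-ssh-configuration
                       (host-name tld)
                       (system "x86_64-linux")
                       (user user)
                       (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwnnw/u8ub+kcQhnVSyNWarYGH8aesUwIy4SIprufKf")))))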