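;;; Guix `operating-system' for the public host: authoritative DNS (knot),
;;; SSH, Let's Encrypt certificates via certbot, nginx in front of cgit and
;;; CGI scripts, mail (postfix, dovecot, dkimproxy, cyrus-sasl) and a
;;; WireGuard mesh to the other machines.  Host-specific values are read from
;;; files under src/config/ rather than being written into this file.
(use-modules ((xyz euandreh heredoc) #:prefix heredoc:)
             ((org euandre packages) #:prefix pkg:)
             ((org euandre queue) #:prefix q:)
             (gnu))
(use-package-modules version-control web)
(use-service-modules certbot cgit dns mail networking security ssh vpn web)

;; Turns on the #"- ... "# reader syntax used for the multi-line nginx
;; snippets below.
(heredoc:enable-syntax)

(define +working-dir+
  ;; src/guix/system.scm + ../../../ = ./
  (dirname (dirname (dirname (current-filename)))))

;; Absolute path of S, given relative to the repository root.
(define (path s)
  (pkg:str +working-dir+ "/" s))

;; One entry per account:
;; (login full-name supplementary-groups ssh-public-key-file).
(define +users+
  `(("andreh" "EuAndreh" ("wheel" "become-secrets-keeper")
     ,(path "src/keys/SSH/andreh.pub.txt"))))

;; Contents of a repository file, minus trailing whitespace and newline.
(define file
  (compose string-trim-right pkg:slurp path))

(define +ipv4+        (file "src/config/ipv4.txt"))
(define +ipv6+        (file "src/config/ipv6.txt"))
(define +tld+         (file "src/config/tld.txt"))
(define +root-pubkey+ (file "src/config/root-pubkey.txt"))
(define +known-hosts+ (file "src/config/known-hosts.txt"))
(define +offsite-ssh+ (file "src/config/offsite-ssh.txt"))

;; Packages for the system profile, resolved by pkg:package-set: one list of
;; symbols and one of package records (currently none of the latter).
(define package-symbols '(ffmpegx))
(define package-records (list))

(operating-system
  (locale "fr_FR.UTF-8")
  (timezone "America/Sao_Paulo")
  (host-name +tld+)
  (skeletons pkg:skeletons)
  (users (append (pkg:user-accounts +users+)
                 %base-user-accounts))
  (sudoers-file pkg:syskeep-sudoers-file)
  (packages (pkg:package-set package-symbols package-records))
  (services
   (append
    (list
     (service ntp-service-type)
     (service dhcp-client-service-type)
     ;; Authoritative DNS for +tld+, built from this host's addresses.
     (service knot-service-type
              (q:knot-zones-configuration +tld+ +ipv4+ +ipv6+))
     ;; The SSH keys handed to sshd are the ones declared in +users+.
     (service openssh-service-type
              (q:openssh-default-configuration (pkg:users->keys +users+)))
     (service certbot-service-type
              (q:tld-certbot-configuration +tld+))
     (service nginx-service-type
              (nginx-configuration
               (server-blocks
                (list
                 (nginx-server-configuration
                  (server-name (list +tld+))
                  ;; This block is TLS only; the certificate paths are the
                  ;; ones certbot maintains for +tld+.  Plain-HTTP handling
                  ;; (ACME challenges) is presumably provided by the certbot
                  ;; service rather than declared here.
                  (listen '("[::]:443 ssl" "443 ssl"))
                  (root "/srv/www")
                  (index '())
                  (ssl-certificate
                   (pkg:fmt "/etc/letsencrypt/live/~a/fullchain.pem" +tld+))
                  (ssl-certificate-key
                   (pkg:fmt "/etc/letsencrypt/live/~a/privkey.pem" +tld+))
                  (locations
                   (list
                    ;; Canonicalise ".../index.html" to ".../" with a
                    ;; permanent redirect.
                    (nginx-location-configuration
                     (uri "~ ^(.*)/index\\.html$")
                     (body '(#"-
                               if ($request_uri ~ /index\.html$) {
                                 rewrite ^(.*)/index\.html$ $1/ permanent;
                               }
                             "#)))
                    ;; Reverse proxy to the "novinho" WireGuard peer, readable
                    ;; from any origin.  nginx inherits add_header from the
                    ;; server block only when a location defines none of its
                    ;; own, so the HSTS header from raw-content is repeated
                    ;; here; without it /live/ responses would carry no HSTS.
                    (nginx-location-configuration
                     (uri "/live/")
                     (body '(#"-
                               rewrite /live(.*) $1 break;
                               add_header Access-Control-Allow-Origin *;
                               add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains' always;
                               proxy_pass http://novinho:4219;
                             "#)))
                    ;; CGI directory.  The stock fastcgi.conf sets
                    ;; SCRIPT_FILENAME to $document_root$fastcgi_script_name,
                    ;; so the requested file under /srv/www/b/ is what the
                    ;; FastCGI backend on :9000 executes.  The backend itself
                    ;; is configured elsewhere (presumably fcgiwrap).
                    (nginx-location-configuration
                     (uri "/b/")
                     (body (list
                            (list "include " nginx "/share/nginx/conf/fastcgi.conf;")
                            #"-
                              fastcgi_param PATH /run/current-system/profile/bin;
                              fastcgi_pass localhost:9000;
                            "#)))
                    ;; Every /gistatic/ request is handled by one fixed
                    ;; script; the rewrite strips the prefix from the URI the
                    ;; script sees.
                    (nginx-location-configuration
                     (uri "/gistatic/")
                     (body (list
                            (list "include " nginx "/share/nginx/conf/fastcgi_params;")
                            (list "fastcgi_param SCRIPT_FILENAME /srv/www/bin/cgi.sh;")
                            #"-
                              fastcgi_param PATH /run/current-system/profile/bin;
                              fastcgi_pass localhost:9000;
                              rewrite /gistatic(.*) $1 break;
                            "#)))
                    ;; cgit's static assets, served straight from the store.
                    (nginx-location-configuration
                     (uri "/git/static/")
                     (body (list (list "alias " cgit "/share/cgit/;"))))
                    ;; cgit proper, through the same FastCGI backend.
                    (nginx-location-configuration
                     (uri "/git/")
                     (body (list
                            (list "fastcgi_param SCRIPT_FILENAME " cgit "/lib/cgit/cgit.cgi;")
                            #"-
                              fastcgi_param PATH /run/current-system/profile/bin;
                              fastcgi_param PATH_INFO $uri;
                              fastcgi_param QUERY_STRING $args;
                              fastcgi_param HTTP_HOST $server_name;
                              fastcgi_pass localhost:9000;
                              rewrite /git(.*) $1 break;
                            "#)))))
                  ;; Server-wide TLS and response settings.  ssl_ciphers and
                  ;; ssl_prefer_server_ciphers only govern TLS <= 1.2, so
                  ;; they have no effect while TLSv1.3 is the sole protocol.
                  ;; Dynamic gzip stays off because of BREACH.  autoindex is
                  ;; on, so directory listings are served for the whole tree
                  ;; under /srv/www that is not covered by a location above.
                  (raw-content '(#"-
                                  ssl_protocols TLSv1.3;
                                  ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
                                  ssl_prefer_server_ciphers on;
                                  gzip off; # Disable dynamic compression altogether due to BREACH
                                  gzip_static on;
                                  charset utf-8;
                                  autoindex on;
                                  add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains' always;
                                "#)))))))
     (service cgit-service-type q:cgit-pre-configuration)
     (service pkg:syskeep-service-type
              (pkg:syskeep-configuration (tld +tld+)))
     (service pkg:cicd-service-type)
     (service pkg:git-service-type
              (pkg:git-configuration
               (export-all? #t)
               (run-server? #t)))
     ;; Names for the WireGuard peers; 10.0.0.0 ("toph") is this host, see
     ;; the wireguard-configuration addresses below.
     (simple-service 'add-wireguard-aliases hosts-service-type
                     (list (host "10.0.0.0" "toph")
                           (host "10.0.0.1" "velhinho")
                           (host "10.0.0.2" "azula")
                           (host "10.0.0.5" "novinho")))
     ;; Each peer is restricted to sourcing traffic from its own /32.
     (service wireguard-service-type
              (wireguard-configuration
               (addresses '("10.0.0.0/32"))
               (peers
                (list
                 (wireguard-peer
                  (name "velhinho")
                  (public-key "Mhv8KxB/QXQpNKNtqD57PoFv43TXJ1lg52PJd6TmtwI=")
                  (allowed-ips '("10.0.0.1/32"))
                  (keep-alive 25))
                 (wireguard-peer
                  (name "azula")
                  (public-key "8IxSFlJoFuTzLtIkoKZH4CkUbIxd6++E0lBOin/7rT8=")
                  (allowed-ips '("10.0.0.2/32"))
                  (keep-alive 25))
                 (wireguard-peer
                  (name "novinho")
                  (public-key "WKOAyNVPxYB9H7ga1A0DfUrZGMUFyC3RCIvUC7u9/RA=")
                  (allowed-ips '("10.0.0.5/32"))
                  (keep-alive 25))))))
     (service q:shadow-group-service-type)
     (service q:dkimproxyout-service-type)
     (service q:cyrus-sasl-service-type)
     (service q:dovecot-service-type)
     (service q:internet-postfix-service-type)
     ;; Files placed under /etc from the src/config/ inputs read above: root's
     ;; SSH public key, a known_hosts file, and offsite-ssh.txt (contents not
     ;; visible here).
     (simple-service 'host-specific-etc-file etc-service-type
                     `(("id_rsa.pub"      ,(plain-file "id_rsa.pub" +root-pubkey+))
                       ("known_hosts"     ,(plain-file "known-hosts.txt" +known-hosts+))
                       ("offsite-ssh.txt" ,(plain-file "offsite-ssh.txt" +offsite-ssh+))))
     (service mail-aliases-service-type
              '(("root" "andreh")
                ("eu" "andreh")
                ("mailing-list" "andreh"))))
    pkg:base-services))
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets '("/dev/vda"))))
  (file-systems
   (append
    (list
     (file-system
      (mount-point "/")
      (device (uuid "4c36d5ad-f996-413e-a55c-c05b7e1876f2" 'btrfs))
      (type "btrfs"))
     ;; Needed at boot presumably because the swap file declared below lives
     ;; on this volume.
     (file-system
      (mount-point "/mnt/production")
      (needed-for-boot? #t)
      (device (uuid "b1a7e4a1-a8ea-48a4-ab8b-884a1b6a9c11" 'btrfs))
      (type "btrfs"))
     (file-system
      (mount-point "/mnt/backup")
      (device (uuid "6632849d-f180-4740-86e6-a519d43ab75a" 'btrfs))
      (type "btrfs")))
    %base-file-systems))
  (swap-devices
   (list
    (swap-space
     ;; Recipe used to create the swap file; `chattr +C' disables
     ;; copy-on-write, which btrfs requires for swap files.
     ;; # rm -f /swapfile
     ;; # truncate -s 0 /swapfile
     ;; # chattr +C /swapfile
     ;; # fallocate -l 8G /swapfile
     ;; # chmod 600 /swapfile
     ;; # mkswap /swapfile
     ;; # swapon /swapfile
     (target "/mnt/production/swapfile")
     ;; Activate only once /mnt/production is mounted.
     (dependencies (filter (file-system-mount-point-predicate "/mnt/production")
                           file-systems)))
    (swap-space
     (target (uuid "94b47d91-3542-438a-84a9-859fe347ce09"))))))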