;; Guix system declaration for a small single-user "pet" server: key-only SSH,
;; an OpenSMTPD mail host, nginx, and certbot-managed TLS for the apex domain
;; and its "mail." subdomain.  Deployment-specific values (the SSH public key
;; and the domain) are read from files in the working directory at evaluation
;; time rather than hard-coded here.
(use-modules (gnu) (ice-9 textual-ports))
(use-service-modules networking ssh mcron admin mail web certbot)
(use-package-modules ssh backup)

;; The only interactive account; it is also the only SSH login (see the
;; openssh-service-type entry below) and a member of "wheel".
(define user "andreh")

;; Return the entire contents of file F with leading/trailing whitespace
;; removed (drops the trailing newline of a one-line file such as tld.txt).
(define (slurp f)
  (string-trim-both (call-with-input-file f get-string-all)))

;; SSH public key installed for USER; read from ./id_rsa.pub when this
;; declaration is evaluated.
(define ssh-public-key (slurp "id_rsa.pub"))

;; Installed verbatim as /etc/sudoers via `sudoers-file` below.
;; NOTE(review): "wheel" gets NOPASSWD root.  Combined with key-only SSH this
;; means possession of the key in id_rsa.pub is already unconditional root on
;; the host, with no second factor at the privilege boundary; requiring a
;; password for wheel would contain a stolen key to the user account.
(define sudoers "\
root ALL=(ALL) ALL
%wheel ALL=NOPASSWD: ALL\n")

;; Apex domain of the deployment (e.g. "example.org", constructed sample),
;; read from ./tld.txt.  Every other hostname below is derived from it.
(define tld (slurp "tld.txt"))
(define mail-domain (string-append "mail." tld))

;; Directory where certbot keeps the live certificate for each name.  Both
;; nginx and OpenSMTPD are pointed straight at these paths.
(define letsencrypt-prefix "/etc/letsencrypt/live/")

;; Path of the full certificate chain certbot writes for DOMAIN.
(define (tls-pub-for domain)
  (string-append letsencrypt-prefix domain "/fullchain.pem"))

;; Path of the private key certbot writes for DOMAIN.
(define (tls-priv-for domain)
  (string-append letsencrypt-prefix domain "/privkey.pem"))

;; OpenSMTPD configuration, written as a store file with MAIL-DOMAIN and the
;; certbot paths spliced in.  The alias table is the /etc/aliases file that
;; mail-aliases-service-type generates (see the services list).
;; NOTE(review): the `listen on eth0` line carries no `tls` keyword, so the two
;; `pki` entries are declared but not attached to any listener; as written the
;; inbound SMTP listener would offer no STARTTLS — confirm whether the
;; listener was meant to reference the mail-domain pki.
;; NOTE(review): the `alias` clauses name no table.  A `<aliases>` reference
;; could have been lost when this text was extracted (it looks like markup);
;; verify against the deployed file before relying on alias expansion.
;; NOTE(review): the certbot deploy hook below only reloads nginx; OpenSMTPD
;; reads the same renewed files and presumably keeps the old certificate in
;; memory until it is restarted — confirm how renewals reach the MTA.
(define opensmtpd-config
  (mixed-text-file "euandreh-smtpd.conf" "
listen on eth0

# File comes from mail-aliases-service-type
table aliases file:/etc/aliases

accept from any domain " mail-domain " alias deliver to maildir
accept for local alias deliver to maildir
accept for any relay

pki " mail-domain " cert \"" (tls-pub-for mail-domain) "\"
pki " mail-domain " key \"" (tls-priv-for mail-domain) "\""))

;; Subdomain labels that get a certbot certificate in addition to TLD itself.
(define tls-prefixes '("mail"))

;; All names certbot is asked for: the apex domain followed by each
;; "<prefix>.<tld>" built from TLS-PREFIXES.
(define tls-domains
  (cons tld
        (map (lambda (prefix) (string-append prefix "." tld))
             tls-prefixes)))

;; FIXME: restart the service over killing the process
;; Certbot deploy hook: read nginx's PID from its pid file and send SIGHUP so
;; the master process reloads configuration and picks up the renewed
;; certificate.  The PID is obtained with `read`, so a missing or malformed
;; pid file makes `kill` fail and the post-renewal reload is silently skipped
;; from nginx's point of view (the old certificate stays in use).
(define %nginx-deploy-hook
  (program-file "nginx-deploy-hook"
                #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
                    (kill pid SIGHUP))))

(operating-system
  (locale "fr_FR.UTF-8")
  (timezone "America/Sao_Paulo")
  (keyboard-layout (keyboard-layout "us"))
  (host-name "guix-pet-server")
  (users (cons* (user-account
                 (name user)
                 (group "users")
                 (home-directory (string-append "/home/" user))
                 ;; "wheel" is what the SUDOERS string above grants
                 ;; passwordless root to.
                 (supplementary-groups '("wheel")))
                %base-user-accounts))
  (sudoers-file (plain-file "sudoers" sudoers))
  (packages (append (map (compose list specification->package+output symbol->string)
                         '(git nss-certs rsync))
                    %base-packages))
  (services
   (append
    (list
     ;; SSH: the X-less OpenSSH build, password logins off, and exactly one
     ;; authorized key (the one read into SSH-PUBLIC-KEY) for USER.
     (service openssh-service-type
              (openssh-configuration
               (openssh openssh-sans-x)
               (password-authentication? #false)
               (authorized-keys `((,user ,(plain-file "id_rsa.pub" ssh-public-key))))))
     ;; No jobs of its own; presumably present so the certbot service can
     ;; register its renewal job — verify that is why it is kept.
     (service mcron-service-type (mcron-configuration (jobs (list))))
     (service unattended-upgrade-service-type)
     (service dhcp-client-service-type)
     (service opensmtpd-service-type
              (opensmtpd-configuration (config-file opensmtpd-config)))
     ;; Becomes /etc/aliases, the table the OpenSMTPD config above reads.
     ;; NOTE(review): there is no "certbot" alias even though certbot expiry
     ;; notices are addressed to certbot@<tld> below — confirm that address is
     ;; deliverable somewhere.
     (service mail-aliases-service-type
              '(("postmaster" "root")
                ("webmaster" "root")
                ("abuse" "root")))
     ;; One HTTPS server block for the apex domain using the certbot files.
     (service nginx-service-type
              (nginx-configuration
               (server-blocks
                (list (nginx-server-configuration
                       ;; FIXME: force redirect
                       ;; FIXME: hook for "mkdir -p /srv/http/ && chmod"
                       ;; FIXME: permanent redirect www
                       (server-name (list tld))
                       (ssl-certificate (tls-pub-for tld))
                       (ssl-certificate-key (tls-priv-for tld)))))))
     ;; One certificate covering every name in TLS-DOMAINS; after each
     ;; renewal %NGINX-DEPLOY-HOOK is run to reload nginx.
     (service certbot-service-type
              (certbot-configuration
               (email (string-append "certbot@" tld))
               (certificates
                (list (certificate-configuration
                       (domains tls-domains)
                       ;; FIXME: call /var/lib/certbot/renew-certificates on deploy-hook
                       (deploy-hook %nginx-deploy-hook)))))))
    %base-services))
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (target "/dev/vda")
               (keyboard-layout keyboard-layout)))
  (swap-devices (list (uuid "79a91c82-f3e1-4ed7-8c4e-23569f1ae0ca")))
  (file-systems (cons* (file-system
                        (mount-point "/")
                        (device (uuid "fddb6a4c-8b8c-4f57-b274-5d6d33200f28" 'ext4))
                        (type "ext4"))
                       %base-file-systems)))