author | EuAndreh <eu@euandre.org> | 2022-12-08 12:04:38 -0300 |
---|---|---|
committer | EuAndreh <eu@euandre.org> | 2022-12-08 12:04:41 -0300 |
commit | 422b39a1975738bcc7fb12d4065bd13281d80852 (patch) | |
tree | 6f052eb9ef82bb8a3967904487e0cbb130c58c30 | |
parent | src/doc/: Remove ad-hoc helper files (diff) | |
src/infrastructure/guix/system.scm: Checkpoint on commited changes
Too many changes that accumulated over time:
- shell aliases in /etc/rc;
- SSH client configuration in /etc/ssh.conf;
- Guile setup script in /etc/init.scm
- r(1) command for running things with the correct environment;
- borg -r REPO option, and an extra cronjob for backing up to
/mnt/backup/borg;
- an extra btrfs disk on /mnt/backup/
- WIP setup of services in containers using
(least-authority-wrapper ...);
- a couple of FIXME markers for WIP tasks;
- azula joins the WireGuard VPN.
-rw-r--r-- | src/infrastructure/guix/system.scm | 693 |
1 files changed, 596 insertions, 97 deletions
diff --git a/src/infrastructure/guix/system.scm b/src/infrastructure/guix/system.scm index 2544be7..4e7c814 100644 --- a/src/infrastructure/guix/system.scm +++ b/src/infrastructure/guix/system.scm @@ -3,6 +3,7 @@ ((srfi srfi-1) #:prefix srfi-1:) ((xyz euandreh heredoc) #:prefix heredoc:) (gnu) + (gnu build linux-container) (gnu services mail) (gnu services shepherd) (gnu packages admin) @@ -20,10 +21,10 @@ (guix build-system trivial) (guix download) (guix git-download) + (guix least-authority) (guix packages) (guix records) - (guix utils) - (xyz euandreh queue)) + (guix utils)) (use-package-modules lua web) @@ -61,7 +62,7 @@ "$XDG_CONFIG_HOME" \ "$XDG_CACHE_HOME" \ "$XDG_DATA_HOME" \ - "$XDG_STATE_HOME" \ + "$XDG_STATE_HOME"/ssh/conn \ "$XDG_LOG_HOME" GUIX_PROFILE="$XDG_CONFIG_HOME"/guix/current @@ -99,10 +100,17 @@ unalias -a alias l='ls -lahF --color' - alias grep='grep --color' + alias grep='grep --color=auto' + alias diff='diff --color=auto' + alias watch='watch --color ' + alias man='MANWIDTH=$((COLUMNS > 80 ? 80 : COLUMNS)) man' alias less='less -R' - alias e='vi' alias tree='tree -aC' + alias mv='mv -i' + alias e='vi' + + alias sqlite='rlwrap sqlite3' + alias guile='guile -l /etc/init.scm' error_marker() { STATUS=$? 
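Review bot: The new `"$XDG_STATE_HOME"/ssh/conn` entry in the `@@ -61,7` hunk is the directory that `ControlPath` in the new `ssh.conf` (next hunk) points at, and nothing here restricts its mode; the command consuming this argument list starts before the hunk, so the exact mkdir form is inferred. A ControlMaster socket that another local user can reach lets that user reuse the already-authenticated session, so that directory specifically should end up `0700` regardless of umask, e.g. a `chmod 0700 "$XDG_STATE_HOME"/ssh/conn` right after the directory list (a `-m` on the shared mkdir would apply to every path in the list, which is probably not wanted). A one-line comment next to the entry saying why this directory is special would stop a later cleanup from folding it back into the generic list.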
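Review bot: `alias man='MANWIDTH=$((COLUMNS > 80 ? 80 : COLUMNS)) man'` in the `@@ -99,10` hunk expands `COLUMNS` with no default, and `COLUMNS` is an interactive-shell variable that is not necessarily set (or exported) wherever `/etc/rc` is sourced; when it is missing the arithmetic expansion errors out the moment the alias is used. Defaulting it keeps the intent: `alias man='MANWIDTH=$((${COLUMNS:-80} > 80 ? 80 : ${COLUMNS:-80})) man'`. The trailing space in `alias watch='watch --color '` is presumably deliberate (it lets the next word be alias-expanded) and deserves a short comment, since it looks like a typo.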
@@ -114,16 +122,108 @@ \u@\H\$ ' "#)) -(define backup.sh #"- +(define ssh.conf (plain-file "ssh.conf" #"- + Host * + ServerAliveInterval 30 + ServerAliveCountMax 20 + ControlMaster auto + ControlPath ${XDG_STATE_HOME}/ssh/conn/%r@%h:%p + ControlPersist 1h + "#)) + + +(define init.scm (plain-file "init.scm" #"- + (use-modules + (ice-9 colorized) + (ice-9 readline)) + + (activate-colorized) + (activate-readline) + "#)) + +(define r.sh #"- #!/bin/sh + set -eu + + # FIXME: what about /etc/login.defs? + + usage() { + cat <<-'EOF' + Usage: + r COMMAND... + r -h + EOF + } + + help() { + cat <<-'EOF' + + Options: + -h, --help show this message + + COMMAND the command to be executed + + + Execute the given command, with a proper login environment + loaded. + + + Examples: + + Run a backup via SSH: + + $ ssh toph r backup -q cron + EOF + } + + + for flag in "$@"; do + case "$flag" in + --) + break + ;; + --help) + usage + help + exit + ;; + *) + ;; + esac + done + + while getopts 'h' flag; do + case "$flag" in + h) + usage + help + exit + ;; + *) + usage >&2 + exit 2 + ;; + esac + done + shift $((OPTIND - 1)) + + + set +eu # shellcheck source=/dev/null . /etc/rc set -eu + exec "$@" + "#) + +(define backup.sh #"- + #!/bin/sh + set -eu + usage() { cat <<-'EOF' Usage: - backup [-q] [-C COMMENT] [ARCHIVE_TAG] + backup [-q] [-C COMMENT] [-r REPO] [ARCHIVE_TAG] backup -h EOF } @@ -135,6 +235,7 @@ -q disable verbose move, useful for for batch sessions -C COMMENT the comment text to be attached to the archive + -r REPO operate on REPO instead of :: -h, --help show this message ARCHIVE_TAG the tag used to create the new @@ -188,7 +289,8 @@ VERBOSE_FLAGS='--verbose --progress' COMMENT='' - while getopts 'qC:h' flag; do + REPO='' + while getopts 'qC:r:h' flag; do case "$flag" in q) VERBOSE_FLAGS='' @@ -196,6 +298,9 @@ C) COMMENT="$OPTARG" ;; + r) + REPO="$OPTARG" + ;; h) usage help 
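Review bot: `exec "$@"` at the end of `r.sh` runs with whatever remains after `shift $((OPTIND - 1))`, and with no operands `exec` simply returns, so a bare `r` exits 0 without doing anything instead of reporting usage; add `[ $# -gt 0 ] || { usage >&2; exit 2; }` right after the `shift`. Separately, `ControlPersist 1h` in `ssh.conf` keeps an authenticated master connection alive for an hour after the last session closes, which is a deliberate convenience trade-off but is easy to forget on a shared or unattended machine, so a one-line comment stating that lifetime next to the directive would make it visible. The `--help` pre-scan loop correctly stops at `--`, but `-h` given after `--` is then also passed through to `getopts`, which is fine and worth a comment so nobody "fixes" it.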
@@ -216,15 +321,15 @@ set -x # shellcheck disable=2086 sudo -i borg create \ - $VERBOSE_FLAGS \ - --comment " $COMMENT" \ - --stats \ - --compression lzma,9 \ - "::$(hostname)-{now}-$ARCHIVE_TAG" \ - /root/ \ - /home/ \ - /etc/ \ - /var/ \ + $VERBOSE_FLAGS \ + --comment " $COMMENT" \ + --stats \ + --compression lzma,9 \ + "$REPO::$(hostname)-{now}-$ARCHIVE_TAG" \ + /root/ \ + /home/ \ + /etc/ \ + /var/ \ /srv/ STATUS=$? set +x @@ -241,7 +346,7 @@ run || exit $? - sudo -i borg check --verify-data --verbose + sudo -i borg check --verify-data --verbose "${REPO:-::}" "#) (define cronjob.sh #"- @@ -312,19 +417,12 @@ shift $((OPTIND - 1)) - set +eu - # shellcheck source=/dev/null - . /etc/rc - set -eu - CMD="$*" - with-email -s "$(hostname): $CMD" -- "$@" 1>> /var/log/cronjob.log 2>&1 + r with-email -s "$(hostname): $CMD" -- "$@" 1>> /var/log/cronjob.log 2>&1 "#) (define reconfigure.sh #"- #!/bin/sh - # shellcheck source=/dev/null - . /etc/rc set -eu 
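Review bot: `reconfigure.sh` in the `@@ -312,19` hunk drops its `. /etc/rc` sourcing, so it now only has the login environment (`GUIX_PROFILE` and friends set in `/etc/rc`) when it is launched through `r`, as the `cronjob reconfigure -U` entry is; run by hand from a shell that has not sourced `/etc/rc` it depends on whatever that shell happens to export. If direct use is still intended, either re-exec through the helper near the top, e.g. `[ -n "${GUIX_PROFILE:-}" ] || exec r "$0" "$@"`, or say in its usage text that it must be run via `r`. The rest of `reconfigure.sh` lies outside the hunk, so whether anything later still relies on `/etc/rc` definitions is inferred.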
@@ -602,21 +700,26 @@ postfix-configuration make-postfix-configuration postfix-configuration? - (postfix postfix-configuration-postfix (default postfix)) - (set-sendmail? postfix-configuration-set-sendmail? (default #t)) - (master.cf-file postfix-configuration-master.cf-file (default #f)) - (main.cf-file postfix-configuration-main.cf-file (default #f)) - (master.cf-extra postfix-configuration-master.cf-extra (default "")) - (main.cf-extra postfix-configuration-main.cf-extra (default "")) - (data-directory postfix-configuration-data-directory (default "/var/lib/postfix")) - (queue-directory postfix-configuration-queue-directory (default "/var/spool/postfix")) - (user postfix-configuration-user (default "postfix")) - (group postfix-configuration-group (default "postfix")) - (setgid-group postfix-configuration-setgid-group (default "postdrop")) - (root-aliases postfix-configuration-root-aliases (default '("abuse" "admin" "hostmaster" "postmaster"))) - (cert-file postfix-configuration-cert-file (default #f)) - (key-file postfix-configuration-key-file (default #f)) - (hostname postfix-configuration-hostname (default (gethostname)))) + (postfix postfix-configuration-postfix (default postfix)) + (set-sendmail? postfix-configuration-set-sendmail? 
(default #t)) + (master.cf-file postfix-configuration-master.cf-file (default #f)) + (main.cf-file postfix-configuration-main.cf-file (default #f)) + (master.cf-extra postfix-configuration-master.cf-extra (default "")) + (main.cf-extra postfix-configuration-main.cf-extra (default "")) + (config-dirname postfix-configuration-config-dirname (default "postfix")) + (data-directory postfix-configuration-data-directory (default "/var/lib/postfix")) + (queue-directory postfix-configuration-queue-directory (default "/var/spool/postfix")) + (user postfix-configuration-user (default "postfix")) + (group postfix-configuration-group (default "postfix")) + (setgid-group postfix-configuration-setgid-group (default "postdrop")) + (root-aliases postfix-configuration-root-aliases (default '("abuse" "admin" "hostmaster" "postmaster"))) + (cert-file postfix-configuration-cert-file (default #f)) + (key-file postfix-configuration-key-file (default #f)) + (hostname postfix-configuration-hostname (default (gethostname))) + (run-in-container? postfix-configuration-run-in-container? (default #f)) + (container-name postfix-configuration-container-name (default "postfix")) + (container-namespaces postfix-configuration-container-namespaces (default (srfi-1:fold delq %namespaces '(net)))) + (extra-mappings postfix-configuration-extra-mappings (default '()))) ; FIXME: hardcoded value of dkimproxy listen and relay (define (generate-master.cf config) @@ -741,10 +844,10 @@ (define (postfix-etc-files config) (match-record config <postfix-configuration> - (master.cf-file main.cf-file) - `(("postfix" + (master.cf-file main.cf-file config-dirname) + `((,config-dirname ,(file-union - "postfix" + config-dirname `(("master.cf" ,(plain-file "master.cf" (or master.cf-file (generate-master.cf config)))) ("main.cf" ,(plain-file "main.cf" (or main.cf-file (generate-main.cf config)))))))))) 
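Review bot: The four new `postfix-configuration` fields (`run-in-container?`, `container-name`, `container-namespaces`, `extra-mappings`) carry no documentation, and the default `(srfi-1:fold delq %namespaces '(net))` is a compact way of saying "every namespace except net" that a reader has to decode; a comment such as `;; Keep the host network namespace: Postfix must bind its listeners and reach the DKIM proxy on 127.0.0.1` above that field states the reason. `config-dirname` also deserves a line noting that it names the directory under `/etc/` (as `postfix-etc-files` in the next hunk now builds `(,config-dirname ,(file-union config-dirname …))`), since the `-c` argument elsewhere depends on the two agreeing.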
@@ -806,54 +909,80 @@ (mkdir-p "/var/mail") (format (current-error-port) "Updating /etc/aliases: FIXME.~%") + ;; FIXME: add -c option #; - (invoke #$(file-append postfix "/bin/newaliases")))))) + (invoke #$(file-append postfix "/sbin/postalias") "/etc/aliases"))))) (define (postfix-shepherd-service config) (match-record config <postfix-configuration> - (postfix) - (list - (shepherd-service - (provision '(postfix)) - (documentation - #"- - Run the Postfix MTA. - - This is the entrypoint for starting the "master" process. Then the - "master" process itself takes responsability of starting all the - required daemons and commands."#) - (start #~(make-forkexec-constructor - (list - #$(file-append postfix "/sbin/postfix") - "start-fg") - #:pid-file "/var/lib/postfix/master.lock")) - (stop #~(make-kill-destructor SIGKILL)) - (actions - (list - (shepherd-action - (name 'configuration) - (documentation - #"- - FIXME:DOCUMENTATION - "#) - (procedure - #~(lambda _ - (format #t "/etc/postfix/master.cf~%") - (format #t "/etc/postfix/main.cf~%")))) - (shepherd-action - (name 'reload) - (documentation - #"- - Re-read the "master.cf" and "main.cf" configuration files. - - Daemon processes terminate when possible, and when restarted - use the values of the new configuration files. - - This live-reload option is usually preferable over a stop/start - cycle, as it incurs in no interruption of the running service."#) - (procedure - #~(lambda _ - (invoke #$(file-append postfix "/sbin/postfix") "reload")))))))))) + (postfix config-dirname data-directory queue-directory + run-in-container? container-name container-namespaces extra-mappings) + (let* ((config-dir (string-append "/etc/" config-dirname)) + (bin (file-append postfix "/sbin/postfix")) + (cmd (if (not run-in-container?) + bin + (least-authority-wrapper + bin + #:name container-name + #:mappings (append + (list + (file-system-mapping + (source data-directory) + (target source) + (writable? 
#t)) + (file-system-mapping + (source queue-directory) + (target source) + (writable? #t))) + extra-mappings) + #:namespaces container-namespaces)))) + (list + (shepherd-service + (provision '(postfix)) + (documentation + #"- + Run the Postfix MTA. + + This is the entrypoint for starting the "master" process. Then the + "master" process itself takes responsability of starting all the + required daemons and commands."#) + (start #~(make-forkexec-constructor + (list + #$(file-append postfix "/sbin/postfix") + "-c" + #$config-dir + "start-fg") + #:pid-file "/var/lib/postfix/master.lock")) + (stop #~(make-kill-destructor SIGKILL)) + (actions + (list + (shepherd-action + (name 'configuration) + (documentation + #"- + FIXME:DOCUMENTATION + "#) + (procedure + #~(lambda _ + (format #t "~a/master.cf~%" #$config-dir) + (format #t "~a/main.cf~%" #$config-dir)))) + (shepherd-action + (name 'reload) + (documentation + #"- + Re-read the "master.cf" and "main.cf" configuration files. + + Daemon processes terminate when possible, and when restarted + use the values of the new configuration files. + + This live-reload option is usually preferable over a stop/start + cycle, as it incurs in no interruption of the running service."#) + (procedure + #~(lambda _ + (invoke #$(file-append postfix "/sbin/postfix") + "-c" + #$config-dir + "reload"))))))))))) (define (postfix-aliases config) (match-record config <postfix-configuration> @@ -952,7 +1081,8 @@ driver = passwd } service auth-worker { - group = shadow + # FIXME: hard-coded group + group = etc-shadow } 
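Review bot: `cmd` is bound in the `let*` of `postfix-shepherd-service` (wrapping `bin` in `least-authority-wrapper` when `run-in-container?` is set) but neither the `start` constructor nor the `reload` action uses it — both still call `#$(file-append postfix "/sbin/postfix")` — so `run-in-container?` is a no-op for Postfix even though the Cyrus SASL and DKIMproxy services in the later hunk do use `#$cmd`. The `start` list should begin with `#$cmd`; whether `reload` should also go through the wrapper depends on what it needs to reach inside the running master, so that choice deserves a comment either way. `#:pid-file "/var/lib/postfix/master.lock"` also stays hard-coded while `data-directory` is now destructured and mapped into the container, so `(string-append data-directory "/master.lock")` would keep them in step. The mappings list only covers `data-directory` and `queue-directory`; if the wrapper does not expose `/etc/<config-dirname>` and `/etc/aliases` by default, the containerised master will not find its configuration, which is worth checking before the flag is flipped.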
@@ -1113,6 +1243,357 @@ + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;; OS ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + + + +(define-record-type* <shadow-group-configuration> + shadow-group-configuration + make-shadow-group-configuration + shadow-group-configuration? + (group shadow-group-configuration-group (default "etc-shadow"))) + +(define (shadow-group-activation config) + (match-record config <shadow-group-configuration> + (group) + #~(begin + (use-modules (guix build utils)) + (format (current-error-port) + "Setting ownership and permission for \"/etc/passwd\".~%") + (chown "/etc/shadow" + (passwd:uid (getpwnam "root")) + (group:gid (getgrnam #$group))) + (chmod "/etc/shadow" #o640)))) + +(define (shadow-group-accounts config) + (match-record config <shadow-group-configuration> + (group) + (list + (user-group + (name group) + (system? #t))))) + +(define shadow-group-service-type + (service-type + (name 'shadow-group) + (extensions + (list + (service-extension activation-service-type + shadow-group-activation) + (service-extension account-service-type + shadow-group-accounts))) + (default-value (shadow-group-configuration)) + (description "FIXME:DOCUMENTATION"))) + +(define-record-type* <cyrus-service-configuration> + cyrus-service-configuration + make-cyrus-service-configuration + cyrus-service-configuration? + (name cyrus-service-configuration-name) + (authmech cyrus-service-configuration-authmech (default "saslauthd")) + (log-level cyrus-service-configuration-log-level (default 7))) + +(define-record-type* <cyrus-sasl-configuration> + cyrus-sasl-configuration + make-cyrus-sasl-configuration + cyrus-sasl-configuration? 
+ (cyrus-sasl cyrus-sasl-configuration-cyrus-sasl (default cyrus-sasl)) + (user cyrus-sasl-configuration-user (default "cyrus-sasl")) + (group cyrus-sasl-configuration-group (default "cyrus-sasl")) + (supplementary-groups cyrus-sasl-configuration-supplementary-groups (default '("etc-shadow"))) + (authmech cyrus-sasl-configuration-authmech (default "shadow")) + (services cyrus-sasl-configuration-services (default '())) + (config-dirname cyrus-sasl-configuration-config-dirname (default "sasl2")) + (run-directory cyrus-sasl-configuration-run-directory (default "/var/run/saslauthd")) + (run-in-container? cyrus-sasl-configuration-run-in-container? (default #t)) + (container-name cyrus-sasl-configuration-container-name (default "saslauthd")) + (container-namespaces cyrus-sasl-configuration-container-namespaces (default %namespaces)) + (extra-mappings cyrus-sasl-configuration-extra-mappings (default '()))) + +(define (cyrus-sasl-etc-files config) + ;; FIXME: support opaque files + ;; FIXME: extend this with postfix instead of making postfix add here + (match-record config <cyrus-sasl-configuration> + (services config-dirname run-directory) + `((,config-dirname + ,(file-union + config-dirname + (map (lambda (service-config) + (match-record service-config <cyrus-service-configuration> + (name authmech log-level) + `(,name ,(plain-file + name + (format #f + "pwcheck_method: ~a~%saslauthd_path: ~a/mux~%log_level: ~a~%" + authmech + run-directory + log-level))))) + services)))))) + +(define (cyrus-sasl-activation config) + (match-record config <cyrus-sasl-configuration> + (user run-directory) + #~(begin + (use-modules (guix build utils)) + (let ((user (getpwnam #$user))) + (format (current-error-port) + "Creating Cyrus SASL socket directory: \"~a\".~%" #$run-directory) + (mkdir-p #$run-directory) + (chown #$run-directory (passwd:uid user) (passwd:gid user)) + (chmod #$run-directory #o755))))) + +(define (cyrus-sasl-accounts config) + (match-record config 
<cyrus-sasl-configuration> + (user group supplementary-groups) + (list + (user-account + (name user) + (group group) + (supplementary-groups supplementary-groups) + (comment "Cyrus SASL system user") + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin")) + (system? #t)) + (user-group + (name group) + (system? #t))))) + +(define (cyrus-sasl-shepherd-service config) + (match-record config <cyrus-sasl-configuration> + (cyrus-sasl user group supplementary-groups authmech config-dirname run-directory + run-in-container? container-name container-namespaces extra-mappings) + (let* ((config-dir (string-append "/etc/" config-dirname)) + (bin (file-append cyrus-sasl "/sbin/saslauthd")) + (cmd (if (not run-in-container?) + bin + (least-authority-wrapper + bin + #:name container-name + #:mappings (append + (list + (file-system-mapping + (source run-directory) + (target source) + (writable? #t)) + (file-system-mapping + (source "/etc/passwd") + (target source)) + (file-system-mapping + (source "/etc/shadow") + (target source))) + extra-mappings) + #:namespaces container-namespaces)))) + (list + (shepherd-service + (provision '(cyrus-sasl)) + (documentation "FIXME:DOCUMENTATION") + (start #~(make-forkexec-constructor + (list #$cmd "-a" #$authmech "-d" "-m" #$run-directory) + #:user #$user + #:group #$group + #:supplementary-groups '(#$@supplementary-groups))) + (stop #~(make-kill-destructor)) + (actions + (list + (shepherd-action + (name 'configuration) + (documentation "FIXME:DOCUMENTATION") + (procedure + #~(lambda _ + (format #t "~a~%" #$config-dir))))))))))) + +(define cyrus-sasl-service-type + (service-type + (name 'cyrus-sasl) + (extensions + (list + (service-extension etc-service-type + cyrus-sasl-etc-files) + (service-extension activation-service-type + cyrus-sasl-activation) + (service-extension profile-service-type + (compose list cyrus-sasl-configuration-cyrus-sasl)) + (service-extension account-service-type + cyrus-sasl-accounts) + 
(service-extension shepherd-root-service-type + cyrus-sasl-shepherd-service))) + (compose srfi-1:concatenate) + (extend (lambda (config services) + (cyrus-sasl-configuration + (inherit config) + (services + (append + (cyrus-sasl-configuration-services config) + services))))) + (default-value (cyrus-sasl-configuration)) + (description "FIXME:DOCUMENTATION"))) + + +(define-record-type* <dkimproxyout-configuration> + dkimproxyout-configuration + make-dkimproxyout-configuration + dkimproxyout-configuration? + (dkimproxy dkimproxyout-configuration-dkimproxy (default dkimproxy)) + (user dkimproxyout-configuration-user (default "dkimproxyout")) + (group dkimproxyout-configuration-group (default "dkimproxyout")) + (config-name dkimproxyout-configuration-config-name (default "dkimproxyout.conf")) + (listen dkimproxyout-configuration-listen (default "127.0.0.1:10027")) + (relay dkimproxyout-configuration-relay (default "127.0.0.1:10028")) + (domains dkimproxyout-configuration-domains (default (list (gethostname)))) + (selector dkimproxyout-configuration-selector (default "dkimproxyout")) + (key-size dkimproxyout-configuration-key-size (default 2048)) + (data-directory dkimproxyout-configuration-data-directory (default "/var/lib/dkimproxyout")) + (run-in-container? dkimproxyout-configuration-run-in-container? 
(default #f)) + (container-name dkimproxyout-configuration-container-name (default "dkimproxyout")) + (container-namespaces dkimproxyout-configuration-container-namespaces (default (srfi-1:fold delq %namespaces '(net)))) + (extra-mappings dkimproxyout-configuration-extra-mappings (default '()))) + +(define (generate-out.cf config) + (match-record config <dkimproxyout-configuration> + (listen relay domains selector data-directory) + (format #f +" +listen ~a +relay ~a + +domain ~a +selector ~a + +signature dkim(c=relaxed/relaxed) + +# FIXME:DOCUMENTATION add this to the service documentation +# the corresponding public key is available at: +# ~a/public.key +keyfile ~a/private.key +" + listen + relay + (string-join domains ",") + selector + data-directory + data-directory))) + +(define (dkimproxyout-etc-files config) + (match-record config <dkimproxyout-configuration> + (config-name) + `((,config-name ,(plain-file config-name (generate-out.cf config)))))) + +(define (dkimproxyout-accounts config) + (match-record config <dkimproxyout-configuration> + (user group) + (list + (user-account + (name user) + (group group) + (comment "DKIMproxy.out signing system user") + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin")) + (system? #t)) + (user-group + (name group) + (system? #t))))) + +(define (dkimproxyout-activation config) + (match-record config <dkimproxyout-configuration> + (user group data-directory key-size) + #~(begin + (use-modules (guix build utils)) + (let ((uid (passwd:uid (getpwnam #$user))) + (gid (group:gid (getgrnam #$group)))) + (format (current-error-port) + "Creating DKIMproxy.out data directory: \"~a\".~%" #$data-directory) + (mkdir-p #$data-directory) + (chown #$data-directory uid gid) + (chmod #$data-directory #o755) + (let ((private-key (string-append #$data-directory "/private.key")) + (public-key (string-append #$data-directory "/public.key"))) + (unless (file-exists? private-key) + (cond + ((zero? 
(system* #$(file-append openssl "/bin/openssl") + "genrsa" + "-out" + private-key + (number->string #$key-size))) + (format (current-error-port) + "DKIMproxy.out private key file created: \"~a\".~%" private-key)) + (else + (format (current-error-port) + "Failed to create DKIMproxy.out private key file: \"~a\".~%" private-key)))) + (invoke #$(file-append openssl "/bin/openssl") + "rsa" + "-in" + private-key + "-pubout" + "-out" + public-key) + (format (current-error-port) + "Setting permissions for the public/private DKIMproxy.out keypair: \"~a/{public,private}.key\".~%" #$data-directory) + (chown private-key uid gid) + (chown public-key uid gid) + (chmod private-key #o400) + (chmod public-key #o644)))))) + +(define (dkimproxyout-shepherd-service config) + (match-record config <dkimproxyout-configuration> + (dkimproxy user group config-name data-directory + run-in-container? container-name container-namespaces extra-mappings) + (let* ((config-file (string-append "/etc/" config-name)) + (bin (file-append dkimproxy "/bin/dkimproxy.out")) + (cmd (if (not run-in-container?) 
+ bin + (least-authority-wrapper + bin + #:name container-name + #:mappings (append + (list + (file-system-mapping + (source config-file) + (target source)) + (file-system-mapping + (source + (string-append data-directory "/private.key")) + (target source))) + extra-mappings) + #:namespaces container-namespaces)))) + (list + (shepherd-service + (provision '(dkimproxyout)) + (documentation "FIXME:DOCUMENTATION") + (start #~(make-forkexec-constructor + (list #$cmd "--conf_file" #$config-file) + #:user #$user + #:group #$group)) + (stop #~(make-kill-destructor)) + (actions + (list + (shepherd-action + (name 'configuration) + (documentation "FIXME:DOCUMENTATION") + (procedure + #~(lambda _ + (format #t "~a~%" #$config-file))))))))))) + +(define-public dkimproxyout-service-type + (service-type + (name 'dkimproxyout) + (extensions + (list + (service-extension etc-service-type + dkimproxyout-etc-files) + (service-extension account-service-type + dkimproxyout-accounts) + (service-extension activation-service-type + dkimproxyout-activation) + (service-extension profile-service-type + (compose list dkimproxyout-configuration-dkimproxy)) + (service-extension shepherd-root-service-type + dkimproxyout-shepherd-service))) + (default-value (dkimproxyout-configuration)) + (description "FIXME:DOCUMENTATION"))) + ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;; OS ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; @@ -1125,7 +1606,8 @@ (define me "eu") (define public-me (format #f "~a@~a" me tld)) -(define git-dir "/srv/git/git") +(define git-dir "/srv/git/git") ;; FIXME: get git-root from config +(define www-dir "/srv/www") ;; FIXME: get nginx-root from config (define gitconfig (plain-file "gitconfig" (format #f #"- [init] @@ -1139,6 +1621,7 @@ tld tld))) + (operating-system (locale "fr_FR.UTF-8") (timezone "America/Sao_Paulo") 
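Review bot: `shadow-group-activation` logs `Setting ownership and permission for \"/etc/passwd\"` but the `chown`/`chmod` that follow act on `/etc/shadow`; the message should read `"Setting ownership and permission for \"/etc/shadow\".~%"`. In `dkimproxyout-activation`, a failing `openssl genrsa` only reaches the logging `else` branch and execution then proceeds into `(invoke … "rsa" "-in" private-key "-pubout" …)`, which raises on the missing file, so the real cause is buried under a second error; raising in that `else` branch (or skipping the rest of the `let` when `private-key` is still absent) reports it once. The `FIXME:DOCUMENTATION` on `shadow-group-service-type` should, when filled in, state plainly that every member of the configured group can read all local password hashes, since `cyrus-sasl-configuration` adds `etc-shadow` as a default supplementary group and maps `/etc/shadow` into the saslauthd container, and that is the trade-off `authmech shadow` makes. Finally, the hunk adds a second `;;;; OS ;;;;` banner above these service definitions while the original banner remains just below `dkimproxyout-service-type`, so the new one mislabels the section; the three service types are also inconsistently `define`/`define-public`.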
@@ -1153,6 +1636,7 @@ 10.0.0.0 toph 10.0.0.1 velhinho + 10.0.0.2 azula "# tld tld))) @@ -1193,6 +1677,7 @@ git-minimal guile-heredoc-latest htop + lsof mailutils ranger rlwrap @@ -1203,7 +1688,7 @@ prosody)) (list ;; lua-cyrussasl - (script "rc" rc.sh) + (script "r" r.sh) (script "backup" backup.sh) (script "cronjob" cronjob.sh) (script "reconfigure" reconfigure.sh) @@ -1222,6 +1707,7 @@ (mcron-configuration (jobs (list + #~(job "0 0 * * *" "cronjob backup -q cron -r /mnt/backup/borg") #~(job "0 1 * * *" "cronjob backup -q cron") #~(job "0 2 * * *" "cronjob reconfigure -U"))))) (service dkimproxyout-service-type) @@ -1284,7 +1770,7 @@ (nginx-server-configuration (server-name (list tld)) (listen '("[::]:443 ssl http2" "443 ssl http2")) - (root "/srv/www") + (root www-dir) (ssl-certificate (format #f "/etc/letsencrypt/live/~a/fullchain.pem" tld)) (ssl-certificate-key (format #f "/etc/letsencrypt/live/~a/privkey.pem" tld)) (locations @@ -1304,6 +1790,7 @@ fastcgi_param PATH_INFO $uri; fastcgi_param QUERY_STRING $args; fastcgi_param HTTP_HOST $server_name; + # FIXME: use localhost instead? fastcgi_pass 127.0.0.1:9000; rewrite /git(.*) $1 break; "#))) @@ -1319,10 +1806,10 @@ (use-modules (guix build utils)) (let ((user (getpwnam #$whoami)) (git (getpwnam "git"))) - (format (current-error-port) "Creating \"/srv/www\".~%") - (mkdir-p "/srv/www") - (chown "/srv/www" (passwd:uid user) (passwd:gid user)) - (chmod "/srv/www" #o755) + (format (current-error-port) "Creating \"~a\".~%" #$www-dir) + (mkdir-p #$www-dir) + (chown #$www-dir (passwd:uid user) (passwd:gid user)) + (chmod #$www-dir #o755) (format (current-error-port) "Setting permissions for \"~a\".~%" #$git-dir) (mkdir-p #$git-dir) (chown #$git-dir (passwd:uid git) (passwd:gid git)) 
@@ -1352,7 +1839,12 @@ (wireguard-peer (name "velhinho") (public-key "Mhv8KxB/QXQpNKNtqD57PoFv43TXJ1lg52PJd6TmtwI=") - (allowed-ips '("10.0.0.0/24")) + (allowed-ips '("10.0.0.1/32")) + (keep-alive 25)) + (wireguard-peer + (name "azula") + (public-key "8IxSFlJoFuTzLtIkoKZH4CkUbIxd6++E0lBOin/7rT8=") + (allowed-ips '("10.0.0.2/32")) (keep-alive 25)))))) (service dovecot2-service-type) (service certbot-service-type @@ -1399,6 +1891,8 @@ ("mailing-list" ,whoami))) (simple-service 'extra-etc-file etc-service-type `(("rc" ,rc.sh) + ("ssh.conf" ,ssh.conf) + ("init.scm" ,init.scm) ("gitconfig" ,gitconfig))) (service openssh-service-type (openssh-configuration @@ -1428,5 +1922,10 @@ (mount-point "/") (device (uuid "4c36d5ad-f996-413e-a55c-c05b7e1876f2" 'btrfs)) + (type "btrfs")) + (file-system + (mount-point "/mnt/backup") + (device + (uuid "6632849d-f180-4740-86e6-a519d43ab75a" 'btrfs)) (type "btrfs"))) %base-file-systems))) |
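Review bot: `ssh.conf` is installed as `/etc/ssh.conf` in the `@@ -1399,6` hunk, but at least within the parts of the file this diff touches nothing wires it into the ssh client — OpenSSH reads `/etc/ssh/ssh_config` system-wide, and the new alias block adds no `ssh -F /etc/ssh.conf` alias or `Include`. If it is consumed elsewhere, a comment next to this entry saying how (`;; read via … ` with the actual mechanism) saves the next reader the search; if not, the `ControlMaster` settings are silently inactive.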
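Review bot: The new `/mnt/backup` `file-system` in the `@@ -1428,5` hunk leaves `mount-may-fail?` at its default, so a missing backup disk or a changed UUID will be treated as a fatal mount error at boot rather than as a skipped nightly job; for a secondary disk that only serves the 00:00 `cronjob backup … -r /mnt/backup/borg` entry, `(mount-may-fail? #t)` is worth considering, with a comment stating that the backup job is expected to fail loudly (via `with-email`) when the disk is absent. The enclosing `file-systems` list continues outside the hunk.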