Diffstat (limited to 'servers/inactive/guixvps/machines.scm')
-rw-r--r--servers/inactive/guixvps/machines.scm129
1 files changed, 129 insertions, 0 deletions
diff --git a/servers/inactive/guixvps/machines.scm b/servers/inactive/guixvps/machines.scm
new file mode 100644
index 0000000..8933709
--- /dev/null
+++ b/servers/inactive/guixvps/machines.scm
@@ -0,0 +1,129 @@
+(use-modules (guix gexp)
+ (gnu)
+ (guix)
+ ((guix build utils) #:prefix utils:)
+ ((guix modules) #:prefix modules:)
+ ((srfi srfi-1) #:prefix srfi-1:)
+ (srfi srfi-26) ; cut utility
+ ((ice-9 textual-ports) #:prefix textual-ports:)
+ ((ice-9 ftw) #:prefix ftw:)
+ ((ice-9 popen) #:prefix popen:)
+ ((ice-9 rdelim) #:prefix rdelim:)
+ ((ice-9 string-fun) #:prefix string-fun:))
+
+(use-package-modules ssh
+ backup
+ version-control)
+(use-service-modules networking
+ ssh
+ mcron
+ admin
+ mail
+ web
+ certbot
+ cgit)
+
+(define user "andreh")
+(define tld (slurp "servers/vps/tld.txt"))
+
+;; permit nopass :wheel
+(define sudoers "\
+root ALL=(ALL) ALL
+%wheel ALL=NOPASSWD: ALL\n")
+
+(define letsencrypt-prefix
+ "/etc/letsencrypt/live/")
+
+(define (tls-pub-for domain)
+ (string-append letsencrypt-prefix domain "/fullchain.pem"))
+
+(define (tls-priv-for domain)
+ (string-append letsencrypt-prefix domain "/privkey.pem"))
+
+(define tls-domains
+ (list tld))
+
+(define my-system
+ (operating-system
+ (host-name (slurp "servers/vps/hostname.txt"))
+ (users (cons* (user-account
+ (name user)
+ (group "users")
+ (home-directory (string-append "/home/" user))
+ (supplementary-groups '("wheel")))
+ %base-user-accounts))
+ (sudoers-file (plain-file "sudoers" sudoers))
+ (packages
+ (append (map (compose list specification->package+output symbol->string)
+ ;; required for guix pull
+ '(nss-certs))
+ %base-packages))
+ (services
+ (append
+ (list (service dhcp-client-service-type)
+ (service openssh-service-type
+ (openssh-configuration
+ (openssh openssh-sans-x)
+ (password-authentication? #f)
+ (permit-root-login #f)
+ (authorized-keys
+ `((,user ,(local-file (string-append (getenv "HOME") "/.ssh/id_rsa.pub")))))))
+ (service git-daemon-service
+ (git-daemon-configuration
+ (export-all? #t)))
+ (service unattended-upgrade-service-type
+ (unattended-upgrade-configuration
+ (schedule "30 3 * * *")))
+ (service mcron-service-type
+ (mcron-configuration
+ (jobs
+ (list #~(job "30 1 * * 1" "/opt/bin/gc.sh")
+ #~(job "30 0 * * *" "/opt/bin/backup.sh")))))
+ (service nginx-service-type
+ (nginx-configuration
+ (server-blocks
+ (list (nginx-server-configuration
+ (server-name tls-domains))
+ (ssl-certificate (tls-pub-for tld))
+ (ssl-certificate-key (tls-priv-for tld)))))))
+ (service certbot-service-type
+ (certbot-configuration
+ (email (string-append "certbot@" tld))
+ (certificates
+ (list
+ (certificate-configuration
+ (domains tls-domains)))))))
+ (modify-services
+ %base-services
+ (guix-service-type
+ config => (guix-configuration
+ (inherit config)
+ (authorized-keys
+ (append
+ (list (local-file "/etc/guix/signing-key.pub"))
+ %default-authorized-guix-keys)))))))
+ (bootloader
+ (bootloader-configuration
+ (bootloader grub-bootloader)
+ (target "/dev/vda")
+ (terminal-outputs '(console))))
+ (swap-devices
+ (list (uuid "79a91c82-f3e1-4ed7-8c4e-23569f1ae0ca")))
+ (file-systems
+ (cons* (file-system
+ (mount-point "/")
+ (device
+ (uuid "fddb6a4c-8b8c-4f57-b274-5d6d33200f28"
+ 'ext4))
+ (type "ext4"))
+ %base-file-systems))))
+
+(list
+ (machine
+ (operating-system my-system)
+ (environment managed-host-environment-type)
+ (configuration (machine-ssh-configuration
+ (host-name tld)
+ (system "x86_64-linux")
+ (user user)
+ (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwnnw/u8ub+kcQhnVSyNWarYGH8aesUwIy4SIprufKf")))))
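Review bot: The TLS material never reaches the nginx server block: the `))` at the end of `(server-name tls-domains))` closes the `nginx-server-configuration` form, so `(ssl-certificate (tls-pub-for tld))` and `(ssl-certificate-key (tls-priv-for tld))` sit as bare elements of the surrounding `list` rather than as fields of the server block, which would presumably fail to evaluate or leave the vhost without a certificate. Move the closing parens so the three lines read `(server-name tls-domains)`, `(ssl-certificate (tls-pub-for tld))`, `(ssl-certificate-key (tls-priv-for tld))))` inside the record. Separately, `(export-all? #t)` on `git-daemon-service` serves every repository under the daemon's base path over unauthenticated git:// without the per-repository `git-daemon-export-ok` opt-in; a comment such as `;; export-all?: every repo under the base path is public, no export-ok marker needed` would make that deliberate, and `%wheel ALL=NOPASSWD: ALL` deserves the same kind of explicit note. `slurp` is not provided by any module listed in `use-modules`, so confirm it is defined by whatever loads this file.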