Diffstat (limited to 'src/guix/system.scm')
-rw-r--r--src/guix/system.scm218
1 files changed, 25 insertions, 193 deletions
diff --git a/src/guix/system.scm b/src/guix/system.scm
index 73ca90a..27c6439 100644
--- a/src/guix/system.scm
+++ b/src/guix/system.scm
@@ -2,6 +2,7 @@
((ice-9 textual-ports) #:prefix textual-ports:)
((srfi srfi-1) #:prefix s1:)
((xyz euandreh heredoc) #:prefix heredoc:)
+ ((org euandre packages) #:prefix pkg:)
((org euandre queue) #:prefix q:)
(gnu)
(guix build-system trivial)
@@ -30,9 +31,15 @@
(define ipv4 "216.238.68.100")
(define ipv6 "2001:19f0:b400:1f0c:5400:04ff:fe35:8c89")
(define tld "euandre.org")
+(define +tld+ tld)
-(define users
- '(("andreh" "EuAndreh" ("wheel" "become-deployer" "become-secrets-keeper"))))
+
+(define (path s)
+ ;; src/guix/system.scm + ../../../ = ./
+ (string-append (dirname (dirname (dirname (current-filename)))) "/" s))
+
+(define +users+
+ `(("andreh" "EuAndreh" ("wheel") ,(path "src/keys/SSH/andreh.pub.txt"))))
(define working-dir
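Review bot: The new `path` helper applies `dirname` three times to `(current-filename)`, which is `#f` when the file is not being evaluated from a known source file (for instance at a REPL), so a misuse surfaces as an obscure type error inside `dirname` rather than a clear message; a guard such as `(let ((f (or (current-filename) (error "system.scm must be loaded from a file")))) ...)` around the `dirname` chain would make that explicit. The same name `path` was already used by the `ssh-file-for` definition removed later in this diff, so if an earlier `path` definition survives elsewhere in the file this adds a second top-level definition of it—worth checking. The key path in `+users+` is now a fixed string where the old code filtered users on `file-exists?`; presumably `pkg:users->keys` now reads it unconditionally, which is the safer behaviour (a missing key is a build error instead of a silently key-less account), and a short comment stating that intent, e.g. `;; key file must exist: a missing key is a build error, not a silent drop`, would record it.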
@@ -80,43 +87,6 @@
(description #f)
(license #f)))
-(define user-accounts
- (map (lambda (user)
- (let ((name (s1:first user))
- (comment (s1:second user))
- (groups (s1:third user)))
- (user-account
- (name name)
- (comment comment)
- (group "users")
- (supplementary-groups groups))))
- users))
-
-(define (ssh-file-for user)
- (let ((name (s1:first user)))
- (path (fmt "src/infrastructure/keys/SSH/~a.pub.txt" name))))
-
-(define authorized-keys
- (let ((users-with-keys
- (map (lambda (user)
- `(,@user ,(slurp (ssh-file-for user))))
- (filter (lambda (user)
- (file-exists? (ssh-file-for user)))
- users))))
- (append
- (map (lambda (user)
- (let ((name (s1:first user))
- (key (s1:fourth user)))
- `(,name ,(plain-file (str name "-id_rsa.pub")
- key))))
- users-with-keys)
- `(("git" ,@(map (lambda (user)
- (let ((name (s1:first user))
- (key (s1:fourth user)))
- (plain-file (str name "-git-id_rsa.pub")
- key)))
- users-with-keys))))))
-
(define ns (fmt "ns1.~a." tld))
(define mail (fmt "hostmaster.~a." tld))
@@ -215,159 +185,32 @@
(mail mail)
(entries ipv6-reverse-domain-zone))))))
+(define package-symbols
+ '())
+
+(define package-records
+ (list))
+
(operating-system
(locale "fr_FR.UTF-8")
(timezone "America/Sao_Paulo")
- (host-name tld)
- (skeletons
- `((".profile"
- ,(plain-file "user-profile"
- (file "src/infrastructure/config/profile.sh")))))
- (users
- (append
- (list
- (user-account
- (name "git")
- (group "git")
- (system? #t)
- (comment "External SSH Git user")
- (home-directory "/srv/git")
- (create-home-directory? #f)
- (shell
- (file-append git "/bin/git-shell")))
- (user-account
- (name "deployer")
- (group "deployer")
- (system? #t)
- (comment "The account used to run deployment commands")
- (home-directory "/var/empty")
- (create-home-directory? #f)
- (shell
- (file-append shadow "/sbin/nologin")))
- (user-account
- (name "secrets-keeper")
- (group "secrets-keeper")
- (system? #t)
- (comment "The account used to manage production secrets")
- (home-directory "/var/empty")
- (create-home-directory? #f)
- (shell
- (file-append shadow "/sbin/nologin"))))
- user-accounts
- %base-user-accounts))
- (groups
- (append
- (list
- (user-group
- (name "git")
- (system? #t))
- (user-group
- (name "deployer")
- (system? #t))
- (user-group
- (name "become-deployer")
- (system? #t))
- (user-group
- (name "secrets-keeper")
- (system? #t))
- (user-group
- (name "become-secrets-keeper")
- (system? #t)))
- %base-groups))
- (sudoers-file
- (plain-file "sudoers" #"-
- root ALL=(ALL) ALL
- %wheel ALL= ALL
- %become-deployer ALL=(deployer) NOPASSWD: ALL
- %become-secrets-keeper ALL=(secrets-keeper) NOPASSWD: /run/current-system/profile/bin/rsync, /run/current-system/profile/bin/setfacl, /run/current-system/profile/bin/rm
- git ALL= NOPASSWD: /run/current-system/profile/bin/reconfigure, /run/current-system/profile/bin/cicd
- git ALL=(deployer) NOPASSWD: /run/current-system/profile/bin/rsync, /run/current-system/profile/bin/mkdir
- "#))
- (packages
- (append
- (map (compose list specification->package+output symbol->string)
- '(parted
- acl
- bind:utils
- tcpdump
- knot:tools
- file
- git
- guile-heredoc
- entr
- lsof
- jq
- moreutils
- mailutils-sendmail
- curl
- make
- gnupg
- borg
- rsync
- sqlite
- strace
- rlwrap
- trash-cli
- tree))
- (list
- (script "gc" (file "src/infrastructure/scripts/gc.sh"))
- (script "cicd" (file "src/infrastructure/scripts/cicd.sh"))
- (script "check" (file "src/infrastructure/scripts/check.sh"))
- (script "backup" (file "src/infrastructure/scripts/backup.sh"))
- (script "deploy" (file "src/infrastructure/scripts/deploy.sh"))
- (script "report" (file "src/infrastructure/scripts/report.sh"))
- (script "cronjob" (file "src/infrastructure/scripts/cronjob.sh"))
- (script "reconfigure" (file "src/infrastructure/scripts/reconfigure.sh")))
- %base-packages))
+ (host-name +tld+)
+ (skeletons pkg:skeletons)
+ (users (append (pkg:user-accounts +users+) %base-user-accounts))
+ (packages (pkg:package-set package-symbols package-records))
(services
(append
(list
- (service ntp-service-type)
- (service dhcp-client-service-type)
(service knot-service-type
(knot-configuration
(zones zones)))
- (service openssh-service-type
- (openssh-configuration
- (openssh openssh-sans-x)
- (password-authentication? #f)
- (authorized-keys authorized-keys)
- (extra-content #"-
- ClientAliveInterval 30
- ClientAliveCountMax 20
- MaxSessions 20
- SetEnv GIT_CONFIG_GLOBAL=/etc/gitconfig
- "#)))
- (simple-service 'extra-rottlog-rotations rottlog-service-type
- (list
- (log-rotation
- (frequency 'weekly)
- (files '("/var/log/cronjobs.log"))
- (options '("rotate 52")))))
+ (service ntp-service-type)
+ (service dhcp-client-service-type)
(service fail2ban-service-type)
- (service mcron-service-type
- (mcron-configuration
- (jobs
- (list
- #~(job "0 0 * * *" "cronjob check")
- #~(job "0 1 * * *" "cronjob env BORG_REPO=/mnt/backup/borg backup -q cron")
- #~(job "0 2 * * *" "cronjob backup -q cron")
- #~(job "0 3 * * 0" "cronjob gc")
- #~(job "0 4 * * *" "cronjob reconfigure -U")))))
- (service certbot-service-type
- (certbot-configuration
- (email (str "root@" tld))
- (certificates
- (list
- (certificate-configuration
- (domains (list tld))
- (deploy-hook
- (program-file
- "nginx-deploy-hook"
- #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
- (kill pid SIGHUP)))))))))
+ (service openssh-service-type (q:openssh-default-configuration (pkg:users->keys +users+)))
+ (service certbot-service-type (q:tld-certbot-configuration +tld+))
(service nginx-service-type
(nginx-configuration
(server-blocks
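Review bot: `package-symbols` and `package-records` are defined empty (`'()` and `(list)`), so `(pkg:package-set package-symbols package-records)` installs none of the tools the previous `packages` field provided (rsync, borg, gnupg, acl, bind:utils, knot:tools, …) nor the `gc`/`cicd`/`backup`/`deploy`/`reconfigure` scripts, while the `mcron` jobs that ran `cronjob check/backup/gc/reconfigure` and the `rottlog` rotation for `/var/log/cronjobs.log` are dropped with no replacement visible in this hunk. If `pkg:base-services` or `pkg:package-set` are meant to supply these, a comment on the two placeholder definitions saying so would make the intent clear, e.g. `;; TODO: empty until the package/script set moves into (org euandre packages)`. The `groups` and `sudoers-file` fields disappear together with the `git`, `deployer` and `secrets-keeper` accounts, so unless they are set further down the record the host falls back to Guix's default sudoers specification and default groups—reasonable if the scoped NOPASSWD rules are no longer needed, but worth stating in the commit message. The `operating-system` form continues past the end of this hunk.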
@@ -415,14 +258,7 @@
add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains' always;
"#)))))))
(service cgit-service-type q:cgit-pre-configuration)
- (simple-service 'extra-etc-file etc-service-type
- `(("rc" ,(plain-file "rc.sh" (file "src/infrastructure/config/rc.sh")))
- ("known_hosts" ,(plain-file "known_hosts" (file "src/infrastructure/config/known_hosts.txt")))
- ("id_rsa.pub" ,(plain-file "id_rsa.pub" (file (fmt "src/infrastructure/keys/SSH/root@~a.id_rsa.pub.stripped" tld))))
- ("ssh.conf" ,(plain-file "ssh.conf" (file "src/infrastructure/config/ssh.conf")))
- ("init.scm" ,(plain-file "init.scm" (file "src/infrastructure/config/init.scm")))
- ("conf.env" ,(plain-file "conf.env" (file "src/infrastructure/config/conf.env")))
- ("gitconfig" ,(plain-file "gitconfig" (file "src/infrastructure/config/gitconfig")))))
+ (service pkg:syskeep-service-type)
(service git-daemon-service-type
(git-daemon-configuration
(export-all? #t)))
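Review bot: The removed `extra-etc-file` service was what installed `/etc/known_hosts` and root's `id_rsa.pub` (along with `rc`, `ssh.conf`, `init.scm`, `conf.env` and `gitconfig`), and the replacement `(service pkg:syskeep-service-type)` takes no configuration, so whether those files—in particular the pinned `known_hosts`—are still provisioned cannot be seen in this hunk. If `pkg:syskeep-service-type` does not ship a `known_hosts`, outbound SSH from this host loses host-key pinning; a one-line comment naming what the service installs, e.g. `;; syskeep provides /etc/{rc,known_hosts,id_rsa.pub,ssh.conf,init.scm,conf.env,gitconfig}`, would settle it for the next reader. The enclosing `services` list starts and ends outside this hunk.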
@@ -455,11 +291,7 @@
'(("root" "andreh")
("eu" "andreh")
("mailing-list" "andreh"))))
- (modify-services %base-services
- (rottlog-service-type config =>
- (rottlog-configuration
- (inherit config)
- (rc-file (file-append q:rottlog-mailutils-sendmail "/etc/rc")))))))
+ pkg:base-services))
(bootloader
(bootloader-configuration
(bootloader grub-bootloader)