Diffstat (limited to 'src/guix/system.scm')
-rw-r--r-- | src/guix/system.scm | 218 |
1 files changed, 25 insertions, 193 deletions
diff --git a/src/guix/system.scm b/src/guix/system.scm index 73ca90a..27c6439 100644 --- a/src/guix/system.scm +++ b/src/guix/system.scm @@ -2,6 +2,7 @@ ((ice-9 textual-ports) #:prefix textual-ports:) ((srfi srfi-1) #:prefix s1:) ((xyz euandreh heredoc) #:prefix heredoc:) + ((org euandre packages) #:prefix pkg:) ((org euandre queue) #:prefix q:) (gnu) (guix build-system trivial) @@ -30,9 +31,15 @@ (define ipv4 "216.238.68.100") (define ipv6 "2001:19f0:b400:1f0c:5400:04ff:fe35:8c89") (define tld "euandre.org") +(define +tld+ tld) -(define users - '(("andreh" "EuAndreh" ("wheel" "become-deployer" "become-secrets-keeper")))) + +(define (path s) + ;; src/guix/system.scm + ../../../ = ./ + (string-append (dirname (dirname (dirname (current-filename)))) "/" s)) + +(define +users+ + `(("andreh" "EuAndreh" ("wheel") ,(path "src/keys/SSH/andreh.pub.txt")))) (define working-dir @@ -80,43 +87,6 @@ (description #f) (license #f))) -(define user-accounts - (map (lambda (user) - (let ((name (s1:first user)) - (comment (s1:second user)) - (groups (s1:third user))) - (user-account - (name name) - (comment comment) - (group "users") - (supplementary-groups groups)))) - users)) - -(define (ssh-file-for user) - (let ((name (s1:first user))) - (path (fmt "src/infrastructure/keys/SSH/~a.pub.txt" name)))) - -(define authorized-keys - (let ((users-with-keys - (map (lambda (user) - `(,@user ,(slurp (ssh-file-for user)))) - (filter (lambda (user) - (file-exists? (ssh-file-for user))) - users)))) - (append - (map (lambda (user) - (let ((name (s1:first user)) - (key (s1:fourth user))) - `(,name ,(plain-file (str name "-id_rsa.pub") - key)))) - users-with-keys) - `(("git" ,@(map (lambda (user) - (let ((name (s1:first user)) - (key (s1:fourth user))) - (plain-file (str name "-git-id_rsa.pub") - key))) - users-with-keys)))))) - (define ns (fmt "ns1.~a." tld)) (define mail (fmt "hostmaster.~a." tld)) 
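Review bot: `path` in the `@@ -30,9 +31,15 @@` hunk applies `dirname` directly to `(current-filename)`, which in Guile can expand to `#f` when the file is not loaded from a known source path, so a wrong-type error from `dirname` would surface instead of a clear message; consider `(string-append (dirname (dirname (dirname (or (current-filename) (error "path: source file name unknown"))))) "/" s)`. The key file recorded in `+users+` is resolved through the same helper, so a missing `src/keys/SSH/andreh.pub.txt` would also be hidden behind that unrelated error. The deleted `authorized-keys` checked `file-exists?` before slurping a key, and whether `pkg:users->keys` does the same is not visible from this file, so the `+users+` definition could carry a comment stating that the key path must exist when the system is built.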
@@ -215,159 +185,32 @@ (mail mail) (entries ipv6-reverse-domain-zone)))))) +(define package-symbols + '()) + +(define package-records + (list)) + (operating-system (locale "fr_FR.UTF-8") (timezone "America/Sao_Paulo") - (host-name tld) - (skeletons - `((".profile" - ,(plain-file "user-profile" - (file "src/infrastructure/config/profile.sh"))))) - (users - (append - (list - (user-account - (name "git") - (group "git") - (system? #t) - (comment "External SSH Git user") - (home-directory "/srv/git") - (create-home-directory? #f) - (shell - (file-append git "/bin/git-shell"))) - (user-account - (name "deployer") - (group "deployer") - (system? #t) - (comment "The account used to run deployment commands") - (home-directory "/var/empty") - (create-home-directory? #f) - (shell - (file-append shadow "/sbin/nologin"))) - (user-account - (name "secrets-keeper") - (group "secrets-keeper") - (system? #t) - (comment "The account used to manage production secrets") - (home-directory "/var/empty") - (create-home-directory? #f) - (shell - (file-append shadow "/sbin/nologin")))) - user-accounts - %base-user-accounts)) - (groups - (append - (list - (user-group - (name "git") - (system? #t)) - (user-group - (name "deployer") - (system? #t)) - (user-group - (name "become-deployer") - (system? #t)) - (user-group - (name "secrets-keeper") - (system? #t)) - (user-group - (name "become-secrets-keeper") - (system? 
#t))) - %base-groups)) - (sudoers-file - (plain-file "sudoers" #"- - root ALL=(ALL) ALL - %wheel ALL= ALL - %become-deployer ALL=(deployer) NOPASSWD: ALL - %become-secrets-keeper ALL=(secrets-keeper) NOPASSWD: /run/current-system/profile/bin/rsync, /run/current-system/profile/bin/setfacl, /run/current-system/profile/bin/rm - git ALL= NOPASSWD: /run/current-system/profile/bin/reconfigure, /run/current-system/profile/bin/cicd - git ALL=(deployer) NOPASSWD: /run/current-system/profile/bin/rsync, /run/current-system/profile/bin/mkdir - "#)) - (packages - (append - (map (compose list specification->package+output symbol->string) - '(parted - acl - bind:utils - tcpdump - knot:tools - file - git - guile-heredoc - entr - lsof - jq - moreutils - mailutils-sendmail - curl - make - gnupg - borg - rsync - sqlite - strace - rlwrap - trash-cli - tree)) - (list - (script "gc" (file "src/infrastructure/scripts/gc.sh")) - (script "cicd" (file "src/infrastructure/scripts/cicd.sh")) - (script "check" (file "src/infrastructure/scripts/check.sh")) - (script "backup" (file "src/infrastructure/scripts/backup.sh")) - (script "deploy" (file "src/infrastructure/scripts/deploy.sh")) - (script "report" (file "src/infrastructure/scripts/report.sh")) - (script "cronjob" (file "src/infrastructure/scripts/cronjob.sh")) - (script "reconfigure" (file "src/infrastructure/scripts/reconfigure.sh"))) - %base-packages)) + (host-name +tld+) + (skeletons pkg:skeletons) + (users (append (pkg:user-accounts +users+) %base-user-accounts)) + (packages (pkg:package-set package-symbols package-records)) (services (append (list - (service ntp-service-type) - (service dhcp-client-service-type) (service knot-service-type (knot-configuration (zones zones))) - (service openssh-service-type - (openssh-configuration - (openssh openssh-sans-x) - (password-authentication? 
#f) - (authorized-keys authorized-keys) - (extra-content #"- - ClientAliveInterval 30 - ClientAliveCountMax 20 - MaxSessions 20 - SetEnv GIT_CONFIG_GLOBAL=/etc/gitconfig - "#))) - (simple-service 'extra-rottlog-rotations rottlog-service-type - (list - (log-rotation - (frequency 'weekly) - (files '("/var/log/cronjobs.log")) - (options '("rotate 52"))))) + (service ntp-service-type) + (service dhcp-client-service-type) (service fail2ban-service-type) - (service mcron-service-type - (mcron-configuration - (jobs - (list - #~(job "0 0 * * *" "cronjob check") - #~(job "0 1 * * *" "cronjob env BORG_REPO=/mnt/backup/borg backup -q cron") - #~(job "0 2 * * *" "cronjob backup -q cron") - #~(job "0 3 * * 0" "cronjob gc") - #~(job "0 4 * * *" "cronjob reconfigure -U"))))) - (service certbot-service-type - (certbot-configuration - (email (str "root@" tld)) - (certificates - (list - (certificate-configuration - (domains (list tld)) - (deploy-hook - (program-file - "nginx-deploy-hook" - #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read))) - (kill pid SIGHUP))))))))) + (service openssh-service-type (q:openssh-default-configuration (pkg:users->keys +users+))) + (service certbot-service-type (q:tld-certbot-configuration +tld+)) (service nginx-service-type (nginx-configuration (server-blocks 
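Review bot: The rewritten `operating-system` form drops the visible SSH and sudo hardening without a comment saying where it went: `(password-authentication? #f)`, `openssh-sans-x` and the `extra-content` block become `(q:openssh-default-configuration (pkg:users->keys +users+))`, and the explicit `sudoers-file` and `groups` fields are removed, so the system now takes Guix's default `%sudoers-specification` and `%base-groups`. Whether `q:openssh-default-configuration` re-establishes the password-less login, and whether the mcron `check`/`backup`/`gc`/`reconfigure` jobs this hunk deletes live on in `pkg:base-services`, cannot be seen here; a one-line comment at the `openssh-service-type` line stating which of the removed settings the helper is expected to carry would let a reader verify it. As a point of style, `package-symbols` is written `'()` while `package-records` is `(list)`; both are the empty list, so one spelling, e.g. `(define package-records '())`, reads better. The `operating-system` form continues past this hunk, through `server-blocks`.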
@@ -415,14 +258,7 @@ add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains' always; "#))))))) (service cgit-service-type q:cgit-pre-configuration) - (simple-service 'extra-etc-file etc-service-type - `(("rc" ,(plain-file "rc.sh" (file "src/infrastructure/config/rc.sh"))) - ("known_hosts" ,(plain-file "known_hosts" (file "src/infrastructure/config/known_hosts.txt"))) - ("id_rsa.pub" ,(plain-file "id_rsa.pub" (file (fmt "src/infrastructure/keys/SSH/root@~a.id_rsa.pub.stripped" tld)))) - ("ssh.conf" ,(plain-file "ssh.conf" (file "src/infrastructure/config/ssh.conf"))) - ("init.scm" ,(plain-file "init.scm" (file "src/infrastructure/config/init.scm"))) - ("conf.env" ,(plain-file "conf.env" (file "src/infrastructure/config/conf.env"))) - ("gitconfig" ,(plain-file "gitconfig" (file "src/infrastructure/config/gitconfig"))))) + (service pkg:syskeep-service-type) (service git-daemon-service-type (git-daemon-configuration (export-all? #t))) @@ -455,11 +291,7 @@ '(("root" "andreh") ("eu" "andreh") ("mailing-list" "andreh")))) - (modify-services %base-services - (rottlog-service-type config => - (rottlog-configuration - (inherit config) - (rc-file (file-append q:rottlog-mailutils-sendmail "/etc/rc"))))))) + pkg:base-services)) (bootloader (bootloader-configuration (bootloader grub-bootloader) |
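Review bot: The removed `extra-etc-file` service installed `/etc/known_hosts`, `/etc/ssh.conf` and `/etc/id_rsa.pub` alongside the config files, and the replacement `(service pkg:syskeep-service-type)` gives no hint whether it provides the same entries; if it does not, outgoing SSH from this host loses its pinned host keys and client configuration. A comment on that line naming the `/etc` entries `syskeep-service-type` is responsible for, e.g. `;; provides /etc/{rc,known_hosts,id_rsa.pub,ssh.conf,init.scm,conf.env,gitconfig}`, would make the migration checkable. The `services` list this hunk sits in begins and ends outside the hunk.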
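Review bot: `pkg:base-services` in the `@@ -455,11 +291,7 @@` hunk replaces a `modify-services` over `%base-services` that pointed rottlog's `rc-file` at `q:rottlog-mailutils-sendmail`; whether the new value keeps that override is not visible here. A short comment next to `pkg:base-services`, stating that it is derived from `%base-services` with the rottlog rc-file override, would keep the intent readable in this file. The enclosing `services` `append` starts outside the hunk.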