(use-modules (guix gexp)
(gnu)
(guix)
((guix build utils) #:prefix utils:)
((guix modules) #:prefix modules:)
((srfi srfi-1) #:prefix srfi-1:)
(srfi srfi-26) ; cut utility
((ice-9 textual-ports) #:prefix textual-ports:)
((ice-9 ftw) #:prefix ftw:)
((ice-9 popen) #:prefix popen:)
((ice-9 rdelim) #:prefix rdelim:)
((ice-9 string-fun) #:prefix string-fun:))
(use-package-modules ssh
backup
version-control)
(use-service-modules networking
ssh
mcron
admin
mail
web
certbot
cgit)
;; Name of the single unprivileged login account created on the VPS.  The
;; same name is reused below as the SSH user that `guix deploy' logs in as.
(define user "andreh")
;; Domain name of the VPS, read from a file kept beside this configuration.
;; NOTE(review): `slurp' is not defined in this file — presumably it returns
;; the file's text; confirm it strips the trailing newline, because `tld' is
;; spliced verbatim into the nginx server name, the certbot e-mail address
;; and the deploy target's host name.
(define tld (slurp "servers/vps/tld.txt"))
;; sudoers policy: root as usual, and every member of `wheel' may run any
;; command without a password.  Since password SSH logins are disabled in the
;; openssh service below, holding the authorized SSH key of a wheel member is
;; equivalent to root on this host — keep that key as well protected as root.
(define sudoers "\
root ALL=(ALL) ALL
%wheel ALL=NOPASSWD: ALL\n")
;; Directory below which certbot keeps the per-domain "live" material that
;; `tls-pub-for' and `tls-priv-for' point into.  Trailing slash intended.
(define letsencrypt-prefix
"/etc/letsencrypt/live/")
;; Return the path of certbot's full chain file (leaf plus intermediates) for
;; DOMAIN, i.e. what nginx's `ssl-certificate' field expects.
(define (tls-pub-for domain)
  (let ((live-dir (string-append letsencrypt-prefix domain)))
    (string-append live-dir "/fullchain.pem")))
;; Return the path of the private key that certbot stores next to the chain
;; returned by `tls-pub-for' for DOMAIN (nginx's `ssl-certificate-key').
(define (tls-priv-for domain)
  (string-join (list letsencrypt-prefix domain "/privkey.pem") ""))
;; Domains served by the single nginx server block and covered by the one
;; certbot certificate below.  Currently only the bare `tld'; extra names
;; (e.g. a www. host) would have to be added here to be covered as well.
(define tls-domains
(list tld))
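;; The complete VPS operating system: one admin account, key-only SSH, an
;; anonymous git daemon, unattended upgrades, two cron jobs, and an nginx
;; front end whose certificate is obtained and renewed by certbot.
(define my-system
  (operating-system
    (host-name (slurp "servers/vps/hostname.txt"))
    ;; Single login account.  Membership in `wheel' grants passwordless sudo
    ;; under the `sudoers' policy defined above.
    (users (cons* (user-account
                   (name user)
                   (group "users")
                   (home-directory (string-append "/home/" user))
                   (supplementary-groups '("wheel")))
                  %base-user-accounts))
    (sudoers-file (plain-file "sudoers" sudoers))
    (packages
     (append (map (compose list specification->package+output symbol->string)
                  ;; required for guix pull
                  '(nss-certs))
             %base-packages))
    (services
     (append
      (list (service dhcp-client-service-type)
            ;; Key-only SSH: passwords off, root login off.  The authorized
            ;; key is the deploying user's ~/.ssh/id_rsa.pub, read at
            ;; evaluation time on the machine running `guix deploy'.
            (service openssh-service-type
                     (openssh-configuration
                      (openssh openssh-sans-x)
                      (password-authentication? #f)
                      (permit-root-login #f)
                      (authorized-keys
                       `((,user ,(local-file (string-append (getenv "HOME") "/.ssh/id_rsa.pub")))))))
            ;; `service' takes a service type; the previous revision passed the
            ;; deprecated `git-daemon-service' procedure here instead.
            ;; export-all? serves every repository under the daemon's base path
            ;; anonymously, with no git-daemon-export-ok marker required — only
            ;; repositories meant to be public should live there.
            (service git-daemon-service-type
                     (git-daemon-configuration
                      (export-all? #t)))
            ;; Daily at 03:30.
            (service unattended-upgrade-service-type
                     (unattended-upgrade-configuration
                      (schedule "30 3 * * *")))
            ;; Weekly store GC (Mondays 01:30) and a nightly backup (00:30).
            (service mcron-service-type
                     (mcron-configuration
                      (jobs
                       (list #~(job "30 1 * * 1" "/opt/bin/gc.sh")
                             #~(job "30 0 * * *" "/opt/bin/backup.sh")))))
            ;; The two ssl-* fields belong inside the server block record.  In
            ;; the previous revision the record was closed right after
            ;; `server-name', leaving them as stray expressions in the list,
            ;; so the block carried no TLS settings at all.  With the default
            ;; `listen' this block answers on both 80 and 443 — confirm whether
            ;; plain HTTP should instead redirect.
            (service nginx-service-type
                     (nginx-configuration
                      (server-blocks
                       (list (nginx-server-configuration
                              (server-name tls-domains)
                              (ssl-certificate (tls-pub-for tld))
                              (ssl-certificate-key (tls-priv-for tld)))))))
            ;; certbot obtains the certificate for `tls-domains' and places it
            ;; under `letsencrypt-prefix', where the paths above point.
            (service certbot-service-type
                     (certbot-configuration
                      (email (string-append "certbot@" tld))
                      (certificates
                       (list
                        (certificate-configuration
                         (domains tls-domains)))))))
      ;; Trust the deploying host's guix signing key so the daemon accepts
      ;; the store items (the built system) that `guix deploy' pushes over.
      ;; The key file is read from the deploying machine at evaluation time.
      (modify-services
       %base-services
       (guix-service-type
        config => (guix-configuration
                   (inherit config)
                   (authorized-keys
                    (append
                     (list (local-file "/etc/guix/signing-key.pub"))
                     %default-authorized-guix-keys)))))))
    (bootloader
     (bootloader-configuration
      (bootloader grub-bootloader)
      ;; Newer Guix spells this field `targets' (a list); `target' is kept
      ;; here as it still evaluates.
      (target "/dev/vda")
      (terminal-outputs '(console))))
    (swap-devices
     (list (uuid "79a91c82-f3e1-4ed7-8c4e-23569f1ae0ca")))
    (file-systems
     (cons* (file-system
             (mount-point "/")
             (device
              (uuid "fddb6a4c-8b8c-4f57-b274-5d6d33200f28"
                    'ext4))
             (type "ext4"))
            %base-file-systems))))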
;; The deployment target: the single VPS, reached over SSH as `user'.  The
;; server's ed25519 host key is pinned so `guix deploy' refuses to talk to a
;; host presenting a different key.
(let ((ssh-target (machine-ssh-configuration
                   (host-name tld)
                   (system "x86_64-linux")
                   (user user)
                   (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwnnw/u8ub+kcQhnVSyNWarYGH8aesUwIy4SIprufKf"))))
  (list (machine
         (configuration ssh-target)
         (environment managed-host-environment-type)
         (operating-system my-system))))