authorNils Gillmann <gillmann@infotropique.org>2018-03-31 13:04:55 +0000
committerNils Gillmann <gillmann@infotropique.org>2018-03-31 13:04:55 +0000
commitf7a6ab6cb6efe3af1a01d9c5054c0e2b75d7523e (patch)
treeabcdcc0c35f902ef0082c4b53da4e9721a76128e
parent55ac1b80973d782a2c1d509fb1f859f4920f9c21 (diff)
initial commit of guix directory
Signed-off-by: Nils Gillmann <gillmann@infotropique.org>
-rw-r--r--guix/config.scm195
-rw-r--r--guix/keys/ssh/grothoff.pub1
-rw-r--r--guix/keys/ssh/ng0.pub1
-rw-r--r--guix/modules/sysadmin/people.scm73
4 files changed, 270 insertions, 0 deletions
diff --git a/guix/config.scm b/guix/config.scm
new file mode 100644
index 0000000..dd16bf2
--- /dev/null
+++ b/guix/config.scm
@@ -0,0 +1,195 @@
+;; OS configuration for the taler.net server
+
+(use-modules (gnu)
+ (guix)
+ (sysadmin people))
+(use-service-modules base networking mcron ssh mail
+ version-control databases admin
+ web certbot)
+(use-package-modules admin linux ssh tls vim zile wget
+ ntp version-control)
+
+;;; Cron jobs
+;; FIXME: Create jobs.
+
+(define %sysadmins
+ ;; The sys-admins
+ (list (sysadmin (name "gillmann")
+ (full-name "Nils Gillmann")
+ (ssh-public-key (local-file "keys/ssh/ng0.pub")))
+ (sysadmin (name "grothoff")
+ (full-name "Christian Grothoff")
+ (ssh-public-key (local-file "keys/ssh/grothoff.pub")))))
+
+;;;
+;;; The OS definition
+;;;
+
+(operating-system
+ (host-name "taler.net")
+ (timezone "Europe/Berlin")
+ (locale "en_US.UTF-8")
+
+ ;; bootloader
+ (bootloader (grub-configuration (target "/dev/sda")
+ (terminal-outputs '(console))))
+
+ ;; file-systems
+ ;; single-disk configuration.
+ (file-systems (cons* (file-system
+ (device "my-root")
+ (title 'label)
+ (mount-point "/")
+ (type "ext4"))
+ (file-system
+ (device "my-home")
+ (title 'label)
+ (mount-point "/home")
+ (type "ext4"))
+ %base-file-systems))
+ ;; FIXME: RAID? -> mapped-devices
+ ;; FIXME: RAID? -> Add kernel module!
+ ;; FIXME: /home should be on luks encrypted device
+
+ ;; Local admin account
+ ;; FIXME: Do we really need this?
+ (users (cons (user-account
+ (name "local-admin")
+ (comment "Local admin")
+ (group "users")
+ (supplementary-groups '("wheel"))
+ (home-directory "/home/local-admin"))
+ %base-user-accounts))
+
+ (packages (append (map specification->package '("nvi"
+ "mg"
+ "openssh"
+ "gitolite"
+ "nss-certs"
+ "wget"
+ "mysql"
+ "certbot"))
+ %base-packages))
+
+ (services (cons*
+ (service sysadmin-service-type %sysadmins)
+
+ ;; Log rotation
+ (service rottlog-service-type (rottlog-configuration))
+
+ ;; CERTIFICATES
+ (service certbot-service-type
+ (certbot-configuration
+ (hosts '(("taler.net")))))
+
+ ;; MAIL
+ ;; FIXME: Policy is to just receive mail.
+ ;; Produce the /etc/alias file:
+ (service mail-aliases-service-type
+ '(("mailer-daemon" "postmaster")
+ ("postmaster" "root")
+ ("nobody" "root")
+ ("hostmaster" "root")
+ ("usenet" "root")
+ ("news" "root")
+ ("webmaster" "root")
+ ("www" "root")
+ ("ftp" "root")
+ ("abuse" "root")
+ ("noc" "root")
+ ("security" "root")
+ ("root" "grothoff")
+ ("gnunet" "grothoff")
+ ("durner" "ndurner")
+ ("torsten" "grothoff" "krista")
+ ("cor" "grothoff")
+ ("ng0" "ng0")
+ ("translations" "grothoff")
+ ("translators" "grothoff")
+ ("website" "grothoff")
+ ("gns-data" "grothoff" "wachs@net.in.tum.de" "schanzen@in.tum.de")))
+ ;; Depending on the final server policies, adjust to
+ ;; not send email or send email:
+ ;; Dovecot
+ (dovecot-service #:config
+ (dovecot-configuration
+ (mail-location "maildir:~/Maildir")))
+ ;; OpenSMTPD:
+ (service opensmtpd-service-type
+ (opensmtpd-configuration
+ (config-file (local-file "./opensmtpd/opensmtpd.conf"))))
+ ;; Extend the /etc-service. This creates the files OpenSMTPD
+ ;; wants and adds them to the /etc/ folder.
+ ;; (service etc-service-type
+ ;; (list `("vdoms.conf"
+ ;; ,(plain-file "vdoms.conf"
+ ;; "gnunet.org\n"))
+ ;; `("vusers.conf"
+ ;; ,(plain-file "vusers.conf"
+ ;; "grothoff@gnunet.org grothoff"))))
+
+ ;; SSH
+ (service openssh-service-type
+ (openssh-configuration
+ (port-number 22)
+ (password-authentication? #f)))
+
+ ;; Databases
+ (mysql-service
+ #:config
+ (mysql-configuration
+ ;; Defaults to mariadb,
+ ;; read `info guix services`, section databases.
+ ;;(mysql "mysql")
+ ;; Default portnumber, must be a NUMBER not a string.
+ (port 3306)))
+
+ ;; WEBSERVER
+ ;;(service nginx-service-type)
+ ;;(service fcgiwrap-service-type)
+ ;; FIXME: Check cgit-service-type + gitolite options.
+ ;; FIXME: Extend cgit service.
+ ;;(service cgit-service-type)
+
+ ;; CGIT:
+ ;;(service nginx-service-type)
+ ;; (service fcgiwrap-service-type)
+ ;; (service cgit-service-type)
+
+ ;; GIT
+ ;; Defaults to base-folder "/srv/git/"
+ (git-daemon-service
+ #:config (git-daemon-configuration
+ (user-path "git")))
+
+ ;; SERVE GIT OVER HTTP:
+ ;; FIXME: FAILING BUILD, USE WORKAROUND.
+ ;; (service nginx-service-type
+ ;; (nginx-configuration
+ ;; (server-blocks
+ ;; (list
+ ;; (nginx-server-configuration
+ ;; (http-port #f)
+ ;; (server-name "git.gnunet.org")
+ ;; (ssl-certificate
+ ;; "/etc/letsencrypt/live/git.gnunet.org/fullchain.pem")
+ ;; (ssl-certificate-key
+ ;; "/etc/letsencrypt/live/git.gnunet.org/privkey.pem")
+ ;; (locations
+ ;; (list
+ ;; (git-http-nginx-location-configuration
+ ;; (git-http-configuration (uri-path "/"))))))))))
+
+ ;; Networking
+ ;; FIXME: Complete this
+ (static-networking-service
+ "eth0" "2001:4ca0:2001:42:225:90ff:fe6b:d60"
+ #:netmask ""
+ #:gateway "2001:4ca0:2001:42::1"
+ #:name-servers '("" "" ""))
+ (static-networking-service
+ "eth1" "131.159.74.67"
+ #:netmask "255.255.255.240"
+ #:gateway "131.159.74.78"
+ #:name-servers '("" "" ""))
+ %base-services)))
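Review bot: The OpenSMTPD service is configured with `(config-file (local-file "./opensmtpd/opensmtpd.conf"))`, but this commit adds no such file (the diffstat lists only config.scm, two public keys and people.scm), so `guix system` cannot resolve the reference and the comment "Policy is to just receive mail" cannot be checked against any actual listener/relay configuration. Separately, sshd, git-daemon and MariaDB on `(port 3306)` are brought up on two static public addresses with no firewall service declared; unless the my.cnf Guix generates pins `bind-address` to loopback, the database port is reachable from both networks, so either add an iptables/nftables service or confirm the bind address before deploying. The `local-admin` account is added to `wheel` with no `password` field, and the FIXME already questions its need; since `%sysadmins` already yields wheel-capable accounts tied to SSH keys, the safer resolution is to drop this extra sudoer rather than carry one whose credential state is set out-of-band.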
diff --git a/guix/keys/ssh/grothoff.pub b/guix/keys/ssh/grothoff.pub
new file mode 100644
index 0000000..6af38a5
--- /dev/null
+++ b/guix/keys/ssh/grothoff.pub
@@ -0,0 +1 @@
+ssh-dss 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 grothoff@gnunet.org
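Review bot: This key is `ssh-dss`, i.e. a DSA key, which OpenSSH fixes at 1024 bits and has refused for public-key authentication by default since 7.0 (2015); the server in config.scm uses a stock `openssh-configuration` that does not widen `PubkeyAcceptedKeyTypes`, so this administrator's login is likely to be rejected outright, and re-enabling it would admit a key below current strength guidance. Replace it with an Ed25519 key (or RSA of at least 3072 bits), matching the `ssh-ed25519` key used for the other administrator, before relying on this file for `%sysadmins`.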
diff --git a/guix/keys/ssh/ng0.pub b/guix/keys/ssh/ng0.pub
new file mode 100644
index 0000000..6d4c6e1
--- /dev/null
+++ b/guix/keys/ssh/ng0.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOBsKO/O2K6Q2sQ1a6EVzQkcnI1QbWeQ14uuxn+MplGG ng0@khazad-dum-2016-04-17
diff --git a/guix/modules/sysadmin/people.scm b/guix/modules/sysadmin/people.scm
new file mode 100644
index 0000000..121c268
--- /dev/null
+++ b/guix/modules/sysadmin/people.scm
@@ -0,0 +1,73 @@
+;;; GNU Guix system administration tools.
+;;;
+;;; Copyright © 2016, 2017 Ludovic Courtès <ludo@gnu.org>
+;;;
+;;; This program is free software: you can redistribute it and/or modify
+;;; it under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation, either version 3 of the License, or
+;;; (at your option) any later version.
+;;;
+;;; This program is distributed in the hope that it will be useful,
+;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (sysadmin people)
+ #:use-module (guix gexp)
+ #:use-module (guix records)
+ #:use-module (gnu services)
+ #:use-module (gnu system shadow)
+ #:use-module (gnu services ssh)
+ #:use-module (gnu packages base)
+ #:use-module (ice-9 match)
+ #:export (sysadmin?
+ sysadmin
+ sysadmin-service-type))
+
+;;; Commentary:
+;;;
+;;; Declaration of system administrator user accounts.
+;;;
+;;; Code:
+
+(define-record-type* <sysadmin> sysadmin make-sysadmin
+ sysadmin?
+ (name sysadmin-name)
+ (full-name sysadmin-full-name)
+ (ssh-public-key sysadmin-ssh-public-key)
+ (restricted? sysadmin-restricted? (default #f)))
+
+(define (sysadmin->account sysadmin)
+ "Return the user account for SYSADMIN."
+ (match sysadmin
+ (($ <sysadmin> name comment _ restricted?)
+ (user-account
+ (name name)
+ (comment comment)
+ (group "users")
+ (supplementary-groups (if restricted?
+ '()
+ '("wheel" "kvm"))) ;sudoer
+ (home-directory (string-append "/home/" name))))))
+
+(define (sysadmin->authorized-key sysadmin)
+ "Return an authorized key tuple for SYSADMIN."
+ (list (sysadmin-name sysadmin)
+ (sysadmin-ssh-public-key sysadmin)))
+
+(define sysadmin-service-type
+ ;; The service that initializes sysadmin accounts.
+ (service-type
+ (name 'sysadmin)
+ (extensions (list (service-extension account-service-type
+ (lambda (lst)
+ (map sysadmin->account lst)))
+ (service-extension openssh-service-type
+ (lambda (lst)
+ (map sysadmin->authorized-key
+ lst)))))))
+
+;;; people.scm ends here
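Review bot: `sysadmin->account` grants every non-restricted admin both `"wheel"` and `"kvm"`, but the trailing `;sudoer` comment only explains wheel and nothing in the module says why a hosting server's administrators need `/dev/kvm` access; either drop `"kvm"` or document the need, e.g. `;; wheel: sudo via %base-services; kvm: <reason> (confirm)`. The positional pattern `($ <sysadmin> name comment _ restricted?)` binds fields by record order, so adding or reordering a field in `<sysadmin>` would silently mis-assign `comment` or `restricted?` rather than fail; using the generated accessors (`sysadmin-name`, `sysadmin-full-name`, `sysadmin-restricted?`), as `sysadmin->authorized-key` already does, avoids that. It is also worth stating in the record's commentary that `restricted?` only withholds group membership: a restricted admin still receives a login account and an SSH authorized key via the `openssh-service-type` extension.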