-rw-r--r--guix/config.scm51
-rw-r--r--guix/etc/nginx/sites-enabled/git.site5
2 files changed, 42 insertions, 14 deletions
diff --git a/guix/config.scm b/guix/config.scm
index 32adf8c..134351f 100644
--- a/guix/config.scm
+++ b/guix/config.scm
@@ -4,14 +4,16 @@
(guix)
(guix gexp))
(use-system-modules nss)
-(use-service-modules networking ssh version-control databases admin web)
-(use-package-modules base bash shells web)
+(use-service-modules networking sshversion-control databases admin web)
+(use-package-modules base bash shells web tls)
;;; --- cron jobs start
-(define %gc-job
- ;; Collect garbage once a day.
- #~(job '(next-hour '(4))
- (string-append #$guix "/bin/guix gc -F80G")))
+(define %certbot-job
+ ;; LE cert renewal 7d / 2
+ #~(job (lambda (now)
+ (next-day-from (next-hour-from now '(3))
+ '(2 5)))
+ (string-append #$certbot "/bin/certbot renew")))
;;; --- cron jobs end
;;; --- nginx start
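Review bot: The new `use-service-modules` line reads `sshversion-control`, fusing the `ssh` and `version-control` modules that the removed line kept separate; unless that is a rendering artifact, the configuration will fail to load and the line should read `(use-service-modules networking ssh version-control databases admin web)`. `%certbot-job` also has no scheduler in this commit: the mcron service that would run it is commented out in a later hunk, and that commented job list still names `%gc-job`, which this hunk removes. If I read mcron's API right, `next-day-from` takes days of the month, so `'(2 5)` fires on the 2nd and 5th at 03:00 rather than the "7d / 2" the comment suggests; harmless for a 90-day certificate, but the comment should match, e.g. `;; LE cert renewal on the 2nd and 5th of each month at 03:00`.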
@@ -21,6 +23,12 @@
;; the way which allows us to work directly on nginx files instead
;; of generating them through Guix, for now. Every update of the
;; nginx config requires a reconfigure!
+(define %nginx-deploy-hook
+ (program-file
+ "nginx-deploy-hook"
+ #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
+ (kill pid SIGHUP))))
+
(define %nginx-config
(computed-file "nginx-config"
(with-imported-modules '((guix build utils))
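Review bot: `%nginx-deploy-hook` sends SIGHUP to whatever `read` returns from `/var/run/nginx/pid` without checking it; if the file is absent or empty, `read` yields the EOF object and `kill` fails with a type error instead of a message naming the pid file. A guard before the `kill`, `(unless (integer? pid) (error "cannot read nginx pid from /var/run/nginx/pid" pid))`, makes a failed reload visible in certbot's output. Nothing in this diff passes the hook to `certbot renew` (the later "TODO: Use deploy-hook" still stands), so a renewed certificate is presumably not picked up by nginx until something else reloads it. The `%nginx-config` definition begins at the end of this hunk and continues past it.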
@@ -39,7 +47,7 @@
(copy-file #$(local-file "etc/nginx/sites-enabled/git-ssl.site")
"sites-enabled/git-ssl.site")))))
-;; TODO: Change to our file.
+;; this includes defaults, so 'fastcgi' related files:
(define %nginx-mime-types
(simple-service 'nginx-mime.types
etc-service-type
@@ -110,10 +118,10 @@
"curl" "gnutls-dane"
"gitolite"
"acme-client"
+ "buildbot"
; Website dependencies:
"python" "python-jinja2"
"python-sphinx"))
- ; "buildbot"
%base-packages))
;; TODO: cgit service?
@@ -139,6 +147,16 @@
"/bin/env"))
("/bin/ksh" ,(file-append (canonical-package loksh)
"/bin/ksh"))))
+ ;; TODO: Use deploy-hook
+ ;; TODO: Add git.taler.net
+ ;; (service certbot-service-type
+ ;; (certbot-configuration
+ ;; ;; FIXME: switch over to taler.net domain
+ ;; (email "cert-admin-taler@n0.is")
+ ;; (certificates
+ ;; (list
+ ;; (certificate-configuration
+ ;; (domains '("gv.taler.net")))))))
;; TODO: acme-client cronjob for:
;; taler.net www.taler.net api.taler.net lcov.taler.net
;; git.taler.net gauger.taler.net buildbot.taler.net
@@ -161,10 +179,10 @@
(password-authentication? #f)
(permit-root-login 'without-password)))
- (service rottlog-service-type (rottlog-configuration))
- (service mcron-service-type
- (mcron-configuration
- (jobs (list %gc-job %thing1))))
+ ;; (service rottlog-service-type (rottlog-configuration))
+ ;; (service mcron-service-type
+ ;; (mcron-configuration
+ ;; (jobs (list %gc-job %thing1))))
(service postgresql-service-type)
(git-daemon-service
#:config (git-daemon-configuration
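Review bot: Commenting out `rottlog-service-type` leaves the system with no log rotation for nginx, postgresql and the other services this file enables, so their logs grow until the disk fills; if the intent was only to drop the broken mcron job list, the rottlog line can stay as `(service rottlog-service-type (rottlog-configuration))`. The commented mcron block still references `%gc-job`, which this commit removes at the top of the file, and `%thing1`, which is not defined anywhere visible in the diff, so re-enabling it verbatim will fail; a note such as `;; re-enable with (jobs (list %certbot-job)) once the job list is fixed` would keep the intent clear.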
@@ -176,6 +194,15 @@
(constraint-from '("www.gnu.org"))
(constraints-from '("https://www.google.com/"))
(allow-large-adjustment? #t)))
+ ;; FIXME: To be able to better test and replicate this,
+ ;; we have to replicate what's done in nginx (copy into
+ ;; store, use location in store).
+ (service fcgiwrap-service-type
+ (fcgiwrap-configuration
+ (socket "/var/run/fcgiwrap.socket")))
+ ;; (service cgit-service-type
+ ;; (opaque-cgit-configuration
+ ;; (cgitrc "/etc/cgitrc")))
(service nginx-service-type
(nginx-configuration
(file (file-append %nginx-config
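Review bot: The fcgiwrap service is configured with only a socket path; anything that can connect to `/var/run/fcgiwrap.socket` can run CGI programs as the fcgiwrap user, so the socket's owner, group and mode, and the user and group fcgiwrap runs as, are the security boundary here and are left at the service's defaults without comment. Worth stating the expectation explicitly, e.g. `;; fcgiwrap runs as its default user/group; only the nginx worker user should be able to reach this socket -- confirm ownership and mode before enabling cgit`, and verifying that on the deployed host. The `nginx-service-type` form at the end of the hunk continues outside it.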
diff --git a/guix/etc/nginx/sites-enabled/git.site b/guix/etc/nginx/sites-enabled/git.site
index 4c0c9ea..b9b9fc4 100644
--- a/guix/etc/nginx/sites-enabled/git.site
+++ b/guix/etc/nginx/sites-enabled/git.site
@@ -3,8 +3,9 @@ server {
listen [::]:80; ## listen for ipv4; this line is default and implied
# listen [::]:80 default_server ipv6only=on; ## listen for ipv6
- root /var/git;
- server_name git.taler.net;
+ root /srv/git;
+ #server_name git.taler.net;
+ server_name gv.taler.net;
rewrite ^ https://$server_name$request_uri? permanent;
}
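Review bot: Commenting out `server_name git.taler.net;` means requests for that name no longer match this block and fall through to nginx's default server on port 80, which may not redirect to HTTPS at all; if git.taler.net should keep working during the move, list both names on one line, `server_name gv.taler.net git.taler.net;`, keeping in mind that `$server_name` in the rewrite expands to the first name listed. The `root /srv/git;` directive has no effect in a block whose only action is a permanent redirect, so it serves only as a hint to readers.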