From b47f4e2577d01ff57f165361d3c7b217ffc89331 Mon Sep 17 00:00:00 2001
From: Nils Gillmann
Date: Mon, 29 Oct 2018 13:01:39 +0000
Subject: guix config + nginx

Signed-off-by: Nils Gillmann
---
 guix/config.scm | 51 ++++++++++++++++++++++++++---------
 guix/etc/nginx/sites-enabled/git.site | 5 ++--
 2 files changed, 42 insertions(+), 14 deletions(-)

diff --git a/guix/config.scm b/guix/config.scm
index 32adf8c..134351f 100644
--- a/guix/config.scm
+++ b/guix/config.scm
@@ -4,14 +4,16 @@
 (guix) (guix gexp)) (use-system-modules nss) -(use-service-modules networking ssh version-control databases admin web) -(use-package-modules base bash shells web) +(use-service-modules networking sshversion-control databases admin web) +(use-package-modules base bash shells web tls) ;;; --- cron jobs start -(define %gc-job - ;; Collect garbage once a day. - #~(job '(next-hour '(4)) - (string-append #$guix "/bin/guix gc -F80G"))) +(define %certbot-job + ;; LE cert renewal 7d / 2 + #~(job (lambda (now) + (next-day-from (next-hour-from now '(3)) + '(2 5))) + (string-append #$certbot "/bin/certbot renew"))) ;;; --- cron jobs end ;;; --- nginx start
@@ -21,6 +23,12 @@
 ;; the way which allows us to work directly on nginx files instead ;; of generating them through Guix, for now. Every update of the ;; nginx config requires a reconfigure! +(define %nginx-deploy-hook + (program-file + "nginx-deploy-hook" + #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read))) + (kill pid SIGHUP)))) + (define %nginx-config (computed-file "nginx-config" (with-imported-modules '((guix build utils))
@@ -39,7 +47,7 @@
 (copy-file #$(local-file "etc/nginx/sites-enabled/git-ssl.site") "sites-enabled/git-ssl.site"))))) -;; TODO: Change to our file. +;; this includes defaults, so 'fastcgi' related files: (define %nginx-mime-types (simple-service 'nginx-mime.types etc-service-type 
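Review bot: As the hunk reads here, the added `(use-service-modules networking sshversion-control databases admin web)` has lost the space between `ssh` and `version-control` that the removed line had, so it names a single module `(gnu services sshversion-control)` that does not exist and the configuration should fail to load at `guix system reconfigure`, before anything else in this commit takes effect. It should read `(use-service-modules networking ssh version-control databases admin web)`. Replacing `%gc-job` with `%certbot-job` also removes the only scheduled `guix gc`; if the store is deliberately no longer collected, the cron-jobs section should say so, otherwise keep both jobs. The `'(2 5)` argument to `next-day-from` does not obviously match the `7d / 2` comment above it; a comment stating the intended schedule in words (hour and days) would remove the ambiguity.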
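Review bot: `%nginx-deploy-hook` passes whatever `read` returns from `/var/run/nginx/pid` straight to `kill`; an empty or partially written pid file yields the EOF object or some other non-integer and the hook then aborts with a type error instead of reloading, and a literal 0 would signal the whole process group. A guard such as `(when (and (integer? pid) (> pid 0)) (kill pid SIGHUP))` keeps the hook from ever signalling anything but a concrete nginx pid. Nothing in this commit references the hook yet (the certbot service that would take it is still commented out later in the file), so a comment above the define such as `;; Reload nginx after a certificate renewal; not yet wired into certbot-configuration.` would stop it reading as live code.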
@@ -110,10 +118,10 @@
 "curl" "gnutls-dane" "gitolite" "acme-client" + "buildbot" ; Website dependencies: "python" "python-jinja2" "python-sphinx")) - ; "buildbot" %base-packages)) ;; TODO: cgit service?
@@ -139,6 +147,16 @@
 "/bin/env")) ("/bin/ksh" ,(file-append (canonical-package loksh) "/bin/ksh")))) + ;; TODO: Use deploy-hook + ;; TODO: Add git.taler.net + ;; (service certbot-service-type + ;; (certbot-configuration + ;; ;; FIXME: switch over to taler.net domain + ;; (email "cert-admin-taler@n0.is") + ;; (certificates + ;; (list + ;; (certificate-configuration + ;; (domains '("gv.taler.net"))))))) ;; TODO: acme-client cronjob for: ;; taler.net www.taler.net api.taler.net lcov.taler.net ;; git.taler.net gauger.taler.net buildbot.taler.net
@@ -161,10 +179,10 @@
 (password-authentication? #f) (permit-root-login 'without-password))) - (service rottlog-service-type (rottlog-configuration)) - (service mcron-service-type - (mcron-configuration - (jobs (list %gc-job %thing1)))) + ;; (service rottlog-service-type (rottlog-configuration)) + ;; (service mcron-service-type + ;; (mcron-configuration + ;; (jobs (list %gc-job %thing1)))) (service postgresql-service-type) (git-daemon-service #:config (git-daemon-configuration
@@ -176,6 +194,15 @@
 (constraint-from '("www.gnu.org")) (constraints-from '("https://www.google.com/")) (allow-large-adjustment? #t))) + ;; FIXME: To be able to better test and replicate this, + ;; we have to replicate what's done in nginx (copy into + ;; store, use location in store). + (service fcgiwrap-service-type + (fcgiwrap-configuration + (socket "/var/run/fcgiwrap.socket"))) + ;; (service cgit-service-type + ;; (opaque-cgit-configuration + ;; (cgitrc "/etc/cgitrc"))) (service nginx-service-type (nginx-configuration (file (file-append %nginx-config
diff --git a/guix/etc/nginx/sites-enabled/git.site b/guix/etc/nginx/sites-enabled/git.site
index 4c0c9ea..b9b9fc4 100644
--- a/guix/etc/nginx/sites-enabled/git.site
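Review bot: Commenting out `mcron-service-type` in the `@@ -161,10` hunk means `%certbot-job`, which this same commit defines earlier in the file, is never scheduled, so the `certbot renew` it exists for will not run and any certificate obtained will lapse; the commented job list also still names `%gc-job`, which this commit deletes, so it cannot simply be uncommented later. Keep the service with `(jobs (list %certbot-job))` (plus `%thing1` if that is still defined) rather than removing it. Dropping `rottlog-service-type` at the same time leaves the system logs unrotated on a public-facing host, which ends in disk exhaustion; if rottlog was removed for a reason, the comment should state it.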
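Review bot: The new `fcgiwrap-service-type` entry in the `@@ -176,6` hunk pins only the socket path; which user and group fcgiwrap runs as, and therefore with whose privileges any CGI program nginx hands it is executed, is left to the service defaults — the `user` and `group` fields of `fcgiwrap-configuration` are where to make that choice explicit and keep it separate from the nginx user. Since `cgit-service-type` stays commented out, nothing in this commit uses the socket yet, and the FIXME above the service talks about the nginx config rather than this; a line such as `;; fcgiwrap is enabled ahead of the cgit service below; nothing uses the socket yet.` would make the state clear to the next reader. Which scripts nginx may route to the socket depends on the nginx location blocks, which are not part of this diff.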
+++ b/guix/etc/nginx/sites-enabled/git.site
@@ -3,8 +3,9 @@ server { listen [::]:80; ## listen for ipv4; this line is default and implied # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 - root /var/git; - server_name git.taler.net; + root /srv/git; + #server_name git.taler.net; + server_name gv.taler.net; rewrite ^ https://$server_name$request_uri? permanent; }
-- 
cgit v1.2.3
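Review bot: The redirect on the last line uses `$server_name`, so port-80 requests are now sent to `https://gv.taler.net…`; whether the TLS server block in the sibling `git-ssl.site` (copied alongside this file by config.scm) answers to that name is not visible in this diff and should be confirmed, otherwise the redirect lands on whichever server block is the default for 443. Commenting out `server_name git.taler.net;` means requests for the old name no longer reach this block and fall to nginx's default server instead of being redirected; if the old name is still published, list both, `server_name gv.taler.net git.taler.net;`, and redirect with `return 301 https://$host$request_uri;`, which preserves the requested host and is the form nginx documents in preference to `rewrite` for this case. `root /srv/git;` is unused by a block that only redirects, so it can be dropped or a comment can say why it stays.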