From f7a6ab6cb6efe3af1a01d9c5054c0e2b75d7523e Mon Sep 17 00:00:00 2001
From: Nils Gillmann
Date: Sat, 31 Mar 2018 13:04:55 +0000
Subject: initial commit of guix directory

Signed-off-by: Nils Gillmann
---
 guix/config.scm | 195 +++++++++++++++++++++++++++++++++++++++
 guix/keys/ssh/grothoff.pub | 1 +
 guix/keys/ssh/ng0.pub | 1 +
 guix/modules/sysadmin/people.scm | 73 +++++++++++++++
 4 files changed, 270 insertions(+)
 create mode 100644 guix/config.scm
 create mode 100644 guix/keys/ssh/grothoff.pub
 create mode 100644 guix/keys/ssh/ng0.pub
 create mode 100644 guix/modules/sysadmin/people.scm

diff --git a/guix/config.scm b/guix/config.scm
new file mode 100644
index 0000000..dd16bf2
--- /dev/null
+++ b/guix/config.scm
@@ -0,0 +1,195 @@
+;; OS configuration for the taler.net server
+
+(use-modules (gnu)
+ (guix)
+ (sysadmin people))
+(use-service-modules base networking mcron ssh mail
+ version-control databases admin
+ web certbot)
+(use-package-modules admin linux ssh tls vim zile wget
+ ntp version-control)
+
+;;; Cron jobs
+;; FIXME: Create jobs.
+
+(define %sysadmins
+ ;; The sys-admins
+ (list (sysadmin (name "gillmann")
+ (full-name "Nils Gillmann")
+ (ssh-public-key (local-file "keys/ssh/ng0.pub")))
+ (sysadmin (name "grothoff")
+ (full-name "Christian Grothoff")
+ (ssh-public-key (local-file "keys/ssh/grothoff.pub")))))
+
+;;;
+;;; The OS definition
+;;;
+
+(operating-system
+ (host-name "taler.net")
+ (timezone "Europe/Berlin")
+ (locale "en_US.UTF-8")
+
+ ;; bootloader
+ (bootloader (grub-configuration (target "/dev/sda")
+ (terminal-outputs '(console))))
+
+ ;; file-systems
+ ;; single-disk configuration.
+ (file-systems (cons* (file-system
+ (device "my-root")
+ (title 'label)
+ (mount-point "/")
+ (type "ext4"))
+ (file-system
+ (device "my-home")
+ (title 'label)
+ (mount-point "/home")
+ (type "ext4"))
+ %base-file-systems))
+ ;; FIXME: RAID? -> mapped-devices
+ ;; FIXME: RAID? -> Add kernel module!
+ ;; FIXME: /home should be on luks encrypted device
+
+ ;; Local admin account
+ ;; FIXME: Do we really need this?
+ (users (cons (user-account
+ (name "local-admin")
+ (comment "Local admin")
+ (group "users")
+ (supplementary-groups '("wheel"))
+ (home-directory "/home/local-admin"))
+ %base-user-accounts))
+
+ (packages (append (map specification->package '("nvi"
+ "mg"
+ "openssh"
+ "gitolite"
+ "nss-certs"
+ "wget"
+ "mysql"
+ "certbot"))
+ %base-packages))
+
+ (services (cons*
+ (service sysadmin-service-type %sysadmins)
+
+ ;; Log rotation
+ (service rottlog-service-type (rottlog-configuration))
+
+ ;; CERTIFICATES
+ (service certbot-service-type
+ (certbot-configuration
+ (hosts '(("taler.net")))))
+
+ ;; MAIL
+ ;; FIXME: Policy is to just receive mail.
+ ;; Produce the /etc/alias file:
+ (service mail-aliases-service-type
+ '(("mailer-daemon" "postmaster")
+ ("postmaster" "root")
+ ("nobody" "root")
+ ("hostmaster" "root")
+ ("usenet" "root")
+ ("news" "root")
+ ("webmaster" "root")
+ ("www" "root")
+ ("ftp" "root")
+ ("abuse" "root")
+ ("noc" "root")
+ ("security" "root")
+ ("root" "grothoff")
+ ("gnunet" "grothoff")
+ ("durner" "ndurner")
+ ("torsten" "grothoff" "krista")
+ ("cor" "grothoff")
+ ("ng0" "ng0")
+ ("translations" "grothoff")
+ ("translators" "grothoff")
+ ("website" "grothoff")
+ ("gns-data" "grothoff" "wachs@net.in.tum.de" "schanzen@in.tum.de")))
+ ;; Depending on the final server policies, adjust to
+ ;; not send email or send email:
+ ;; Dovecot
+ (dovecot-service #:config
+ (dovecot-configuration
+ (mail-location "maildir:~/Maildir")))
+ ;; OpenSMTPD:
+ (service opensmtpd-service-type
+ (opensmtpd-configuration
+ (config-file (local-file "./opensmtpd/opensmtpd.conf"))))
+ ;; Extend the /etc-service. This creates the files OpenSMTPD
+ ;; wants and adds them to the /etc/ folder.
+ ;; (service etc-service-type
+ ;; (list `("vdoms.conf"
+ ;; ,(plain-file "vdoms.conf"
+ ;; "gnunet.org\n"))
+ ;; `("vusers.conf"
+ ;; ,(plain-file "vusers.conf"
+ ;; "grothoff@gnunet.org grothoff"))))
+
+ ;; SSH
+ (service openssh-service-type
+ (openssh-configuration
+ (port-number 22)
+ (password-authentication? #f)))
+
+ ;; Databases
+ (mysql-service
+ #:config
+ (mysql-configuration
+ ;; Defaults to mariadb,
+ ;; read `info guix services`, section databases.
+ ;;(mysql "mysql")
+ ;; Default portnumber, must be a NUMBER not a string.
+ (port 3306)))
+
+ ;; WEBSERVER
+ ;;(service nginx-service-type)
+ ;;(service fcgiwrap-service-type)
+ ;; FIXME: Check cgit-service-type + gitolite options.
+ ;; FIXME: Extend cgit service.
+ ;;(service cgit-service-type)
+
+ ;; CGIT:
+ ;;(service nginx-service-type)
+ ;; (service fcgiwrap-service-type)
+ ;; (service cgit-service-type)
+
+ ;; GIT
+ ;; Defaults to base-folder "/srv/git/"
+ (git-daemon-service
+ #:config (git-daemon-configuration
+ (user-path "git")))
+
+ ;; SERVE GIT OVER HTTP:
+ ;; FIXME: FAILING BUILD, USE WORKAROUND.
+ ;; (service nginx-service-type
+ ;; (nginx-configuration
+ ;; (server-blocks
+ ;; (list
+ ;; (nginx-server-configuration
+ ;; (http-port #f)
+ ;; (server-name "git.gnunet.org")
+ ;; (ssl-certificate
+ ;; "/etc/letsencrypt/live/git.gnunet.org/fullchain.pem")
+ ;; (ssl-certificate-key
+ ;; "/etc/letsencrypt/live/git.gnunet.org/privkey.pem")
+ ;; (locations
+ ;; (list
+ ;; (git-http-nginx-location-configuration
+ ;; (git-http-configuration (uri-path "/"))))))))))
+
+ ;; Networking
+ ;; FIXME: Complete this
+ (static-networking-service
+ "eth0" "2001:4ca0:2001:42:225:90ff:fe6b:d60"
+ #:netmask ""
+ #:gateway "2001:4ca0:2001:42::1"
+ #:name-servers '("" "" ""))
+ (static-networking-service
+ "eth1" "131.159.74.67"
+ #:netmask "255.255.255.240"
+ #:gateway "131.159.74.78"
+ #:name-servers '("" "" ""))
+ %base-services)))
diff --git a/guix/keys/ssh/grothoff.pub b/guix/keys/ssh/grothoff.pub
new file mode 100644
index 0000000..6af38a5
--- /dev/null
+++ b/guix/keys/ssh/grothoff.pub
@@ -0,0 +1 @@
+ssh-dss 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 grothoff@gnunet.org
diff --git a/guix/keys/ssh/ng0.pub b/guix/keys/ssh/ng0.pub
new file mode 100644
index 0000000..6d4c6e1
--- /dev/null
+++ b/guix/keys/ssh/ng0.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOBsKO/O2K6Q2sQ1a6EVzQkcnI1QbWeQ14uuxn+MplGG ng0@khazad-dum-2016-04-17
diff --git a/guix/modules/sysadmin/people.scm b/guix/modules/sysadmin/people.scm
new file mode 100644
index 0000000..121c268
--- /dev/null
+++ b/guix/modules/sysadmin/people.scm
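Review bot: `(user-path "git")` on the git-daemon-service makes `git://taler.net/~someone/repo` resolve into `~someone/git/repo` for every account on the host, so the two sysadmins and `local-admin` can each export repositories outside the `/srv/git/` base path that the comment just above describes; if only `/srv/git/` is meant to be published, drop that line and say so: `;; Only /srv/git/ is exported; no per-user ~/git paths.` The `local-admin` account is declared with no `password` yet sits in `wheel`; if Guix brings such accounts up with an empty password (confirm against the `user-account` documentation), a console login gets sudo without any credential, which the FIXME on that block should settle before deployment. The opensmtpd-configuration points at `./opensmtpd/opensmtpd.conf`, which is not among the four files in this commit, so the configuration cannot be built as committed.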
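Review bot: `grothoff.pub` is an `ssh-dss` key, i.e. DSA, which OpenSSH has refused for user authentication by default since 7.0 (2015) and which is limited to 1024-bit keys with a nonce-sensitive signature scheme; as committed it would most likely be rejected by the openssh-service in `config.scm` rather than grant the intended `wheel` login, and enabling it via `PubkeyAcceptedKeyTypes` would trade that failure for a weak key. Generate an ed25519 key as `ng0.pub` already does and replace this file before the account is relied on. The key material itself is not visible in this rendering, so only the key type is being judged here.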
@@ -0,0 +1,73 @@
+;;; GNU Guix system administration tools.
+;;;
+;;; Copyright © 2016, 2017 Ludovic Courtès
+;;;
+;;; This program is free software: you can redistribute it and/or modify
+;;; it under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation, either version 3 of the License, or
+;;; (at your option) any later version.
+;;;
+;;; This program is distributed in the hope that it will be useful,
+;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with this program. If not, see .
+
+(define-module (sysadmin people)
+ #:use-module (guix gexp)
+ #:use-module (guix records)
+ #:use-module (gnu services)
+ #:use-module (gnu system shadow)
+ #:use-module (gnu services ssh)
+ #:use-module (gnu packages base)
+ #:use-module (ice-9 match)
+ #:export (sysadmin?
+ sysadmin
+ sysadmin-service-type))
+
+;;; Commentary:
+;;;
+;;; Declaration of system administrator user accounts.
+;;;
+;;; Code:
+
+(define-record-type* sysadmin make-sysadmin
+ sysadmin?
+ (name sysadmin-name)
+ (full-name sysadmin-full-name)
+ (ssh-public-key sysadmin-ssh-public-key)
+ (restricted? sysadmin-restricted? (default #f)))
+
+(define (sysadmin->account sysadmin)
+ "Return the user account for SYSADMIN."
+ (match sysadmin
+ (($ name comment _ restricted?)
+ (user-account
+ (name name)
+ (comment comment)
+ (group "users")
+ (supplementary-groups (if restricted?
+ '()
+ '("wheel" "kvm"))) ;sudoer
+ (home-directory (string-append "/home/" name))))))
+
+(define (sysadmin->authorized-key sysadmin)
+ "Return an authorized key tuple for SYSADMIN."
+ (list (sysadmin-name sysadmin)
+ (sysadmin-ssh-public-key sysadmin)))
+
+(define sysadmin-service-type
+ ;; The service that initializes sysadmin accounts.
+ (service-type
+ (name 'sysadmin)
+ (extensions (list (service-extension account-service-type
+ (lambda (lst)
+ (map sysadmin->account lst)))
+ (service-extension openssh-service-type
+ (lambda (lst)
+ (map sysadmin->authorized-key
+ lst)))))))
+
+;;; people.scm ends here
-- cgit v1.2.3
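Review bot: `sysadmin->account` puts every sysadmin in `wheel` and `kvm` unless `restricted?` is set, and the record defaults that field to `#f`, so an entry that simply omits it silently receives full sudo — neither sysadmin declared in `config.scm` sets it. Either flip the default to `(default #t)` and have the two admins opt in explicitly, or at least state what the default means next to the field: `;; #f (default): member of wheel, i.e. root via sudo; #t: plain login only.` The `;sudoer` comment does not account for the `"kvm"` membership, presumably for /dev/kvm access, which looks unrelated to administration and should be justified or dropped. The account is created without a `password`; if Guix initialises such accounts with an empty password (confirm), console login needs no credential until `passwd` is run, which matters for a `wheel` member. The record type name renders here as `sysadmin` rather than `<sysadmin>` in `(define-record-type* sysadmin make-sysadmin` and in the `($ …)` match pattern, presumably angle brackets stripped by the page rather than by the patch, so I am reading it in the usual Guix form.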