From d2617c6bb3b87c157e20a9df8ca6dfb8063756fe Mon Sep 17 00:00:00 2001
From: Nils Gillmann
Date: Tue, 25 Sep 2018 20:05:43 +0000
Subject: config
Signed-off-by: Nils Gillmann
---
 guix/config.scm | 242 ++++++++++++++++----------------------------------------
 1 file changed, 69 insertions(+), 173 deletions(-)
 (limited to 'guix')
diff --git a/guix/config.scm b/guix/config.scm
index eb3eafa..ca1769a 100644
--- a/guix/config.scm
+++ b/guix/config.scm
@@ -1,193 +1,89 @@
-;; OS configuration for the taler.net server
-
-(use-modules (gnu)
- (guix)
- (sysadmin people)
- (sysadmin services))
-(use-service-modules base networking mcron ssh mail
- version-control databases admin
- web certbot cgit)
-(use-package-modules admin linux ssh tls vim zile wget
- ntp version-control)
-
-;;; Cron jobs
-;; FIXME: Create jobs.
-
-(define %sysadmins
- (list (sysadmin (name "gillmann")
- (full-name "Nils Gillmann")
- (ssh-public-key (local-file "keys/ssh/ng0.pub")))
- (sysadmin (name "dold")
- (ssh-public-key (local-file "keys/ssh/dold.pub")))
- (sysadmin (name "stanisci")
- (ssh-public-key (local-file "keys/ssh/stanisci.pub")))
- (sysadmin (name "grothoff")
- (full-name "Christian Grothoff")
- (ssh-public-key (local-file "keys/ssh/grothoff.pub")))))
-
-;;; /etc/aliases
-;; Takes the local aliases file contained in this repository (../etc/aliases)
-;; and copy it to "/etc/aliases" in the OS resulting from this config.
-(define %aliases-etc-service
- (simple-service 'etc-/etc/aliases-init
- activation-service-type
- (with-imported-modules '((guix build utils))
- #~(begin
- (use-modules (guix build utils))
- (copy-file #$(local-file "../etc/aliases")
- "/etc/aliases")))))
-
-;; TODO: Do we need more than this hook?
-(define %nginx-deploy-hook
- (program-file "nginx-deploy-hook"
- #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
- (kill pid SIGHUP))))
-
-;;;
-;;; The OS definition
-;;;
+(use-modules
+ (srfi srfi-1)
+ (gnu)
+ (gnu services networking)
+ (gnu services ssh)
+ (gnu packages bootloaders)
+ (gnu packages wget)
+ (gnu packages base)
+ (gnu packages certs)
+ (gnu system nss)
+ (gnu packages vim)
+ (gnu packages cryptsetup))
+
+(use-package-modules certs screen text-editors tmux ssh)
+(use-service-modules networking ssh version-control databases admin)
 (operating-system
- ;; TODO: Hostname should be loaded from external file and be substituted,
- ;; same for some other basic values.
- (host-name "bfh.taler.net")
- (timezone "Europe/Berlin")
- (locale "en_US.UTF-8")
+ (host-name "gv")
+ (timezone "Europe/Paris")
+ (locale "en_US.utf8")
+ (initrd-modules (append (list "megaraid_sas")
+ ;; FIXME: Is this dropped from Linux entirely
+ ;; or is it a BUILT-IN now?
+ ;; LTS of linux still has "shpchp"
+ %base-initrd-modules))
- ;; bootloader
 (bootloader (bootloader-configuration
 (bootloader grub-bootloader)
- (target "/dev/sda")
- (terminal-outputs '(console))))
-
- ;; file-systems
- ;; TODO: Write functions for Hardware RAID
- ;; TODO: /home should be on luks encrypted device
- ;; single-disk configuration.
+ (target "/dev/sda")))
+
+ (users (cons* (user-account
+ (name "grothoff")
+ (comment "Christian Grothoff")
+ (group "users")
+ (supplementary-groups '("wheel" "netdev"))
+ (home-directory "/home/grothoff"))
+ (user-account
+ (name "dold")
+ (comment "Florian Dold")
+ (group "users")
+ (supplementary-groups '("wheel" "netdev"))
+ (home-directory "/home/dold"))
+ %base-user-accounts))
+
 (file-systems (cons* (file-system
- (device "my-root")
- (title 'label)
+ (device (uuid "304189db-f9df-4222-810d-94c993598c3b"))
 (mount-point "/")
 (type "ext4"))
- (file-system
- (device "my-home")
- (title 'label)
- (mount-point "/home")
- (type "ext4"))
+ ;;(file-system
+ ;;(mapped-device
+ ;; (source (uuid "6631d48c-1371-4b50-aa94-5863c706773e"))
+ ;; (target "home")
+ ;; (type luks-device-mapping))
+ ;; (mount-piont "/home")
+ ;; (type "ext4"))
 %base-file-systems))
- (packages (append (map specification->package '("nvi" "mg" "emacs-no-x"
- "openssh"
- "curl" "libmicrohttpd" "gnutls-dane"
- "sqlite" "jansson" "nss" "gmp"
- "bluez" "glib" "libogg" "python2"
- "perl" "doxygen"
- "opus" "pulseaudio"
- "libunistring" "libltdl" "zlib" "libgcrypt" "libextractor"
- "gstreamer" "gst-plugins-base" "libidn" "glpk"
- "gitolite"
- "nss-certs"
- "wget" "openssl"
- "postgresql"
- "certbot"))
+ (packages (append (map specification->package '("nvi" "mg" "cryptsetup"
+ "screen" 
"tmux" "wget" + "vim" "openssh" + "postgresql" "certbot" + "nss-certs")) %base-packages)) - (services (cons* - (ntp-service) - (service sysadmin-service-type %sysadmins) + (service static-networking-service-type + (list + (static-networking + (interface "enp4s0f1") + (ip "147.87.255.221") + (netmask "255.255.255.240") + (gateway "147.87.255.209") + (name-servers '("8.8.8.8"))))) - ;; Log rotation - (service rottlog-service-type (rottlog-configuration)) - - ;; certificates - (service certbot-service-type - (certbot-configuration - (email "admin@taler.net") - (certificates - (list - (certificate-configuration - (domains '("taler.net" "git.taler.net")) - (deploy-hook %nginx-deploy-hook)) - (certificate-configuration - (domains '("2.taler.net"))))))) - - ;; MAIL - ;; FIXME: Policy is to just RECEIVE mail. - ;; Produce the /etc/alias file: - ;; insert a service to copy local file to /etc/aliases here. - ;; Depending on the final server policies, adjust to - ;; not send email or send email: - ;; Dovecot - (dovecot-service #:config - (dovecot-configuration - (mail-location "maildir:~/Maildir"))) - ;; OpenSMTPD: - (service opensmtpd-service-type - (opensmtpd-configuration - (config-file (local-file "./opensmtpd/opensmtpd.conf")))) - ;; Extend the /etc-service. This creates the files OpenSMTPD - ;; wants and adds them to the /etc/ folder. - ;; (service etc-service-type - ;; (list `("vdoms.conf" - ;; ,(plain-file "vdoms.conf" - ;; "gnunet.org\n")) - ;; `("vusers.conf" - ;; ,(plain-file "vusers.conf" - ;; "grothoff@gnunet.org grothoff")))) - - ;; SSH (service openssh-service-type (openssh-configuration + (x11-forwarding? #t) (port-number 22) - (password-authentication? #f))) - - ;; Databases - ;; (mysql-service - ;; #:config - ;; (mysql-configuration - ;; ;; Defaults to mariadb, - ;; ;; read `info guix services`, section databases. - ;; ;;(mysql "mysql") - ;; ;; Default portnumber, must be a NUMBER not a string. - ;; (port 3306))) - ;; TODO: PostgreSQL -> exact config: ??? 
+ (password-authentication? #f)
+ (permit-root-login 'without-password)))
+
+ (service rottlog-service-type (rottlog-configuration))
 (service postgresql-service-type)
-
- ;; WEBSERVER
- ;;(service nginx-service-type)
- (service nginx-service-type
- (nginx-configuration
- (file
- (file-append %nginx-config "/bhf.conf"))))
- ;;(service fcgiwrap-service-type)
- ;; FIXME: Check cgit-service-type + gitolite options.
- ;; FIXME: Extend cgit service.
- ;;(service cgit-service-type)
- (service cgit-service-type
- (opaque-cgit-configuration
- (cgitrc "")))
-
- ;; CGIT:
- ;;(service nginx-service-type)
- ;; (service fcgiwrap-service-type)
- ;; (service cgit-service-type)
-
- ;; GIT
- ;; Defaults to base-folder "/srv/git/"
 (git-daemon-service #:config
 (git-daemon-configuration
 (user-path "git")))
-
- ;; Networking
- ;; FIXME: Complete this
- (static-networking-service
- "eth0" "2001:4ca0:2001:42:225:90ff:fe6b:d60"
- #:netmask ""
- #:gateway "2001:4ca0:2001:42::1"
- #:name-servers '("" "" ""))
- (static-networking-service
- "eth1" "131.159.74.67"
- #:netmask "255.255.255.240"
- #:gateway "131.159.74.78"
- #:name-servers '("" "" ""))
- %base-services)))
+ %base-services))
+
+ ;; Allow resolution of '.local' host names with mDNS.
+ (name-service-switch %mdns-host-lookup-nss))
--
cgit v1.2.3
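Review bot: The openssh-configuration in this hunk keeps `(password-authentication? #f)` and adds `(permit-root-login 'without-password)`, yet the new file declares no SSH key at all: the removed `%sysadmins` list carried an `ssh-public-key` per admin, while the new `user-account` records for grothoff and dold carry none and the openssh-configuration has no `authorized-keys` entry, so after a reconfigure every SSH login depends on keys provisioned outside this config. Root login is additionally opened by the new `permit-root-login` line; since both admins are in `wheel`, prefer `(permit-root-login #f)` and declare the admins' keys in-config through the `authorized-keys` field of `openssh-configuration`, pointing each user name at the matching key file the old config already shipped (`keys/ssh/grothoff.pub`, `keys/ssh/dold.pub`). `(x11-forwarding? #t)` is also newly enabled and a headless server with a public address has no use for it; leave it at the default unless there is a concrete need. Separately, the commented-out LUKS block for /home spells the field `mount-piont`, which will fail the moment someone uncomments it.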