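;; OS configuration for the taler.net server

(use-modules (gnu) (guix)
             (sysadmin people)
             (sysadmin services))
(use-service-modules base networking mcron ssh mail version-control
                     databases admin web certbot cgit)
(use-package-modules admin linux ssh tls vim zile wget ntp version-control)

;;; Cron jobs
;; FIXME: Create jobs.

;; Administrators with SSH access.  Each entry is bound to a public key
;; checked into keys/ssh/; every key listed here is a login on the server,
;; so keep the list minimal and remove entries when people leave.
(define %sysadmins
  (list (sysadmin (name "gillmann")
                  (full-name "Nils Gillmann")
                  (ssh-public-key (local-file "keys/ssh/ng0.pub")))
        (sysadmin (name "dold")
                  (ssh-public-key (local-file "keys/ssh/dold.pub")))
        (sysadmin (name "stanisci")
                  (ssh-public-key (local-file "keys/ssh/stanisci.pub")))
        (sysadmin (name "grothoff")
                  (full-name "Christian Grothoff")
                  (ssh-public-key (local-file "keys/ssh/grothoff.pub")))))

;;; /etc/aliases
;; Takes the local aliases file contained in this repository (../etc/aliases)
;; and copies it to "/etc/aliases" in the OS resulting from this config.
;; This is an activation snippet, so it runs on every boot and on every
;; `guix system reconfigure'.  It is registered in the MAIL section of the
;; services list below.
(define %aliases-etc-service
  (simple-service 'etc-/etc/aliases-init
                  activation-service-type
                  (with-imported-modules '((guix build utils))
                    #~(begin
                        (use-modules (guix build utils))
                        (copy-file #$(local-file "../etc/aliases")
                                   "/etc/aliases")))))

;; Certbot deploy hook: send SIGHUP to the running nginx so that a renewed
;; certificate is actually served.  `read' returns the EOF object on an
;; empty or truncated pid file, and `kill' would then raise a wrong-type
;; error, turning every renewal into a hook failure; the `integer?' guard
;; makes the hook a no-op in that case (a missing pid file still raises,
;; which is what we want to see in the certbot log).
;; TODO: Do we need more than this hook?
(define %nginx-deploy-hook
  (program-file "nginx-deploy-hook"
                #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
                    (when (integer? pid)
                      (kill pid SIGHUP)))))

;;;
;;; The OS definition
;;;

(operating-system
  ;; TODO: Hostname should be loaded from external file and be substituted,
  ;; same for some other basic values.
  (host-name "bfh.taler.net")
  (timezone "Europe/Berlin")
  (locale "en_US.UTF-8")

  ;; bootloader
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (target "/dev/sda")
               (terminal-outputs '(console))))

  ;; file-systems
  ;; TODO: Write functions for Hardware RAID
  ;; TODO: /home should be on luks encrypted device
  ;; single-disk configuration.
  (file-systems (cons* (file-system
                         (device "my-root")
                         (title 'label)
                         (mount-point "/")
                         (type "ext4"))
                       (file-system
                         (device "my-home")
                         (title 'label)
                         (mount-point "/home")
                         (type "ext4"))
                       %base-file-systems))

  ;; System-wide packages.  NOTE(review): several of these (bluez,
  ;; pulseaudio, gstreamer, python2, ...) look like build-time dependencies
  ;; of Taler/GNUnet rather than anything a headless server needs; every
  ;; extra package is extra attack surface and update burden, so consider
  ;; trimming this list once the build setup is settled.
  (packages (append (map specification->package
                         '("nvi" "mg" "emacs-no-x" "openssh" "curl"
                           "libmicrohttpd" "gnutls-dane" "sqlite" "jansson"
                           "nss" "gmp" "bluez" "glib" "libogg" "python2"
                           "perl" "doxygen" "opus" "pulseaudio"
                           "libunistring" "libltdl" "zlib" "libgcrypt"
                           "libextractor" "gstreamer" "gst-plugins-base"
                           "libidn" "glpk" "gitolite" "nss-certs" "wget"
                           "openssl" "postgresql" "certbot"))
                    %base-packages))

  (services (cons* (ntp-service)
                   (service sysadmin-service-type %sysadmins)

                   ;; Log rotation
                   (service rottlog-service-type (rottlog-configuration))

                   ;; certificates
                   ;; Every certificate gets the nginx reload hook: a
                   ;; certificate that is renewed on disk but never reloaded
                   ;; is still served stale until the next restart.
                   (service certbot-service-type
                            (certbot-configuration
                             (email "admin@taler.net")
                             (certificates
                              (list
                               (certificate-configuration
                                (domains '("taler.net" "git.taler.net"))
                                (deploy-hook %nginx-deploy-hook))
                               (certificate-configuration
                                (domains '("2.taler.net"))
                                (deploy-hook %nginx-deploy-hook))))))

                   ;; MAIL
                   ;; FIXME: Policy is to just RECEIVE mail.
                   ;; Produce the /etc/aliases file from ../etc/aliases
                   ;; (see %aliases-etc-service at the top of this file).
                   %aliases-etc-service
                   ;; Depending on the final server policies, adjust to
                   ;; not send email or send email:
                   ;; Dovecot
                   (dovecot-service #:config
                                    (dovecot-configuration
                                     (mail-location "maildir:~/Maildir")))
                   ;; OpenSMTPD: the listen/relay policy lives entirely in
                   ;; ./opensmtpd/opensmtpd.conf; review that file together
                   ;; with this one when changing the mail policy.
                   (service opensmtpd-service-type
                            (opensmtpd-configuration
                             (config-file
                              (local-file "./opensmtpd/opensmtpd.conf"))))
                   ;; Extend the /etc-service. This creates the files OpenSMTPD
                   ;; wants and adds them to the /etc/ folder.
                   ;; (service etc-service-type
                   ;;          (list `("vdoms.conf"
                   ;;                  ,(plain-file "vdoms.conf"
                   ;;                               "gnunet.org\n"))
                   ;;                `("vusers.conf"
                   ;;                  ,(plain-file "vusers.conf"
                   ;;                               "grothoff@gnunet.org grothoff"))))

                   ;; SSH: key-only logins for the accounts in %sysadmins.
                   ;; Root login is refused explicitly rather than relying on
                   ;; the service default; admins log in as themselves.
                   (service openssh-service-type
                            (openssh-configuration
                             (port-number 22)
                             (permit-root-login #f)
                             (password-authentication? #f)))

                   ;; Databases
                   ;; (mysql-service
                   ;;  #:config
                   ;;  (mysql-configuration
                   ;;   ;; Defaults to mariadb,
                   ;;   ;; read `info guix services`, section databases.
                   ;;   ;;(mysql "mysql")
                   ;;   ;; Default portnumber, must be a NUMBER not a string.
                   ;;   (port 3306)))
                   ;; TODO: PostgreSQL -> exact config: ???
                   ;; NOTE(review): this is the stock configuration (default
                   ;; port and pg_hba); check what it exposes before the
                   ;; server is reachable from outside.
                   (service postgresql-service-type)

                   ;; WEBSERVER
                   ;;(service nginx-service-type)
                   ;; %nginx-config is not defined in this file (presumably
                   ;; from (sysadmin services)).  NOTE(review): the file is
                   ;; named "bhf.conf" while the host is "bfh.taler.net" --
                   ;; confirm this is not a typo.
                   (service nginx-service-type
                            (nginx-configuration
                             (file (file-append %nginx-config "/bhf.conf"))))
                   ;;(service fcgiwrap-service-type)
                   ;; FIXME: Check cgit-service-type + gitolite options.
                   ;; FIXME: Extend cgit service.
                   ;;(service cgit-service-type)
                   ;; An empty cgitrc: nothing is exported until this is
                   ;; filled in.
                   (service cgit-service-type
                            (opaque-cgit-configuration
                             (cgitrc "")))
                   ;; CGIT:
                   ;;(service nginx-service-type)
                   ;; (service fcgiwrap-service-type)
                   ;; (service cgit-service-type)

                   ;; GIT
                   ;; Defaults to base-folder "/srv/git/"
                   ;; git:// is anonymous, unauthenticated read access; only
                   ;; repositories meant to be public belong under the
                   ;; exported path.
                   (git-daemon-service #:config
                                       (git-daemon-configuration
                                        (user-path "git")))

                   ;; Networking
                   ;; FIXME: Complete this.  The netmask and name-server
                   ;; strings below are still empty placeholders; fill them
                   ;; in before deploying, otherwise the box comes up without
                   ;; working name resolution.
                   (static-networking-service "eth0"
                                              "2001:4ca0:2001:42:225:90ff:fe6b:d60"
                                              #:netmask ""
                                              #:gateway "2001:4ca0:2001:42::1"
                                              #:name-servers '("" "" ""))
                   (static-networking-service "eth1" "131.159.74.67"
                                              #:netmask "255.255.255.240"
                                              #:gateway "131.159.74.78"
                                              #:name-servers '("" "" ""))
                   %base-services)))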