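;; OS configuration for the taler.net server
;;
;; Single-host Guix System declaration: ssh/mail/git/web/database services
;; plus a sysadmin list whose SSH keys are handed to sysadmin-service-type.
;; NOTE(review): a typo `(swervice postgresql-service-type)` in the services
;; list has been corrected to `(service ...)`; it was an unbound identifier.
(use-modules (gnu) (guix) (sysadmin people))
(use-service-modules base networking mcron ssh mail version-control
                     databases admin web certbot)
(use-package-modules admin linux ssh tls vim zile wget ntp version-control)

;;; Cron jobs
;; FIXME: Create jobs.

(define %sysadmins
  ;; The sys-admins.  TODO: More.
  ;; Each entry carries the public key file that grants that admin SSH
  ;; access (password authentication is disabled in the openssh service
  ;; below, so these keys are the only interactive login path declared here).
  (list (sysadmin (name "gillmann")
                  (full-name "Nils Gillmann")
                  (ssh-public-key (local-file "keys/ssh/ng0.pub")))
        (sysadmin (name "grothoff")
                  (full-name "Christian Grothoff")
                  (ssh-public-key (local-file "keys/ssh/grothoff.pub")))))

;;;
;;; The OS definition
;;;

(operating-system
  (host-name "bfh.taler.net")
  (timezone "Europe/Berlin")
  (locale "en_US.UTF-8")

  ;; bootloader
  (bootloader (grub-configuration (target "/dev/sda")
                                  (terminal-outputs '(console))))

  ;; file-systems
  ;; single-disk configuration.
  (file-systems (cons* (file-system
                         (device "my-root")
                         (title 'label)
                         (mount-point "/")
                         (type "ext4"))
                       (file-system
                         (device "my-home")
                         (title 'label)
                         (mount-point "/home")
                         (type "ext4"))
                       %base-file-systems))
  ;; FIXME: RAID? -> mapped-devices
  ;; FIXME: RAID? -> Add kernel module!
  ;; FIXME: /home should be on luks encrypted device

  ;; Local admin account
  ;; FIXME: Do we really need this?
  ;; (users (cons (user-account
  ;;               (name "local-admin")
  ;;               (comment "Local admin")
  ;;               (group "users")
  ;;               (supplementary-groups '("wheel"))
  ;;               (home-directory "/home/local-admin"))
  ;;              %base-user-accounts))

  (packages (append (map specification->package
                         '("nvi" "mg"                 ;editors
                           "openssh"
                           ;; GNUnet core dependencies
                           ;; FIXME: better would be to read gnunet-inputs and -native-inputs.
                           "curl" "libmicrohttpd" "gnutls/dane" "sqlite" "jansson"
                           "nss" "gmp" "bluez" "glib" "libogg" "python2" "perl"
                           "doxygen"                  ; FIXME: is perl necessary?
                           "opus" "pulseaudio"        ;PA on server, for building?
                           "libunistring" "libltdl" "zlib" "libgcrypt" "libextractor"
                           "gstreamer" "gst-plugins-base" "libidn" "glpk"
                           ;; -- end GNUnet core dependencies.
                           "gitolite" "nss-certs" "wget" "openssl" "postgres" "certbot"))
                    %base-packages))

  (services (cons* (service sysadmin-service-type %sysadmins)

                   ;; Log rotation
                   (service rottlog-service-type (rottlog-configuration))

                   ;; CERTIFICATES
                   ;; The git.taler.net entry must stay in sync with the
                   ;; /etc/letsencrypt/live/git.taler.net/ paths used by the
                   ;; nginx server block below, or that vhost will not start.
                   (service certbot-service-type
                            (certbot-configuration
                             ;; TODO: Any other (sub)domains?
                             (hosts '(("taler.net") ("git.taler.net")))))

                   ;; MAIL
                   ;; FIXME: Policy is to just RECEIVE mail.
                   ;; Produce the /etc/alias file:
                   ;; insert a service to copy local file to /etc/aliases here.
                   ;; Depending on the final server policies, adjust to
                   ;; not send email or send email:
                   ;; Dovecot
                   (dovecot-service #:config
                                    (dovecot-configuration
                                     (mail-location "maildir:~/Maildir")))
                   ;; OpenSMTPD: relay/receive policy lives entirely in the
                   ;; referenced config file, not in this declaration.
                   (service opensmtpd-service-type
                            (opensmtpd-configuration
                             (config-file (local-file "./opensmtpd/opensmtpd.conf"))))
                   ;; Extend the /etc-service.  This creates the files OpenSMTPD
                   ;; wants and adds them to the /etc/ folder.
                   ;; (service etc-service-type
                   ;;          (list `("vdoms.conf"
                   ;;                  ,(plain-file "vdoms.conf"
                   ;;                               "gnunet.org\n"))
                   ;;                `("vusers.conf"
                   ;;                  ,(plain-file "vusers.conf"
                   ;;                               "grothoff@gnunet.org grothoff"))))

                   ;; SSH
                   ;; Key-only logins on the default port; the accepted keys
                   ;; are presumably those from %sysadmins (confirm in the
                   ;; (sysadmin people) module).
                   (service openssh-service-type
                            (openssh-configuration
                             (port-number 22)
                             (password-authentication? #f)))

                   ;; Databases
                   ;; (mysql-service
                   ;;  #:config
                   ;;  (mysql-configuration
                   ;;   ;; Defaults to mariadb,
                   ;;   ;; read `info guix services`, section databases.
                   ;;   ;;(mysql "mysql")
                   ;;   ;; Default portnumber, must be a NUMBER not a string.
                   ;;   (port 3306)))
                   ;; TODO: PostgreSQL -> exact config: ???
                   ;; Runs with the service's default configuration; no
                   ;; listen address or client-authentication settings are
                   ;; declared here, so review them before relying on them.
                   (service postgresql-service-type)

                   ;; WEBSERVER
                   ;;(service nginx-service-type)
                   ;; Only a TLS listener is declared for git.taler.net here.
                   ;; NOTE(review): nginx-server-configuration documents
                   ;; server-name as a list of names (cf. the list form used
                   ;; for listen); confirm that a bare string is accepted.
                   (service nginx-service-type
                            (nginx-configuration
                             (server-blocks
                              (list
                               (nginx-server-configuration
                                (listen '("443 ssl"))
                                (server-name "git.taler.net")
                                (ssl-certificate "/etc/letsencrypt/live/git.taler.net/fullchain.pem")
                                (ssl-certificate-key "/etc/letsencrypt/live/git.taler.net/privkey.pem")
                                (locations
                                 (list
                                  (git-http-nginx-location-configuration
                                   (git-http-configuration (uri-path "/"))))))))))
                   ;;(service fcgiwrap-service-type)
                   ;; FIXME: Check cgit-service-type + gitolite options.
                   ;; FIXME: Extend cgit service.
                   ;;(service cgit-service-type)
                   ;; Empty cgitrc: no repository list or access settings are
                   ;; configured in this file; cgit uses its own defaults.
                   (service cgit-service-type
                            (opaque-cgit-configuration
                             (cgitrc "")))
                   ;; CGIT:
                   ;;(service nginx-service-type)
                   ;; (service fcgiwrap-service-type)
                   ;; (service cgit-service-type)

                   ;; GIT
                   ;; Defaults to base-folder "/srv/git/"
                   ;; Only user-path is set; export-all? and whitelist keep
                   ;; their service defaults (not declared here).
                   (git-daemon-service #:config
                                       (git-daemon-configuration
                                        (user-path "git")))
                   ;; SERVE GIT OVER HTTP:
                   ;; FIXME: FAILING BUILD, USE WORKAROUND.
                   ;; (service nginx-service-type
                   ;;          (nginx-configuration
                   ;;           (server-blocks
                   ;;            (list
                   ;;             (nginx-server-configuration
                   ;;              (http-port #f)
                   ;;              (server-name "git.gnunet.org")
                   ;;              (ssl-certificate
                   ;;               "/etc/letsencrypt/live/git.gnunet.org/fullchain.pem")
                   ;;              (ssl-certificate-key
                   ;;               "/etc/letsencrypt/live/git.gnunet.org/privkey.pem")
                   ;;              (locations
                   ;;               (list
                   ;;                (git-http-nginx-location-configuration
                   ;;                 (git-http-configuration (uri-path "/"))))))))))

                   ;; Networking
                   ;; FIXME: Complete this
                   ;; The empty netmask and name-server strings are
                   ;; placeholders and must be filled in before deploying;
                   ;; as written the host would presumably have no usable
                   ;; resolver configuration.
                   (static-networking-service "eth0" "2001:4ca0:2001:42:225:90ff:fe6b:d60"
                                              #:netmask ""
                                              #:gateway "2001:4ca0:2001:42::1"
                                              #:name-servers '("" "" ""))
                   (static-networking-service "eth1" "131.159.74.67"
                                              #:netmask "255.255.255.240"
                                              #:gateway "131.159.74.78"
                                              #:name-servers '("" "" ""))
                   %base-services)))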