path: root/guix/config.scm
blob: 8c66aa5fe796e8bab39312c2e40f24e1e373fb40 (plain)
;; OS configuration for the taler.net server

(use-modules (gnu)
             (guix)
             (sysadmin people))
(use-service-modules base networking mcron ssh mail
                     version-control databases admin
                     web certbot)
(use-package-modules admin linux ssh tls vim zile wget
                     ntp version-control)

;;; Cron jobs
;; FIXME: Create jobs.

(define %sysadmins
  ;; The sys-admins. TODO: More.
  ;; One entry per administrator: a login name, a display name and the
  ;; SSH public key file under keys/ssh/.  The list is handed to
  ;; sysadmin-service-type in the OS definition below; presumably that
  ;; service creates the accounts and installs the listed keys as the
  ;; only way in, since password SSH logins are disabled further down.
  (list (sysadmin (name "gillmann")
                  (full-name "Nils Gillmann")
                  (ssh-public-key (local-file "keys/ssh/ng0.pub")))
        (sysadmin (name "grothoff")
                  (full-name "Christian Grothoff")
                  (ssh-public-key (local-file "keys/ssh/grothoff.pub")))))

;;;
;;; The OS definition
;;;

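;; Whole-machine definition for bfh.taler.net: a single-disk host running
;; SSH (key-only), mail reception (Dovecot + OpenSMTPD), PostgreSQL, nginx
;; serving git over HTTPS, cgit, git-daemon and certbot-managed certificates.
;; Fix: the PostgreSQL service line previously read "swervice" (a typo),
;; which made the whole form fail with an unbound-variable error.
(operating-system
  (host-name "bfh.taler.net")
  (timezone "Europe/Berlin")
  (locale "en_US.UTF-8")

  ;; bootloader
  (bootloader (grub-configuration (target "/dev/sda")
                                  (terminal-outputs '(console))))

  ;; file-systems
  ;; single-disk configuration.
  (file-systems (cons* (file-system
                         (device "my-root")
                         (title 'label)
                         (mount-point "/")
                         (type "ext4"))
                       (file-system
                         (device "my-home")
                         (title 'label)
                         (mount-point "/home")
                         (type "ext4"))
                       %base-file-systems))
  ;; FIXME: RAID? -> mapped-devices
  ;; FIXME: RAID? -> Add kernel module!
  ;; FIXME: /home should be on luks encrypted device

  ;; Local admin account
  ;; FIXME: Do we really need this?
  ;; (users (cons (user-account
  ;;               (name "local-admin")
  ;;               (comment "Local admin")
  ;;               (group "users")
  ;;               (supplementary-groups '("wheel"))
  ;;               (home-directory "/home/local-admin"))
  ;;              %base-user-accounts))

  (packages (append (map specification->package '("nvi" "mg" ;editors
                                                  "openssh"
                                                  ;; GNUnet core dependencies
                                                  ;; FIXME: better would be to read gnunet-inputs and -native-inputs.
                                                  "curl" "libmicrohttpd" "gnutls/dane"
                                                  "sqlite" "jansson" "nss" "gmp"
                                                  "bluez" "glib" "libogg" "python2"
                                                  "perl" "doxygen" ; FIXME: is perl necessary?
                                                  "opus" "pulseaudio" ;PA on server, for building?
                                                  "libunistring" "libltdl" "zlib" "libgcrypt" "libextractor"
                                                  "gstreamer" "gst-plugins-base" "libidn" "glpk"
                                                  ;; -- end GNUnet core dependencies.
                                                  "gitolite"
                                                  "nss-certs"
                                                  "wget" "openssl"
                                                  "postgres"
                                                  "certbot"))
                    %base-packages))

  (services (cons*
             ;; Admin accounts + their SSH keys, from %sysadmins above.
             (service sysadmin-service-type %sysadmins)

             ;; Log rotation
             (service rottlog-service-type (rottlog-configuration))

             ;; CERTIFICATES
             (service certbot-service-type
                      (certbot-configuration
                       ;; TODO: Any other (sub)domains?
                       ;; NOTE(review): each host is wrapped in its own
                       ;; one-element list; confirm this is the shape the
                       ;; `hosts' field expects (a flat list of strings
                       ;; in some Guix versions).
                       (hosts '(("taler.net")
                                ("git.taler.net")))))

             ;; MAIL
             ;; FIXME: Policy is to just RECEIVE mail.
             ;; Produce the /etc/alias file:
             ;; insert a service to copy local file to /etc/aliases here.
             ;; Depending on the final server policies, adjust to
             ;; not send email or send email:
             ;; Dovecot
             (dovecot-service #:config
                              (dovecot-configuration
                               (mail-location "maildir:~/Maildir")))
             ;; OpenSMTPD:
             ;; The relay/receive policy lives entirely in the referenced
             ;; config file, not here.
             (service opensmtpd-service-type
                      (opensmtpd-configuration
                       (config-file (local-file "./opensmtpd/opensmtpd.conf"))))
             ;; Extend the /etc-service. This creates the files OpenSMTPD
             ;; wants and adds them to the /etc/ folder.
             ;; (service etc-service-type
             ;;          (list `("vdoms.conf"
             ;;                  ,(plain-file "vdoms.conf"
             ;;                               "gnunet.org\n"))
             ;;                `("vusers.conf"
             ;;                  ,(plain-file "vusers.conf"
             ;;                               "grothoff@gnunet.org grothoff"))))

             ;; SSH
             ;; Password logins are off: the only credentials accepted are
             ;; the public keys installed for the %sysadmins accounts.
             (service openssh-service-type
                      (openssh-configuration
                       (port-number 22)
                       (password-authentication? #f)))

             ;; Databases
             ;; (mysql-service
             ;;  #:config
             ;;  (mysql-configuration
             ;;   ;; Defaults to mariadb,
             ;;   ;; read `info guix services`, section databases.
             ;;   ;;(mysql "mysql")
             ;;   ;; Default portnumber, must be a NUMBER not a string.
             ;;   (port 3306)))
             ;;  TODO: PostgreSQL -> exact config: ???
             ;; Default PostgreSQL configuration (was misspelled "swervice").
             (service postgresql-service-type)

             ;; WEBSERVER
             ;;(service nginx-service-type)
             ;; HTTPS-only vhost for git.taler.net; the certificate files
             ;; are the ones certbot (above) writes under /etc/letsencrypt.
             ;; NOTE(review): on a first deployment those files presumably
             ;; do not exist until certbot has run once, so nginx may fail
             ;; to start on that boot -- verify the ordering.
             (service nginx-service-type
                      (nginx-configuration
                       (server-blocks
                        (list
                         (nginx-server-configuration
                          (listen '("443 ssl"))
                          (server-name "git.taler.net")
                          (ssl-certificate
                           "/etc/letsencrypt/live/git.taler.net/fullchain.pem")
                          (ssl-certificate-key
                           "/etc/letsencrypt/live/git.taler.net/privkey.pem")
                          (locations
                           (list
                            (git-http-nginx-location-configuration
                             (git-http-configuration (uri-path "/"))))))))))
             ;;(service fcgiwrap-service-type)
             ;; FIXME: Check cgit-service-type + gitolite options.
             ;; FIXME: Extend cgit service.
             ;;(service cgit-service-type)
             ;; Empty cgitrc: cgit runs with its built-in defaults only.
             (service cgit-service-type
                      (opaque-cgit-configuration
                       (cgitrc "")))

             ;; CGIT:
             ;;(service nginx-service-type)
             ;; (service fcgiwrap-service-type)
             ;; (service cgit-service-type)

             ;; GIT
             ;; Defaults to base-folder "/srv/git/"
             ;; git:// is unauthenticated, read-only access; `user-path'
             ;; additionally allows ~user/... repository URLs.  Only
             ;; repositories marked for export are served unless
             ;; export-all is turned on (it is not here) -- verify against
             ;; the git-daemon-configuration defaults in use.
             (git-daemon-service
              #:config (git-daemon-configuration
                        (user-path "git")))

             ;; SERVE GIT OVER HTTP:
             ;; FIXME: FAILING BUILD, USE WORKAROUND.
             ;; (service nginx-service-type
             ;;          (nginx-configuration
             ;;           (server-blocks
             ;;            (list
             ;;             (nginx-server-configuration
             ;;              (http-port #f)
             ;;              (server-name "git.gnunet.org")
             ;;              (ssl-certificate
             ;;               "/etc/letsencrypt/live/git.gnunet.org/fullchain.pem")
             ;;              (ssl-certificate-key
             ;;               "/etc/letsencrypt/live/git.gnunet.org/privkey.pem")
             ;;              (locations
             ;;               (list
             ;;                (git-http-nginx-location-configuration
             ;;                 (git-http-configuration (uri-path "/"))))))))))

             ;; Networking
             ;; FIXME: Complete this
             ;; The empty netmask and name-server strings are placeholders
             ;; and must be filled in before this configuration is deployed.
             (static-networking-service
              "eth0" "2001:4ca0:2001:42:225:90ff:fe6b:d60"
              #:netmask ""
              #:gateway "2001:4ca0:2001:42::1"
              #:name-servers '("" "" ""))
             (static-networking-service
              "eth1" "131.159.74.67"
              #:netmask "255.255.255.240"
              #:gateway "131.159.74.78"
              #:name-servers '("" "" ""))
             %base-services)))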