taler-deployment

Deployment scripts and configuration files

commit b0b5e7ecc7cc6e61e35bef15f46c1e688d5c70ac
parent d7d326acbff5cab9ed809dbcb7435e040ae21ac5
Author: Nils Gillmann <ng0@n0.is>
Date:   Sat,  4 Aug 2018 08:10:15 +0000

guix

Signed-off-by: Nils Gillmann <ng0@n0.is>

Diffstat:
Mguix/config.scm | 110++++++++++++++++++++++++++++++++-----------------------------------------------
1 file changed, 44 insertions(+), 66 deletions(-)

diff --git a/guix/config.scm b/guix/config.scm @@ -2,10 +2,11 @@ (use-modules (gnu) (guix) - (sysadmin people)) + (sysadmin people) + (sysadmin services)) (use-service-modules base networking mcron ssh mail version-control databases admin - web certbot) + web certbot cgit) (use-package-modules admin linux ssh tls vim zile wget ntp version-control) 
@@ -13,39 +14,55 @@ ;; FIXME: Create jobs. (define %sysadmins - ;; The sys-admins. TODO: More. (list (sysadmin (name "gillmann") (full-name "Nils Gillmann") (ssh-public-key (local-file "keys/ssh/ng0.pub"))) + (sysadmin (name "dold") + (ssh-public-key (local-file "keys/ssh/dold.pub"))) + (sysadmin (name "stanisci") + (ssh-public-key (local-file "keys/ssh/stanisci.pub"))) (sysadmin (name "grothoff") (full-name "Christian Grothoff") (ssh-public-key (local-file "keys/ssh/grothoff.pub"))))) ;;; /etc/aliases -;; this takes the local (repository!) aliases file and copies it to /etc/aliases -;; in the resulting OS. +;; Takes the local aliases file contained in this repository (../etc/aliases) +;; and copy it to "/etc/aliases" in the OS resulting from this config. (define %aliases-etc-service (simple-service 'etc-/etc/aliases-init + activation-service-type (with-imported-modules '((guix build utils)) #~(begin (use-modules (guix build utils)) (copy-file #$(local-file "../etc/aliases") "/etc/aliases"))))) +;; TODO: Do we need more than this hook? +(define %nginx-deploy-hook + (program-file "nginx-deploy-hook" + #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read))) + (kill pid SIGHUP)))) + ;;; ;;; The OS definition ;;; (operating-system - (host-name "bfh.taler.net") + ;; TODO: Hostname should be loaded from external file and be substituted, + ;; same for some other basic values. + (host-name "bfh.taler.net") (timezone "Europe/Berlin") (locale "en_US.UTF-8") ;; bootloader - (bootloader (grub-configuration (target "/dev/sda") - (terminal-outputs '(console)))) + (bootloader (bootloader-configuration + (bootloader grub-bootloader) + (target "/dev/sda") + (terminal-outputs '(console)))) ;; file-systems + ;; TODO: Write functions for Hardware RAID + ;; TODO: /home should be on luks encrypted device ;; single-disk configuration. (file-systems (cons* (file-system (device "my-root") 
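Review bot: `%nginx-deploy-hook` passes whatever `read` returns from `/var/run/nginx/pid` straight to `kill`, so when nginx is not running at the moment certbot fires the hook (pid file absent or empty) `read` yields the eof object and `kill` raises a wrong-type error rather than skipping the reload. Guarding both the file's existence and the parsed value keeps a non-running nginx from turning a successful renewal into a failed deploy hook. The `operating-system` form that starts later in this hunk continues past its end.
```scheme
(define %nginx-deploy-hook
  (program-file "nginx-deploy-hook"
                #~(let ((pidfile "/var/run/nginx/pid"))
                    ;; nginx may not be running when certbot fires the hook;
                    ;; an absent or empty pid file must not abort the renewal.
                    (when (file-exists? pidfile)
                      (let ((pid (call-with-input-file pidfile read)))
                        (when (integer? pid)
                          (kill pid SIGHUP)))))))
```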
@@ -58,51 +75,41 @@ (mount-point "/home") (type "ext4")) %base-file-systems)) - ;; FIXME: RAID? -> mapped-devices - ;; FIXME: RAID? -> Add kernel module! - ;; FIXME: /home should be on luks encrypted device - - ;; Local admin account - ;; FIXME: Do we really need this? - ;; (users (cons (user-account - ;; (name "local-admin") - ;; (comment "Local admin") - ;; (group "users") - ;; (supplementary-groups '("wheel")) - ;; (home-directory "/home/local-admin")) - ;; %base-user-accounts)) - - (packages (append (map specification->package '("nvi" "mg" ;editors + + (packages (append (map specification->package '("nvi" "mg" "emacs-no-x" "openssh" - ;; GNUnet core dependencies - ;; FIXME: better would be to read gnunet-inputs and -native-inputs. - "curl" "libmicrohttpd" "gnutls/dane" + "curl" "libmicrohttpd" "gnutls-dane" "sqlite" "jansson" "nss" "gmp" "bluez" "glib" "libogg" "python2" - "perl" "doxygen" ; FIXME: is perl necessary? - "opus" "pulseaudio" ;PA on server, for building? + "perl" "doxygen" + "opus" "pulseaudio" "libunistring" "libltdl" "zlib" "libgcrypt" "libextractor" "gstreamer" "gst-plugins-base" "libidn" "glpk" - ;; -- end GNUnet core dependencies. "gitolite" "nss-certs" "wget" "openssl" - "postgres" + "postgresql" "certbot")) %base-packages)) (services (cons* + (ntp-service) (service sysadmin-service-type %sysadmins) ;; Log rotation (service rottlog-service-type (rottlog-configuration)) - ;; CERTIFICATES + ;; certificates (service certbot-service-type (certbot-configuration - ;; TODO: Any other (sub)domains? - (hosts '(("taler.net") - ("git.taler.net"))))) + (email "admin@taler.net") + (certificates + (list + (certificate-configuration + (domains '("taler.net" "git.taler.net")) + (deploy-hook %nginx-deploy-hook)) + (certificate-configuration + (domains '("2.taler.net"))))))) ;; MAIL ;; FIXME: Policy is to just RECEIVE mail. 
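Review bot: The second `certificate-configuration`, for "2.taler.net", has no `deploy-hook`, while the first one reloads nginx through `%nginx-deploy-hook`; certbot renews each lineage independently, so after a renewal of the 2.taler.net certificate nginx keeps serving the old file until something else happens to reload it, which can run past expiry. Add `(deploy-hook %nginx-deploy-hook)` to that second certificate-configuration as well. The `(ntp-service)` now at the head of the services list is worth keeping next to certbot, since ACME validation and certificate validity both depend on a correct clock. The `services` list continues past the end of this hunk.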
@@ -144,25 +151,14 @@ ;; ;; Default portnumber, must be a NUMBER not a string. ;; (port 3306))) ;; TODO: PostgreSQL -> exact config: ??? - (swervice postgresql-service-type) + (service postgresql-service-type) ;; WEBSERVER ;;(service nginx-service-type) (service nginx-service-type (nginx-configuration - (server-blocks - (list - (nginx-server-configuration - (listen '("443 ssl")) - (server-name "git.taler.net") - (ssl-certificate - "/etc/letsencrypt/live/git.taler.net/fullchain.pem") - (ssl-certificate-key - "/etc/letsencrypt/live/git.taler.net/privkey.pem") - (locations - (list - (git-http-nginx-location-configuration - (git-http-configuration (uri-path "/")))))))))) + (file + (file-append %nginx-config "/bhf.conf")))) ;;(service fcgiwrap-service-type) ;; FIXME: Check cgit-service-type + gitolite options. ;; FIXME: Extend cgit service. @@ -182,24 +178,6 @@ #:config (git-daemon-configuration (user-path "git"))) - ;; SERVE GIT OVER HTTP: - ;; FIXME: FAILING BUILD, USE WORKAROUND. - ;; (service nginx-service-type - ;; (nginx-configuration - ;; (server-blocks - ;; (list - ;; (nginx-server-configuration - ;; (http-port #f) - ;; (server-name "git.gnunet.org") - ;; (ssl-certificate - ;; "/etc/letsencrypt/live/git.gnunet.org/fullchain.pem") - ;; (ssl-certificate-key - ;; "/etc/letsencrypt/live/git.gnunet.org/privkey.pem") - ;; (locations - ;; (list - ;; (git-http-nginx-location-configuration - ;; (git-http-configuration (uri-path "/")))))))))) - ;; Networking ;; FIXME: Complete this (static-networking-service
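Review bot: The nginx configuration is now read from `(file-append %nginx-config "/bhf.conf")`, but the host is named "bfh.taler.net" elsewhere in this file, so "bhf" looks like a transposition; if the file shipped under `%nginx-config` is actually `bfh.conf`, nginx fails to start on a missing config file. `%nginx-config` is not defined anywhere in this diff (presumably it comes from the newly imported `(sysadmin services)` module), so the name should be checked there. The removed server block also carried the TLS material paths, and because the certbot certificate above lists "taler.net" first, certbot names that lineage after it and the live directory becomes `/etc/letsencrypt/live/taler.net/`; the external file must not keep pointing at the `/etc/letsencrypt/live/git.taler.net/` paths the removed block used.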