;;; This file is part of GNU Taler.
;;; Copyright © 2018 GNUnet e.V.
;;;
;;; GNU Taler is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU Affero General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Taler is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;; GNU Affero General Public License for more details.
;;;
;;; You should have received a copy of the GNU Affero General Public License
;;; along with GNU Taler. If not, see <http://www.gnu.org/licenses/>.

;; Load modules relative to the script name.
;; The directory containing this file is prepended to %load-path at
;; load, compile and eval time -- presumably so that the non-Guix
;; modules used below, (taler-helpers) and (fixed-fcgiwrap), resolve.
;; NOTE(review): every module found there is evaluated with the
;; privileges of whoever runs the system reconfigure; keep that
;; directory writable only by the deploying user.
(eval-when (load compile eval)
  (set! %load-path
    (cons ((@ (guix utils) current-source-directory)) %load-path)))

(use-modules
 (srfi srfi-1)
 (ice-9 match)
 (gnu)
 (guix)
 (guix utils)
 (guix gexp)
 (guix records)
 (guix modules)
 ((gnu packages admin) #:select (shadow shepherd))
 (taler-helpers)
 ((fixed-fcgiwrap) #:prefix fixed:))

(use-system-modules nss)
(use-service-modules networking
                     ssh
                     version-control
                     cgit
                     databases
                     admin
                     web
                     shepherd)
(use-package-modules base
                     bash
                     shells
                     web
                     tls)

;;; Commentary:
;;;
;;; The GNU/Linux system that runs on gv.taler.net is defined here.
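;;; --- cron jobs start
;; Let's Encrypt renewal job.  The original note "7d / 2" suggests a
;; twice-weekly schedule, but `next-day-from' selects days of the
;; *month*, so as written this fires at 03:00 on the 2nd and the 5th.
;; NOTE(review): if twice a week was intended, use
;; `next-day-of-week-from' instead.  Harmless either way, since
;; `certbot renew' only acts on certificates that are close to expiry.
;; Currently unused: the mcron service that would run it is commented
;; out in the `services' field below.
(define %certbot-job
  ;; LE cert renewal 7d / 2
  #~(job (lambda (now)
           (next-day-from (next-hour-from now '(3))
                          '(2 5)))
         (string-append #$certbot "/bin/certbot renew")))
;;; --- cron jobs end

;; Deploy hook for certbot: tighten the renewed private key to 0600 and
;; HUP nginx so it re-reads the certificate.  certbot exports the
;; lineage directory in RENEWED_LINEAGE.
;; Only referenced from the commented-out certbot service below.
;; NOTE(review): `read' on an empty or missing pid file yields an EOF
;; object rather than an integer, and `kill' would then raise; the hook
;; does not guard against that.
;; (was `programm-file', an unbound name that made the whole config
;; fail to load.)
(define %my-deploy-hook
  (program-file "my-deploy-hook"
    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
             (cert-dir (getenv "RENEWED_LINEAGE"))
             (privkey (string-append cert-dir "/privkey.pem")))
        (chmod privkey #o600)
        (kill pid SIGHUP))))

;;; --- nginx start
;; TODO: Translate nginx code to guix nginx-service without a file
;; if possible with our config.
;; DOCUMENTATION: There are 2 ways to run nginx on GuixSD, we use
;; the way which allows us to work directly on nginx files instead
;; of generating them through Guix, for now. Every update of the
;; nginx config requires a reconfigure!
;; Reload-only hook (no key permission fix); currently unreferenced.
(define %nginx-deploy-hook
  (program-file
   "nginx-deploy-hook"
   #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
       (kill pid SIGHUP))))

;; Assemble an nginx configuration directory in the store from the
;; hand-written files under etc/nginx/.  nginx.conf is symlinked, the
;; rest are copied; both end up as read-only store items, so the
;; running nginx cannot be tampered with through this directory.
;; The plain-HTTP git.site is intentionally left out (TLS-only below).
(define %nginx-config
  (computed-file "nginx-config"
    (with-imported-modules '((guix build utils))
      #~(begin
          (use-modules (guix build utils))
          (mkdir #$output)
          (chdir #$output)
          (symlink #$(local-file "etc/nginx/nginx.conf")
                   "nginx.conf")
          (mkdir "conf.d")
          (copy-file #$(local-file "etc/nginx/conf.d/favicon_robots")
                     "conf.d/favicon_robots")
          (copy-file #$(local-file "etc/nginx/conf.d/talerssl")
                     "conf.d/talerssl")
          (mkdir "sites-enabled")
          ;; (copy-file #$(local-file "etc/nginx/sites-enabled/git.site")
          ;;            "sites-enabled/git.site")
          (copy-file #$(local-file "etc/nginx/sites-enabled/git-ssl.site")
                     "sites-enabled/git-ssl.site")
          (copy-file #$(local-file "etc/nginx/sites-enabled/default.site")
                     "sites-enabled/default.site")))))

;; this includes defaults, so 'fastcgi' related files:
;; Expose the packaged nginx conf directory (mime.types, fastcgi_params,
;; ...) as /etc/nginx so the hand-written config can `include' them.
(define %nginx-mime-types
  (simple-service 'nginx-mime.types
                  etc-service-type
                  `(("nginx" ,(file-append nginx "/share/nginx/conf")))))

;; Create nginx's cache directory at activation time.
;; NOTE(review): this runs as root and sets no owner or mode; confirm
;; the nginx worker user can actually write to /var/cache/nginx.
(define %nginx-cache-activation
  (simple-service 'nginx-/var/cache/nginx
                  activation-service-type
                  (with-imported-modules '((guix build utils))
                    #~(begin
                        (use-modules (guix build utils))
                        (mkdir-p "/var/cache/nginx")))))
;;; --- nginx end

(operating-system
  (host-name "gv")
  (timezone "Europe/Paris")
  (locale "en_US.utf8")
  ;; RAID controller driver needed to find the root device.
  (initrd-modules (cons* "megaraid_sas" %base-initrd-modules))
  ;; Serial console first so the BMC/IPMI console gets boot output.
  (kernel-arguments (list "console=ttyS0" "console=tty0"))

  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (target "/dev/sda")))

  ;; Four administrators, all in `wheel' (sudo), plus the unprivileged
  ;; `git' account that owns the gitolite repositories.
  (users
   (cons* (user-account
           (name "grothoff")
           (comment "Christian Grothoff")
           (group "users")
           (supplementary-groups '("wheel" "netdev" "kvm"))
           (home-directory "/home/grothoff"))
          (user-account
           (name "dold")
           (comment "Florian Dold")
           (group "users")
           (supplementary-groups '("wheel" "netdev" "kvm"))
           (home-directory "/home/dold"))
          (user-account
           (name "ng0")
           (comment "Nils Gillmann")
           (group "users")
           (supplementary-groups '("wheel" "netdev" "kvm"))
           (home-directory "/home/ng0"))
          (user-account
           (name "stanisci")
           (comment "Marcello Stanisci")
           (group "users")
           (supplementary-groups '("wheel" "netdev" "kvm"))
           (home-directory "/home/stanisci"))
          (user-account
           (name "git")
           (comment "gitolite")
           (group "git")
           (home-directory "/home/git"))
          %base-user-accounts))

  (groups (cons (user-group (name "git"))
                %base-groups))

  (file-systems
   (cons* (file-system
           (device (uuid "304189db-f9df-4222-810d-94c993598c3b"))
           (mount-point "/")
           (type "ext4"))
          %base-file-systems))

  (packages
   (append (map specification->package
                '("mg" "cryptsetup"
                  "screen" "tmux" "wget"
                  "vim" "openssh" "openssl"
                  "nvi"
                  "postgresql"
                  "nss-certs"
                  "curl"
                  "gnutls-dane"
                  "gitolite"
                  "acme-client"
                  #| "buildbot" |#
                  "fcgiwrap"
                  "python-future"
                  "python" "python-jinja2"
                  "python-sphinx"))
           %base-packages))

  ;; TODO: cgit service?
  ;; TODO: gitolite service?

  (services
   (cons*
    ;; Static public address.
    ;; NOTE(review): a single third-party resolver, queried over plain
    ;; UDP/53; consider a second resolver for availability and a local
    ;; validating cache if DNS answers matter (e.g. for ACME or DANE).
    (service static-networking-service-type
             (list
              (static-networking
               (interface "enp4s0f1")
               (ip "147.87.255.221")
               (netmask "255.255.255.240")
               (gateway "147.87.255.209")
               (name-servers '("8.8.8.8")))))

    (service special-files-service-type
             ;; Using 'canonical-package' as bash and coreutils
             ;; canonical packages are already a part of
             ;; '%base-packages'.
             `(("/bin/sh" ,(file-append (canonical-package bash)
                                        "/bin/sh"))
               ("/usr/bin/env" ,(file-append (canonical-package coreutils)
                                             "/bin/env"))
               ("/bin/ksh" ,(file-append (canonical-package loksh)
                                         "/bin/ksh"))))
    ;; TODO: Add git.taler.net
    ;; TODO: acme-client cronjob for:
    ;; taler.net www.taler.net api.taler.net lcov.taler.net
    ;; git.taler.net gauger.taler.net buildbot.taler.net
    ;; test.taler.net playground.test.taler.net
    ;; auditor.test.taler.net auditor.demo.taler.net
    ;; demo.taler.net shop.test.taler.net
    ;; shop.demo.taler.net survey.test.taler.net
    ;; survey.demo.taler.net donations.demo.taler.net
    ;; backend.test.taler.net backend.demo.taler.net
    ;; bank.test.taler.net bank.demo.taler.net
    ;; www.git.taler.net exchange.demo.taler.net
    ;; exchange.test.taler.net env.taler.net
    ;; envs.taler.net blog.demo.taler.net
    ;; blog.test.taler.net donations.test.taler.net
    ;; docs.taler.net intranet.taler.net stage.taler.net
    ;;(service certbot-service-type
    ;; (certbot-configuration
    ;; (email "cert-admin-taler@n0.is")
    ;; (certificates
    ;; (list
    ;; (certificate-configuration
    ;; (domains '("gv.taler.net"))
    ;; (deploy-hook %my-deploy-hook)))))))

    ;; SSH: key-only authentication.
    ;; NOTE(review): root is directly reachable with the union of all
    ;; four admin keys.  Since every admin is already in `wheel', root
    ;; key login adds no capability but loses per-user attribution in
    ;; the auth log; consider (permit-root-login #f).  X11 forwarding
    ;; is also enabled on a headless server and could be dropped.
    (service openssh-service-type
             (openssh-configuration
              (x11-forwarding? #t)
              (port-number 22)
              (password-authentication? #f)
              (permit-root-login 'without-password)
              (authorized-keys
               `(("root" ,(concat-local-files
                           "root.pub"
                           '("keys/ssh/grothoff.pub"
                             "keys/ssh/ng0.pub"
                             "keys/ssh/dold.pub"
                             "keys/ssh/stanisci.pub")))
                 ("stanisci" ,(local-file "keys/ssh/stanisci.pub"))
                 ("dold" ,(local-file "keys/ssh/dold.pub"))
                 ("ng0" ,(local-file "keys/ssh/ng0.pub"))
                 ("grothoff" ,(local-file "keys/ssh/grothoff.pub"))))))

    ;; (service rottlog-service-type (rottlog-configuration))
    ;; (service mcron-service-type
    ;;          (mcron-configuration
    ;;           (jobs (list %gc-job %thing1))))
    (service postgresql-service-type)
    ;; Unauthenticated git:// read access rooted at the git user's home.
    ;; NOTE(review): presumably only repositories flagged
    ;; git-daemon-export-ok are served -- confirm against the gitolite
    ;; setup before adding private repositories there.
    (git-daemon-service
     #:config (git-daemon-configuration
               (user-path "git")))
    ;; NTP client only (listens on loopback); the HTTPS constraint bounds
    ;; the accepted time against TLS-dated responses.
    (service openntpd-service-type
             (openntpd-configuration
              (listen-on '("127.0.0.1" "::1"))
              (sensor '("udcf0 correction 70000"))
              (constraint-from '("www.gnu.org"))
              (constraints-from '("https://www.google.com/"))
              (allow-large-adjustment? #t)))
    ;; FastCGI bridge for cgit, reachable only through a Unix socket.
    (service fixed:fcgiwrap-service-type
             (fixed:fcgiwrap-configuration
              (socket "unix:/var/run/fcgiwrap/fcgiwrap.socket")
              (adjusted-socket-permissions #t)
              (ensure-socket-dir? #t)))
    ;;(service cgit-service-type
    ;; (opaque-cgit-configuration
    ;; (cgitrc "/etc/deployment/guix/etc/cgitrc")))
    (service nginx-service-type
             (nginx-configuration
              (file (file-append %nginx-config
                                 "/nginx.conf"))))
    %nginx-mime-types
    %nginx-cache-activation
    ;; NOTE(review): substitutes from berlin are only used if its signing
    ;; key is in the daemon's authorized keys; adding the URL alone does
    ;; not extend trust, but confirm the key is in the default set.
    (modify-services %base-services
      (guix-service-type
       config =>
       (guix-configuration
        (inherit config)
        (substitute-urls
         (cons* "https://berlin.guixsd.org"
                %default-substitute-urls)))))))

  ;; Allow resolution of '.local' host names with mDNS.
  ;; NOTE(review): no mDNS responder (avahi) is enabled in this config,
  ;; so this NSS entry is likely inert; on a public host it can be
  ;; dropped to keep name resolution strictly DNS-based.
  (name-service-switch %mdns-host-lookup-nss))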