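;;; GNU Guix system administration tools.
;;;
;;; Copyright (C) Nils Gillmann <gillmann@n0.is>
;;; Parts and pieces initially taken from Guix' maintenance repository:
;;; Copyright © 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2017, 2018 Ricardo Wurmus <rekado@elephly.net>
;;;
;;; This program is free software: you can redistribute it and/or modify
;;; it under the terms of the GNU General Public License as published by
;;; the Free Software Foundation, either version 3 of the License, or
;;; (at your option) any later version.
;;;
;;; This program is distributed in the hope that it will be useful,
;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with this program.  If not, see <http://www.gnu.org/licenses/>.

(define-module (sysadmin services)
  #:use-module (guix gexp)
  #:use-module (gnu services)
  #:use-module (gnu services admin)
  #:use-module (gnu services base)
  #:use-module (gnu services cuirass)
  #:use-module (gnu services mcron)
  #:use-module (gnu services shepherd)
  #:use-module (gnu services ssh)
  #:use-module (gnu services web)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages package-management)
  #:use-module (gnu packages tls)
  #:use-module (gnu packages web)
  #:use-module (sysadmin people)
  #:use-module (srfi srfi-1)
  #:export (firewall-service
            default-services))

(define start-firewall
  ;; Rules to throttle malicious SSH connection attempts.  This will allow at
  ;; most 3 connections per minute from any host, and will block the host for
  ;; another minute if this rate is exceeded.  Taken from
  ;; <http://www.la-samhna.de/library/brutessh.html#3>.
  ;;
  ;; The rules are appended (-A) to INPUT unconditionally, so every start of
  ;; the 'firewall' service adds another copy of them; they also only take
  ;; effect if no earlier INPUT rule already accepts port 22 traffic.  The
  ;; expression evaluates to #f as soon as one iptables invocation fails.
  #~(let ((iptables
           (lambda (str)
             ;; Run the iptables binary with STR split on whitespace;
             ;; #t when it exits with status 0.
             (zero?
              (apply system*
                     #$(file-append iptables "/sbin/iptables")
                     (string-tokenize str))))))
      (format #t "Installing iptables SSH rules...~%")
      ;; 1. Remember every new connection to port 22 in the SSH list.
      ;; 2./3. Log, then drop, the 4th hit within 60 seconds from one host.
      (and (iptables "-A INPUT -p tcp --dport 22 -m state \
                      --state NEW -m recent --set --name SSH -j ACCEPT")
           (iptables "-A INPUT -p tcp --dport 22 -m recent \
                      --update --seconds 60 --hitcount 4 --rttl \
                      --name SSH -j LOG --log-prefix SSH_brute_force")
           (iptables "-A INPUT -p tcp --dport 22 -m recent \
                      --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP"))))

(define firewall-service
  ;; The "firewall".  Make it a Shepherd service because as an activation
  ;; script it might run too early, before the Netfilter modules can be
  ;; loaded for some reason.
  ;;
  ;; The 'start' procedure returns the value of START-FIREWALL, so a failed
  ;; iptables call leaves the service in the failed-to-start state; it is
  ;; not respawned.
  (simple-service 'firewall shepherd-root-service-type
                  (list (shepherd-service
                         (provision '(firewall))
                         (requirement '())
                         (start #~(lambda ()
                                    #$start-firewall))
                         (respawn? #f)))))

(define %nginx-config
  ;; Our nginx configuration directory.  It expects 'guix publish' to be
  ;; running on port 3000.  Not referenced by DEFAULT-SERVICES below.
  (computed-file "nginx-config"
                 (with-imported-modules '((guix build utils))
                   #~(begin
                       (use-modules (guix build utils))

                       (mkdir #$output)
                       (chdir #$output)
                       (symlink #$(local-file "nginx/berlin.conf")
                                "berlin.conf")
                       (copy-file #$(local-file
                                     "nginx/bayfront-locations.conf")
                                  "berlin-locations.conf")
                       ;; Point the copied locations file at the store
                       ;; directory holding the static HTML.
                       (substitute* "berlin-locations.conf"
                         (("@WWWROOT@")
                          #$(local-file "nginx/html/berlin" #:recursive? #t)))))))

(define %nginx-cache-activation
  ;; Make sure /var/cache/nginx exists on the first run.
  (simple-service 'nginx-/var/cache/nginx
                  activation-service-type
                  (with-imported-modules '((guix build utils))
                    #~(begin
                        (use-modules (guix build utils))
                        (mkdir-p "/var/cache/nginx")))))

(define %nginx-mime-types
  ;; Provide /etc/nginx/mime.types (and a bunch of other files.)
  (simple-service 'nginx-mime.types
                  etc-service-type
                  `(("nginx" ,(file-append nginx "/share/nginx/conf")))))


;; FIXME: Use certbot-service.
;; Initial list of domains:
;; taler.net www.taler.net api.taler.net lcov.taler.net git.taler.net
;; gauger.taler.net buildbot.taler.net test.taler.net playground.test.taler.net
;; auditor.test.taler.net auditor.demo.taler.net demo.taler.net shop.test.taler.net
;; shop.demo.taler.net survey.test.taler.net survey.demo.taler.net
;; donations.demo.taler.net backend.test.taler.net backend.demo.taler.net
;; bank.test.taler.net bank.demo.taler.net www.git.taler.net
;; exchange.demo.taler.net exchange.test.taler.net env.taler.net
;; envs.taler.net blog.demo.taler.net blog.test.taler.net
;; donations.test.taler.net docs.taler.net intranet.taler.net
;; stage.taler.net

(define %certbot-job
  ;; Attempt to renew the Let's Encrypt certificate twice a week.
  ;;
  ;; The job only runs 'certbot renew'; nothing here reloads nginx
  ;; afterwards, so a renewed certificate is picked up only once nginx is
  ;; reloaded by other means.
  ;; Fix: the schedule lambda takes NOW as its single parameter; the
  ;; previous form placed the NEXT-DAY-FROM call inside the parameter list
  ;; and left an unbalanced closing paren.
  #~(job (lambda (now)
           (next-day-from (next-hour-from now '(3))
                          '(2 5)))
         (string-append #$certbot "/bin/certbot renew")))

(define* (default-services sysadmins #:key nginx-config-file)
  "Return the list of default services for a machine administered by
SYSADMINS, which is handed to 'sysadmin-service-type'.  NGINX-CONFIG-FILE is
passed as the 'file' field of the nginx configuration; it is #f when not
given."
  (cons* (service rottlog-service-type (rottlog-configuration))
         (service mcron-service-type
                  (mcron-configuration
                   (jobs (list %certbot-job))))
         firewall-service

         (service nginx-service-type
                  (nginx-configuration
                   (file nginx-config-file)))

         ;; Fix: the definition above is %NGINX-MIME-TYPES (plural); the
         ;; singular spelling was an unbound variable.
         %nginx-mime-types
         %nginx-cache-activation

         (service openssh-service-type)
         (service sysadmin-service-type sysadmins)))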