From 8c2a9dd805d490275cab12929be4cf80c09a3703 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Fri, 28 Apr 2023 09:11:50 +0200
Subject: [PATCH] hosts/oswald: add mail, web and certificate services

---
 hosts/oswald/system.scm | 90 ++++++++++++++++++++++++++++-------------
 1 file changed, 62 insertions(+), 28 deletions(-)

diff --git a/hosts/oswald/system.scm b/hosts/oswald/system.scm
index 3af941d..329e403 100644
--- a/hosts/oswald/system.scm
+++ b/hosts/oswald/system.scm
@@ -8,10 +8,15 @@
 #:use-module (gnu services admin)
 #:use-module (gnu services networking)
 #:use-module (gnu services ssh)
+ #:use-module (gnu services web)
 #:use-module (guix packages)
 #:use-module (guix utils)
- #:use-module (srfi srfi-26)
- #:use-module (services chrony))
+ #:use-module (services certbot)
+ #:use-module (config base)
+ #:use-module (config mail))
+
+(define domain "kosobr.in")
+(define dkim-selector "20220826")
 
 ;; Use a lower DDR frequency to avoid random segfaults.
 ;; See .
@@ -27,11 +32,13 @@
 (substitute* "arch/arm/dts/rk3328-rock64-u-boot.dtsi"
 (("rk3328-sdram-lpddr3-1600.dtsi") "rk3328-sdram-lpddr3-666.dtsi"))))))))))
 
-(define chrony-config "\
-pool pool.ntp.org iburst
-makestep 1.0 3
-driftfile /var/lib/chrony/drift
-")
+; Reload servers on certificate update.
+(define (cert-deploy-hook pid-files)
+ (program-file
+ "cert-deploy-hook"
+ #~(for-each (lambda (pid-file)
+ (kill (call-with-input-file pid-file read) SIGHUP))
+ '#$pid-files)))
 
 (operating-system
 (host-name "oswald")
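Review bot: `(define dkim-selector "20220826")` introduces a magic value with no comment, and since it is only meaningful together with the DKIM signing key and the DNS record that presumably carries the matching `<selector>._domainkey` TXT entry, a later reader changing it has no hint of what else must move with it. I would put `;; DKIM selector handed to mail-services; rotate together with the signing key and publish the matching DNS record first.` above it. `domain` deserves a one-liner as well, e.g. `;; Primary domain shared by the web vhost, the mail setup and the certificate.`, especially since the certbot block in the last hunk still spells the same name out as a literal.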
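Review bot: `(kill (call-with-input-file pid-file read) SIGHUP)` in `cert-deploy-hook` signals whatever datum `read` returns, and a missing pid file raises out of `call-with-input-file` and aborts the whole hook before the remaining servers are reloaded. An empty file yields the EOF object, and a file containing `0` or a negative number would make `kill` target the caller's process group or every process its user may signal, which under a certbot deploy hook is presumably root. I would accept only a positive exact integer before calling `kill` and catch per-file errors so one bad file does not block the others; the reworked definition is below. The definition is complete within the hunk.
```scheme
; Reload servers on certificate update.
(define (cert-deploy-hook pid-files)
  (program-file
    "cert-deploy-hook"
    #~(for-each
       (lambda (pid-file)
         ;; One unreadable pid file must not prevent the other reloads.
         (catch #t
           (lambda ()
             (let ((pid (call-with-input-file pid-file read)))
               ;; Refuse EOF, garbage, 0 and negative values: kill would
               ;; otherwise target a process group instead of one daemon.
               (if (and (exact-integer? pid) (positive? pid))
                   (kill pid SIGHUP)
                   (format (current-error-port)
                           "~a: no valid pid, not signalling~%" pid-file))))
           (lambda (key . args)
             (format (current-error-port)
                     "~a: ~a ~s~%" pid-file key args))))
       '#$pid-files)))
```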
@@ -74,28 +81,55 @@ driftfile /var/lib/chrony/drift
 (cons* nss-certs rsync %base-packages))
 
 (services
- (cons*
- (service static-networking-service-type
- (list (static-networking
- (addresses (list (network-address
- (device "eth0")
- (value "192.168.0.3/24"))))
- (routes (list (network-route
- (destination "default")
- (gateway "192.168.0.1"))))
- (name-servers '("193.2.1.66" "193.2.1.72")))))
+ (append
+ (list
+ (service static-networking-service-type
+ (list (static-networking
+ (addresses (list (network-address
+ (device "eth0")
+ (value "192.168.1.3/24"))))
+ (routes (list (network-route
+ (destination "default")
+ (gateway "192.168.1.1"))))
+ (name-servers '("193.2.1.66" "193.2.1.72")))))
 
- (service chrony-service-type
- (chrony-configuration
- (config-file (plain-file "chrony.conf" chrony-config))
- (syscall-filter "1")))
+ (service nginx-service-type
+ (nginx-configuration
+ (extra-content "autoindex on;")
+ (server-blocks
+ (list (nginx-server-configuration
+ (listen '("443 ssl"))
+ (server-name (list domain))
+ (ssl-certificate
+ (string-append "/etc/letsencrypt/live/" domain "/fullchain.pem"))
+ (ssl-certificate-key
+ (string-append "/etc/letsencrypt/live/" domain "/privkey.pem"))
+ (root (string-append "/srv/http/" domain)))))))
 
- (service openssh-service-type
- (openssh-configuration
- (password-authentication? #f)))
+ (service certbot-service-type
+ (certbot-configuration
+ (certificates
+ (list
+ (certificate-configuration
+ (domains '("kosobr.in"))
+ (deploy-hook (cert-deploy-hook
+ '("/var/run/nginx/pid"
+ "/var/run/smtpd.pid"))))))))
 
- (service unattended-upgrade-service-type
- (unattended-upgrade-configuration
- (channels #~(load "/run/current-system/channels.scm"))))
+ (service openssh-service-type
+ (openssh-configuration
+ (password-authentication? #f)))
 
- %base-services)))
+ (service unattended-upgrade-service-type
+ (unattended-upgrade-configuration
+ (channels #~(map (lambda (c) (channel (inherit c) (commit #f)))
+ (load "/run/current-system/channels.scm")))
+ (services-to-restart '(mcron ntpd smtpd)))))
+
+ (mail-services
+ #:interface "eth0"
+ #:domain domain
+ #:aliases (list '("root" "timotej") '("timotej.lazar" "timotej"))
+ #:dkim-selector dkim-selector)
+
+ (base-services))))
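Review bot: `(extra-content "autoindex on;")` in the new nginx configuration enables directory listings for every server block and location nginx serves, since `nginx-configuration`'s `extra-content` is emitted in the `http` context if I read the Guix field right, so any directory under `/srv/http/<domain>` without an index file becomes browsable. If listing is meant only for this vhost I would move it onto the server block as `(raw-content '("autoindex on;"))`, or otherwise record the intent with `;; Directory listings are deliberately enabled for everything nginx serves.` Separately, the certbot `(domains '("kosobr.in"))` repeats the literal that `domain` already holds; `(domains (list domain))` keeps the certificate, vhost and mail domain in step. `(listen '("443 ssl"))` also leaves no port-80 server block, so HTTP-01 renewals depend on the local `(services certbot)` module providing one, which I cannot see from here. The enclosing `operating-system` form begins before this hunk.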