jetomit/monguix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

hosts/oswald: add mail, web and certificate services

Browse source
This commit is contained in:
Timotej Lazar 2023-04-28 09:11:50 +02:00
parent b755649cee
commit 8c2a9dd805
1 changed files with 62 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

90
hosts/oswald/system.scm
View file

@ -8,10 +8,15 @@
#:use-module (gnu services admin)
#:use-module (gnu services networking)
#:use-module (gnu services ssh)
#:use-module (gnu services web)
#:use-module (guix packages)
#:use-module (guix utils)
#:use-module (srfi srfi-26)
#:use-module (services chrony))
#:use-module (services certbot)
#:use-module (config base)
#:use-module (config mail))
(define domain "kosobr.in")
(define dkim-selector "20220826")
;; Use a lower DDR frequency to avoid random segfaults.
;; See <https://forum.pine64.org/showthread.php?tid=11209>.
@ -27,11 +32,13 @@
(substitute* "arch/arm/dts/rk3328-rock64-u-boot.dtsi"
(("rk3328-sdram-lpddr3-1600.dtsi") "rk3328-sdram-lpddr3-666.dtsi"))))))))))
(define chrony-config "\
pool pool.ntp.org iburst
makestep 1.0 3
driftfile /var/lib/chrony/drift
")
; Reload servers on certificate update.
(define (cert-deploy-hook pid-files)
(program-file
"cert-deploy-hook"
#~(for-each (lambda (pid-file)
(kill (call-with-input-file pid-file read) SIGHUP))
'#$pid-files)))
(operating-system
(host-name "oswald")
@ -74,28 +81,55 @@ driftfile /var/lib/chrony/drift
(cons* nss-certs rsync %base-packages))
(services
(cons*
(service static-networking-service-type
(list (static-networking
(addresses (list (network-address
(device "eth0")
(value "192.168.0.3/24"))))
(routes (list (network-route
(destination "default")
(gateway "192.168.0.1"))))
(name-servers '("193.2.1.66" "193.2.1.72")))))
(append
(list
(service static-networking-service-type
(list (static-networking
(addresses (list (network-address
(device "eth0")
(value "192.168.1.3/24"))))
(routes (list (network-route
(destination "default")
(gateway "192.168.1.1"))))
(name-servers '("193.2.1.66" "193.2.1.72")))))
(service chrony-service-type
(chrony-configuration
(config-file (plain-file "chrony.conf" chrony-config))
(syscall-filter "1")))
(service nginx-service-type
(nginx-configuration
(extra-content "autoindex on;")
(server-blocks
(list (nginx-server-configuration
(listen '("443 ssl"))
(server-name (list domain))
(ssl-certificate
(string-append "/etc/letsencrypt/live/" domain "/fullchain.pem"))
(ssl-certificate-key
(string-append "/etc/letsencrypt/live/" domain "/privkey.pem"))
(root (string-append "/srv/http/" domain)))))))
(service openssh-service-type
(openssh-configuration
(password-authentication? #f)))
(service certbot-service-type
(certbot-configuration
(certificates
(list
(certificate-configuration
(domains '("kosobr.in"))
(deploy-hook (cert-deploy-hook
'("/var/run/nginx/pid"
"/var/run/smtpd.pid"))))))))
(service unattended-upgrade-service-type
(unattended-upgrade-configuration
(channels #~(load "/run/current-system/channels.scm"))))
(service openssh-service-type
(openssh-configuration
(password-authentication? #f)))
%base-services)))
(service unattended-upgrade-service-type
(unattended-upgrade-configuration
(channels #~(map (lambda (c) (channel (inherit c) (commit #f)))
(load "/run/current-system/channels.scm")))
(services-to-restart '(mcron ntpd smtpd)))))
(mail-services
#:interface "eth0"
#:domain domain
#:aliases (list '("root" "timotej") '("timotej.lazar" "timotej"))
#:dkim-selector dkim-selector)
(base-services))))