;; Guix System declaration for host "amahl": a small VM (QEMU virtio disk)
;; serving a static website over TLS, mail for one domain, ZNC and SSH.
;;
;; NOTE(review): (gnu bootloader u-boot) and (gnu packages bootloaders) are
;; imported below, but the bootloader field selects grub-bootloader; the
;; u-boot import looks unused here — confirm before removing.
(define-module (hosts amahl system)
  #:use-module (gnu)
  #:use-module (gnu bootloader u-boot)
  #:use-module (gnu packages bootloaders)
  #:use-module (gnu packages certs)
  #:use-module (gnu packages ncurses)
  #:use-module (gnu packages rsync)
  #:use-module (gnu services admin)
  #:use-module (gnu services mail)
  #:use-module (gnu services networking)
  #:use-module (gnu services ssh)
  #:use-module (gnu services web)
  #:use-module (guix packages)
  #:use-module (guix utils)
  ;; Local (non-upstream) service modules: certbot, ip and znc come from
  ;; this repository's own (services ...) tree, not from (gnu services ...).
  #:use-module (services certbot)
  #:use-module (services ip)
  #:use-module (services znc)
  #:use-module (config base)
  #:use-module (config mail))

;; Primary domain: used for the nginx server name, the Let's Encrypt
;; certificate, the web root path and the mail setup below.
(define domain "araneo.si")

;; DKIM selector passed to mail-services; rotate this when the DKIM key is
;; rotated so old and new keys can coexist in DNS.
(define dkim-selector "20230811")

;; Reload servers on certificate update.
;;
;; Returns a G-expression program that, given a list of PID-file paths,
;; reads the PID from each file and sends it SIGHUP so the daemon re-reads
;; its (renewed) certificate.  Used as the certbot deploy hook below.
;;
;; Each kill is wrapped in false-if-exception: a missing or stale PID file,
;; or a non-numeric first datum, is silently ignored and the remaining
;; daemons are still signalled.  The trade-off is that a failed reload is
;; not logged anywhere, so a daemon could keep serving an expired
;; certificate until its next restart — worth checking after renewals.
(define (cert-deploy-hook pid-files)
  (program-file "cert-deploy-hook"
    #~(for-each (lambda (pid-file)
                  (false-if-exception
                   ;; `read' parses the first datum of the file as the PID.
                   (kill (call-with-input-file pid-file read) SIGHUP)))
                '#$pid-files)))

(operating-system
  (locale "en_US.utf8")
  (timezone "Europe/Ljubljana")
  (keyboard-layout (keyboard-layout "us"))
  (host-name "amahl")
  ;; GRUB on the QEMU virtual SCSI disk, addressed by stable by-id path.
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets (list "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_35537784"))))
  ;; virtio_scsi is needed in the initrd so the root disk is visible at boot.
  (initrd-modules (cons* "virtio_scsi" %base-initrd-modules))
  (swap-devices (list (swap-space (target "/swap"))))
  (file-systems (cons* (file-system
                         (mount-point "/")
                         (device (uuid "6c89d6cf-2d17-479e-a095-3427dfe343d9" 'ext4))
                         (type "ext4"))
                       %base-file-systems))
  ;; Single administrative user; "wheel" membership grants sudo/admin
  ;; rights under the base configuration.
  (users (cons* (user-account
                 (name "timotej")
                 (comment "Timotej Lazar")
                 (group "users")
                 (home-directory "/home/timotej")
                 (supplementary-groups '("wheel")))
                %base-user-accounts))
  ;; nss-certs provides the CA bundle used for outbound TLS validation.
  (packages (cons* ncurses nss-certs rsync %base-packages))
  (services
   (append
    (list
     ;; Static IPv6 configuration on eth0 (address plus default route via
     ;; the link-local gateway); IPv4 on the same interface comes from DHCP.
     (service ip-service-type
              (ip-configuration
               (commands (list "link set eth0 up"
                               "address add 2a01:4f9:c012:5f72::/64 dev eth0"
                               "route add default via fe80::1 dev eth0"))))
     (service dhcp-client-service-type
              (dhcp-client-configuration (interfaces '("eth0"))))
     ;; HTTPS-only static site served from /srv/http/<domain> using the
     ;; certbot-managed certificate.
     ;;
     ;; "autoindex on;" is placed in extra-content, i.e. at the http level,
     ;; so directory listings are enabled for the entire web root: any file
     ;; dropped under /srv/http/<domain> becomes enumerable by visitors.
     ;; Keep that directory free of anything not meant to be public, or
     ;; scope autoindex to the specific locations that need it.
     (service nginx-service-type
              (nginx-configuration
               (extra-content "autoindex on;")
               (server-blocks
                (list (nginx-server-configuration
                       (listen '("443 ssl"))
                       (server-name (list domain))
                       (ssl-certificate (string-append "/etc/letsencrypt/live/" domain "/fullchain.pem"))
                       (ssl-certificate-key (string-append "/etc/letsencrypt/live/" domain "/privkey.pem"))
                       (root (string-append "/srv/http/" domain)))))))
     ;; Let's Encrypt certificate for the domain.  On each renewal the
     ;; deploy hook SIGHUPs nginx and smtpd so they pick up the new key
     ;; material.  NOTE(review): confirm that smtpd actually reloads its TLS
     ;; certificate on SIGHUP; if it only reopens logs, a full restart of the
     ;; mail service after renewal would be needed instead.
     (service certbot-service-type
              (certbot-configuration
               (certificates
                (list (certificate-configuration
                       (domains (list domain))
                       (deploy-hook (cert-deploy-hook '("/var/run/nginx/pid" "/var/run/smtpd.pid"))))))))
     ;; SSH hardening: no password logins at all, and root may only log in
     ;; with a key (no password), limiting exposure to credential guessing.
     (service openssh-service-type
              (openssh-configuration
               (password-authentication? #f)
               (permit-root-login 'prohibit-password)))
     (service znc-service-type)
     ;; Automatic upgrades.  (commit #f) on every channel means each run
     ;; pulls the current tip of the channels recorded in the running
     ;; system rather than a pinned commit, so updates are applied without
     ;; review.  Only the listed services are restarted after an upgrade;
     ;; sshd is not among them, so a new OpenSSH build presumably only takes
     ;; effect at the next reboot — verify this matches the intended policy.
     (service unattended-upgrade-service-type
              (unattended-upgrade-configuration
               (channels #~(map (lambda (c) (channel (inherit c) (commit #f)))
                                (load "/run/current-system/channels.scm")))
               (services-to-restart '(mcron nginx ntpd smtpd)))))
    ;; Mail for the domain (from (config mail)); root and the
    ;; firstname.lastname address are delivered to the local user.
    (mail-services #:domain domain
                   #:aliases (list '("root" "timotej") '("timotej.lazar" "timotej"))
                   #:dkim-selector dkim-selector)
    ;; Shared baseline services from (config base).
    (base-services))))