;; Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
;;
;; This file is free software; you can redistribute it and/or modify it
;; under the terms of the GNU General Public License as published by
;; the Free Software Foundation; either version 3 of the License, or (at
;; your option) any later version.
;;
;; You should have received a copy of the GNU General Public License
;; along with this file. If not, see <http://www.gnu.org/licenses/>.
;; Guix System module for the "mumble-vm" machine.  It only exports the
;; operating-system record defined at the bottom of this file; the helper
;; package and the certbot deploy hook are internal to it.
(define-module (mumble-vm-system)
  #:use-module (gnu)
  #:use-module (gnu packages admin)
  #:use-module (gnu packages dns)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages ssh)
  #:use-module (gnu packages tls)
  #:use-module (gnu services admin)
  #:use-module (gnu services certbot)
  #:use-module (gnu services ssh)
  #:use-module (gnu services web)
  #:use-module (guix build-system copy)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix utils)
  #:export (mumble-vm-operating-system))
;; Static website package: the copy build system installs the local
;; "index.html" under var/www/audio.experimental.chalec.org/ so that it
;; ends up in the system profile, where the nginx server block below
;; points its document root.
(define website
  (package
    (name "website")
    (version "0.1")
    ;; Taken from the directory holding this file.
    (source (local-file "index.html" ))
    (build-system copy-build-system)
    (arguments
     (list
      #:install-plan
      ;; NOTE(review): the install directory is named after
      ;; audio.experimental.chalec.org while the certificate and nginx
      ;; server-name further down use audio.experimental.a-lec.org;
      ;; confirm which host name is intended.
      #~(list '("index.html" "var/www/audio.experimental.chalec.org/"))))
    (synopsis "The audio.experimental.chalec.org website.")
    (description
     "The website contains how to use the service, and how to
replicate or contribute to it.")
    ;; NOTE(review): this is a bare host name rather than a URL.
    (home-page "audio.experimental.chalec.org")
    (license license:gpl3+)))
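;;; Certbot deploy hook, run after a certificate has been (re)issued.
;;;
;;; It tells the two daemons that read the Let's Encrypt files to pick up
;;; the new ones: nginx gets SIGHUP and mumble-server gets SIGUSR1
;;; (presumably to reload its TLS certificate; mumble-server itself is not
;;; configured in this file, so its PID file path is an assumption to
;;; confirm).  Both PIDs are read from the daemons' PID files.
;;;
;;; The hook fails with an explicit error, before signalling anything, when
;;; a PID file is missing or does not hold a positive integer.  Passing a
;;; non-integer, 0 or a negative value to `kill' would otherwise either
;;; crash with an obscure message or signal a whole process group.
(define-public %nginx-deploy-hook
  (program-file
   "nginx-deploy-hook"
   #~(begin
       (define (read-pid file)
         ;; A PID file holds a single integer datum; `read' returns the
         ;; eof-object on an empty file, so validate before using it.
         (let ((pid (call-with-input-file file read)))
           (unless (and (integer? pid) (positive? pid))
             (error "nginx-deploy-hook: invalid PID in" file pid))
           pid))
       ;; Resolve both PIDs first, then signal, so a problem with one PID
       ;; file never leaves only one daemon reloaded.
       (let ((nginx-pid (read-pid "/var/run/nginx/pid"))
             (mumble-server-pid
              (read-pid "/var/run/mumble-server/mumble-server.pid")))
         (kill nginx-pid SIGHUP)
         (kill mumble-server-pid SIGUSR1)))))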
;; The operating-system of the Mumble VM.  Services: certbot (TLS
;; certificates), static networking, nginx serving the `website' package,
;; OpenSSH and unattended upgrades, on top of %base-services with one
;; extra authorized substitute signing key.
(define mumble-vm-operating-system
  (operating-system
    ;; GRUB on the VM's virtio disk.
    (bootloader (bootloader-configuration
                 (bootloader grub-minimal-bootloader)
                 (targets '("/dev/vda"))))
    ;; TODO: Does Mumble have some data? Is BTRFS safer than using ext4
    ;; without doing many fsck?
    (file-systems (cons (file-system
                         (device (file-system-label "Guix_image"))
                         (mount-point "/")
                         (type "ext4")) %base-file-systems))
    (host-name "mumble-vm")
    (timezone "Europe/Paris")
    ;; System profile: certbot, admin tools and the website package, whose
    ;; files nginx serves from /run/current-system/profile.
    (packages
     (append
      (list certbot
            htop
            iftop
            `(,isc-bind "utils")
            net-tools
            nmon
            openssh-sans-x
            website)
      %base-packages))
    (services
     (append
      (list
       ;; Certbot
       ;; After each (re)issuance %nginx-deploy-hook signals nginx and
       ;; mumble-server so that they reload the new certificate files.
       (service
        certbot-service-type
        (certbot-configuration
         (email "cominfra@a-lec.org")
         (certificates
          (list
           (certificate-configuration
            (domains '("audio.experimental.a-lec.org"))
            (deploy-hook %nginx-deploy-hook))))))
       ;; Networking
       ;; Static address on eth0; the gateway also acts as the resolver.
       (service
        static-networking-service-type
        (list
         (static-networking
          (addresses (list (network-address
                            (device "eth0")
                            (value "192.168.10.37/24"))))
          (routes (list (network-route
                         (destination "default")
                         (gateway "192.168.10.1"))))
          (name-servers '("192.168.10.1")))))
       ;; Nginx
       ;; One server block on 80 and 443 (TLS files at the certbot paths),
       ;; serving the website package out of the system profile.
       ;; NOTE(review): port 80 serves the same root over plain HTTP; no
       ;; redirect to HTTPS is configured here -- confirm that is intended.
       ;; NOTE(review): the document root is named after
       ;; audio.experimental.chalec.org while server-name and the
       ;; certificate use audio.experimental.a-lec.org.
       (service
        nginx-service-type
        (nginx-configuration
         ;; Logs go straight into /var/log, not a dedicated subdirectory.
         (log-directory "/var/log")
         (server-blocks
          (list
           (nginx-server-configuration
            (listen '("80" "443 ssl"))
            (server-name '("audio.experimental.a-lec.org"))
            (ssl-certificate
             (string-append
              "/etc/letsencrypt/live/"
              "audio.experimental.a-lec.org/fullchain.pem"))
            (ssl-certificate-key
             (string-append
              "/etc/letsencrypt/live/"
              "audio.experimental.a-lec.org/privkey.pem"))
            (root (string-append
                   "/run/current-system/profile/"
                   "var/www/audio.experimental.chalec.org")))))))
       ;; OpenSSH
       ;; Key-only access on port 222: password and challenge-response
       ;; authentication are off and PAM is not used.
       ;; NOTE(review): root login is enabled; it is key-only today only
       ;; because passwords are disabled globally.  'prohibit-password
       ;; would pin that intent should password authentication ever be
       ;; turned back on.
       (service openssh-service-type
                (openssh-configuration
                 (openssh openssh-sans-x)
                 (use-pam? #f)
                 (port-number 222)
                 (permit-root-login #t)
                 (password-authentication? #f)
                 (challenge-response-authentication? #f)
                 ;; Both accounts are authorized with the same local key file.
                 (authorized-keys
                  `(("root" , (local-file "id_ed25519.pub"))
                    ("gnutoo" ,(local-file "id_ed25519.pub"))))))
       ;; Unattended Upgrades
       (service unattended-upgrade-service-type))
      (modify-services
          %base-services
        ;; Trust one extra substitute signing key ("signing-key.pub", next
        ;; to this file) in addition to the default Guix keys.
        (guix-service-type config => (guix-configuration
                                      (authorized-keys
                                       (append
                                        (list
                                         (local-file
                                          "signing-key.pub"))
                                        %default-authorized-guix-keys)))))))))
;; The file's value is the operating-system record, as `guix system' expects.
mumble-vm-operating-system