;; Copyright (C) 2023 Denis 'GNUtoo' Carikli ;; ;; This file is free software; you can redistribute it and/or modify it ;; under the terms of the GNU General Public License as published by ;; the Free Software Foundation; either version 3 of the License, or (at ;; your option) any later version. ;; ;; You should have received a copy of the GNU General Public License ;; along with this file. If not, see . (define-module (mumble-vm-system) #:use-module (gnu) #:use-module (gnu packages admin) #:use-module (gnu packages dns) #:use-module (gnu packages linux) #:use-module (gnu packages ssh) #:use-module (gnu packages tls) #:use-module (gnu services admin) #:use-module (gnu services certbot) #:use-module (gnu services ssh) #:use-module (gnu services telephony) #:use-module (gnu services vpn) #:use-module (gnu services web) #:use-module (guix build-system copy) #:use-module (guix build-system gnu) #:use-module ((guix licenses) #:prefix license:) #:use-module (guix packages) #:use-module (guix utils) #:export (mumble-vm-operating-system)) (define enable-wireguard? (string=? "yes" "ENABLE_WIREGUARD")) (define website (package (name "website") (version "0.1") ;; TODO: Make that tarball reproducible (source (local-file "mumble-vm.tar.xz")) (build-system copy-build-system) (arguments (list #:install-plan #~(list '("index.html" "var/www/DOMAIN/") '(#$source "var/www/DOMAIN/")))) (synopsis "The DOMAIN website.") (description "The website contains how to use the service, and how to replicate or contribute to it.") (home-page "DOMAIN") (license license:gpl3+))) (define first-boot-script (package (name "first-boot-script") (version "0.1") (source (local-file "first-boot.sh" )) (build-system gnu-build-system) (arguments (list #:tests? #f ;no tests #:phases #~(modify-phases %standard-phases (delete 'build) (delete 'configure) (replace 'install (lambda _ (chmod "first-boot.sh" #o755) (install-file "first-boot.sh" (string-append (string-append #$output "/bin")))))))) (synopsis "Script to run on first boot.") (description "The first-boot.sh script generates the TLS certificate and restart the services after that.") (home-page #f) (license license:gpl3+))) (define wireguard-post-up-fixups (package (name "wireguard-post-up-fixups") (version "0.1") (source (local-file "wireguard-post-up.sh" )) (build-system gnu-build-system) (arguments (list #:tests? #f ;no tests #:phases #~(modify-phases %standard-phases (delete 'build) (delete 'configure) (replace 'install (lambda _ (chmod "wireguard-post-up.sh" #o755) (install-file "wireguard-post-up.sh" (string-append (string-append #$output "/bin")))))))) (synopsis "Script to fixup the Wireguard interface(s).") (description "Currently, the wireguard-post-up.sh script sets up the interface MTU.") (home-page #f) (license license:gpl3+))) (define-public %nginx-deploy-hook (program-file "nginx-deploy-hook" #~(let ((nginx-pid (call-with-input-file "/var/run/nginx/pid" read)) (mumble-server-pid (call-with-input-file "/var/run/mumble-server/mumble-server.pid" read))) ((lambda _ (kill nginx-pid SIGHUP) (kill mumble-server-pid SIGUSR1)))))) (define-public %wireguard-post-up (list "/run/current-system/profile/bin/wireguard-post-up.sh")) (define mumble-vm-operating-system (operating-system (bootloader (bootloader-configuration (bootloader grub-minimal-bootloader) (targets '("/dev/vda")) (terminal-outputs '(serial_0)))) (kernel-arguments (append '("console=ttyS0"))) ;; TODO: Does Mumble have some data? Is BTRFS safer than using ext4 ;; without doing many fsck? (file-systems (cons (file-system (device (file-system-label "Guix_image")) (mount-point "/") (type "ext4")) %base-file-systems)) (host-name "mumble-vm") (timezone "Europe/Paris") (packages (append (list certbot first-boot-script htop iftop `(,isc-bind "utils") net-tools nmon openssh-sans-x website) (if enable-wireguard? (list wireguard-post-up-fixups) (list )) %base-packages)) (services (append (list ;; Agetty ;; ttyS0 is already setup automatically due to the console=ttyS0 ;; kernel argument (service agetty-service-type (agetty-configuration (term "xterm-256color") (tty "ttyS1"))) (service agetty-service-type (agetty-configuration (term "xterm-256color") (tty "ttyS2"))) (service agetty-service-type (agetty-configuration (term "xterm-256color") (tty "ttyS3"))) ;; Certbot (service certbot-service-type (certbot-configuration (email "LETSENCRYPT_EMAIL") (certificates (list (certificate-configuration (domains '("DOMAIN")) (deploy-hook %nginx-deploy-hook)))))) ;; Mumble (service mumble-server-service-type (mumble-server-configuration (welcome-text "
Bienvenue sur le service d'audio-conférence de Libre en communs.
https://DOMAIN/
") (cert-required? #t) ;; Disallow text password logins (max-user-bandwidth 100000) (ssl-cert "/etc/letsencrypt/live/DOMAIN/fullchain.pem") (ssl-key "/etc/letsencrypt/live/DOMAIN/privkey.pem"))) ;; Networking (service static-networking-service-type (list (static-networking (addresses (list (network-address (device "eth0") (value "VM_IPV4_ADDRESS")) (network-address (device "eth0") (value "VM_IPV6_ADDRESS")))) (routes (list (network-route (destination "default") (gateway "VM_IPV4_GATEWAY")) (network-route (destination "default") (gateway "VM_IPV6_GATEWAY")))) (name-servers (list "VM_IPV4_DNS" "VM_IPV6_DNS"))))) ;; Nginx (service nginx-service-type (nginx-configuration (log-directory "/var/log") (server-blocks (list (nginx-server-configuration (listen '("80" "443 ssl")) (server-name '("DOMAIN")) (ssl-certificate (string-append "/etc/letsencrypt/live/" "DOMAIN/fullchain.pem")) (ssl-certificate-key (string-append "/etc/letsencrypt/live/" "DOMAIN/privkey.pem")) (root (string-append "/run/current-system/profile/" "var/www/DOMAIN"))))))) ;; OpenSSH (service openssh-service-type (openssh-configuration (openssh openssh-sans-x) (use-pam? #f) (port-number 222) (permit-root-login #t) (password-authentication? #f) (challenge-response-authentication? #f) (authorized-keys `(("root" , (local-file "id_ed25519.pub")) ("gnutoo" ,(local-file "id_ed25519.pub")))))) ;; Unattended Upgrades (service unattended-upgrade-service-type)) (if enable-wireguard? (list (service wireguard-service-type (wireguard-configuration (addresses '("79.143.250.36/32" "2001:678:938:3ff::36/128")) (dns '("79.143.250.1" "79.143.250.2" "2001:678:938::53:1" "2001:678:938::53:2")) (port 0) (post-up %wireguard-post-up) (private-key (local-file "id_wireguard")) (peers (list (wireguard-peer (name "stephanie.franciliens.net") (endpoint "stephanie.franciliens.net:51820") (public-key "Ybfh3twyBpj7wx/lo9AVBsBKNAUMSQqAWWV0LfywSDI=") (allowed-ips '("0.0.0.0/0" "::/0")))))))) (list )) (modify-services %base-services (guix-service-type config => (guix-configuration (authorized-keys (append (list (local-file "signing-key.pub")) %default-authorized-guix-keys))))))))) mumble-vm-operating-system