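;; Copyright (C) 2023 Denis 'GNUtoo' Carikli
;;
;; This file is free software; you can redistribute it and/or modify it
;; under the terms of the GNU General Public License as published by
;; the Free Software Foundation; either version 3 of the License, or (at
;; your option) any later version.
;;
;; You should have received a copy of the GNU General Public License
;; along with this file.  If not, see <https://www.gnu.org/licenses/>.

;; Guix System configuration for a small VM that hosts a Mumble voice
;; server and a static website behind nginx, with TLS certificates
;; obtained through certbot.
;;
;; "DOMAIN" is a placeholder for the public host name.  It is used for the
;; website install path, the nginx server name and root, and the
;; Let's Encrypt certificate paths given to both nginx and mumble-server,
;; so every occurrence has to be replaced with the same value.

(define-module (mumble-vm-system)
  #:use-module (gnu)
  #:use-module (gnu packages admin)
  #:use-module (gnu packages dns)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages ssh)
  #:use-module (gnu packages tls)
  #:use-module (gnu services admin)
  #:use-module (gnu services certbot)
  #:use-module (gnu services ssh)
  #:use-module (gnu services telephony)
  #:use-module (gnu services web)
  #:use-module (guix build-system copy)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix utils)
  #:export (mumble-vm-operating-system))

;; Static website: a single index.html installed under var/www/DOMAIN/ in
;; the package output.  The package is added to the system packages
;; below, so nginx can serve it from the system profile
;; (/run/current-system/profile/var/www/DOMAIN).
(define website
  (package
    (name "website")
    (version "0.1")
    (source (local-file "index.html"))
    (build-system copy-build-system)
    (arguments
     (list #:install-plan
           #~(list '("index.html" "var/www/DOMAIN/"))))
    (synopsis "The DOMAIN website.")
    (description
     "The website contains how to use the service, and how to replicate or
contribute to it.")
    (home-page "DOMAIN")
    (license license:gpl3+)))

;; Certbot runs this script after a certificate has been (re)issued.  The
;; daemons that hold the certificate are told to reload it by signal:
;; SIGHUP for nginx, SIGUSR1 for mumble-server.  The pid files are read as
;; Scheme data with `read', which yields the integer pid.
;;
;; Any failure here (missing pid file, daemon not running) raises, and
;; certbot then reports the deploy hook as failed; the renewed
;; certificate is still on disk in that case.  The original wrapped the
;; two `kill' calls in an immediately-invoked `(lambda _ ...)'; a plain
;; `let' body does the same thing.
(define-public %nginx-deploy-hook
  (program-file "nginx-deploy-hook"
                #~(let ((nginx-pid
                         (call-with-input-file "/var/run/nginx/pid" read))
                        (mumble-server-pid
                         (call-with-input-file
                             "/var/run/mumble-server/mumble-server.pid"
                           read)))
                    (kill nginx-pid SIGHUP)
                    (kill mumble-server-pid SIGUSR1))))

(define mumble-vm-operating-system
  (operating-system
    (bootloader (bootloader-configuration
                 (bootloader grub-minimal-bootloader)
                 (targets '("/dev/vda"))))
    ;; TODO: Does Mumble have some data? Is BTRFS safer than using ext4
    ;; without doing many fsck?
    (file-systems (cons (file-system
                          (device (file-system-label "Guix_image"))
                          (mount-point "/")
                          (type "ext4"))
                        %base-file-systems))
    (host-name "mumble-vm")
    (timezone "Europe/Paris")
    ;; NOTE(review): there is no `users' field in this operating-system,
    ;; so only the default base accounts appear to exist.  The "gnutoo"
    ;; entry in the OpenSSH authorized-keys below therefore has no
    ;; matching account; either add the user or drop the entry.
    (packages (append (list certbot
                            htop
                            iftop
                            `(,isc-bind "utils")
                            net-tools
                            nmon
                            openssh-sans-x
                            website)
                      %base-packages))
    (services
     (append
      (list
       ;; Certbot: one certificate for DOMAIN; %nginx-deploy-hook makes
       ;; nginx and mumble-server pick up each renewal.
       (service certbot-service-type
                (certbot-configuration
                 (email "cominfra@a-lec.org")
                 (certificates
                  (list (certificate-configuration
                         (domains '("DOMAIN"))
                         (deploy-hook %nginx-deploy-hook))))))
       ;; Mumble: uses the same Let's Encrypt material as nginx.
       (service mumble-server-service-type
                (mumble-server-configuration
                 (welcome-text "
Bienvenue sur le service d'audio-conférence de Libre en communs.
https://DOMAIN/
")
                 (cert-required? #t) ;; Disallow text password logins
                 (max-user-bandwidth 100000)
                 (ssl-cert "/etc/letsencrypt/live/DOMAIN/fullchain.pem")
                 (ssl-key "/etc/letsencrypt/live/DOMAIN/privkey.pem")))
       ;; Networking: static address on eth0, gateway and resolver on the
       ;; same router.
       (service static-networking-service-type
                (list (static-networking
                       (addresses (list (network-address
                                         (device "eth0")
                                         (value "192.168.10.37/24"))))
                       (routes (list (network-route
                                      (destination "default")
                                      (gateway "192.168.10.1"))))
                       (name-servers '("192.168.10.1")))))
       ;; Nginx: serves the website package from the system profile over
       ;; plain HTTP and HTTPS.
       ;; NOTE(review): certbot-service-type also extends nginx with a
       ;; port-80 block for the certificate's domain; check nginx's log
       ;; for a conflicting server name warning on "DOMAIN" — confirm.
       (service nginx-service-type
                (nginx-configuration
                 (log-directory "/var/log")
                 (server-blocks
                  (list (nginx-server-configuration
                         (listen '("80" "443 ssl"))
                         (server-name '("DOMAIN"))
                         (ssl-certificate
                          (string-append "/etc/letsencrypt/live/"
                                         "DOMAIN/fullchain.pem"))
                         (ssl-certificate-key
                          (string-append "/etc/letsencrypt/live/"
                                         "DOMAIN/privkey.pem"))
                         (root
                          (string-append "/run/current-system/profile/"
                                         "var/www/DOMAIN")))))))
       ;; OpenSSH on a non-default port, public-key authentication only:
       ;; PAM, password and challenge-response logins are all disabled.
       ;; With password-authentication? set to #f, permit-root-login #t
       ;; only ever admits key-based root logins; 'prohibit-password
       ;; would state that intent explicitly.  Both accounts are given
       ;; the same key file.
       (service openssh-service-type
                (openssh-configuration
                 (openssh openssh-sans-x)
                 (use-pam? #f)
                 (port-number 222)
                 (permit-root-login #t)
                 (password-authentication? #f)
                 (challenge-response-authentication? #f)
                 (authorized-keys
                  `(("root" ,(local-file "id_ed25519.pub"))
                    ("gnutoo" ,(local-file "id_ed25519.pub"))))))
       ;; Unattended Upgrades
       (service unattended-upgrade-service-type))
      ;; Also trust substitutes signed by signing-key.pub, in addition to
      ;; the default Guix substitute keys.
      (modify-services %base-services
        (guix-service-type
         config => (guix-configuration
                    (authorized-keys
                     (append (list (local-file "signing-key.pub"))
                             %default-authorized-guix-keys)))))))))

;; The file evaluates to the operating-system so `guix system' can use it.
mumble-vm-operating-system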