255 lines
8.8 KiB
Cheetah
255 lines
8.8 KiB
Cheetah
;; Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
|
|
;;
|
|
;; This file is free software; you can redistribute it and/or modify it
|
|
;; under the terms of the GNU General Public License as published by
|
|
;; the Free Software Foundation; either version 3 of the License, or (at
|
|
;; your option) any later version.
|
|
;;
|
|
;; You should have received a copy of the GNU General Public License
|
|
;; along with this file. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
(define-module (mumble-vm-system)
|
|
#:use-module (gnu)
|
|
#:use-module (gnu packages admin)
|
|
#:use-module (gnu packages dns)
|
|
#:use-module (gnu packages linux)
|
|
#:use-module (gnu packages ssh)
|
|
#:use-module (gnu packages tls)
|
|
#:use-module (gnu services admin)
|
|
#:use-module (gnu services certbot)
|
|
#:use-module (gnu services ssh)
|
|
#:use-module (gnu services telephony)
|
|
#:use-module (gnu services vpn)
|
|
#:use-module (gnu services web)
|
|
#:use-module (guix build-system copy)
|
|
#:use-module (guix build-system gnu)
|
|
#:use-module ((guix licenses) #:prefix license:)
|
|
#:use-module (guix packages)
|
|
#:use-module (guix utils)
|
|
#:export (mumble-vm-operating-system))
|
|
|
|
(define website
|
|
(package
|
|
(name "website")
|
|
(version "0.1")
|
|
(source (local-file "index.html" ))
|
|
(build-system copy-build-system)
|
|
(arguments
|
|
(list
|
|
#:install-plan
|
|
#~(list '("index.html" "var/www/DOMAIN/"))))
|
|
(synopsis "The DOMAIN website.")
|
|
(description
|
|
"The website contains how to use the service, and how to
|
|
replicate or contribute to it.")
|
|
(home-page "DOMAIN")
|
|
(license license:gpl3+)))
|
|
|
|
(define first-boot-script
|
|
(package
|
|
(name "first-boot-script")
|
|
(version "0.1")
|
|
(source (local-file "first-boot.sh" ))
|
|
(build-system gnu-build-system)
|
|
(arguments
|
|
(list #:tests? #f ;no tests
|
|
#:phases
|
|
#~(modify-phases
|
|
%standard-phases
|
|
(delete 'build)
|
|
(delete 'configure)
|
|
(replace 'install
|
|
(lambda _
|
|
(chmod "first-boot.sh" #o755)
|
|
(install-file
|
|
"first-boot.sh"
|
|
(string-append (string-append #$output "/bin"))))))))
|
|
(synopsis "Script to run on first boot.")
|
|
(description
|
|
"The first-boot.sh script generates the TLS certificate and restart
|
|
the services after that.")
|
|
(home-page #f)
|
|
(license license:gpl3+)))
|
|
|
|
(define wireguard-post-up-fixups
|
|
(package
|
|
(name "wireguard-post-up-fixups")
|
|
(version "0.1")
|
|
(source (local-file "wireguard-post-up.sh" ))
|
|
(build-system gnu-build-system)
|
|
(arguments
|
|
(list #:tests? #f ;no tests
|
|
#:phases
|
|
#~(modify-phases
|
|
%standard-phases
|
|
(delete 'build)
|
|
(delete 'configure)
|
|
(replace 'install
|
|
(lambda _
|
|
(chmod "wireguard-post-up.sh" #o755)
|
|
(install-file
|
|
"wireguard-post-up.sh"
|
|
(string-append (string-append #$output "/bin"))))))))
|
|
(synopsis "Script to fixup the Wireguard interface(s).")
|
|
(description
|
|
"Currently, the wireguard-post-up.sh script sets up the interface
|
|
MTU.")
|
|
(home-page #f)
|
|
(license license:gpl3+)))
|
|
|
|
(define-public %nginx-deploy-hook
|
|
(program-file
|
|
"nginx-deploy-hook"
|
|
#~(let
|
|
((nginx-pid (call-with-input-file "/var/run/nginx/pid" read))
|
|
(mumble-server-pid
|
|
(call-with-input-file
|
|
"/var/run/mumble-server/mumble-server.pid" read)))
|
|
((lambda _
|
|
(kill nginx-pid SIGHUP)
|
|
(kill mumble-server-pid SIGUSR1))))))
|
|
|
|
(define-public %wireguard-post-up
|
|
(list "/run/current-system/profile/bin/wireguard-post-up.sh"))
|
|
|
|
(define mumble-vm-operating-system
|
|
(operating-system
|
|
(bootloader (bootloader-configuration
|
|
(bootloader grub-minimal-bootloader)
|
|
(targets '("/dev/vda"))
|
|
(terminal-outputs '(serial_0))))
|
|
(kernel-arguments (append '("console=ttyS0")))
|
|
;; TODO: Does Mumble have some data? Is BTRFS safer than using ext4
|
|
;; without doing many fsck?
|
|
(file-systems (cons (file-system
|
|
(device (file-system-label "Guix_image"))
|
|
(mount-point "/")
|
|
(type "ext4")) %base-file-systems))
|
|
(host-name "mumble-vm")
|
|
(timezone "Europe/Paris")
|
|
(packages
|
|
(append
|
|
(list certbot
|
|
first-boot-script
|
|
htop
|
|
iftop
|
|
`(,isc-bind "utils")
|
|
net-tools
|
|
nmon
|
|
openssh-sans-x
|
|
website
|
|
wireguard-post-up-fixups)
|
|
%base-packages))
|
|
(services
|
|
(append
|
|
(list
|
|
;; Agetty
|
|
|
|
;; ttyS0 is already setup automatically due to the console=ttyS0
|
|
;; kernel argument
|
|
(service agetty-service-type
|
|
(agetty-configuration (term "xterm-256color")
|
|
(tty "ttyS1")))
|
|
(service agetty-service-type
|
|
(agetty-configuration (term "xterm-256color")
|
|
(tty "ttyS2")))
|
|
(service agetty-service-type
|
|
(agetty-configuration (term "xterm-256color")
|
|
(tty "ttyS3")))
|
|
;; Certbot
|
|
(service
|
|
certbot-service-type
|
|
(certbot-configuration
|
|
(email "LETSENCRYPT_EMAIL")
|
|
(certificates
|
|
(list
|
|
(certificate-configuration
|
|
(domains '("DOMAIN"))
|
|
(deploy-hook %nginx-deploy-hook))))))
|
|
;; Mumble
|
|
(service mumble-server-service-type
|
|
(mumble-server-configuration
|
|
(welcome-text
|
|
"<br />
|
|
Bienvenue sur le service d'audio-conférence de <b>Libre en communs</b>.<br />
|
|
https://DOMAIN/
|
|
<br />")
|
|
(cert-required? #t) ;; Disallow text password logins
|
|
(max-user-bandwidth 100000)
|
|
(ssl-cert
|
|
"/etc/letsencrypt/live/DOMAIN/fullchain.pem")
|
|
(ssl-key
|
|
"/etc/letsencrypt/live/DOMAIN/privkey.pem")))
|
|
;; Networking
|
|
(service
|
|
static-networking-service-type
|
|
(list
|
|
(static-networking
|
|
(addresses (list (network-address
|
|
(device "eth0")
|
|
(value "VM_IPV4_ADDRESS"))))
|
|
(routes (list (network-route
|
|
(destination "default")
|
|
(gateway "192.168.10.1"))))
|
|
(name-servers '("192.168.10.1")))))
|
|
;; Nginx
|
|
(service
|
|
nginx-service-type
|
|
(nginx-configuration
|
|
(log-directory "/var/log")
|
|
(server-blocks
|
|
(list
|
|
(nginx-server-configuration
|
|
(listen '("80" "443 ssl"))
|
|
(server-name '("DOMAIN"))
|
|
(ssl-certificate
|
|
(string-append
|
|
"/etc/letsencrypt/live/"
|
|
"DOMAIN/fullchain.pem"))
|
|
(ssl-certificate-key
|
|
(string-append
|
|
"/etc/letsencrypt/live/"
|
|
"DOMAIN/privkey.pem"))
|
|
(root (string-append
|
|
"/run/current-system/profile/"
|
|
"var/www/DOMAIN")))))))
|
|
;; OpenSSH
|
|
(service openssh-service-type
|
|
(openssh-configuration
|
|
(openssh openssh-sans-x)
|
|
(use-pam? #f)
|
|
(port-number 222)
|
|
(permit-root-login #t)
|
|
(password-authentication? #f)
|
|
(challenge-response-authentication? #f)
|
|
(authorized-keys
|
|
`(("root" , (local-file "id_ed25519.pub"))
|
|
("gnutoo" ,(local-file "id_ed25519.pub"))))))
|
|
;; Unattended Upgrades
|
|
(service unattended-upgrade-service-type)
|
|
(service wireguard-service-type
|
|
(wireguard-configuration
|
|
(addresses '("79.143.250.36/32" "2001:678:938:3ff::36/128"))
|
|
(dns '("79.143.250.1" "79.143.250.2"
|
|
"2001:678:938::53:1" "2001:678:938::53:2"))
|
|
(port 0)
|
|
(post-up %wireguard-post-up)
|
|
(private-key (local-file "id_wireguard"))
|
|
(peers
|
|
(list
|
|
(wireguard-peer
|
|
(name "stephanie.franciliens.net")
|
|
(endpoint "stephanie.franciliens.net:51820")
|
|
(public-key "Ybfh3twyBpj7wx/lo9AVBsBKNAUMSQqAWWV0LfywSDI=")
|
|
(allowed-ips '("0.0.0.0/0" "::/0"))))))))
|
|
(modify-services
|
|
%base-services
|
|
(guix-service-type config => (guix-configuration
|
|
(authorized-keys
|
|
(append
|
|
(list
|
|
(local-file
|
|
"signing-key.pub"))
|
|
%default-authorized-guix-keys)))))))))
|
|
mumble-vm-operating-system
|