authorTimo Wilken2023-01-22 22:34:59 +0100
committerTimo Wilken2023-01-22 22:58:58 +0100
commit21ead4bff50f058bfdecdcbb5bda6965a756ed93 (patch)
tree92506909c26bc0a08557849b262abdebb67b710b
parent33a632b790b83a7c03e2692d1029ddf1d9c62911 (diff)
Extract common server packages and services
This should improve maintainability a bit by combining common services running on the servers. Additionally, this parameterises common parts by servers' host names instead of the host-name-like symbols as before.
-rw-r--r--tw/system/common.scm132
-rw-r--r--tw/system/files/timo-phone-gpg.pub1
-rw-r--r--tw/system/lap.scm4
-rw-r--r--tw/system/lud.scm65
-rw-r--r--tw/system/vin.scm45
5 files changed, 114 insertions, 133 deletions
diff --git a/tw/system/common.scm b/tw/system/common.scm
index fb8c50f9..57be678b 100644
--- a/tw/system/common.scm
+++ b/tw/system/common.scm
@@ -1,22 +1,24 @@
(define-module (tw system common)
#:use-module (ice-9 format)
#:use-module (ice-9 regex)
+ #:use-module (ice-9 string-fun)
#:use-module ((srfi srfi-1)
#:select (fold fold-right))
#:use-module (gnu)
#:use-module (gnu services)
- #:use-module (gnu services vpn)
#:use-module (gnu system)
#:use-module (gnu system keyboard)
#:use-module (guix gexp))
(use-package-modules admin avahi certs disk file-systems linux lsof man
- moreutils search version-control vpn)
+ moreutils python rsync search shells version-control vpn)
+(use-service-modules mcron monitoring networking ssh vpn)
-(define-public %common-system-packages
- (list acpi btrfs-progs cpupower efibootmgr exfat-utils git glibc-locales
- hddtemp htop lshw lsof man-db man-pages man-pages-posix mlocate
- moreutils nss-certs nss-mdns strace wireguard-tools))
+(define-public %base-system-packages
+ (cons* acpi btrfs-progs cpupower efibootmgr exfat-utils git glibc-locales
+ hddtemp htop lshw lsof man-db man-pages man-pages-posix mlocate
+ moreutils nss-certs nss-mdns python rsync strace wireguard-tools
+ %base-packages))
(define-public %british-keyboard
(keyboard-layout
@@ -27,6 +29,59 @@
"keypad:oss"
"kpdl:kposs")))
+;; This is used for the servers, and also by (tw home common) to generate the
+;; appropriate ~/.ssh/config.
+(define-public %ssh-ports
+ '(("lud.twilken.net" . 22022)
+ ("vin.twilken.net" . 22022)
+ ("pi3.twilken.net" . 51022)))
+
+(define-public (server-base-services host-name)
+ (cons*
+ ;; SSH login, allowing access only for me. To give more public keys
+ ;; access, extend `openssh-service-type'.
+ (service openssh-service-type
+ (openssh-configuration
+ (port-number (assoc-ref %ssh-ports host-name))
+ (password-authentication? #f)
+ (accepted-environment '("LANG" "LC_*"))
+ (authorized-keys
+ `(("timo"
+ ,(local-file "files/timo.pub")
+ ,(local-file "files/timo-phone-gpg.pub"))))))
+
+ ;; Prometheus node exporter
+ (service prometheus-node-exporter-service-type
+ (prometheus-node-exporter-configuration
+ (web-listen-address
+ (string-replace-substring
+ (car ; get the IPv4 address
+ (wireguard-peer-allowed-ips
+ (assoc-ref %wireguard-peers host-name)))
+ "/32" ":9100"))))
+
+ (simple-service 'disk-maintenance mcron-service-type
+ (list #~(job "0 2 * * *" "guix gc -d 2w")
+ #~(job "0 4 * * *" ; after guix gc
+ (string-append #$(file-append util-linux "/sbin/fstrim")
+ " --fstab --verbose"))))
+
+ ;; Network setup
+ (service dhcp-client-service-type)
+ (service ntp-service-type)
+ (wireguard-service host-name)
+
+ ;; Delete the annoying message on SSH login. Beware when setting up a new
+ ;; host, as `allow-empty-passwords' will block login and sudo execution for
+ ;; all Guix-declared users (as these have no initial password).
+ (modify-services %base-services
+ (login-service-type
+ config =>
+ (login-configuration
+ (inherit config)
+ (motd (plain-file "no-motd" ""))
+ (allow-empty-passwords? #f))))))
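Review bot: Both table lookups in server-base-services, `(assoc-ref %ssh-ports host-name)` on the port-number line and `(assoc-ref %wireguard-peers host-name)` inside the web-listen-address expression, return `#f` for a host-name that is not in the table, so a typo or a system whose `host-name` field is not the FQDN key fails with an opaque type error from `wireguard-peer-allowed-ips` or the openssh record check rather than a message naming the host. A guard at the top of the function would make the contract explicit, e.g. `(unless (assoc-ref %wireguard-peers host-name) (error "server-base-services: unknown host" host-name))`. The same silent `#f` affects `wireguard-service` further down (`own-peer`) and its callers in lap.scm, lud.scm and vin.scm, which all now pass `host-name` and depend on that field matching the `"*.twilken.net"` keys exactly. The `string-replace-substring … "/32" ":9100"` derivation also assumes the first allowed-ip is an IPv4 /32 and leaves the string unchanged otherwise; a comment stating that invariant next to `(car ; get the IPv4 address`, and a named constant for the exporter port instead of the literal `":9100"`, would help the next editor.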
+
(define-public %server-base-user-accounts
(cons* (user-account
(name "timo")
@@ -45,34 +100,39 @@
%base-user-accounts))
(define %wireguard-peers
- `((lap . ,(wireguard-peer
- (name "lap.wg")
- (public-key "lap/DvCb8xXLUCqcaPEx8kCRcoeV4ScTMVZW5hvvNzA=")
- (preshared-key "/etc/wireguard/lap.psk")
- (allowed-ips '("10.0.0.1/32" "fc00::1/128"))))
- (lud . ,(wireguard-peer
- (name "lud.wg")
- (endpoint "lud.twilken.net:58921")
- (public-key "lud/9sbXVdOYXxOkRgAB+b/17QxbwllfJY/pbA3/MkE=")
- (preshared-key "/etc/wireguard/lud.psk")
- (allowed-ips '("10.0.0.2/32" "fc00::2/128"))))
- (vin . ,(wireguard-peer
- (name "vin.wg")
- (endpoint "vin.twilken.net:58921")
- (public-key "vin/Im+sOszZFE01UF1+QlyxLP1PsPXJgTz4KmgvL3Y=")
- (preshared-key "/etc/wireguard/vin.psk")
- (allowed-ips '("10.0.0.3/32" "fc00::3/128"))))
- (fp4 . ,(wireguard-peer
- (name "fp4.wg")
- (public-key "fp4/aLAVBADTy+UGmNh011w1CFOOwq70Df6EWlZRkAs=")
- (preshared-key "/etc/wireguard/fp4.psk")
- (allowed-ips '("10.0.0.4/32" "fc00::4/128"))))
- (pi3 . ,(wireguard-peer
- (name "pi3.wg")
- (endpoint "pi3.twilken.net:58922")
- (public-key "pi3/ThUH4qDTuyvNQIiiyy2dbziF/xLRTwO0+vcUoVY=")
- (preshared-key "/etc/wireguard/pi3.psk")
- (allowed-ips '("10.0.0.5/32" "fc00::5/128"))))))
+ `(("lap.twilken.net" .
+ ,(wireguard-peer
+ (name "lap.wg")
+ (public-key "lap/DvCb8xXLUCqcaPEx8kCRcoeV4ScTMVZW5hvvNzA=")
+ (preshared-key "/etc/wireguard/lap.psk")
+ (allowed-ips '("10.0.0.1/32" "fc00::1/128"))))
+ ("lud.twilken.net" .
+ ,(wireguard-peer
+ (name "lud.wg")
+ (endpoint "lud.twilken.net:58921")
+ (public-key "lud/9sbXVdOYXxOkRgAB+b/17QxbwllfJY/pbA3/MkE=")
+ (preshared-key "/etc/wireguard/lud.psk")
+ (allowed-ips '("10.0.0.2/32" "fc00::2/128"))))
+ ("vin.twilken.net" .
+ ,(wireguard-peer
+ (name "vin.wg")
+ (endpoint "vin.twilken.net:58921")
+ (public-key "vin/Im+sOszZFE01UF1+QlyxLP1PsPXJgTz4KmgvL3Y=")
+ (preshared-key "/etc/wireguard/vin.psk")
+ (allowed-ips '("10.0.0.3/32" "fc00::3/128"))))
+ ("fp4.twilken.net" .
+ ,(wireguard-peer
+ (name "fp4.wg")
+ (public-key "fp4/aLAVBADTy+UGmNh011w1CFOOwq70Df6EWlZRkAs=")
+ (preshared-key "/etc/wireguard/fp4.psk")
+ (allowed-ips '("10.0.0.4/32" "fc00::4/128"))))
+ ("pi3.twilken.net" .
+ ,(wireguard-peer
+ (name "pi3.wg")
+ (endpoint "pi3.twilken.net:58922")
+ (public-key "pi3/ThUH4qDTuyvNQIiiyy2dbziF/xLRTwO0+vcUoVY=")
+ (preshared-key "/etc/wireguard/pi3.psk")
+ (allowed-ips '("10.0.0.5/32" "fc00::5/128"))))))
(define-public %wireguard-etc-hosts
(let ((basic-hosts-file "\
@@ -99,8 +159,8 @@ ff02::3 ip6-allhosts
basic-hosts-file
(map cdr %wireguard-peers)))))
-(define-public (wireguard-service host)
- (let ((own-peer (assoc-ref %wireguard-peers host)))
+(define-public (wireguard-service host-name)
+ (let ((own-peer (assoc-ref %wireguard-peers host-name)))
(service wireguard-service-type
(wireguard-configuration
(addresses
diff --git a/tw/system/files/timo-phone-gpg.pub b/tw/system/files/timo-phone-gpg.pub
new file mode 100644
index 00000000..6ba20c18
--- /dev/null
+++ b/tw/system/files/timo-phone-gpg.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSgivq2ubXUyxkpBs7xEaozdnvEETKx/h11y+d7PyO4
diff --git a/tw/system/lap.scm b/tw/system/lap.scm
index cd2e4496..2cdfb9c9 100644
--- a/tw/system/lap.scm
+++ b/tw/system/lap.scm
@@ -274,7 +274,7 @@ support extra features (acr, pmu, gr).")
;; location.
geoclue
;; Base packages
- (append %common-system-packages %base-packages)))
+ %base-system-packages))
;; Use the "desktop" services, which include the X11
;; log-in service, networking with NetworkManager, and more.
@@ -295,7 +295,7 @@ support extra features (acr, pmu, gr).")
(bluetooth-service)
- (wireguard-service 'lap)
+ (wireguard-service host-name)
(service docker-service-type
(docker-configuration))
diff --git a/tw/system/lud.scm b/tw/system/lud.scm
index fcf86279..5e0ffda0 100644
--- a/tw/system/lud.scm
+++ b/tw/system/lud.scm
@@ -215,51 +215,29 @@ ProxyPass \"/\" \"https://127.0.0.1:48448/\"
;; under their own account: use 'guix search KEYWORD' to search
;; for packages and 'guix install PACKAGE' to install a package.
(packages
- (append (list
- ;; For nightly yt-dlp.
- ffmpeg
- ;; For video downloader.
- python tor
- ;; For Nextcloud backup script.
- btrfs-progs mariadb rsync
- ;; For Nextcloud. PHP modules must be installed in system
- ;; profile, as that's referred to in Nextcloud's php.ini.
- php php-apcu)
- %common-system-packages
- %base-packages))
+ (cons*
+ ffmpeg tor ; for video downloader
+ mariadb ; for Nextcloud backup script
+ ;; For Nextcloud. PHP modules must be installed in system
+ ;; profile, as that's referred to in Nextcloud's php.ini.
+ php php-apcu
+ %base-system-packages))
;; Below is the list of system services. To search for available
;; services, run 'guix system search KEYWORD' in a terminal.
(services
(append
- (list (service openssh-service-type
- (openssh-configuration
- (port-number 22022)
- (password-authentication? #f)
- (accepted-environment '("LANG" "LC_*"))
- (authorized-keys
- `(("timo"
- ,(local-file "files/timo.pub"))
- ("ira" ; for Duplicity backups
- ,(local-file "files/kitchen-pc.pub")
- ,(local-file "files/wilken-laptop.pub"))))))
+ (list (simple-service 'duplicity-backup-access openssh-service-type
+ `(("ira" ; for Duplicity backups
+ ,(local-file "files/kitchen-pc.pub")
+ ,(local-file "files/wilken-laptop.pub"))))
(service tor-service-type)
- (service dhcp-client-service-type)
-
- (service ntp-service-type)
-
(service thermald-service-type
(thermald-configuration
(adaptive? #t)))
- (simple-service 'cronjobs mcron-service-type
- (list #~(job "0 21 * * *" "guix gc -d 2w -F 25G")
- #~(job "0 22 * * *" ; after guix gc
- (string-append #$(file-append util-linux "/sbin/fstrim")
- " --fstab --verbose"))))
-
;; Transmission (torrents)
(service transmission-daemon-service-type
(transmission-daemon-configuration
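Review bot: The removed mcron job ran `guix gc -d 2w -F 25G` at 21:00 with fstrim at 22:00, while the shared replacement in common.scm's `disk-maintenance` service runs `guix gc -d 2w` at 02:00 and fstrim at 04:00 with no `-F` limit, so the collector now removes everything unreferenced instead of stopping once 25G is free. That is a behaviour change the commit description does not mention; if it is intended, a comment on the `disk-maintenance` service saying so (and why the schedule moved) would stop someone re-adding the limit, and if not, `#~(job "0 2 * * *" "guix gc -d 2w -F 25G")` restores the old policy. The identical removal appears in the vin.scm hunk. The `simple-service 'duplicity-backup-access openssh-service-type` extension is the right way to keep the "ira" keys host-specific while the "timo" keys move to the common service.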
@@ -329,31 +307,14 @@ innodb_buffer_pool_size = 1G
innodb_io_capacity = 4000
")))
- ;; Prometheus node exporter
- (service prometheus-node-exporter-service-type
- (prometheus-node-exporter-configuration
- (web-listen-address "10.0.0.2:9100")))
-
;; TODO: JSON exporter (Nextcloud)
-
;; TODO: Syncthing exporter
-
;; TODO: Transmission exporter
-
- ;; TODO: git-daemon-service-type / cgit-service-type?
-
- (wireguard-service 'lud))
+ )
nextcloud-services
matrix-services
-
- (modify-services %base-services
- (login-service-type
- config =>
- (login-configuration
- (inherit config)
- (motd (plain-file "no-motd" ""))
- (allow-empty-passwords? #f))))))
+ (server-base-services host-name)))
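Review bot: The lone `)` added on its own line after the three `;; TODO:` comments closes the `list` form in a way that is unidiomatic for Lisp, where closing parens belong at the end of the preceding form. Moving that paren onto the `")))` line that ends the MariaDB configuration, and keeping the TODO comments above that form, reads as the rest of the file does and avoids a dangling paren that later edits tend to break. The enclosing `services` form starts outside this hunk.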
;; The list of user accounts ('root' is implicit).
(users
diff --git a/tw/system/vin.scm b/tw/system/vin.scm
index c3e6ab16..ddecc127 100644
--- a/tw/system/vin.scm
+++ b/tw/system/vin.scm
@@ -6,9 +6,6 @@
#:use-module (guix gexp)
#:use-module (tw system common))
-(use-package-modules admin bash certs databases linux man rsync shells video)
-(use-service-modules mcron monitoring networking pm ssh vpn)
-
;; The device's BIOS does not support UEFI, sadly. It also doesn't recognise
;; NVME devices, so we can only use SATA hard disks, not the M.2 SSD.
;; /dev/sda1 is the https://en.wikipedia.org/wiki/BIOS_boot_partition for grub.
@@ -40,49 +37,11 @@
;; Packages installed system-wide. Users can also install packages
;; under their own account: use 'guix search KEYWORD' to search
;; for packages and 'guix install PACKAGE' to install a package.
- (packages
- (append (list
- ;; For eventual backup scripts?
- btrfs-progs rsync)
- %common-system-packages
- %base-packages))
+ (packages %base-system-packages)
;; Below is the list of system services. To search for available
;; services, run 'guix system search KEYWORD' in a terminal.
- (services
- (append
- (list (service openssh-service-type
- (openssh-configuration
- (port-number 22022)
- (password-authentication? #f)
- (accepted-environment '("LANG" "LC_*"))
- (authorized-keys
- `(("timo" ,(local-file "files/timo.pub"))))))
-
- (service dhcp-client-service-type)
-
- (service ntp-service-type)
-
- (simple-service 'cronjobs mcron-service-type
- (list #~(job "0 21 * * *" "guix gc -d 2w -F 25G")
- #~(job "0 22 * * *" ; after guix gc
- (string-append #$(file-append util-linux "/sbin/fstrim")
- " --fstab --verbose"))))
-
- ;; Prometheus node exporter
- (service prometheus-node-exporter-service-type
- (prometheus-node-exporter-configuration
- (web-listen-address "10.0.0.3:9100")))
-
- (wireguard-service 'vin))
-
- (modify-services %base-services
- (login-service-type
- config =>
- (login-configuration
- (inherit config)
- (motd (plain-file "no-motd" ""))
- (allow-empty-passwords? #f))))))
+ (services (server-base-services host-name))
;; The list of user accounts ('root' is implicit).
(users %server-base-user-accounts)