Extract common service sets into separate modules

Common service sets (NextCloud, Matrix, WireGuard) should be in their
own modules to make things neater, instead of being interleaved with
operating system declarations.

1 files changed, 125 insertions, 0 deletions

diff --git a/tw/services/nextcloud.scm b/tw/services/nextcloud.scm
new file mode 100644
index 00000000..ca68cf77
--- /dev/null
+++ b/tw/services/nextcloud.scm
@@ -0,0 +1,125 @@
+(define-module (tw services nextcloud)
+  #:use-module (gnu)
+  #:use-module (gnu packages php)
+  #:use-module (gnu services certbot)
+  #:use-module (gnu services mcron)
+  #:use-module (gnu services web)
+  #:use-module (guix gexp)
+  #:use-module (tw services))
+
+(define-public %nextcloud-php.ini
+  (computed-file "nextcloud-php.ini"
+    #~(begin
+        (use-modules (ice-9 popen) (ice-9 rdelim))
+        (let* ((php-config #$(file-append php "/bin/php-config"))
+               (pipe (open-pipe* OPEN_READ php-config "--extension-dir"))
+               (php-extdir (read-line pipe)))
+          (unless (zero? (status:exit-val (close-pipe pipe)))
+            (error "Failed to get PHP extension dir"))
+          (with-output-to-file #$output
+            ;; Guix's PHP comes with the following extensions built-in,
+            ;; so no extension= line necessary:
+            ;; pdo_mysql, bcmath, bz2, exif, gd, iconv, intl
+            (lambda () (display (string-append "\
+memory_limit=512M
+extension_dir=/run/current-system/profile/lib/php/extensions/" (basename php-extdir) "
+; Caching extensions for Nextcloud
+extension=apcu
+apc.enable_cli=1
+zend_extension=opcache
+; https://www.php.net/manual/en/opcache.configuration.php
+opcache.enable=1
+opcache.interned_strings_buffer=32
+opcache.max_accelerated_files=10000
+opcache.memory_consumption=128
+opcache.save_comments=1
+; It will take up to revalidate_freq seconds for changes to config.php to be applied.
+opcache.revalidate_freq=120
+"))))))))
+
+(define-public %nextcloud-services
+  (list (simple-service 'nextcloud-https-server httpd-service-type
+          ;; The certbot service redirects everything on port 80 to
+          ;; port 443 by default, modulo its own /.well-known paths.
+          (list (httpd-virtualhost "*:443" (list "\
+# For Nextcloud.
+ServerName cloud.wilkenfamily.de
+DocumentRoot /var/www/nextcloud
+SSLEngine on
+SSLCertificateFile \"/etc/letsencrypt/live/cloud.wilkenfamily.de/fullchain.pem\"
+SSLCertificateKeyFile \"/etc/letsencrypt/live/cloud.wilkenfamily.de/privkey.pem\"
+Header always set Strict-Transport-Security \"max-age=15552000\"
+
+# Don't check for .htaccess files above DocumentRoot.
+<Directory \"/\">
+    AllowOverride None
+</Directory>
+
+<Directory /var/www/nextcloud>
+    Options +FollowSymlinks
+    AllowOverride All
+    <IfModule mod_dav.c>
+        Dav off
+    </IfModule>
+    SetEnv HOME /var/www/nextcloud
+    SetEnv HTTP_HOME /var/www/nextcloud
+</Directory>
+
+# Redirect to local php-fpm if mod_php is not available
+<IfModule !mod_php7.c>
+    <IfModule proxy_fcgi_module>
+        # Enable http authorization headers
+        <IfModule setenvif_module>
+            SetEnvIfNoCase ^Authorization$ \"(.+)\" HTTP_AUTHORIZATION=$1
+        </IfModule>
+        <FilesMatch \".+\\.ph(ar|p|tml)$\">
+            <If \"-f %{REQUEST_FILENAME}\">
+                SetHandler \"proxy:unix:/var/run/php-fpm.sock|fcgi://localhost/\"
+            </If>
+        </FilesMatch>
+        # Deny access to raw PHP sources and files without filename (e.g. '.php')
+        <FilesMatch \"^\\.ph(ar|p|ps|tml)$|.*\\.phps$\">
+            Require all denied
+        </FilesMatch>
+    </IfModule>
+</IfModule>
+"))))
+
+        (service php-fpm-service-type
+          (php-fpm-configuration
+           (user "httpd")
+           (group "httpd")
+           (socket "/var/run/php-fpm.sock")
+           (socket-user "httpd")
+           (socket-group "httpd")
+           (php-ini-file %nextcloud-php.ini)))
+
+        (simple-service 'nextcloud-certificates certbot-service-type
+          (list (certificate-configuration
+                 (domains '("cloud.wilkenfamily.de"))
+                 (deploy-hook %httpd-cert-deploy-hook))))
+
+        ;; Nextcloud cron
+        (simple-service 'nextcloud-cron mcron-service-type
+          (list #~(job "*/5 * * * *"
+                       (lambda ()
+                         (chdir "/var/www/nextcloud")
+                         ;; `setgid' first while we're still root
+                         (setgid (group:gid (getgr "httpd")))
+                         (setuid (passwd:uid (getpw "httpd")))
+                         (execl #$(file-append php "/bin/php") "php"
+                                "-c" #$%nextcloud-php.ini "cron.php"))
+                       (string-append
+                        #$(file-append php "/bin/php")
+                        " -c " #$%nextcloud-php.ini
+                        " /var/www/nextcloud/cron.php"))
+
+                ;; Nextcloud backups
+                ;; Requires: sudo, php, btrfs, mysqldump, rsync
+                (let ((backup-script (local-file "files/nextcloud-backup" #:recursive? #t)))
+                  #~(job "0 6 * * *"
+                         (lambda ()
+                           ;; Pass through the php.ini file that allows us to
+                           ;; use Nextcloud's occ script.
+                           (execl #$backup-script "nextcloud-backup" #$%nextcloud-php.ini))
+                         (string-append #$backup-script " " #$%nextcloud-php.ini)))))))