authorTimo Wilken2023-01-22 22:56:03 +0100
committerTimo Wilken2023-01-22 23:08:18 +0100
commitae3206dbf89b494264afbe457b13afebdea920d2 (patch)
tree6d18a37769387d913ce91c2af80cbadd7c020363 /tw/system.scm
parent599f82d0857d408b25f2df95163c3bd1ae596eda (diff)
Rename "common" modules to be base modules
Diffstat (limited to 'tw/system.scm')
-rw-r--r--tw/system.scm191
1 files changed, 191 insertions, 0 deletions
diff --git a/tw/system.scm b/tw/system.scm
new file mode 100644
index 00000000..8734885b
--- /dev/null
+++ b/tw/system.scm
@@ -0,0 +1,191 @@
+(define-module (tw system)
+ #:use-module (ice-9 format)
+ #:use-module (ice-9 regex)
+ #:use-module (ice-9 string-fun)
+ #:use-module ((srfi srfi-1)
+ #:select (fold fold-right))
+ #:use-module (gnu)
+ #:use-module (gnu services)
+ #:use-module (gnu system)
+ #:use-module (gnu system keyboard)
+ #:use-module (guix gexp))
+
+(use-package-modules admin avahi certs disk file-systems linux lsof man
+ moreutils python rsync search shells version-control vpn)
+(use-service-modules mcron monitoring networking ssh vpn)
+
+(define-public %base-system-packages
+ (cons* acpi btrfs-progs cpupower efibootmgr exfat-utils git glibc-locales
+ hddtemp htop lshw lsof man-db man-pages man-pages-posix mlocate
+ moreutils nss-certs nss-mdns python rsync strace wireguard-tools
+ %base-packages))
+
+(define-public %british-keyboard
+ (keyboard-layout
+ "gb" #:options '("caps:swapescape"
+ "parens:swap_brackets"
+ "terminate:ctrl_alt_bksp"
+ "compose:rctrl"
+ "keypad:oss"
+ "kpdl:kposs")))
+
+(define-public %sudoers-file
+ (plain-file "sudoers"
+ (string-append
+ (plain-file-content %sudoers-specification)
+ ;; Let the "guixdeploy" user do anything as root, without a
+ ;; password required. "guix deploy" needs this, so that it can
+ ;; reconfigure the system without logging in as root.
+ ;; See: '(guix)Invoking guix deploy' info node.
+ "guixdeploy ALL = NOPASSWD: ALL\n")))
+
+;; This is used for the servers, and also by (tw home) to generate the
+;; appropriate ~/.ssh/config.
+(define-public %ssh-ports
+ '(("lud.twilken.net" . 22022)
+ ("vin.twilken.net" . 22022)
+ ("pi3.twilken.net" . 51022)))
+
+(define-public (server-base-services host-name)
+ (cons*
+ ;; SSH login, allowing access only for me. To give more public keys
+ ;; access, extend `openssh-service-type'.
+ (service openssh-service-type
+ (openssh-configuration
+ (port-number (assoc-ref %ssh-ports host-name))
+ (password-authentication? #f)
+ (accepted-environment '("LANG" "LC_*"))
+ (authorized-keys
+ `(("timo"
+ ,(local-file "system/files/timo.pub")
+ ,(local-file "system/files/timo-phone-gpg.pub"))))))
+
+ ;; Prometheus node exporter
+ (service prometheus-node-exporter-service-type
+ (prometheus-node-exporter-configuration
+ (web-listen-address
+ (string-replace-substring
+ (car ; get the IPv4 address
+ (wireguard-peer-allowed-ips
+ (assoc-ref %wireguard-peers host-name)))
+ "/32" ":9100"))))
+
+ (simple-service 'disk-maintenance mcron-service-type
+ (list #~(job "0 2 * * *" "guix gc -d 2w")
+ #~(job "0 4 * * *" ; after guix gc
+ (string-append #$(file-append util-linux "/sbin/fstrim")
+ " --fstab --verbose"))))
+
+ ;; Network setup
+ (service dhcp-client-service-type)
+ (service ntp-service-type)
+ (wireguard-service host-name)
+
+ ;; Delete the annoying message on SSH login. Beware when setting up a new
+ ;; host, as `allow-empty-passwords' will block login and sudo execution for
+ ;; all Guix-declared users (as these have no initial password).
+ (modify-services %base-services
+ (login-service-type
+ config =>
+ (login-configuration
+ (inherit config)
+ (motd (plain-file "no-motd" ""))
+ (allow-empty-passwords? #f))))))
+
+(define-public %server-base-user-accounts
+ (cons* (user-account
+ (name "timo")
+ (comment "Timo Wilken")
+ (group "users")
+ (home-directory "/home/timo")
+ (supplementary-groups '("wheel" "netdev" "audio" "video"))
+ (shell (file-append zsh "/bin/zsh")))
+ (user-account ; needs a matching sudoers entry
+ (system? #t)
+ (name "guixdeploy")
+ (comment "Guix-deploy access")
+ (group "root")
+ (home-directory "/var/empty")
+ (create-home-directory? #f))
+ %base-user-accounts))
+
+(define %wireguard-peers
+ `(("lap.twilken.net" .
+ ,(wireguard-peer
+ (name "lap.wg")
+ (public-key "lap/DvCb8xXLUCqcaPEx8kCRcoeV4ScTMVZW5hvvNzA=")
+ (preshared-key "/etc/wireguard/lap.psk")
+ (allowed-ips '("10.0.0.1/32" "fc00::1/128"))))
+ ("lud.twilken.net" .
+ ,(wireguard-peer
+ (name "lud.wg")
+ (endpoint "lud.twilken.net:58921")
+ (public-key "lud/9sbXVdOYXxOkRgAB+b/17QxbwllfJY/pbA3/MkE=")
+ (preshared-key "/etc/wireguard/lud.psk")
+ (allowed-ips '("10.0.0.2/32" "fc00::2/128"))))
+ ("vin.twilken.net" .
+ ,(wireguard-peer
+ (name "vin.wg")
+ (endpoint "vin.twilken.net:58921")
+ (public-key "vin/Im+sOszZFE01UF1+QlyxLP1PsPXJgTz4KmgvL3Y=")
+ (preshared-key "/etc/wireguard/vin.psk")
+ (allowed-ips '("10.0.0.3/32" "fc00::3/128"))))
+ ("fp4.twilken.net" .
+ ,(wireguard-peer
+ (name "fp4.wg")
+ (public-key "fp4/aLAVBADTy+UGmNh011w1CFOOwq70Df6EWlZRkAs=")
+ (preshared-key "/etc/wireguard/fp4.psk")
+ (allowed-ips '("10.0.0.4/32" "fc00::4/128"))))
+ ("pi3.twilken.net" .
+ ,(wireguard-peer
+ (name "pi3.wg")
+ (endpoint "pi3.twilken.net:58922")
+ (public-key "pi3/ThUH4qDTuyvNQIiiyy2dbziF/xLRTwO0+vcUoVY=")
+ (preshared-key "/etc/wireguard/pi3.psk")
+ (allowed-ips '("10.0.0.5/32" "fc00::5/128"))))))
+
+(define-public %wireguard-etc-hosts
+ (let ((basic-hosts-file "\
+# This file was generated from your Guix configuration.
+# Any changes will be lost upon reboot or reconfiguration.
+127.0.0.1 localhost
+255.255.255.255 broadcasthost
+::1 localhost ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
+"))
+ (plain-file
+ "hosts"
+ (fold (lambda (peer hosts-file)
+ (apply string-append hosts-file
+ (map (lambda (allowed-ip-cidr)
+ (format #f "~16a~a~%"
+ (car (string-split allowed-ip-cidr #\/))
+ (wireguard-peer-name peer)))
+ (wireguard-peer-allowed-ips peer))))
+ basic-hosts-file
+ (map cdr %wireguard-peers)))))
+
+(define-public (wireguard-service host-name)
+ (let ((own-peer (assoc-ref %wireguard-peers host-name)))
+ (service wireguard-service-type
+ (wireguard-configuration
+ (addresses
+ (map (lambda (cidr)
+ (let ((ipv4 (string-match "/32$" cidr))
+ (ipv6 (string-match "/128$" cidr)))
+ (cond
+ (ipv4 (regexp-substitute #f ipv4 'pre "/24"))
+ (ipv6 (regexp-substitute #f ipv6 'pre "/64"))
+ (#t cidr))))
+ (wireguard-peer-allowed-ips own-peer)))
+ (port
+ (let ((endpoint (wireguard-peer-endpoint own-peer)))
+ (if endpoint
+ (string->number (cadr (string-split endpoint #\:)))
+ 58921)))
+ (private-key "/etc/wireguard/private.key")
+ (peers (delq own-peer (map cdr %wireguard-peers)))))))
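Review bot: Both `server-base-services` and `wireguard-service` look up `host-name` with `assoc-ref` and feed the result straight into `port-number`, `wireguard-peer-allowed-ips` and `wireguard-peer-endpoint`, so an unknown or misspelled host name yields `#f` and fails later with an unrelated wrong-type error instead of naming the host. A guard at the top of `wireguard-service` such as `(unless own-peer (error "no WireGuard peer declared for host" host-name))`, and the same check for the `%ssh-ports` lookup in `server-base-services`, would surface the misconfiguration at evaluation time. Separately, the port extraction `(cadr (string-split endpoint #\:))` assumes a `host:port` endpoint with exactly one colon; every endpoint in `%wireguard-peers` fits that shape, but a bracketed IPv6 literal would not, so a comment stating the assumption next to that line is worth adding.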