author | Timo Wilken | 2023-01-22 22:34:59 +0100 |
---|---|---|
committer | Timo Wilken | 2023-01-22 22:58:58 +0100 |
commit | 21ead4bff50f058bfdecdcbb5bda6965a756ed93 (patch) | |
tree | 92506909c26bc0a08557849b262abdebb67b710b /tw/system/common.scm | |
parent | 33a632b790b83a7c03e2692d1029ddf1d9c62911 (diff) |
Extract common server packages and services
This should improve maintainability a bit by combining common services
running on the servers.
Additionally, this parameterises common parts by servers' host names
instead of the host-name-like symbols as before.
Diffstat (limited to 'tw/system/common.scm')
-rw-r--r-- | tw/system/common.scm | 132 |
1 files changed, 96 insertions, 36 deletions
diff --git a/tw/system/common.scm b/tw/system/common.scm index fb8c50f9..57be678b 100644 --- a/tw/system/common.scm +++ b/tw/system/common.scm @@ -1,22 +1,24 @@ (define-module (tw system common) #:use-module (ice-9 format) #:use-module (ice-9 regex) + #:use-module (ice-9 string-fun) #:use-module ((srfi srfi-1) #:select (fold fold-right)) #:use-module (gnu) #:use-module (gnu services) - #:use-module (gnu services vpn) #:use-module (gnu system) #:use-module (gnu system keyboard) #:use-module (guix gexp)) (use-package-modules admin avahi certs disk file-systems linux lsof man - moreutils search version-control vpn) + moreutils python rsync search shells version-control vpn) +(use-service-modules mcron monitoring networking ssh vpn) -(define-public %common-system-packages - (list acpi btrfs-progs cpupower efibootmgr exfat-utils git glibc-locales - hddtemp htop lshw lsof man-db man-pages man-pages-posix mlocate - moreutils nss-certs nss-mdns strace wireguard-tools)) +(define-public %base-system-packages + (cons* acpi btrfs-progs cpupower efibootmgr exfat-utils git glibc-locales + hddtemp htop lshw lsof man-db man-pages man-pages-posix mlocate + moreutils nss-certs nss-mdns python rsync strace wireguard-tools + %base-packages)) (define-public %british-keyboard (keyboard-layout 
@@ -27,6 +29,59 @@ "keypad:oss" "kpdl:kposs"))) +;; This is used for the servers, and also by (tw home common) to generate the +;; appropriate ~/.ssh/config. +(define-public %ssh-ports + '(("lud.twilken.net" . 22022) + ("vin.twilken.net" . 22022) + ("pi3.twilken.net" . 51022))) + +(define-public (server-base-services host-name) + (cons* + ;; SSH login, allowing access only for me. To give more public keys + ;; access, extend `openssh-service-type'. + (service openssh-service-type + (openssh-configuration + (port-number (assoc-ref %ssh-ports host-name)) + (password-authentication? #f) + (accepted-environment '("LANG" "LC_*")) + (authorized-keys + `(("timo" + ,(local-file "files/timo.pub") + ,(local-file "files/timo-phone-gpg.pub")))))) + + ;; Prometheus node exporter + (service prometheus-node-exporter-service-type + (prometheus-node-exporter-configuration + (web-listen-address + (string-replace-substring + (car ; get the IPv4 address + (wireguard-peer-allowed-ips + (assoc-ref %wireguard-peers host-name))) + "/32" ":9100")))) + + (simple-service 'disk-maintenance mcron-service-type + (list #~(job "0 2 * * *" "guix gc -d 2w") + #~(job "0 4 * * *" ; after guix gc + (string-append #$(file-append util-linux "/sbin/fstrim") + " --fstab --verbose")))) + + ;; Network setup + (service dhcp-client-service-type) + (service ntp-service-type) + (wireguard-service host-name) + + ;; Delete the annoying message on SSH login. Beware when setting up a new + ;; host, as `allow-empty-passwords' will block login and sudo execution for + ;; all Guix-declared users (as these have no initial password). + (modify-services %base-services + (login-service-type + config => + (login-configuration + (inherit config) + (motd (plain-file "no-motd" "")) + (allow-empty-passwords? #f)))))) + (define-public %server-base-user-accounts (cons* (user-account (name "timo") 
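Review bot: `(port-number (assoc-ref %ssh-ports host-name))` in `server-base-services` has no fallback, so a host name missing from `%ssh-ports` (a typo, or a new server not yet added to the alist) hands sshd a `port-number` of `#f` instead of failing at configuration time, which would likely leave the host without SSH after a reconfigure; `(assoc-ref %wireguard-peers host-name)` a few lines further down has the same gap, though there `wireguard-peer-allowed-ips` would at least raise a wrong-type error. Make the lookup fail with a message naming the host, e.g. `(or (assoc-ref %ssh-ports host-name) (error "no SSH port configured for" host-name))`. The `web-listen-address` derivation also assumes the first allowed IP carries a literal `/32`; cutting at the slash with `(string-take ip (string-index ip #\/))` would survive a different prefix length instead of yielding an unbindable address. Since node_exporter has no authentication of its own, binding to the tunnel address is the whole access control for that endpoint, and that deserves a comment such as `;; Bind only to the WireGuard address: the exporter has no auth, the tunnel is the ACL.`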
@@ -45,34 +100,39 @@ %base-user-accounts)) (define %wireguard-peers - `((lap . ,(wireguard-peer - (name "lap.wg") - (public-key "lap/DvCb8xXLUCqcaPEx8kCRcoeV4ScTMVZW5hvvNzA=") - (preshared-key "/etc/wireguard/lap.psk") - (allowed-ips '("10.0.0.1/32" "fc00::1/128")))) - (lud . ,(wireguard-peer - (name "lud.wg") - (endpoint "lud.twilken.net:58921") - (public-key "lud/9sbXVdOYXxOkRgAB+b/17QxbwllfJY/pbA3/MkE=") - (preshared-key "/etc/wireguard/lud.psk") - (allowed-ips '("10.0.0.2/32" "fc00::2/128")))) - (vin . ,(wireguard-peer - (name "vin.wg") - (endpoint "vin.twilken.net:58921") - (public-key "vin/Im+sOszZFE01UF1+QlyxLP1PsPXJgTz4KmgvL3Y=") - (preshared-key "/etc/wireguard/vin.psk") - (allowed-ips '("10.0.0.3/32" "fc00::3/128")))) - (fp4 . ,(wireguard-peer - (name "fp4.wg") - (public-key "fp4/aLAVBADTy+UGmNh011w1CFOOwq70Df6EWlZRkAs=") - (preshared-key "/etc/wireguard/fp4.psk") - (allowed-ips '("10.0.0.4/32" "fc00::4/128")))) - (pi3 . ,(wireguard-peer - (name "pi3.wg") - (endpoint "pi3.twilken.net:58922") - (public-key "pi3/ThUH4qDTuyvNQIiiyy2dbziF/xLRTwO0+vcUoVY=") - (preshared-key "/etc/wireguard/pi3.psk") - (allowed-ips '("10.0.0.5/32" "fc00::5/128")))))) + `(("lap.twilken.net" . + ,(wireguard-peer + (name "lap.wg") + (public-key "lap/DvCb8xXLUCqcaPEx8kCRcoeV4ScTMVZW5hvvNzA=") + (preshared-key "/etc/wireguard/lap.psk") + (allowed-ips '("10.0.0.1/32" "fc00::1/128")))) + ("lud.twilken.net" . + ,(wireguard-peer + (name "lud.wg") + (endpoint "lud.twilken.net:58921") + (public-key "lud/9sbXVdOYXxOkRgAB+b/17QxbwllfJY/pbA3/MkE=") + (preshared-key "/etc/wireguard/lud.psk") + (allowed-ips '("10.0.0.2/32" "fc00::2/128")))) + ("vin.twilken.net" . + ,(wireguard-peer + (name "vin.wg") + (endpoint "vin.twilken.net:58921") + (public-key "vin/Im+sOszZFE01UF1+QlyxLP1PsPXJgTz4KmgvL3Y=") + (preshared-key "/etc/wireguard/vin.psk") + (allowed-ips '("10.0.0.3/32" "fc00::3/128")))) + ("fp4.twilken.net" . 
+ ,(wireguard-peer + (name "fp4.wg") + (public-key "fp4/aLAVBADTy+UGmNh011w1CFOOwq70Df6EWlZRkAs=") + (preshared-key "/etc/wireguard/fp4.psk") + (allowed-ips '("10.0.0.4/32" "fc00::4/128")))) + ("pi3.twilken.net" . + ,(wireguard-peer + (name "pi3.wg") + (endpoint "pi3.twilken.net:58922") + (public-key "pi3/ThUH4qDTuyvNQIiiyy2dbziF/xLRTwO0+vcUoVY=") + (preshared-key "/etc/wireguard/pi3.psk") + (allowed-ips '("10.0.0.5/32" "fc00::5/128")))))) (define-public %wireguard-etc-hosts (let ((basic-hosts-file "\ @@ -99,8 +159,8 @@ ff02::3 ip6-allhosts basic-hosts-file (map cdr %wireguard-peers))))) -(define-public (wireguard-service host) - (let ((own-peer (assoc-ref %wireguard-peers host))) +(define-public (wireguard-service host-name) + (let ((own-peer (assoc-ref %wireguard-peers host-name))) (service wireguard-service-type (wireguard-configuration (addresses |