author | Timo Wilken | 2023-01-22 22:56:03 +0100 |
committer | Timo Wilken | 2023-01-22 23:08:18 +0100 |
commit | ae3206dbf89b494264afbe457b13afebdea920d2 (patch) | |
tree | 6d18a37769387d913ce91c2af80cbadd7c020363 /tw/system/common.scm | |
parent | 599f82d0857d408b25f2df95163c3bd1ae596eda (diff) |
Rename "common" modules to be base modules
Diffstat (limited to 'tw/system/common.scm')
-rw-r--r-- | tw/system/common.scm | 191 |
1 files changed, 0 insertions, 191 deletions
diff --git a/tw/system/common.scm b/tw/system/common.scm
deleted file mode 100644
index 1eb48c52..00000000
--- a/tw/system/common.scm
+++ /dev/null
@@ -1,191 +0,0 @@ -(define-module (tw system common) - #:use-module (ice-9 format) - #:use-module (ice-9 regex) - #:use-module (ice-9 string-fun) - #:use-module ((srfi srfi-1) - #:select (fold fold-right)) - #:use-module (gnu) - #:use-module (gnu services) - #:use-module (gnu system) - #:use-module (gnu system keyboard) - #:use-module (guix gexp)) - -(use-package-modules admin avahi certs disk file-systems linux lsof man - moreutils python rsync search shells version-control vpn) -(use-service-modules mcron monitoring networking ssh vpn) - -(define-public %base-system-packages - (cons* acpi btrfs-progs cpupower efibootmgr exfat-utils git glibc-locales - hddtemp htop lshw lsof man-db man-pages man-pages-posix mlocate - moreutils nss-certs nss-mdns python rsync strace wireguard-tools - %base-packages)) - -(define-public %british-keyboard - (keyboard-layout - "gb" #:options '("caps:swapescape" - "parens:swap_brackets" - "terminate:ctrl_alt_bksp" - "compose:rctrl" - "keypad:oss" - "kpdl:kposs"))) - -(define-public %sudoers-file - (plain-file "sudoers" - (string-append - (plain-file-content %sudoers-specification) - ;; Let the "guixdeploy" user do anything as root, without a - ;; password required. "guix deploy" needs this, so that it can - ;; reconfigure the system without logging in as root. - ;; See: '(guix)Invoking guix deploy' info node. - "guixdeploy ALL = NOPASSWD: ALL\n"))) - -;; This is used for the servers, and also by (tw home common) to generate the -;; appropriate ~/.ssh/config. -(define-public %ssh-ports - '(("lud.twilken.net" . 22022) - ("vin.twilken.net" . 22022) - ("pi3.twilken.net" . 51022))) - -(define-public (server-base-services host-name) - (cons* - ;; SSH login, allowing access only for me. To give more public keys - ;; access, extend `openssh-service-type'. - (service openssh-service-type - (openssh-configuration - (port-number (assoc-ref %ssh-ports host-name)) - (password-authentication? 
#f) - (accepted-environment '("LANG" "LC_*")) - (authorized-keys - `(("timo" - ,(local-file "files/timo.pub") - ,(local-file "files/timo-phone-gpg.pub")))))) - - ;; Prometheus node exporter - (service prometheus-node-exporter-service-type - (prometheus-node-exporter-configuration - (web-listen-address - (string-replace-substring - (car ; get the IPv4 address - (wireguard-peer-allowed-ips - (assoc-ref %wireguard-peers host-name))) - "/32" ":9100")))) - - (simple-service 'disk-maintenance mcron-service-type - (list #~(job "0 2 * * *" "guix gc -d 2w") - #~(job "0 4 * * *" ; after guix gc - (string-append #$(file-append util-linux "/sbin/fstrim") - " --fstab --verbose")))) - - ;; Network setup - (service dhcp-client-service-type) - (service ntp-service-type) - (wireguard-service host-name) - - ;; Delete the annoying message on SSH login. Beware when setting up a new - ;; host, as `allow-empty-passwords' will block login and sudo execution for - ;; all Guix-declared users (as these have no initial password). - (modify-services %base-services - (login-service-type - config => - (login-configuration - (inherit config) - (motd (plain-file "no-motd" "")) - (allow-empty-passwords? #f)))))) - -(define-public %server-base-user-accounts - (cons* (user-account - (name "timo") - (comment "Timo Wilken") - (group "users") - (home-directory "/home/timo") - (supplementary-groups '("wheel" "netdev" "audio" "video")) - (shell (file-append zsh "/bin/zsh"))) - (user-account ; needs a matching sudoers entry - (system? #t) - (name "guixdeploy") - (comment "Guix-deploy access") - (group "root") - (home-directory "/var/empty") - (create-home-directory? #f)) - %base-user-accounts)) - -(define %wireguard-peers - `(("lap.twilken.net" . - ,(wireguard-peer - (name "lap.wg") - (public-key "lap/DvCb8xXLUCqcaPEx8kCRcoeV4ScTMVZW5hvvNzA=") - (preshared-key "/etc/wireguard/lap.psk") - (allowed-ips '("10.0.0.1/32" "fc00::1/128")))) - ("lud.twilken.net" . 
- ,(wireguard-peer - (name "lud.wg") - (endpoint "lud.twilken.net:58921") - (public-key "lud/9sbXVdOYXxOkRgAB+b/17QxbwllfJY/pbA3/MkE=") - (preshared-key "/etc/wireguard/lud.psk") - (allowed-ips '("10.0.0.2/32" "fc00::2/128")))) - ("vin.twilken.net" . - ,(wireguard-peer - (name "vin.wg") - (endpoint "vin.twilken.net:58921") - (public-key "vin/Im+sOszZFE01UF1+QlyxLP1PsPXJgTz4KmgvL3Y=") - (preshared-key "/etc/wireguard/vin.psk") - (allowed-ips '("10.0.0.3/32" "fc00::3/128")))) - ("fp4.twilken.net" . - ,(wireguard-peer - (name "fp4.wg") - (public-key "fp4/aLAVBADTy+UGmNh011w1CFOOwq70Df6EWlZRkAs=") - (preshared-key "/etc/wireguard/fp4.psk") - (allowed-ips '("10.0.0.4/32" "fc00::4/128")))) - ("pi3.twilken.net" . - ,(wireguard-peer - (name "pi3.wg") - (endpoint "pi3.twilken.net:58922") - (public-key "pi3/ThUH4qDTuyvNQIiiyy2dbziF/xLRTwO0+vcUoVY=") - (preshared-key "/etc/wireguard/pi3.psk") - (allowed-ips '("10.0.0.5/32" "fc00::5/128")))))) - -(define-public %wireguard-etc-hosts - (let ((basic-hosts-file "\ -# This file was generated from your Guix configuration. -# Any changes will be lost upon reboot or reconfiguration. 
-127.0.0.1 localhost -255.255.255.255 broadcasthost -::1 localhost ip6-localhost ip6-loopback -fe00::0 ip6-localnet -ff00::0 ip6-mcastprefix -ff02::1 ip6-allnodes -ff02::2 ip6-allrouters -ff02::3 ip6-allhosts -")) - (plain-file - "hosts" - (fold (lambda (peer hosts-file) - (apply string-append hosts-file - (map (lambda (allowed-ip-cidr) - (format #f "~16a~a~%" - (car (string-split allowed-ip-cidr #\/)) - (wireguard-peer-name peer))) - (wireguard-peer-allowed-ips peer)))) - basic-hosts-file - (map cdr %wireguard-peers))))) - -(define-public (wireguard-service host-name) - (let ((own-peer (assoc-ref %wireguard-peers host-name))) - (service wireguard-service-type - (wireguard-configuration - (addresses - (map (lambda (cidr) - (let ((ipv4 (string-match "/32$" cidr)) - (ipv6 (string-match "/128$" cidr))) - (cond - (ipv4 (regexp-substitute #f ipv4 'pre "/24")) - (ipv6 (regexp-substitute #f ipv6 'pre "/64")) - (#t cidr)))) - (wireguard-peer-allowed-ips own-peer))) - (port - (let ((endpoint (wireguard-peer-endpoint own-peer))) - (if endpoint - (string->number (cadr (string-split endpoint #\:))) - 58921))) - (private-key "/etc/wireguard/private.key") - (peers (delq own-peer (map cdr %wireguard-peers))))))) |