Diffstat (limited to 'tw/system/lud.scm')
-rw-r--r--tw/system/lud.scm240
1 files changed, 117 insertions, 123 deletions
diff --git a/tw/system/lud.scm b/tw/system/lud.scm
index 0035d1ab..15cdbeaf 100644
--- a/tw/system/lud.scm
+++ b/tw/system/lud.scm
@@ -72,11 +72,10 @@ SSLSessionCacheTimeout 1200
")
(define nextcloud-services
- (list (simple-service
- 'nextcloud-https-server httpd-service-type
- ;; The certbot service redirects everything on port 80 to
- ;; port 443 by default, modulo its own /.well-known paths.
- (list (httpd-virtualhost "*:443" (list "\
+ (list (simple-service 'nextcloud-https-server httpd-service-type
+ ;; The certbot service redirects everything on port 80 to
+ ;; port 443 by default, modulo its own /.well-known paths.
+ (list (httpd-virtualhost "*:443" (list "\
# For Nextcloud.
ServerName cloud.wilkenfamily.de
DocumentRoot /var/www/nextcloud
@@ -121,59 +120,55 @@ Header always set Strict-Transport-Security \"max-age=15552000\"
"))))
(service php-fpm-service-type
- (php-fpm-configuration
- (user "httpd")
- (group "httpd")
- (socket "/var/run/php-fpm.sock")
- (socket-user "httpd")
- (socket-group "httpd")
- (php-ini-file nextcloud-php.ini)))
-
- (simple-service
- 'nextcloud-certificates certbot-service-type
- (list (certificate-configuration
- (domains '("cloud.wilkenfamily.de"))
- (deploy-hook httpd-cert-deploy-hook))))
+ (php-fpm-configuration
+ (user "httpd")
+ (group "httpd")
+ (socket "/var/run/php-fpm.sock")
+ (socket-user "httpd")
+ (socket-group "httpd")
+ (php-ini-file nextcloud-php.ini)))
+
+ (simple-service 'nextcloud-certificates certbot-service-type
+ (list (certificate-configuration
+ (domains '("cloud.wilkenfamily.de"))
+ (deploy-hook httpd-cert-deploy-hook))))
;; Nextcloud cron
- (simple-service
- 'nextcloud-cron mcron-service-type
- (list #~(job "*/5 * * * *"
- (lambda ()
- (chdir "/var/www/nextcloud")
- ;; `setgid' first while we're still root
- (setgid (group:gid (getgr "httpd")))
- (setuid (passwd:uid (getpw "httpd")))
- (execl #$(file-append php "/bin/php") "php"
- "-c" #$nextcloud-php.ini "cron.php"))
- (string-append
- #$(file-append php "/bin/php")
- " -c " #$nextcloud-php.ini
- " /var/www/nextcloud/cron.php"))
-
- ;; Nextcloud backups
- ;; Requires: sudo, php, btrfs, mysqldump, rsync
- (let ((backup-script (local-file "files/nextcloud-backup" #:recursive? #t)))
- #~(job "0 6 * * *"
- (lambda ()
- ;; Pass through the php.ini file that allows us to
- ;; use Nextcloud's occ script.
- (execl #$backup-script "nextcloud-backup" #$nextcloud-php.ini))
- (string-append #$backup-script " " #$nextcloud-php.ini)))))))
+ (simple-service 'nextcloud-cron mcron-service-type
+ (list #~(job "*/5 * * * *"
+ (lambda ()
+ (chdir "/var/www/nextcloud")
+ ;; `setgid' first while we're still root
+ (setgid (group:gid (getgr "httpd")))
+ (setuid (passwd:uid (getpw "httpd")))
+ (execl #$(file-append php "/bin/php") "php"
+ "-c" #$nextcloud-php.ini "cron.php"))
+ (string-append
+ #$(file-append php "/bin/php")
+ " -c " #$nextcloud-php.ini
+ " /var/www/nextcloud/cron.php"))
+
+ ;; Nextcloud backups
+ ;; Requires: sudo, php, btrfs, mysqldump, rsync
+ (let ((backup-script (local-file "files/nextcloud-backup" #:recursive? #t)))
+ #~(job "0 6 * * *"
+ (lambda ()
+ ;; Pass through the php.ini file that allows us to
+ ;; use Nextcloud's occ script.
+ (execl #$backup-script "nextcloud-backup" #$nextcloud-php.ini))
+ (string-append #$backup-script " " #$nextcloud-php.ini)))))))
(define matrix-services
- (list (simple-service
- 'synapse-certificates certbot-service-type
- (list (certificate-configuration
- (domains '("matrix.twilken.net"))
- (deploy-hook httpd-cert-deploy-hook))))
-
- (simple-service
- 'synapse-https-proxy httpd-service-type
- ;; Synapse can't access certbot certs, but Apache/httpd
- ;; can, so proxy HTTPS access through. It's good to have
- ;; Synapse available on port 443 anyway.
- (list (httpd-virtualhost "*:443" (list "\
+ (list (simple-service 'synapse-certificates certbot-service-type
+ (list (certificate-configuration
+ (domains '("matrix.twilken.net"))
+ (deploy-hook httpd-cert-deploy-hook))))
+
+ (simple-service 'synapse-https-proxy httpd-service-type
+ ;; Synapse can't access certbot certs, but Apache/httpd
+ ;; can, so proxy HTTPS access through. It's good to have
+ ;; Synapse available on port 443 anyway.
+ (list (httpd-virtualhost "*:443" (list "\
# Redirect to Synapse, to avoid having to specify its port number in Matrix clients.
ServerName matrix.twilken.net
SSLEngine on
@@ -184,15 +179,15 @@ ProxyPass \"/\" \"https://127.0.0.1:48448/\"
;; TODO: Postgres for Synapse
;; (service postgresql-service-type
- ;; (postgresql-configuration
- ;; (postgresql postgresql-15)
- ;; (data-directory "/var/lib/postgresql/data")))
+ ;; (postgresql-configuration
+ ;; (postgresql postgresql-15)
+ ;; (data-directory "/var/lib/postgresql/data")))
;; (service postgresql-role-service-type
- ;; (postgresql-role-configuration
- ;; (roles (list (postgresql-role
- ;; (name "synapse") ; TODO
- ;; (create-database? #t))))))
+ ;; (postgresql-role-configuration
+ ;; (roles (list (postgresql-role
+ ;; (name "synapse") ; TODO
+ ;; (create-database? #t))))))
;; TODO: Matrix/Synapse
;; TODO: Matrix bridges
@@ -236,16 +231,16 @@ ProxyPass \"/\" \"https://127.0.0.1:48448/\"
(services
(append
(list (service openssh-service-type
- (openssh-configuration
- (port-number 22022)
- (password-authentication? #f)
- (accepted-environment '("LANG" "LC_*"))
- (authorized-keys
- `(("timo"
- ,(local-file "files/timo.pub"))
- ("ira" ; for Duplicity backups
- ,(local-file "files/kitchen-pc.pub")
- ,(local-file "files/wilken-laptop.pub"))))))
+ (openssh-configuration
+ (port-number 22022)
+ (password-authentication? #f)
+ (accepted-environment '("LANG" "LC_*"))
+ (authorized-keys
+ `(("timo"
+ ,(local-file "files/timo.pub"))
+ ("ira" ; for Duplicity backups
+ ,(local-file "files/kitchen-pc.pub")
+ ,(local-file "files/wilken-laptop.pub"))))))
(service tor-service-type)
@@ -254,74 +249,73 @@ ProxyPass \"/\" \"https://127.0.0.1:48448/\"
(service ntp-service-type)
(service thermald-service-type
- (thermald-configuration
- (adaptive? #t)))
+ (thermald-configuration
+ (adaptive? #t)))
- (simple-service
- 'cronjobs mcron-service-type
- (list #~(job "0 21 * * *" "guix gc -d 2w -F 25G")
- #~(job "0 22 * * *" ; after guix gc
- (string-append #$(file-append util-linux "/sbin/fstrim")
- " --fstab --verbose"))))
+ (simple-service 'cronjobs mcron-service-type
+ (list #~(job "0 21 * * *" "guix gc -d 2w -F 25G")
+ #~(job "0 22 * * *" ; after guix gc
+ (string-append #$(file-append util-linux "/sbin/fstrim")
+ " --fstab --verbose"))))
;; Transmission (torrents)
(service transmission-daemon-service-type
- (transmission-daemon-configuration
- (download-dir "/var/data/bt")
- (incomplete-dir "/var/data/bt/incomplete")
- (incomplete-dir-enabled? #t)
- (speed-limit-up-enabled? #t)
- (speed-limit-up 512) ; KiB/s
- (encryption 'require-encrypted-connections)
- ;; Don't try to configure port forwarding automatically.
- (port-forwarding-enabled? #f)
- ;; Make RPC interface only accessible via WireGuard.
- (rpc-bind-address "10.0.0.2")
- (rpc-whitelist-enabled? #t)
- (rpc-whitelist '("127.0.0.1" "::1"
- "10.0.0.*" "fc00::*"))
- (rpc-host-whitelist-enabled? #t)
- (rpc-host-whitelist '("lud.wg"))))
+ (transmission-daemon-configuration
+ (download-dir "/var/data/bt")
+ (incomplete-dir "/var/data/bt/incomplete")
+ (incomplete-dir-enabled? #t)
+ (speed-limit-up-enabled? #t)
+ (speed-limit-up 512) ; KiB/s
+ (encryption 'require-encrypted-connections)
+ ;; Don't try to configure port forwarding automatically.
+ (port-forwarding-enabled? #f)
+ ;; Make RPC interface only accessible via WireGuard.
+ (rpc-bind-address "10.0.0.2")
+ (rpc-whitelist-enabled? #t)
+ (rpc-whitelist '("127.0.0.1" "::1"
+ "10.0.0.*" "fc00::*"))
+ (rpc-host-whitelist-enabled? #t)
+ (rpc-host-whitelist '("lud.wg"))))
;; TODO: Streama
;; Syncthing
(service syncthing-service-type
- (syncthing-configuration
- (user "syncthing")
- (group "syncthing")))
+ (syncthing-configuration
+ (user "syncthing")
+ (group "syncthing")))
;; certbot for Synapse + Apache/Nextcloud
;; This also installs a nginx server on port 80, redirecting to port 443.
(service certbot-service-type
- (certbot-configuration
- (email "letsencrypt@twilken.net")))
+ (certbot-configuration
+ (email "letsencrypt@twilken.net")))
(service httpd-service-type
- (httpd-configuration
- (config
- (httpd-config-file
- (listen '("443")) ; leave port 80 free for certbot/nginx
- (modules
- (cons* (httpd-module (name "ssl_module") (file "modules/mod_ssl.so"))
- (httpd-module (name "proxy_module") (file "modules/mod_proxy.so"))
- (httpd-module (name "rewrite_module") (file "modules/mod_rewrite.so"))
- (httpd-module (name "alias_module") (file "modules/mod_alias.so"))
- (httpd-module (name "socache_shmcb_module") ; for SSLStaplingCache
- (file "modules/mod_socache_shmcb.so"))
- (httpd-module (name "proxy_fcgi_module") ; for PHP/FastCGI
- (file "modules/mod_proxy_fcgi.so"))
- %default-httpd-modules))
- ;; Preserve default value for `extra-config'.
- (extra-config
- (list "TypesConfig etc/httpd/mime.types\n"
- "ServerAdmin webmaster@twilken.net\n"
- httpd-intermediate-ssl-config))))))
+ (httpd-configuration
+ (config
+ (httpd-config-file
+ (listen '("443")) ; leave port 80 free for certbot/nginx
+ (modules
+ (cons* (httpd-module (name "ssl_module") (file "modules/mod_ssl.so"))
+ (httpd-module (name "proxy_module") (file "modules/mod_proxy.so"))
+ (httpd-module (name "rewrite_module") (file "modules/mod_rewrite.so"))
+ (httpd-module (name "alias_module") (file "modules/mod_alias.so"))
+ (httpd-module (name "socache_shmcb_module") ; for SSLStaplingCache
+ (file "modules/mod_socache_shmcb.so"))
+ (httpd-module (name "proxy_fcgi_module") ; for PHP/FastCGI
+ (file "modules/mod_proxy_fcgi.so"))
+ %default-httpd-modules))
+ ;; Preserve default value for `extra-config'.
+ (extra-config
+ (list "TypesConfig etc/httpd/mime.types\n"
+ "ServerAdmin webmaster@twilken.net\n"
+ httpd-intermediate-ssl-config))))))
;; For Nextcloud (and Streama)
(service mysql-service-type
- (mysql-configuration
- (extra-content "\
+ (mysql-configuration
+ (extra-content "\
[mysqld]
character-set-server = utf8mb4
collation-server = utf8mb4_general_ci
@@ -335,8 +329,8 @@ innodb_io_capacity = 4000
;; Prometheus node exporter
(service prometheus-node-exporter-service-type
- (prometheus-node-exporter-configuration
- (web-listen-address "10.0.0.2:9100")))
+ (prometheus-node-exporter-configuration
+ (web-listen-address "10.0.0.2:9100")))
;; TODO: JSON exporter (Nextcloud)