Diffstat (limited to 'tw/system/lud.scm')
-rw-r--r--tw/system/lud.scm162
1 files changed, 4 insertions, 158 deletions
diff --git a/tw/system/lud.scm b/tw/system/lud.scm
index 9986c30a..b770fc90 100644
--- a/tw/system/lud.scm
+++ b/tw/system/lud.scm
@@ -5,6 +5,8 @@
#:use-module (gnu system nss)
#:use-module (guix gexp)
#:use-module (tw packages php)
+ #:use-module (tw services nextcloud)
+ #:use-module (tw services matrix)
#:use-module (tw system))
(use-package-modules admin bash certs databases linux man php python rsync
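Review bot: The two new `#:use-module` lines pull in every export of (tw services nextcloud) and (tw services matrix), while this file only uses `%nextcloud-services` and `%matrix-services` (see the last hunk); writing them as `#:use-module ((tw services nextcloud) #:select (%nextcloud-services))` and `#:use-module ((tw services matrix) #:select (%matrix-services))` makes the dependency explicit and rules out an unrelated export from those modules silently shadowing a binding still defined in lud.scm. With `nextcloud-php.ini`, the cron jobs and `httpd-cert-deploy-hook` removed from this file, the `#:use-module (tw packages php)` line just above and `php` in `use-package-modules` may no longer be referenced here; if nothing else in the file uses them, dropping them keeps it clear that the PHP/php-fpm configuration is now owned by the nextcloud service module. The `define-module` form this hunk belongs to begins before the hunk.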
@@ -21,40 +23,6 @@
(define data-partition ; /dev/sdc1
(uuid "4715ae0e-5cef-48f2-a59e-025321153888" 'btrfs))
-(define httpd-cert-deploy-hook
- (program-file "httpd-cert-deploy-hook"
- #~(kill (call-with-input-file "/var/run/httpd" read) SIGHUP)))
-
-(define nextcloud-php.ini
- (computed-file "nextcloud-php.ini"
- #~(begin
- (use-modules (ice-9 popen) (ice-9 rdelim))
- (let* ((php-config #$(file-append php "/bin/php-config"))
- (pipe (open-pipe* OPEN_READ php-config "--extension-dir"))
- (php-extdir (read-line pipe)))
- (unless (zero? (status:exit-val (close-pipe pipe)))
- (error "Failed to get PHP extension dir"))
- (with-output-to-file #$output
- ;; Guix's PHP comes with the following extensions built-in,
- ;; so no extension= line necessary:
- ;; pdo_mysql, bcmath, bz2, exif, gd, iconv, intl
- (lambda () (display (string-append "\
-memory_limit=512M
-extension_dir=/run/current-system/profile/lib/php/extensions/" (basename php-extdir) "
-; Caching extensions for Nextcloud
-extension=apcu
-apc.enable_cli=1
-zend_extension=opcache
-; https://www.php.net/manual/en/opcache.configuration.php
-opcache.enable=1
-opcache.interned_strings_buffer=32
-opcache.max_accelerated_files=10000
-opcache.memory_consumption=128
-opcache.save_comments=1
-; It will take up to revalidate_freq seconds for changes to config.php to be applied.
-opcache.revalidate_freq=120
-"))))))))
-
(define httpd-intermediate-ssl-config "\
# SSL configuration.
# https://ssl-config.mozilla.org/#server=apache&version=2.4.53&config=intermediate&openssl=1.1.1n&ocsp=false&guideline=5.6
@@ -70,128 +38,6 @@ SSLSessionCache \"shmcb:logs/ssl_scache(65535)\"
SSLSessionCacheTimeout 1200
")
-(define nextcloud-services
- (list (simple-service 'nextcloud-https-server httpd-service-type
- ;; The certbot service redirects everything on port 80 to
- ;; port 443 by default, modulo its own /.well-known paths.
- (list (httpd-virtualhost "*:443" (list "\
-# For Nextcloud.
-ServerName cloud.wilkenfamily.de
-DocumentRoot /var/www/nextcloud
-SSLEngine on
-SSLCertificateFile \"/etc/letsencrypt/live/cloud.wilkenfamily.de/fullchain.pem\"
-SSLCertificateKeyFile \"/etc/letsencrypt/live/cloud.wilkenfamily.de/privkey.pem\"
-Header always set Strict-Transport-Security \"max-age=15552000\"
-
-# Don't check for .htaccess files above DocumentRoot.
-<Directory \"/\">
- AllowOverride None
-</Directory>
-
-<Directory /var/www/nextcloud>
- Options +FollowSymlinks
- AllowOverride All
- <IfModule mod_dav.c>
- Dav off
- </IfModule>
- SetEnv HOME /var/www/nextcloud
- SetEnv HTTP_HOME /var/www/nextcloud
-</Directory>
-
-# Redirect to local php-fpm if mod_php is not available
-<IfModule !mod_php7.c>
- <IfModule proxy_fcgi_module>
- # Enable http authorization headers
- <IfModule setenvif_module>
- SetEnvIfNoCase ^Authorization$ \"(.+)\" HTTP_AUTHORIZATION=$1
- </IfModule>
- <FilesMatch \".+\\.ph(ar|p|tml)$\">
- <If \"-f %{REQUEST_FILENAME}\">
- SetHandler \"proxy:unix:/var/run/php-fpm.sock|fcgi://localhost/\"
- </If>
- </FilesMatch>
- # Deny access to raw PHP sources and files without filename (e.g. '.php')
- <FilesMatch \"^\\.ph(ar|p|ps|tml)$|.*\\.phps$\">
- Require all denied
- </FilesMatch>
- </IfModule>
-</IfModule>
-"))))
-
- (service php-fpm-service-type
- (php-fpm-configuration
- (user "httpd")
- (group "httpd")
- (socket "/var/run/php-fpm.sock")
- (socket-user "httpd")
- (socket-group "httpd")
- (php-ini-file nextcloud-php.ini)))
-
- (simple-service 'nextcloud-certificates certbot-service-type
- (list (certificate-configuration
- (domains '("cloud.wilkenfamily.de"))
- (deploy-hook httpd-cert-deploy-hook))))
-
- ;; Nextcloud cron
- (simple-service 'nextcloud-cron mcron-service-type
- (list #~(job "*/5 * * * *"
- (lambda ()
- (chdir "/var/www/nextcloud")
- ;; `setgid' first while we're still root
- (setgid (group:gid (getgr "httpd")))
- (setuid (passwd:uid (getpw "httpd")))
- (execl #$(file-append php "/bin/php") "php"
- "-c" #$nextcloud-php.ini "cron.php"))
- (string-append
- #$(file-append php "/bin/php")
- " -c " #$nextcloud-php.ini
- " /var/www/nextcloud/cron.php"))
-
- ;; Nextcloud backups
- ;; Requires: sudo, php, btrfs, mysqldump, rsync
- (let ((backup-script (local-file "files/nextcloud-backup" #:recursive? #t)))
- #~(job "0 6 * * *"
- (lambda ()
- ;; Pass through the php.ini file that allows us to
- ;; use Nextcloud's occ script.
- (execl #$backup-script "nextcloud-backup" #$nextcloud-php.ini))
- (string-append #$backup-script " " #$nextcloud-php.ini)))))))
-
-(define matrix-services
- (list (simple-service 'synapse-certificates certbot-service-type
- (list (certificate-configuration
- (domains '("matrix.twilken.net"))
- (deploy-hook httpd-cert-deploy-hook))))
-
- (simple-service 'synapse-https-proxy httpd-service-type
- ;; Synapse can't access certbot certs, but Apache/httpd
- ;; can, so proxy HTTPS access through. It's good to have
- ;; Synapse available on port 443 anyway.
- (list (httpd-virtualhost "*:443" (list "\
-# Redirect to Synapse, to avoid having to specify its port number in Matrix clients.
-ServerName matrix.twilken.net
-SSLEngine on
-SSLCertificateFile \"/etc/letsencrypt/live/matrix.twilken.net/fullchain.pem\"
-SSLCertificateKeyFile \"/etc/letsencrypt/live/matrix.twilken.net/privkey.pem\"
-ProxyPass \"/\" \"https://127.0.0.1:48448/\"
-"))))
-
- ;; TODO: Postgres for Synapse
- ;; (service postgresql-service-type
- ;; (postgresql-configuration
- ;; (postgresql postgresql-15)
- ;; (data-directory "/var/lib/postgresql/data")))
-
- ;; (service postgresql-role-service-type
- ;; (postgresql-role-configuration
- ;; (roles (list (postgresql-role
- ;; (name "synapse") ; TODO
- ;; (create-database? #t))))))
-
- ;; TODO: Matrix/Synapse
- ;; TODO: Matrix bridges
- ))
-
(define-public %lud-system
(operating-system
(host-name "lud.twilken.net")
@@ -313,8 +159,8 @@ innodb_io_capacity = 4000
;; TODO: Transmission exporter
)
- nextcloud-services
- matrix-services
+ %nextcloud-services
+ %matrix-services
(server-base-services host-name)))
;; The list of user accounts ('root' is implicit).