Diffstat (limited to 'tw/system/lud.scm')
-rw-r--r-- | tw/system/lud.scm | 162 |
1 files changed, 4 insertions, 158 deletions
diff --git a/tw/system/lud.scm b/tw/system/lud.scm
index 9986c30a..b770fc90 100644
--- a/tw/system/lud.scm
+++ b/tw/system/lud.scm
@@ -5,6 +5,8 @@
 #:use-module (gnu system nss)
 #:use-module (guix gexp)
 #:use-module (tw packages php)
+ #:use-module (tw services nextcloud)
+ #:use-module (tw services matrix)
 #:use-module (tw system))
 
 (use-package-modules admin bash certs databases linux man php python rsync
@@ -21,40 +23,6 @@
 (define data-partition ; /dev/sdc1
 (uuid "4715ae0e-5cef-48f2-a59e-025321153888" 'btrfs))
 
-(define httpd-cert-deploy-hook
- (program-file "httpd-cert-deploy-hook"
- #~(kill (call-with-input-file "/var/run/httpd" read) SIGHUP)))
-
-(define nextcloud-php.ini
- (computed-file "nextcloud-php.ini"
- #~(begin
- (use-modules (ice-9 popen) (ice-9 rdelim))
- (let* ((php-config #$(file-append php "/bin/php-config"))
- (pipe (open-pipe* OPEN_READ php-config "--extension-dir"))
- (php-extdir (read-line pipe)))
- (unless (zero? (status:exit-val (close-pipe pipe)))
- (error "Failed to get PHP extension dir"))
- (with-output-to-file #$output
- ;; Guix's PHP comes with the following extensions built-in,
- ;; so no extension= line necessary:
- ;; pdo_mysql, bcmath, bz2, exif, gd, iconv, intl
- (lambda () (display (string-append "\
-memory_limit=512M
-extension_dir=/run/current-system/profile/lib/php/extensions/" (basename php-extdir) "
-; Caching extensions for Nextcloud
-extension=apcu
-apc.enable_cli=1
-zend_extension=opcache
-; https://www.php.net/manual/en/opcache.configuration.php
-opcache.enable=1
-opcache.interned_strings_buffer=32
-opcache.max_accelerated_files=10000
-opcache.memory_consumption=128
-opcache.save_comments=1
-; It will take up to revalidate_freq seconds for changes to config.php to be applied.
-opcache.revalidate_freq=120
-"))))))))
-
 (define httpd-intermediate-ssl-config "\
 # SSL configuration.
 # https://ssl-config.mozilla.org/#server=apache&version=2.4.53&config=intermediate&openssl=1.1.1n&ocsp=false&guideline=5.6
@@ -70,128 +38,6 @@ SSLSessionCache \"shmcb:logs/ssl_scache(65535)\" SSLSessionCacheTimeout 1200 ") -(define nextcloud-services - (list (simple-service 'nextcloud-https-server httpd-service-type - ;; The certbot service redirects everything on port 80 to - ;; port 443 by default, modulo its own /.well-known paths. - (list (httpd-virtualhost "*:443" (list "\ -# For Nextcloud. -ServerName cloud.wilkenfamily.de -DocumentRoot /var/www/nextcloud -SSLEngine on -SSLCertificateFile \"/etc/letsencrypt/live/cloud.wilkenfamily.de/fullchain.pem\" -SSLCertificateKeyFile \"/etc/letsencrypt/live/cloud.wilkenfamily.de/privkey.pem\" -Header always set Strict-Transport-Security \"max-age=15552000\" - -# Don't check for .htaccess files above DocumentRoot. -<Directory \"/\"> - AllowOverride None -</Directory> - -<Directory /var/www/nextcloud> - Options +FollowSymlinks - AllowOverride All - <IfModule mod_dav.c> - Dav off - </IfModule> - SetEnv HOME /var/www/nextcloud - SetEnv HTTP_HOME /var/www/nextcloud -</Directory> - -# Redirect to local php-fpm if mod_php is not available -<IfModule !mod_php7.c> - <IfModule proxy_fcgi_module> - # Enable http authorization headers - <IfModule setenvif_module> - SetEnvIfNoCase ^Authorization$ \"(.+)\" HTTP_AUTHORIZATION=$1 - </IfModule> - <FilesMatch \".+\\.ph(ar|p|tml)$\"> - <If \"-f %{REQUEST_FILENAME}\"> - SetHandler \"proxy:unix:/var/run/php-fpm.sock|fcgi://localhost/\" - </If> - </FilesMatch> - # Deny access to raw PHP sources and files without filename (e.g. 
'.php') - <FilesMatch \"^\\.ph(ar|p|ps|tml)$|.*\\.phps$\"> - Require all denied - </FilesMatch> - </IfModule> -</IfModule> -")))) - - (service php-fpm-service-type - (php-fpm-configuration - (user "httpd") - (group "httpd") - (socket "/var/run/php-fpm.sock") - (socket-user "httpd") - (socket-group "httpd") - (php-ini-file nextcloud-php.ini))) - - (simple-service 'nextcloud-certificates certbot-service-type - (list (certificate-configuration - (domains '("cloud.wilkenfamily.de")) - (deploy-hook httpd-cert-deploy-hook)))) - - ;; Nextcloud cron - (simple-service 'nextcloud-cron mcron-service-type - (list #~(job "*/5 * * * *" - (lambda () - (chdir "/var/www/nextcloud") - ;; `setgid' first while we're still root - (setgid (group:gid (getgr "httpd"))) - (setuid (passwd:uid (getpw "httpd"))) - (execl #$(file-append php "/bin/php") "php" - "-c" #$nextcloud-php.ini "cron.php")) - (string-append - #$(file-append php "/bin/php") - " -c " #$nextcloud-php.ini - " /var/www/nextcloud/cron.php")) - - ;; Nextcloud backups - ;; Requires: sudo, php, btrfs, mysqldump, rsync - (let ((backup-script (local-file "files/nextcloud-backup" #:recursive? #t))) - #~(job "0 6 * * *" - (lambda () - ;; Pass through the php.ini file that allows us to - ;; use Nextcloud's occ script. - (execl #$backup-script "nextcloud-backup" #$nextcloud-php.ini)) - (string-append #$backup-script " " #$nextcloud-php.ini))))))) - -(define matrix-services - (list (simple-service 'synapse-certificates certbot-service-type - (list (certificate-configuration - (domains '("matrix.twilken.net")) - (deploy-hook httpd-cert-deploy-hook)))) - - (simple-service 'synapse-https-proxy httpd-service-type - ;; Synapse can't access certbot certs, but Apache/httpd - ;; can, so proxy HTTPS access through. It's good to have - ;; Synapse available on port 443 anyway. - (list (httpd-virtualhost "*:443" (list "\ -# Redirect to Synapse, to avoid having to specify its port number in Matrix clients. 
-ServerName matrix.twilken.net -SSLEngine on -SSLCertificateFile \"/etc/letsencrypt/live/matrix.twilken.net/fullchain.pem\" -SSLCertificateKeyFile \"/etc/letsencrypt/live/matrix.twilken.net/privkey.pem\" -ProxyPass \"/\" \"https://127.0.0.1:48448/\" -")))) - - ;; TODO: Postgres for Synapse - ;; (service postgresql-service-type - ;; (postgresql-configuration - ;; (postgresql postgresql-15) - ;; (data-directory "/var/lib/postgresql/data"))) - - ;; (service postgresql-role-service-type - ;; (postgresql-role-configuration - ;; (roles (list (postgresql-role - ;; (name "synapse") ; TODO - ;; (create-database? #t)))))) - - ;; TODO: Matrix/Synapse - ;; TODO: Matrix bridges - )) - (define-public %lud-system (operating-system (host-name "lud.twilken.net") @@ -313,8 +159,8 @@ innodb_io_capacity = 4000 ;; TODO: Transmission exporter ) - nextcloud-services - matrix-services + %nextcloud-services + %matrix-services (server-base-services host-name))) ;; The list of user accounts ('root' is implicit). |
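Review bot: The two appended entries `%nextcloud-services` and `%matrix-services` in the -313,8 hunk carry no comment saying where they come from, while the local definitions they replace (removed in the -70,128 hunk) fixed the host names `cloud.wilkenfamily.de` and `matrix.twilken.net`, the Let's Encrypt certificate paths under `/etc/letsencrypt/live/`, the `/var/run/php-fpm.sock` socket and the `127.0.0.1:48448` proxy target; if those values moved unchanged into `(tw services nextcloud)` and `(tw services matrix)`, a reader of this per-host file can no longer see which hosts and certificates are being served. Suggest a comment above the two lines: `;; Nextcloud and Synapse virtualhosts, certbot entries and cron jobs; host names, certificate paths and the Synapse proxy port are fixed in (tw services nextcloud) / (tw services matrix).` With the local definitions gone, the `php` binding imported from `(tw packages php)` and the `certbot-service-type`, `php-fpm-service-type` and `mcron-service-type` bindings may no longer be referenced in this file; the `use-service-modules` line is outside the hunks, so this is worth confirming rather than assumed. The enclosing `operating-system` form begins before this hunk.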