Diffstat (limited to 'tw/system')
-rw-r--r--tw/system/common.scm37
-rw-r--r--tw/system/lap.scm80
-rw-r--r--tw/system/lud.scm240
3 files changed, 174 insertions, 183 deletions
diff --git a/tw/system/common.scm b/tw/system/common.scm
index 2266cbb9..d96faef8 100644
--- a/tw/system/common.scm
+++ b/tw/system/common.scm
@@ -82,22 +82,21 @@ ff02::3 ip6-allhosts
(define-public (wireguard-service host)
(let ((own-peer (assoc-ref %wireguard-peers host)))
- (service
- wireguard-service-type
- (wireguard-configuration
- (addresses
- (map (lambda (cidr)
- (let ((ipv4 (string-match "/32$" cidr))
- (ipv6 (string-match "/128$" cidr)))
- (cond
- (ipv4 (regexp-substitute #f ipv4 'pre "/24"))
- (ipv6 (regexp-substitute #f ipv6 'pre "/64"))
- (#t cidr))))
- (wireguard-peer-allowed-ips own-peer)))
- (port
- (let ((endpoint (wireguard-peer-endpoint own-peer)))
- (if endpoint
- (string->number (cadr (string-split endpoint #\:)))
- 58921)))
- (private-key "/etc/wireguard/private.key")
- (peers (delq own-peer (map cdr %wireguard-peers)))))))
+ (service wireguard-service-type
+ (wireguard-configuration
+ (addresses
+ (map (lambda (cidr)
+ (let ((ipv4 (string-match "/32$" cidr))
+ (ipv6 (string-match "/128$" cidr)))
+ (cond
+ (ipv4 (regexp-substitute #f ipv4 'pre "/24"))
+ (ipv6 (regexp-substitute #f ipv6 'pre "/64"))
+ (#t cidr))))
+ (wireguard-peer-allowed-ips own-peer)))
+ (port
+ (let ((endpoint (wireguard-peer-endpoint own-peer)))
+ (if endpoint
+ (string->number (cadr (string-split endpoint #\:)))
+ 58921)))
+ (private-key "/etc/wireguard/private.key")
+ (peers (delq own-peer (map cdr %wireguard-peers)))))))
diff --git a/tw/system/lap.scm b/tw/system/lap.scm
index 9dd81d80..504f5cc7 100644
--- a/tw/system/lap.scm
+++ b/tw/system/lap.scm
@@ -166,12 +166,12 @@ support extra features (acr, pmu, gr).")
(kernel nongnu:linux-lts)
(kernel-arguments
(cons* ;;"nosplash"
- ;;"vt.global_cursor_default=0"
- ;;"video.use_native_backlight=1"
- ;;"nvidia-drm.modeset=1"
- ;;"acpi_osi=\"!Windows 2015\""
- ;;"acpi_enforce_resources=lax"
- %default-kernel-arguments))
+ ;;"vt.global_cursor_default=0"
+ ;;"video.use_native_backlight=1"
+ ;;"nvidia-drm.modeset=1"
+ ;;"acpi_osi=\"!Windows 2015\""
+ ;;"acpi_enforce_resources=lax"
+ %default-kernel-arguments))
(initrd microcode-initrd)
;; TODO: nouveau complains about missing firmware (see dmesg).
(firmware (cons* nongnu:atheros-firmware ; for atk10k/QCA6174/hw3.0 (wifi card)
@@ -282,42 +282,42 @@ support extra features (acr, pmu, gr).")
(services
(cons*
(service syncthing-service-type
- (syncthing-configuration
- (user "timo")))
+ (syncthing-configuration
+ (user "timo")))
(service cups-service-type
- (cups-configuration
- (web-interface? #t)
- (default-shared? #f)
- ;; See info '(guix)Printing Services' for more extensions.
- (extensions
- (list cups-filters foomatic-filters brlaser))))
+ (cups-configuration
+ (web-interface? #t)
+ (default-shared? #f)
+ ;; See info '(guix)Printing Services' for more extensions.
+ (extensions
+ (list cups-filters foomatic-filters brlaser))))
(bluetooth-service)
(wireguard-service 'lap)
(service docker-service-type
- (docker-configuration))
+ (docker-configuration))
(service krb5-service-type
- (krb5-configuration
- (default-realm "CERN.CH")
- (rdns? #f)
- (realms (list (krb5-realm
- (name "CERN.CH")
- (default-domain "cern.ch")
- (kdc "cerndc.cern.ch"))))))
+ (krb5-configuration
+ (default-realm "CERN.CH")
+ (rdns? #f)
+ (realms (list (krb5-realm
+ (name "CERN.CH")
+ (default-domain "cern.ch")
+ (kdc "cerndc.cern.ch"))))))
(service tlp-service-type
- (tlp-configuration)) ; TODO: configure properly
+ (tlp-configuration)) ; TODO: configure properly
(service thermald-service-type
- (thermald-configuration
- (adaptive? #t)))
+ (thermald-configuration
+ (adaptive? #t)))
(service earlyoom-service-type
- (earlyoom-configuration)) ; TODO: configure at least `avoid-regexp'
+ (earlyoom-configuration)) ; TODO: configure at least `avoid-regexp'
;; Disabled as it doesn't work with my hardware.
;; It always says "logging in with fingerprint failed" and blocks password login in gdm.
@@ -331,7 +331,7 @@ support extra features (acr, pmu, gr).")
;; If using a DM other than GDM, add it to `pam-services' in
;; `gnome-keyring-configuration' (see its docs).
(service gnome-keyring-service-type
- (gnome-keyring-configuration))
+ (gnome-keyring-configuration))
;; Allow anyone in the "video" group to set the display's brightness.
;; Run `udevadm info -q all /sys/class/backlight/intel_backlight'
@@ -346,23 +346,21 @@ support extra features (acr, pmu, gr).")
(set-xorg-configuration custom-xorg-config)
- (simple-service
- 'cronjobs mcron-service-type
- ;; I don't think jobs run on boot if they would have run when the
- ;; computer was turned off, so choose a time when the computer is
- ;; probably turned on.
- (list #~(job "0 21 * * *" "guix gc -d 2w -F 25G")
- #~(job "0 22 * * *" ; after guix gc
- (string-append #$(file-append util-linux "/sbin/fstrim")
- " --fstab --verbose"))))
+ (simple-service 'cronjobs mcron-service-type
+ ;; I don't think jobs run on boot if they would have run when the
+ ;; computer was turned off, so choose a time when the computer is
+ ;; probably turned on.
+ (list #~(job "0 21 * * *" "guix gc -d 2w -F 25G")
+ #~(job "0 22 * * *" ; after guix gc
+ (string-append #$(file-append util-linux "/sbin/fstrim")
+ " --fstab --verbose"))))
;; The nonguix channel is added to channels.scm as an `extra-special-file'.
;; The gaming channel (https://gitlab.com/guix-gaming-channels) is per-user only.
- (simple-service
- 'nonguix guix-service-type
- (guix-extension
- (authorized-keys (list nonguix-signing-key))
- (substitute-urls '("https://substitutes.nonguix.org"))))
+ (simple-service 'nonguix guix-service-type
+ (guix-extension
+ (authorized-keys (list nonguix-signing-key))
+ (substitute-urls '("https://substitutes.nonguix.org"))))
(extra-special-file "/etc/guix/channels.scm" extra-channels)
diff --git a/tw/system/lud.scm b/tw/system/lud.scm
index 0035d1ab..15cdbeaf 100644
--- a/tw/system/lud.scm
+++ b/tw/system/lud.scm
@@ -72,11 +72,10 @@ SSLSessionCacheTimeout 1200
")
(define nextcloud-services
- (list (simple-service
- 'nextcloud-https-server httpd-service-type
- ;; The certbot service redirects everything on port 80 to
- ;; port 443 by default, modulo its own /.well-known paths.
- (list (httpd-virtualhost "*:443" (list "\
+ (list (simple-service 'nextcloud-https-server httpd-service-type
+ ;; The certbot service redirects everything on port 80 to
+ ;; port 443 by default, modulo its own /.well-known paths.
+ (list (httpd-virtualhost "*:443" (list "\
# For Nextcloud.
ServerName cloud.wilkenfamily.de
DocumentRoot /var/www/nextcloud
@@ -121,59 +120,55 @@ Header always set Strict-Transport-Security \"max-age=15552000\"
"))))
(service php-fpm-service-type
- (php-fpm-configuration
- (user "httpd")
- (group "httpd")
- (socket "/var/run/php-fpm.sock")
- (socket-user "httpd")
- (socket-group "httpd")
- (php-ini-file nextcloud-php.ini)))
-
- (simple-service
- 'nextcloud-certificates certbot-service-type
- (list (certificate-configuration
- (domains '("cloud.wilkenfamily.de"))
- (deploy-hook httpd-cert-deploy-hook))))
+ (php-fpm-configuration
+ (user "httpd")
+ (group "httpd")
+ (socket "/var/run/php-fpm.sock")
+ (socket-user "httpd")
+ (socket-group "httpd")
+ (php-ini-file nextcloud-php.ini)))
+
+ (simple-service 'nextcloud-certificates certbot-service-type
+ (list (certificate-configuration
+ (domains '("cloud.wilkenfamily.de"))
+ (deploy-hook httpd-cert-deploy-hook))))
;; Nextcloud cron
- (simple-service
- 'nextcloud-cron mcron-service-type
- (list #~(job "*/5 * * * *"
- (lambda ()
- (chdir "/var/www/nextcloud")
- ;; `setgid' first while we're still root
- (setgid (group:gid (getgr "httpd")))
- (setuid (passwd:uid (getpw "httpd")))
- (execl #$(file-append php "/bin/php") "php"
- "-c" #$nextcloud-php.ini "cron.php"))
- (string-append
- #$(file-append php "/bin/php")
- " -c " #$nextcloud-php.ini
- " /var/www/nextcloud/cron.php"))
-
- ;; Nextcloud backups
- ;; Requires: sudo, php, btrfs, mysqldump, rsync
- (let ((backup-script (local-file "files/nextcloud-backup" #:recursive? #t)))
- #~(job "0 6 * * *"
- (lambda ()
- ;; Pass through the php.ini file that allows us to
- ;; use Nextcloud's occ script.
- (execl #$backup-script "nextcloud-backup" #$nextcloud-php.ini))
- (string-append #$backup-script " " #$nextcloud-php.ini)))))))
+ (simple-service 'nextcloud-cron mcron-service-type
+ (list #~(job "*/5 * * * *"
+ (lambda ()
+ (chdir "/var/www/nextcloud")
+ ;; `setgid' first while we're still root
+ (setgid (group:gid (getgr "httpd")))
+ (setuid (passwd:uid (getpw "httpd")))
+ (execl #$(file-append php "/bin/php") "php"
+ "-c" #$nextcloud-php.ini "cron.php"))
+ (string-append
+ #$(file-append php "/bin/php")
+ " -c " #$nextcloud-php.ini
+ " /var/www/nextcloud/cron.php"))
+
+ ;; Nextcloud backups
+ ;; Requires: sudo, php, btrfs, mysqldump, rsync
+ (let ((backup-script (local-file "files/nextcloud-backup" #:recursive? #t)))
+ #~(job "0 6 * * *"
+ (lambda ()
+ ;; Pass through the php.ini file that allows us to
+ ;; use Nextcloud's occ script.
+ (execl #$backup-script "nextcloud-backup" #$nextcloud-php.ini))
+ (string-append #$backup-script " " #$nextcloud-php.ini)))))))
(define matrix-services
- (list (simple-service
- 'synapse-certificates certbot-service-type
- (list (certificate-configuration
- (domains '("matrix.twilken.net"))
- (deploy-hook httpd-cert-deploy-hook))))
-
- (simple-service
- 'synapse-https-proxy httpd-service-type
- ;; Synapse can't access certbot certs, but Apache/httpd
- ;; can, so proxy HTTPS access through. It's good to have
- ;; Synapse available on port 443 anyway.
- (list (httpd-virtualhost "*:443" (list "\
+ (list (simple-service 'synapse-certificates certbot-service-type
+ (list (certificate-configuration
+ (domains '("matrix.twilken.net"))
+ (deploy-hook httpd-cert-deploy-hook))))
+
+ (simple-service 'synapse-https-proxy httpd-service-type
+ ;; Synapse can't access certbot certs, but Apache/httpd
+ ;; can, so proxy HTTPS access through. It's good to have
+ ;; Synapse available on port 443 anyway.
+ (list (httpd-virtualhost "*:443" (list "\
# Redirect to Synapse, to avoid having to specify its port number in Matrix clients.
ServerName matrix.twilken.net
SSLEngine on
@@ -184,15 +179,15 @@ ProxyPass \"/\" \"https://127.0.0.1:48448/\"
;; TODO: Postgres for Synapse
;; (service postgresql-service-type
- ;; (postgresql-configuration
- ;; (postgresql postgresql-15)
- ;; (data-directory "/var/lib/postgresql/data")))
+ ;; (postgresql-configuration
+ ;; (postgresql postgresql-15)
+ ;; (data-directory "/var/lib/postgresql/data")))
;; (service postgresql-role-service-type
- ;; (postgresql-role-configuration
- ;; (roles (list (postgresql-role
- ;; (name "synapse") ; TODO
- ;; (create-database? #t))))))
+ ;; (postgresql-role-configuration
+ ;; (roles (list (postgresql-role
+ ;; (name "synapse") ; TODO
+ ;; (create-database? #t))))))
;; TODO: Matrix/Synapse
;; TODO: Matrix bridges
@@ -236,16 +231,16 @@ ProxyPass \"/\" \"https://127.0.0.1:48448/\"
(services
(append
(list (service openssh-service-type
- (openssh-configuration
- (port-number 22022)
- (password-authentication? #f)
- (accepted-environment '("LANG" "LC_*"))
- (authorized-keys
- `(("timo"
- ,(local-file "files/timo.pub"))
- ("ira" ; for Duplicity backups
- ,(local-file "files/kitchen-pc.pub")
- ,(local-file "files/wilken-laptop.pub"))))))
+ (openssh-configuration
+ (port-number 22022)
+ (password-authentication? #f)
+ (accepted-environment '("LANG" "LC_*"))
+ (authorized-keys
+ `(("timo"
+ ,(local-file "files/timo.pub"))
+ ("ira" ; for Duplicity backups
+ ,(local-file "files/kitchen-pc.pub")
+ ,(local-file "files/wilken-laptop.pub"))))))
(service tor-service-type)
@@ -254,74 +249,73 @@ ProxyPass \"/\" \"https://127.0.0.1:48448/\"
(service ntp-service-type)
(service thermald-service-type
- (thermald-configuration
- (adaptive? #t)))
+ (thermald-configuration
+ (adaptive? #t)))
- (simple-service
- 'cronjobs mcron-service-type
- (list #~(job "0 21 * * *" "guix gc -d 2w -F 25G")
- #~(job "0 22 * * *" ; after guix gc
- (string-append #$(file-append util-linux "/sbin/fstrim")
- " --fstab --verbose"))))
+ (simple-service 'cronjobs mcron-service-type
+ (list #~(job "0 21 * * *" "guix gc -d 2w -F 25G")
+ #~(job "0 22 * * *" ; after guix gc
+ (string-append #$(file-append util-linux "/sbin/fstrim")
+ " --fstab --verbose"))))
;; Transmission (torrents)
(service transmission-daemon-service-type
- (transmission-daemon-configuration
- (download-dir "/var/data/bt")
- (incomplete-dir "/var/data/bt/incomplete")
- (incomplete-dir-enabled? #t)
- (speed-limit-up-enabled? #t)
- (speed-limit-up 512) ; KiB/s
- (encryption 'require-encrypted-connections)
- ;; Don't try to configure port forwarding automatically.
- (port-forwarding-enabled? #f)
- ;; Make RPC interface only accessible via WireGuard.
- (rpc-bind-address "10.0.0.2")
- (rpc-whitelist-enabled? #t)
- (rpc-whitelist '("127.0.0.1" "::1"
- "10.0.0.*" "fc00::*"))
- (rpc-host-whitelist-enabled? #t)
- (rpc-host-whitelist '("lud.wg"))))
+ (transmission-daemon-configuration
+ (download-dir "/var/data/bt")
+ (incomplete-dir "/var/data/bt/incomplete")
+ (incomplete-dir-enabled? #t)
+ (speed-limit-up-enabled? #t)
+ (speed-limit-up 512) ; KiB/s
+ (encryption 'require-encrypted-connections)
+ ;; Don't try to configure port forwarding automatically.
+ (port-forwarding-enabled? #f)
+ ;; Make RPC interface only accessible via WireGuard.
+ (rpc-bind-address "10.0.0.2")
+ (rpc-whitelist-enabled? #t)
+ (rpc-whitelist '("127.0.0.1" "::1"
+ "10.0.0.*" "fc00::*"))
+ (rpc-host-whitelist-enabled? #t)
+ (rpc-host-whitelist '("lud.wg"))))
;; TODO: Streama
;; Syncthing
(service syncthing-service-type
- (syncthing-configuration
- (user "syncthing")
- (group "syncthing")))
+ (syncthing-configuration
+ (user "syncthing")
+ (group "syncthing")))
;; certbot for Synapse + Apache/Nextcloud
;; This also installs a nginx server on port 80, redirecting to port 443.
(service certbot-service-type
- (certbot-configuration
- (email "letsencrypt@twilken.net")))
+ (certbot-configuration
+ (email "letsencrypt@twilken.net")))
(service httpd-service-type
- (httpd-configuration
- (config
- (httpd-config-file
- (listen '("443")) ; leave port 80 free for certbot/nginx
- (modules
- (cons* (httpd-module (name "ssl_module") (file "modules/mod_ssl.so"))
- (httpd-module (name "proxy_module") (file "modules/mod_proxy.so"))
- (httpd-module (name "rewrite_module") (file "modules/mod_rewrite.so"))
- (httpd-module (name "alias_module") (file "modules/mod_alias.so"))
- (httpd-module (name "socache_shmcb_module") ; for SSLStaplingCache
- (file "modules/mod_socache_shmcb.so"))
- (httpd-module (name "proxy_fcgi_module") ; for PHP/FastCGI
- (file "modules/mod_proxy_fcgi.so"))
- %default-httpd-modules))
- ;; Preserve default value for `extra-config'.
- (extra-config
- (list "TypesConfig etc/httpd/mime.types\n"
- "ServerAdmin webmaster@twilken.net\n"
- httpd-intermediate-ssl-config))))))
+ (httpd-configuration
+ (config
+ (httpd-config-file
+ (listen '("443")) ; leave port 80 free for certbot/nginx
+ (modules
+ (cons* (httpd-module (name "ssl_module") (file "modules/mod_ssl.so"))
+ (httpd-module (name "proxy_module") (file "modules/mod_proxy.so"))
+ (httpd-module (name "rewrite_module") (file "modules/mod_rewrite.so"))
+ (httpd-module (name "alias_module") (file "modules/mod_alias.so"))
+ (httpd-module (name "socache_shmcb_module") ; for SSLStaplingCache
+ (file "modules/mod_socache_shmcb.so"))
+ (httpd-module (name "proxy_fcgi_module") ; for PHP/FastCGI
+ (file "modules/mod_proxy_fcgi.so"))
+ %default-httpd-modules))
+ ;; Preserve default value for `extra-config'.
+ (extra-config
+ (list "TypesConfig etc/httpd/mime.types\n"
+ "ServerAdmin webmaster@twilken.net\n"
+ httpd-intermediate-ssl-config))))))
;; For Nextcloud (and Streama)
(service mysql-service-type
- (mysql-configuration
- (extra-content "\
+ (mysql-configuration
+ (extra-content "\
[mysqld]
character-set-server = utf8mb4
collation-server = utf8mb4_general_ci
@@ -335,8 +329,8 @@ innodb_io_capacity = 4000
;; Prometheus node exporter
(service prometheus-node-exporter-service-type
- (prometheus-node-exporter-configuration
- (web-listen-address "10.0.0.2:9100")))
+ (prometheus-node-exporter-configuration
+ (web-listen-address "10.0.0.2:9100")))
;; TODO: JSON exporter (Nextcloud)