diff options
Diffstat (limited to 'tw')
-rw-r--r-- | tw/services.scm | 6 | ||||
-rwxr-xr-x | tw/services/files/nextcloud-backup (renamed from tw/system/files/nextcloud-backup) | 0 | ||||
-rw-r--r-- | tw/services/matrix.scm | 40 | ||||
-rw-r--r-- | tw/services/nextcloud.scm | 125 | ||||
-rw-r--r-- | tw/services/wireguard.scm | 107 | ||||
-rw-r--r-- | tw/system.scm | 126 | ||||
-rw-r--r-- | tw/system/lap.scm | 1 | ||||
-rw-r--r-- | tw/system/lud.scm | 162 |
8 files changed, 296 insertions, 271 deletions
diff --git a/tw/services.scm b/tw/services.scm new file mode 100644 index 00000000..2ef11298 --- /dev/null +++ b/tw/services.scm @@ -0,0 +1,6 @@ +(define-module (tw services) + #:use-module (guix gexp)) + +(define-public %httpd-cert-deploy-hook + (program-file "httpd-cert-deploy-hook" + #~(kill (call-with-input-file "/var/run/httpd" read) SIGHUP))) diff --git a/tw/system/files/nextcloud-backup b/tw/services/files/nextcloud-backup index 4c533758..4c533758 100755 --- a/tw/system/files/nextcloud-backup +++ b/tw/services/files/nextcloud-backup diff --git a/tw/services/matrix.scm b/tw/services/matrix.scm new file mode 100644 index 00000000..db21f172 --- /dev/null +++ b/tw/services/matrix.scm @@ -0,0 +1,40 @@ +(define-module (tw services matrix) + #:use-module (gnu services) + #:use-module (gnu services certbot) + #:use-module (gnu services web) + #:use-module (tw services)) + +(define-public %matrix-services + (list (simple-service 'synapse-certificates certbot-service-type + (list (certificate-configuration + (domains '("matrix.twilken.net")) + (deploy-hook %httpd-cert-deploy-hook)))) + + (simple-service 'synapse-https-proxy httpd-service-type + ;; Synapse can't access certbot certs, but Apache/httpd + ;; can, so proxy HTTPS access through. It's good to have + ;; Synapse available on port 443 anyway. + (list (httpd-virtualhost "*:443" (list "\ +# Redirect to Synapse, to avoid having to specify its port number in Matrix clients. +ServerName matrix.twilken.net +SSLEngine on +SSLCertificateFile \"/etc/letsencrypt/live/matrix.twilken.net/fullchain.pem\" +SSLCertificateKeyFile \"/etc/letsencrypt/live/matrix.twilken.net/privkey.pem\" +ProxyPass \"/\" \"https://127.0.0.1:48448/\" +")))) + + ;; TODO: Postgres for Synapse + ;; (service postgresql-service-type + ;; (postgresql-configuration + ;; (postgresql postgresql-15) + ;; (data-directory "/var/lib/postgresql/data"))) + + ;; (service postgresql-role-service-type + ;; (postgresql-role-configuration + ;; (roles (list (postgresql-role + ;; (name "synapse") ; TODO + ;; (create-database? #t)))))) + + ;; TODO: Matrix/Synapse + ;; TODO: Matrix bridges + )) diff --git a/tw/services/nextcloud.scm b/tw/services/nextcloud.scm new file mode 100644 index 00000000..ca68cf77 --- /dev/null +++ b/tw/services/nextcloud.scm @@ -0,0 +1,125 @@ +(define-module (tw services nextcloud) + #:use-module (gnu) + #:use-module (gnu packages php) + #:use-module (gnu services certbot) + #:use-module (gnu services mcron) + #:use-module (gnu services web) + #:use-module (guix gexp) + #:use-module (tw services)) + +(define-public %nextcloud-php.ini + (computed-file "nextcloud-php.ini" + #~(begin + (use-modules (ice-9 popen) (ice-9 rdelim)) + (let* ((php-config #$(file-append php "/bin/php-config")) + (pipe (open-pipe* OPEN_READ php-config "--extension-dir")) + (php-extdir (read-line pipe))) + (unless (zero? (status:exit-val (close-pipe pipe))) + (error "Failed to get PHP extension dir")) + (with-output-to-file #$output + ;; Guix's PHP comes with the following extensions built-in, + ;; so no extension= line necessary: + ;; pdo_mysql, bcmath, bz2, exif, gd, iconv, intl + (lambda () (display (string-append "\ +memory_limit=512M +extension_dir=/run/current-system/profile/lib/php/extensions/" (basename php-extdir) " +; Caching extensions for Nextcloud +extension=apcu +apc.enable_cli=1 +zend_extension=opcache +; https://www.php.net/manual/en/opcache.configuration.php +opcache.enable=1 +opcache.interned_strings_buffer=32 +opcache.max_accelerated_files=10000 +opcache.memory_consumption=128 +opcache.save_comments=1 +; It will take up to revalidate_freq seconds for changes to config.php to be applied. +opcache.revalidate_freq=120 +")))))))) + +(define-public %nextcloud-services + (list (simple-service 'nextcloud-https-server httpd-service-type + ;; The certbot service redirects everything on port 80 to + ;; port 443 by default, modulo its own /.well-known paths. + (list (httpd-virtualhost "*:443" (list "\ +# For Nextcloud. +ServerName cloud.wilkenfamily.de +DocumentRoot /var/www/nextcloud +SSLEngine on +SSLCertificateFile \"/etc/letsencrypt/live/cloud.wilkenfamily.de/fullchain.pem\" +SSLCertificateKeyFile \"/etc/letsencrypt/live/cloud.wilkenfamily.de/privkey.pem\" +Header always set Strict-Transport-Security \"max-age=15552000\" + +# Don't check for .htaccess files above DocumentRoot. +<Directory \"/\"> + AllowOverride None +</Directory> + +<Directory /var/www/nextcloud> + Options +FollowSymlinks + AllowOverride All + <IfModule mod_dav.c> + Dav off + </IfModule> + SetEnv HOME /var/www/nextcloud + SetEnv HTTP_HOME /var/www/nextcloud +</Directory> + +# Redirect to local php-fpm if mod_php is not available +<IfModule !mod_php7.c> + <IfModule proxy_fcgi_module> + # Enable http authorization headers + <IfModule setenvif_module> + SetEnvIfNoCase ^Authorization$ \"(.+)\" HTTP_AUTHORIZATION=$1 + </IfModule> + <FilesMatch \".+\\.ph(ar|p|tml)$\"> + <If \"-f %{REQUEST_FILENAME}\"> + SetHandler \"proxy:unix:/var/run/php-fpm.sock|fcgi://localhost/\" + </If> + </FilesMatch> + # Deny access to raw PHP sources and files without filename (e.g. '.php') + <FilesMatch \"^\\.ph(ar|p|ps|tml)$|.*\\.phps$\"> + Require all denied + </FilesMatch> + </IfModule> +</IfModule> +")))) + + (service php-fpm-service-type + (php-fpm-configuration + (user "httpd") + (group "httpd") + (socket "/var/run/php-fpm.sock") + (socket-user "httpd") + (socket-group "httpd") + (php-ini-file %nextcloud-php.ini))) + + (simple-service 'nextcloud-certificates certbot-service-type + (list (certificate-configuration + (domains '("cloud.wilkenfamily.de")) + (deploy-hook %httpd-cert-deploy-hook)))) + + ;; Nextcloud cron + (simple-service 'nextcloud-cron mcron-service-type + (list #~(job "*/5 * * * *" + (lambda () + (chdir "/var/www/nextcloud") + ;; `setgid' first while we're still root + (setgid (group:gid (getgr "httpd"))) + (setuid (passwd:uid (getpw "httpd"))) + (execl #$(file-append php "/bin/php") "php" + "-c" #$%nextcloud-php.ini "cron.php")) + (string-append + #$(file-append php "/bin/php") + " -c " #$%nextcloud-php.ini + " /var/www/nextcloud/cron.php")) + + ;; Nextcloud backups + ;; Requires: sudo, php, btrfs, mysqldump, rsync + (let ((backup-script (local-file "files/nextcloud-backup" #:recursive? #t))) + #~(job "0 6 * * *" + (lambda () + ;; Pass through the php.ini file that allows us to + ;; use Nextcloud's occ script. + (execl #$backup-script "nextcloud-backup" #$%nextcloud-php.ini)) + (string-append #$backup-script " " #$%nextcloud-php.ini))))))) diff --git a/tw/services/wireguard.scm b/tw/services/wireguard.scm new file mode 100644 index 00000000..3d35cd2e --- /dev/null +++ b/tw/services/wireguard.scm @@ -0,0 +1,107 @@ +(define-module (tw services wireguard) + #:use-module (ice-9 regex) + #:use-module ((srfi srfi-1) #:select (append-map every)) + #:use-module ((srfi srfi-26) #:select (cut)) + #:use-module (gnu services) + #:use-module (gnu services base) + #:use-module (gnu services configuration) + #:use-module (gnu services vpn) + #:export (%wireguard-peers + tw-wireguard-configuration + tw-wireguard-service-type)) + +(define %wireguard-peers + `(("lap.twilken.net" . + ,(wireguard-peer + (name "lap.wg") + (public-key "lap/DvCb8xXLUCqcaPEx8kCRcoeV4ScTMVZW5hvvNzA=") + (preshared-key "/etc/wireguard/lap.psk") + (allowed-ips '("10.0.0.1/32" "fc00::1/128")))) + ("lud.twilken.net" . + ,(wireguard-peer + (name "lud.wg") + (endpoint "lud.twilken.net:58921") + (public-key "lud/9sbXVdOYXxOkRgAB+b/17QxbwllfJY/pbA3/MkE=") + (preshared-key "/etc/wireguard/lud.psk") + (allowed-ips '("10.0.0.2/32" "fc00::2/128")))) + ("vin.twilken.net" . + ,(wireguard-peer + (name "vin.wg") + (endpoint "vin.twilken.net:58921") + (public-key "vin/Im+sOszZFE01UF1+QlyxLP1PsPXJgTz4KmgvL3Y=") + (preshared-key "/etc/wireguard/vin.psk") + (allowed-ips '("10.0.0.3/32" "fc00::3/128")))) + ("fp4.twilken.net" . + ,(wireguard-peer + (name "fp4.wg") + (public-key "fp4/aLAVBADTy+UGmNh011w1CFOOwq70Df6EWlZRkAs=") + (preshared-key "/etc/wireguard/fp4.psk") + (allowed-ips '("10.0.0.4/32" "fc00::4/128")))) + ("pi3.twilken.net" . + ,(wireguard-peer + (name "pi3.wg") + (endpoint "pi3.twilken.net:58922") + (public-key "pi3/ThUH4qDTuyvNQIiiyy2dbziF/xLRTwO0+vcUoVY=") + (preshared-key "/etc/wireguard/pi3.psk") + (allowed-ips '("10.0.0.5/32" "fc00::5/128")))))) + +(define (wireguard-peers-list? object) + (and (list? object) + (every (compose string? car) object) + (every (compose wireguard-peer? cdr) object))) + +(define-configuration/no-serialization tw-wireguard-configuration + (this-host + (string) + "The host name of the machine being configured.") + (peers + (wireguard-peers-list %wireguard-peers) + "An alist of WireGuard peers to install.")) + +(define (tw-wireguard-service config) + "Create a full WireGuard config from the personal network CONFIG." + (let ((own-peer (assoc-ref (tw-wireguard-configuration-peers config) + (tw-wireguard-configuration-this-host config)))) + (wireguard-configuration + (addresses + (map (lambda (cidr) + (let ((ipv4 (string-match "/32$" cidr)) + (ipv6 (string-match "/128$" cidr))) + (cond + (ipv4 (regexp-substitute #f ipv4 'pre "/24")) + (ipv6 (regexp-substitute #f ipv6 'pre "/64")) + (#t cidr)))) + (wireguard-peer-allowed-ips own-peer))) + (port + (let ((endpoint (wireguard-peer-endpoint own-peer))) + (if endpoint + (string->number (cadr (string-split endpoint #\:))) + 58921))) + (private-key "/etc/wireguard/private.key") + (peers (delq own-peer (map cdr (tw-wireguard-configuration-peers config))))))) + +(define (peer->ips peer) + "Extract IP addresses assigned to the given `wireguard-peer' PEER." + (map (compose car (cut string-split <> #\/)) + (wireguard-peer-allowed-ips peer))) + +(define (tw-wireguard-hosts config) + "Generate a hosts file entries from the personal WireGuard network CONFIG." + (append-map (lambda (peer) + (map (cut host <> (wireguard-peer-name peer)) + (peer->ips peer))) + (map cdr (tw-wireguard-configuration-peers config)))) + +(define tw-wireguard-service-type + (service-type + (name 'tw-wireguard) + (description "Set up my personal WireGuard network.") + (extensions + (cons* (service-extension hosts-service-type tw-wireguard-hosts) + ;; FIXME: `wireguard-service-type' cannot be extended, so copy its + ;; service-extensions directly. + (map (lambda (ext) + (service-extension (service-extension-target ext) + (compose (service-extension-compute ext) + tw-wireguard-service))) + (service-type-extensions wireguard-service-type)))))) diff --git a/tw/system.scm b/tw/system.scm index 92eadeba..c9904e24 100644 --- a/tw/system.scm +++ b/tw/system.scm @@ -1,18 +1,15 @@ (define-module (tw system) - #:use-module (ice-9 format) - #:use-module (ice-9 regex) #:use-module (ice-9 string-fun) - #:use-module ((srfi srfi-1) #:select (append-map every)) - #:use-module ((srfi srfi-26) #:select (cut)) #:use-module (gnu) #:use-module (gnu services) #:use-module (gnu system) #:use-module (gnu system keyboard) - #:use-module (guix gexp)) + #:use-module (guix gexp) + #:use-module (tw services wireguard)) (use-package-modules admin avahi certs curl disk file-systems linux lsof man moreutils python rsync search shells version-control vpn) -(use-service-modules configuration mcron monitoring networking ssh vpn) +(use-service-modules mcron monitoring networking ssh vpn) (define-public %base-system-packages (cons* acpi btrfs-progs cpupower curl efibootmgr exfat-utils git glibc-locales @@ -29,6 +26,16 @@ "keypad:oss" "kpdl:kposs"))) +(define-public %server-base-user-accounts + (cons* (user-account + (name "timo") + (comment "Timo Wilken") + (group "users") + (home-directory "/home/timo") + (supplementary-groups '("wheel" "netdev" "audio" "video")) + (shell (file-append zsh "/bin/zsh"))) + %base-user-accounts)) + ;; This is used for the servers, and also by (tw home) to generate the ;; appropriate ~/.ssh/config. (define-public %ssh-ports @@ -83,110 +90,3 @@ (inherit config) (motd (plain-file "no-motd" "")) (allow-empty-passwords? #f)))))) - -(define-public %server-base-user-accounts - (cons* (user-account - (name "timo") - (comment "Timo Wilken") - (group "users") - (home-directory "/home/timo") - (supplementary-groups '("wheel" "netdev" "audio" "video")) - (shell (file-append zsh "/bin/zsh"))) - %base-user-accounts)) - -(define-public %wireguard-peers - `(("lap.twilken.net" . - ,(wireguard-peer - (name "lap.wg") - (public-key "lap/DvCb8xXLUCqcaPEx8kCRcoeV4ScTMVZW5hvvNzA=") - (preshared-key "/etc/wireguard/lap.psk") - (allowed-ips '("10.0.0.1/32" "fc00::1/128")))) - ("lud.twilken.net" . - ,(wireguard-peer - (name "lud.wg") - (endpoint "lud.twilken.net:58921") - (public-key "lud/9sbXVdOYXxOkRgAB+b/17QxbwllfJY/pbA3/MkE=") - (preshared-key "/etc/wireguard/lud.psk") - (allowed-ips '("10.0.0.2/32" "fc00::2/128")))) - ("vin.twilken.net" . - ,(wireguard-peer - (name "vin.wg") - (endpoint "vin.twilken.net:58921") - (public-key "vin/Im+sOszZFE01UF1+QlyxLP1PsPXJgTz4KmgvL3Y=") - (preshared-key "/etc/wireguard/vin.psk") - (allowed-ips '("10.0.0.3/32" "fc00::3/128")))) - ("fp4.twilken.net" . - ,(wireguard-peer - (name "fp4.wg") - (public-key "fp4/aLAVBADTy+UGmNh011w1CFOOwq70Df6EWlZRkAs=") - (preshared-key "/etc/wireguard/fp4.psk") - (allowed-ips '("10.0.0.4/32" "fc00::4/128")))) - ("pi3.twilken.net" . - ,(wireguard-peer - (name "pi3.wg") - (endpoint "pi3.twilken.net:58922") - (public-key "pi3/ThUH4qDTuyvNQIiiyy2dbziF/xLRTwO0+vcUoVY=") - (preshared-key "/etc/wireguard/pi3.psk") - (allowed-ips '("10.0.0.5/32" "fc00::5/128")))))) - -(define (wireguard-peers-list? object) - (and (list? object) - (every (compose string? car) object) - (every (compose wireguard-peer? cdr) object))) - -(export tw-wireguard-configuration) -(define-configuration/no-serialization tw-wireguard-configuration - (this-host - (string) - "The host name of the machine being configured.") - (peers - (wireguard-peers-list %wireguard-peers) - "An alist of WireGuard peers to install.")) - -(define (tw-wireguard-service config) - "Create a full WireGuard config from the personal network CONFIG." - (let ((own-peer (assoc-ref (tw-wireguard-configuration-peers config) - (tw-wireguard-configuration-this-host config)))) - (wireguard-configuration - (addresses - (map (lambda (cidr) - (let ((ipv4 (string-match "/32$" cidr)) - (ipv6 (string-match "/128$" cidr))) - (cond - (ipv4 (regexp-substitute #f ipv4 'pre "/24")) - (ipv6 (regexp-substitute #f ipv6 'pre "/64")) - (#t cidr)))) - (wireguard-peer-allowed-ips own-peer))) - (port - (let ((endpoint (wireguard-peer-endpoint own-peer))) - (if endpoint - (string->number (cadr (string-split endpoint #\:))) - 58921))) - (private-key "/etc/wireguard/private.key") - (peers (delq own-peer (map cdr (tw-wireguard-configuration-peers config))))))) - -(define (peer->ips peer) - "Extract IP addresses assigned to the given `wireguard-peer' PEER." - (map (compose car (cut string-split <> #\/)) - (wireguard-peer-allowed-ips peer))) - -(define (tw-wireguard-hosts config) - "Generate a hosts file entries from the personal WireGuard network CONFIG." - (append-map (lambda (peer) - (map (cut host <> (wireguard-peer-name peer)) - (peer->ips peer))) - (map cdr (tw-wireguard-configuration-peers config)))) - -(define-public tw-wireguard-service-type - (service-type - (name 'tw-wireguard) - (description "Set up my personal WireGuard network.") - (extensions - (cons* (service-extension hosts-service-type tw-wireguard-hosts) - ;; FIXME: `wireguard-service-type' cannot be extended, so copy its - ;; service-extensions directly. - (map (lambda (ext) - (service-extension (service-extension-target ext) - (compose (service-extension-compute ext) - tw-wireguard-service))) - (service-type-extensions wireguard-service-type)))))) diff --git a/tw/system/lap.scm b/tw/system/lap.scm index d9793ab7..efbe19f7 100644 --- a/tw/system/lap.scm +++ b/tw/system/lap.scm @@ -17,6 +17,7 @@ #:use-module (nongnu packages scanner) #:use-module (nongnu system linux-initrd) #:use-module (nonguix licenses) + #:use-module (tw services wireguard) #:use-module (tw system)) (use-package-modules android certs cups disk docker file-systems gnome diff --git a/tw/system/lud.scm b/tw/system/lud.scm index 9986c30a..b770fc90 100644 --- a/tw/system/lud.scm +++ b/tw/system/lud.scm @@ -5,6 +5,8 @@ #:use-module (gnu system nss) #:use-module (guix gexp) #:use-module (tw packages php) + #:use-module (tw services nextcloud) + #:use-module (tw services matrix) #:use-module (tw system)) (use-package-modules admin bash certs databases linux man php python rsync @@ -21,40 +23,6 @@ (define data-partition ; /dev/sdc1 (uuid "4715ae0e-5cef-48f2-a59e-025321153888" 'btrfs)) -(define httpd-cert-deploy-hook - (program-file "httpd-cert-deploy-hook" - #~(kill (call-with-input-file "/var/run/httpd" read) SIGHUP))) - -(define nextcloud-php.ini - (computed-file "nextcloud-php.ini" - #~(begin - (use-modules (ice-9 popen) (ice-9 rdelim)) - (let* ((php-config #$(file-append php "/bin/php-config")) - (pipe (open-pipe* OPEN_READ php-config "--extension-dir")) - (php-extdir (read-line pipe))) - (unless (zero? (status:exit-val (close-pipe pipe))) - (error "Failed to get PHP extension dir")) - (with-output-to-file #$output - ;; Guix's PHP comes with the following extensions built-in, - ;; so no extension= line necessary: - ;; pdo_mysql, bcmath, bz2, exif, gd, iconv, intl - (lambda () (display (string-append "\ -memory_limit=512M -extension_dir=/run/current-system/profile/lib/php/extensions/" (basename php-extdir) " -; Caching extensions for Nextcloud -extension=apcu -apc.enable_cli=1 -zend_extension=opcache -; https://www.php.net/manual/en/opcache.configuration.php -opcache.enable=1 -opcache.interned_strings_buffer=32 -opcache.max_accelerated_files=10000 -opcache.memory_consumption=128 -opcache.save_comments=1 -; It will take up to revalidate_freq seconds for changes to config.php to be applied. -opcache.revalidate_freq=120 -")))))))) - (define httpd-intermediate-ssl-config "\ # SSL configuration. # https://ssl-config.mozilla.org/#server=apache&version=2.4.53&config=intermediate&openssl=1.1.1n&ocsp=false&guideline=5.6 @@ -70,128 +38,6 @@ SSLSessionCache \"shmcb:logs/ssl_scache(65535)\" SSLSessionCacheTimeout 1200 ") -(define nextcloud-services - (list (simple-service 'nextcloud-https-server httpd-service-type - ;; The certbot service redirects everything on port 80 to - ;; port 443 by default, modulo its own /.well-known paths. - (list (httpd-virtualhost "*:443" (list "\ -# For Nextcloud. -ServerName cloud.wilkenfamily.de -DocumentRoot /var/www/nextcloud -SSLEngine on -SSLCertificateFile \"/etc/letsencrypt/live/cloud.wilkenfamily.de/fullchain.pem\" -SSLCertificateKeyFile \"/etc/letsencrypt/live/cloud.wilkenfamily.de/privkey.pem\" -Header always set Strict-Transport-Security \"max-age=15552000\" - -# Don't check for .htaccess files above DocumentRoot. -<Directory \"/\"> - AllowOverride None -</Directory> - -<Directory /var/www/nextcloud> - Options +FollowSymlinks - AllowOverride All - <IfModule mod_dav.c> - Dav off - </IfModule> - SetEnv HOME /var/www/nextcloud - SetEnv HTTP_HOME /var/www/nextcloud -</Directory> - -# Redirect to local php-fpm if mod_php is not available -<IfModule !mod_php7.c> - <IfModule proxy_fcgi_module> - # Enable http authorization headers - <IfModule setenvif_module> - SetEnvIfNoCase ^Authorization$ \"(.+)\" HTTP_AUTHORIZATION=$1 - </IfModule> - <FilesMatch \".+\\.ph(ar|p|tml)$\"> - <If \"-f %{REQUEST_FILENAME}\"> - SetHandler \"proxy:unix:/var/run/php-fpm.sock|fcgi://localhost/\" - </If> - </FilesMatch> - # Deny access to raw PHP sources and files without filename (e.g. '.php') - <FilesMatch \"^\\.ph(ar|p|ps|tml)$|.*\\.phps$\"> - Require all denied - </FilesMatch> - </IfModule> -</IfModule> -")))) - - (service php-fpm-service-type - (php-fpm-configuration - (user "httpd") - (group "httpd") - (socket "/var/run/php-fpm.sock") - (socket-user "httpd") - (socket-group "httpd") - (php-ini-file nextcloud-php.ini))) - - (simple-service 'nextcloud-certificates certbot-service-type - (list (certificate-configuration - (domains '("cloud.wilkenfamily.de")) - (deploy-hook httpd-cert-deploy-hook)))) - - ;; Nextcloud cron - (simple-service 'nextcloud-cron mcron-service-type - (list #~(job "*/5 * * * *" - (lambda () - (chdir "/var/www/nextcloud") - ;; `setgid' first while we're still root - (setgid (group:gid (getgr "httpd"))) - (setuid (passwd:uid (getpw "httpd"))) - (execl #$(file-append php "/bin/php") "php" - "-c" #$nextcloud-php.ini "cron.php")) - (string-append - #$(file-append php "/bin/php") - " -c " #$nextcloud-php.ini - " /var/www/nextcloud/cron.php")) - - ;; Nextcloud backups - ;; Requires: sudo, php, btrfs, mysqldump, rsync - (let ((backup-script (local-file "files/nextcloud-backup" #:recursive? #t))) - #~(job "0 6 * * *" - (lambda () - ;; Pass through the php.ini file that allows us to - ;; use Nextcloud's occ script. - (execl #$backup-script "nextcloud-backup" #$nextcloud-php.ini)) - (string-append #$backup-script " " #$nextcloud-php.ini))))))) - -(define matrix-services - (list (simple-service 'synapse-certificates certbot-service-type - (list (certificate-configuration - (domains '("matrix.twilken.net")) - (deploy-hook httpd-cert-deploy-hook)))) - - (simple-service 'synapse-https-proxy httpd-service-type - ;; Synapse can't access certbot certs, but Apache/httpd - ;; can, so proxy HTTPS access through. It's good to have - ;; Synapse available on port 443 anyway. - (list (httpd-virtualhost "*:443" (list "\ -# Redirect to Synapse, to avoid having to specify its port number in Matrix clients. -ServerName matrix.twilken.net -SSLEngine on -SSLCertificateFile \"/etc/letsencrypt/live/matrix.twilken.net/fullchain.pem\" -SSLCertificateKeyFile \"/etc/letsencrypt/live/matrix.twilken.net/privkey.pem\" -ProxyPass \"/\" \"https://127.0.0.1:48448/\" -")))) - - ;; TODO: Postgres for Synapse - ;; (service postgresql-service-type - ;; (postgresql-configuration - ;; (postgresql postgresql-15) - ;; (data-directory "/var/lib/postgresql/data"))) - - ;; (service postgresql-role-service-type - ;; (postgresql-role-configuration - ;; (roles (list (postgresql-role - ;; (name "synapse") ; TODO - ;; (create-database? #t)))))) - - ;; TODO: Matrix/Synapse - ;; TODO: Matrix bridges - )) - (define-public %lud-system (operating-system (host-name "lud.twilken.net") @@ -313,8 +159,8 @@ innodb_io_capacity = 4000 ;; TODO: Transmission exporter ) - nextcloud-services - matrix-services + %nextcloud-services + %matrix-services (server-base-services host-name))) ;; The list of user accounts ('root' is implicit). |