From 7044c9b52f9c6b7aa2a006f09198fe98addcfc9d Mon Sep 17 00:00:00 2001 From: Timo Wilken Date: Sat, 18 Feb 2023 00:27:17 +0100 Subject: Extract common service sets into separate modules Common service sets (NextCloud, Matrix, WireGuard) should be in their own modules to make things neater, instead of being interleaved with operating system declarations. --- tw/system/lud.scm | 162 ++---------------------------------------------------- 1 file changed, 4 insertions(+), 158 deletions(-) (limited to 'tw/system/lud.scm') diff --git a/tw/system/lud.scm b/tw/system/lud.scm index 9986c30a..b770fc90 100644 --- a/tw/system/lud.scm +++ b/tw/system/lud.scm @@ -5,6 +5,8 @@ #:use-module (gnu system nss) #:use-module (guix gexp) #:use-module (tw packages php) + #:use-module (tw services nextcloud) + #:use-module (tw services matrix) #:use-module (tw system)) (use-package-modules admin bash certs databases linux man php python rsync 
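Review bot: The two new `#:use-module` lines import `(tw services nextcloud)` and `(tw services matrix)`, yet the second hunk deletes `httpd-cert-deploy-hook`, which both moved certbot `certificate-configuration`s reference, so each new module presumably now needs its own access to that hook; keeping one shared definition that both modules import avoids two copies of the `(kill (call-with-input-file "/var/run/httpd" read) SIGHUP)` logic drifting apart, which matters because the hook signals whatever PID that file holds. The file also keeps `#:use-module (tw packages php)` and `php` in `use-package-modules` although the only visible users (`nextcloud-php.ini` and the Nextcloud cron jobs) are moved out; if nothing remaining in lud.scm references them, drop those imports so the module's dependencies stay honest. A short comment on the new imports, `;; Service sets shared with other hosts; see (tw services ...)`, would tell a reader where `%nextcloud-services` and `%matrix-services` now come from. The `use-package-modules` form continues past the end of this hunk.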
@@ -21,40 +23,6 @@ (define data-partition ; /dev/sdc1 (uuid "4715ae0e-5cef-48f2-a59e-025321153888" 'btrfs)) -(define httpd-cert-deploy-hook - (program-file "httpd-cert-deploy-hook" - #~(kill (call-with-input-file "/var/run/httpd" read) SIGHUP))) - -(define nextcloud-php.ini - (computed-file "nextcloud-php.ini" - #~(begin - (use-modules (ice-9 popen) (ice-9 rdelim)) - (let* ((php-config #$(file-append php "/bin/php-config")) - (pipe (open-pipe* OPEN_READ php-config "--extension-dir")) - (php-extdir (read-line pipe))) - (unless (zero? (status:exit-val (close-pipe pipe))) - (error "Failed to get PHP extension dir")) - (with-output-to-file #$output - ;; Guix's PHP comes with the following extensions built-in, - ;; so no extension= line necessary: - ;; pdo_mysql, bcmath, bz2, exif, gd, iconv, intl - (lambda () (display (string-append "\ -memory_limit=512M -extension_dir=/run/current-system/profile/lib/php/extensions/" (basename php-extdir) " -; Caching extensions for Nextcloud -extension=apcu -apc.enable_cli=1 -zend_extension=opcache -; https://www.php.net/manual/en/opcache.configuration.php -opcache.enable=1 -opcache.interned_strings_buffer=32 -opcache.max_accelerated_files=10000 -opcache.memory_consumption=128 -opcache.save_comments=1 -; It will take up to revalidate_freq seconds for changes to config.php to be applied. -opcache.revalidate_freq=120 -")))))))) - (define httpd-intermediate-ssl-config "\ # SSL configuration. # https://ssl-config.mozilla.org/#server=apache&version=2.4.53&config=intermediate&openssl=1.1.1n&ocsp=false&guideline=5.6 
@@ -70,128 +38,6 @@ SSLSessionCache \"shmcb:logs/ssl_scache(65535)\" SSLSessionCacheTimeout 1200 ") -(define nextcloud-services - (list (simple-service 'nextcloud-https-server httpd-service-type - ;; The certbot service redirects everything on port 80 to - ;; port 443 by default, modulo its own /.well-known paths. - (list (httpd-virtualhost "*:443" (list "\ -# For Nextcloud. -ServerName cloud.wilkenfamily.de -DocumentRoot /var/www/nextcloud -SSLEngine on -SSLCertificateFile \"/etc/letsencrypt/live/cloud.wilkenfamily.de/fullchain.pem\" -SSLCertificateKeyFile \"/etc/letsencrypt/live/cloud.wilkenfamily.de/privkey.pem\" -Header always set Strict-Transport-Security \"max-age=15552000\" - -# Don't check for .htaccess files above DocumentRoot. - - AllowOverride None - - - - Options +FollowSymlinks - AllowOverride All - - Dav off - - SetEnv HOME /var/www/nextcloud - SetEnv HTTP_HOME /var/www/nextcloud - - -# Redirect to local php-fpm if mod_php is not available - - - # Enable http authorization headers - - SetEnvIfNoCase ^Authorization$ \"(.+)\" HTTP_AUTHORIZATION=$1 - - - - SetHandler \"proxy:unix:/var/run/php-fpm.sock|fcgi://localhost/\" - - - # Deny access to raw PHP sources and files without filename (e.g. 
'.php') - - Require all denied - - - -")))) - - (service php-fpm-service-type - (php-fpm-configuration - (user "httpd") - (group "httpd") - (socket "/var/run/php-fpm.sock") - (socket-user "httpd") - (socket-group "httpd") - (php-ini-file nextcloud-php.ini))) - - (simple-service 'nextcloud-certificates certbot-service-type - (list (certificate-configuration - (domains '("cloud.wilkenfamily.de")) - (deploy-hook httpd-cert-deploy-hook)))) - - ;; Nextcloud cron - (simple-service 'nextcloud-cron mcron-service-type - (list #~(job "*/5 * * * *" - (lambda () - (chdir "/var/www/nextcloud") - ;; `setgid' first while we're still root - (setgid (group:gid (getgr "httpd"))) - (setuid (passwd:uid (getpw "httpd"))) - (execl #$(file-append php "/bin/php") "php" - "-c" #$nextcloud-php.ini "cron.php")) - (string-append - #$(file-append php "/bin/php") - " -c " #$nextcloud-php.ini - " /var/www/nextcloud/cron.php")) - - ;; Nextcloud backups - ;; Requires: sudo, php, btrfs, mysqldump, rsync - (let ((backup-script (local-file "files/nextcloud-backup" #:recursive? #t))) - #~(job "0 6 * * *" - (lambda () - ;; Pass through the php.ini file that allows us to - ;; use Nextcloud's occ script. - (execl #$backup-script "nextcloud-backup" #$nextcloud-php.ini)) - (string-append #$backup-script " " #$nextcloud-php.ini))))))) - -(define matrix-services - (list (simple-service 'synapse-certificates certbot-service-type - (list (certificate-configuration - (domains '("matrix.twilken.net")) - (deploy-hook httpd-cert-deploy-hook)))) - - (simple-service 'synapse-https-proxy httpd-service-type - ;; Synapse can't access certbot certs, but Apache/httpd - ;; can, so proxy HTTPS access through. It's good to have - ;; Synapse available on port 443 anyway. - (list (httpd-virtualhost "*:443" (list "\ -# Redirect to Synapse, to avoid having to specify its port number in Matrix clients. 
-ServerName matrix.twilken.net -SSLEngine on -SSLCertificateFile \"/etc/letsencrypt/live/matrix.twilken.net/fullchain.pem\" -SSLCertificateKeyFile \"/etc/letsencrypt/live/matrix.twilken.net/privkey.pem\" -ProxyPass \"/\" \"https://127.0.0.1:48448/\" -")))) - - ;; TODO: Postgres for Synapse - ;; (service postgresql-service-type - ;; (postgresql-configuration - ;; (postgresql postgresql-15) - ;; (data-directory "/var/lib/postgresql/data"))) - - ;; (service postgresql-role-service-type - ;; (postgresql-role-configuration - ;; (roles (list (postgresql-role - ;; (name "synapse") ; TODO - ;; (create-database? #t)))))) - - ;; TODO: Matrix/Synapse - ;; TODO: Matrix bridges - )) - (define-public %lud-system (operating-system (host-name "lud.twilken.net") @@ -313,8 +159,8 @@ innodb_io_capacity = 4000 ;; TODO: Transmission exporter ) - nextcloud-services - matrix-services + %nextcloud-services + %matrix-services (server-base-services host-name))) ;; The list of user accounts ('root' is implicit). -- cgit v1.2.3