From 21ead4bff50f058bfdecdcbb5bda6965a756ed93 Mon Sep 17 00:00:00 2001 From: Timo Wilken Date: Sun, 22 Jan 2023 22:34:59 +0100 Subject: Extract common server packages and services This should improve maintainability a bit by combining common services running on the servers. Additionally, this parameterises common parts by servers' host names instead of the host-name-like symbols as before. --- tw/system/common.scm | 132 +++++++++++++++++++++++++++---------- tw/system/files/timo-phone-gpg.pub | 1 + tw/system/lap.scm | 4 +- tw/system/lud.scm | 65 ++++-------------- tw/system/vin.scm | 45 +------------ 5 files changed, 114 insertions(+), 133 deletions(-) create mode 100644 tw/system/files/timo-phone-gpg.pub (limited to 'tw') diff --git a/tw/system/common.scm b/tw/system/common.scm index fb8c50f9..57be678b 100644 --- a/tw/system/common.scm +++ b/tw/system/common.scm 
@@ -1,22 +1,24 @@ (define-module (tw system common) #:use-module (ice-9 format) #:use-module (ice-9 regex) + #:use-module (ice-9 string-fun) #:use-module ((srfi srfi-1) #:select (fold fold-right)) #:use-module (gnu) #:use-module (gnu services) - #:use-module (gnu services vpn) #:use-module (gnu system) #:use-module (gnu system keyboard) #:use-module (guix gexp)) (use-package-modules admin avahi certs disk file-systems linux lsof man - moreutils search version-control vpn) + moreutils python rsync search shells version-control vpn) +(use-service-modules mcron monitoring networking ssh vpn) -(define-public %common-system-packages - (list acpi btrfs-progs cpupower efibootmgr exfat-utils git glibc-locales - hddtemp htop lshw lsof man-db man-pages man-pages-posix mlocate - moreutils nss-certs nss-mdns strace wireguard-tools)) +(define-public %base-system-packages + (cons* acpi btrfs-progs cpupower efibootmgr exfat-utils git glibc-locales + hddtemp htop lshw lsof man-db man-pages man-pages-posix mlocate + moreutils nss-certs nss-mdns python rsync strace wireguard-tools + %base-packages)) (define-public %british-keyboard (keyboard-layout 
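Review bot: `%base-system-packages` now ends in `%base-packages`, unlike its predecessor `%common-system-packages`, so callers must use it on its own, but nothing at the definition says so; the `lap.scm` hunk gets it right only because the same author changed both sides. A comment above the `define-public`, e.g. `;; Complete system package list: already includes %base-packages, so use it alone rather than appending %base-packages again.`, would stop the next host definition from duplicating entries. Note also that `python` and `rsync` are now installed on every host including the laptop, which looks intended but is not mentioned in the commit message.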
@@ -27,6 +29,59 @@ "keypad:oss" "kpdl:kposs"))) +;; This is used for the servers, and also by (tw home common) to generate the +;; appropriate ~/.ssh/config. +(define-public %ssh-ports + '(("lud.twilken.net" . 22022) + ("vin.twilken.net" . 22022) + ("pi3.twilken.net" . 51022))) + +(define-public (server-base-services host-name) + (cons* + ;; SSH login, allowing access only for me. To give more public keys + ;; access, extend `openssh-service-type'. + (service openssh-service-type + (openssh-configuration + (port-number (assoc-ref %ssh-ports host-name)) + (password-authentication? #f) + (accepted-environment '("LANG" "LC_*")) + (authorized-keys + `(("timo" + ,(local-file "files/timo.pub") + ,(local-file "files/timo-phone-gpg.pub")))))) + + ;; Prometheus node exporter + (service prometheus-node-exporter-service-type + (prometheus-node-exporter-configuration + (web-listen-address + (string-replace-substring + (car ; get the IPv4 address + (wireguard-peer-allowed-ips + (assoc-ref %wireguard-peers host-name))) + "/32" ":9100")))) + + (simple-service 'disk-maintenance mcron-service-type + (list #~(job "0 2 * * *" "guix gc -d 2w") + #~(job "0 4 * * *" ; after guix gc + (string-append #$(file-append util-linux "/sbin/fstrim") + " --fstab --verbose")))) + + ;; Network setup + (service dhcp-client-service-type) + (service ntp-service-type) + (wireguard-service host-name) + + ;; Delete the annoying message on SSH login. Beware when setting up a new + ;; host, as `allow-empty-passwords' will block login and sudo execution for + ;; all Guix-declared users (as these have no initial password). + (modify-services %base-services + (login-service-type + config => + (login-configuration + (inherit config) + (motd (plain-file "no-motd" "")) + (allow-empty-passwords? #f)))))) + (define-public %server-base-user-accounts (cons* (user-account (name "timo") 
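Review bot: `server-base-services` accepts any `host-name` without checking it, and a name missing from `%ssh-ports` or `%wireguard-peers` makes both `assoc-ref` calls return `#f`; `port-number` then becomes `#f` and `wireguard-peer-allowed-ips` is applied to `#f`, so the mistake presumably surfaces as a wrong-type error while the configuration is built rather than pointing at the bad host name. A guard at the top of the procedure names the real problem: `(unless (and (assoc-ref %ssh-ports host-name) (assoc-ref %wireguard-peers host-name)) (error "server-base-services: unknown host name" host-name))`. A comment next to `%ssh-ports` stating that both alists need an entry before a new server can call this procedure would help too, since the exporter address also silently depends on the IPv4 `/32` entry being first in `allowed-ips`.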
@@ -45,34 +100,39 @@ %base-user-accounts)) (define %wireguard-peers - `((lap . ,(wireguard-peer - (name "lap.wg") - (public-key "lap/DvCb8xXLUCqcaPEx8kCRcoeV4ScTMVZW5hvvNzA=") - (preshared-key "/etc/wireguard/lap.psk") - (allowed-ips '("10.0.0.1/32" "fc00::1/128")))) - (lud . ,(wireguard-peer - (name "lud.wg") - (endpoint "lud.twilken.net:58921") - (public-key "lud/9sbXVdOYXxOkRgAB+b/17QxbwllfJY/pbA3/MkE=") - (preshared-key "/etc/wireguard/lud.psk") - (allowed-ips '("10.0.0.2/32" "fc00::2/128")))) - (vin . ,(wireguard-peer - (name "vin.wg") - (endpoint "vin.twilken.net:58921") - (public-key "vin/Im+sOszZFE01UF1+QlyxLP1PsPXJgTz4KmgvL3Y=") - (preshared-key "/etc/wireguard/vin.psk") - (allowed-ips '("10.0.0.3/32" "fc00::3/128")))) - (fp4 . ,(wireguard-peer - (name "fp4.wg") - (public-key "fp4/aLAVBADTy+UGmNh011w1CFOOwq70Df6EWlZRkAs=") - (preshared-key "/etc/wireguard/fp4.psk") - (allowed-ips '("10.0.0.4/32" "fc00::4/128")))) - (pi3 . ,(wireguard-peer - (name "pi3.wg") - (endpoint "pi3.twilken.net:58922") - (public-key "pi3/ThUH4qDTuyvNQIiiyy2dbziF/xLRTwO0+vcUoVY=") - (preshared-key "/etc/wireguard/pi3.psk") - (allowed-ips '("10.0.0.5/32" "fc00::5/128")))))) + `(("lap.twilken.net" . + ,(wireguard-peer + (name "lap.wg") + (public-key "lap/DvCb8xXLUCqcaPEx8kCRcoeV4ScTMVZW5hvvNzA=") + (preshared-key "/etc/wireguard/lap.psk") + (allowed-ips '("10.0.0.1/32" "fc00::1/128")))) + ("lud.twilken.net" . + ,(wireguard-peer + (name "lud.wg") + (endpoint "lud.twilken.net:58921") + (public-key "lud/9sbXVdOYXxOkRgAB+b/17QxbwllfJY/pbA3/MkE=") + (preshared-key "/etc/wireguard/lud.psk") + (allowed-ips '("10.0.0.2/32" "fc00::2/128")))) + ("vin.twilken.net" . + ,(wireguard-peer + (name "vin.wg") + (endpoint "vin.twilken.net:58921") + (public-key "vin/Im+sOszZFE01UF1+QlyxLP1PsPXJgTz4KmgvL3Y=") + (preshared-key "/etc/wireguard/vin.psk") + (allowed-ips '("10.0.0.3/32" "fc00::3/128")))) + ("fp4.twilken.net" . 
+ ,(wireguard-peer + (name "fp4.wg") + (public-key "fp4/aLAVBADTy+UGmNh011w1CFOOwq70Df6EWlZRkAs=") + (preshared-key "/etc/wireguard/fp4.psk") + (allowed-ips '("10.0.0.4/32" "fc00::4/128")))) + ("pi3.twilken.net" . + ,(wireguard-peer + (name "pi3.wg") + (endpoint "pi3.twilken.net:58922") + (public-key "pi3/ThUH4qDTuyvNQIiiyy2dbziF/xLRTwO0+vcUoVY=") + (preshared-key "/etc/wireguard/pi3.psk") + (allowed-ips '("10.0.0.5/32" "fc00::5/128")))))) (define-public %wireguard-etc-hosts (let ((basic-hosts-file "\ @@ -99,8 +159,8 @@ ff02::3 ip6-allhosts basic-hosts-file (map cdr %wireguard-peers))))) -(define-public (wireguard-service host) - (let ((own-peer (assoc-ref %wireguard-peers host))) +(define-public (wireguard-service host-name) + (let ((own-peer (assoc-ref %wireguard-peers host-name))) (service wireguard-service-type (wireguard-configuration (addresses diff --git a/tw/system/files/timo-phone-gpg.pub b/tw/system/files/timo-phone-gpg.pub new file mode 100644 index 00000000..6ba20c18 --- /dev/null +++ b/tw/system/files/timo-phone-gpg.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSgivq2ubXUyxkpBs7xEaozdnvEETKx/h11y+d7PyO4 diff --git a/tw/system/lap.scm b/tw/system/lap.scm index cd2e4496..2cdfb9c9 100644 --- a/tw/system/lap.scm +++ b/tw/system/lap.scm @@ -274,7 +274,7 @@ support extra features (acr, pmu, gr).") ;; location. geoclue ;; Base packages - (append %common-system-packages %base-packages))) + %base-system-packages)) ;; Use the "desktop" services, which include the X11 ;; log-in service, networking with NetworkManager, and more. @@ -295,7 +295,7 @@ support extra features (acr, pmu, gr).") (bluetooth-service) - (wireguard-service 'lap) + (wireguard-service host-name) (service docker-service-type (docker-configuration)) diff --git a/tw/system/lud.scm b/tw/system/lud.scm index fcf86279..5e0ffda0 100644 --- a/tw/system/lud.scm +++ b/tw/system/lud.scm 
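Review bot: The new key is added unrestricted to `timo`'s authorized keys on every host using `server-base-services`, and its file name says it lives on a phone, a device more likely to be lost than a laptop. Since Guix concatenates the given files into the per-user authorized_keys file, sshd options can go in front of the key here, e.g. `from="10.0.0.4,fc00::4" ssh-ed25519 AAAA…` to accept it only over the VPN if the phone is the `fp4` WireGuard peer (an inference from the peer list in common.scm; confirm), or `restrict` plus whatever forwardings are actually needed. A trailing comment such as `timo@phone (gpg auth subkey)` would also make the key identifiable when several are combined.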
@@ -215,51 +215,29 @@ ProxyPass \"/\" \"https://127.0.0.1:48448/\" ;; under their own account: use 'guix search KEYWORD' to search ;; for packages and 'guix install PACKAGE' to install a package. (packages - (append (list - ;; For nightly yt-dlp. - ffmpeg - ;; For video downloader. - python tor - ;; For Nextcloud backup script. - btrfs-progs mariadb rsync - ;; For Nextcloud. PHP modules must be installed in system - ;; profile, as that's referred to in Nextcloud's php.ini. - php php-apcu) - %common-system-packages - %base-packages)) + (cons* + ffmpeg tor ; for video downloader + mariadb ; for Nextcloud backup script + ;; For Nextcloud. PHP modules must be installed in system + ;; profile, as that's referred to in Nextcloud's php.ini. + php php-apcu + %base-system-packages)) ;; Below is the list of system services. To search for available ;; services, run 'guix system search KEYWORD' in a terminal. (services (append - (list (service openssh-service-type - (openssh-configuration - (port-number 22022) - (password-authentication? #f) - (accepted-environment '("LANG" "LC_*")) - (authorized-keys - `(("timo" - ,(local-file "files/timo.pub")) - ("ira" ; for Duplicity backups - ,(local-file "files/kitchen-pc.pub") - ,(local-file "files/wilken-laptop.pub")))))) + (list (simple-service 'duplicity-backup-access openssh-service-type + `(("ira" ; for Duplicity backups + ,(local-file "files/kitchen-pc.pub") + ,(local-file "files/wilken-laptop.pub")))) (service tor-service-type) - (service dhcp-client-service-type) - - (service ntp-service-type) - (service thermald-service-type (thermald-configuration (adaptive? #t))) - (simple-service 'cronjobs mcron-service-type - (list #~(job "0 21 * * *" "guix gc -d 2w -F 25G") - #~(job "0 22 * * *" ; after guix gc - (string-append #$(file-append util-linux "/sbin/fstrim") - " --fstab --verbose")))) - ;; Transmission (torrents) (service transmission-daemon-service-type (transmission-daemon-configuration 
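Review bot: The `ira` keys re-declared here carry no authorized_keys options, so a compromised backup client gets a full interactive login on lud instead of the SFTP access Duplicity needs. Because the `openssh-service-type` extension only accepts extra authorized keys, a `Match User ira` block (`ForceCommand internal-sftp`, `ChrootDirectory`, `AllowTcpForwarding no`) can no longer be added from this file without giving `server-base-services` an `extra-content` parameter; the cheaper fix is to prefix the key lines in `files/kitchen-pc.pub` and `files/wilken-laptop.pub` with `restrict` (and `command=` if the backup runs a fixed command), which sshd honours since Guix installs the files' contents verbatim. The `ira` user account itself is declared outside this hunk.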
@@ -329,31 +307,14 @@ innodb_buffer_pool_size = 1G innodb_io_capacity = 4000 "))) - ;; Prometheus node exporter - (service prometheus-node-exporter-service-type - (prometheus-node-exporter-configuration - (web-listen-address "10.0.0.2:9100"))) - ;; TODO: JSON exporter (Nextcloud) - ;; TODO: Syncthing exporter - ;; TODO: Transmission exporter - - ;; TODO: git-daemon-service-type / cgit-service-type? - - (wireguard-service 'lud)) + ) nextcloud-services matrix-services - - (modify-services %base-services - (login-service-type - config => - (login-configuration - (inherit config) - (motd (plain-file "no-motd" "")) - (allow-empty-passwords? #f)))))) + (server-base-services host-name))) ;; The list of user accounts ('root' is implicit). (users diff --git a/tw/system/vin.scm b/tw/system/vin.scm index c3e6ab16..ddecc127 100644 --- a/tw/system/vin.scm +++ b/tw/system/vin.scm @@ -6,9 +6,6 @@ #:use-module (guix gexp) #:use-module (tw system common)) -(use-package-modules admin bash certs databases linux man rsync shells video) -(use-service-modules mcron monitoring networking pm ssh vpn) - ;; The device's BIOS does not support UEFI, sadly. It also doesn't recognise ;; NVME devices, so we can only use SATA hard disks, not the M.2 SSD. ;; /dev/sda1 is the https://en.wikipedia.org/wiki/BIOS_boot_partition for grub. 
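Review bot: Replacing `(wireguard-service 'lud))` with a bare `)` leaves the `list` form closed by a lone parenthesis on its own line, which is un-idiomatic Scheme; move it onto the last remaining element, the `mysql-service-type` service that ends above this hunk. The four `TODO` comments (Nextcloud JSON, Syncthing and Transmission exporters, git/cgit service) were deleted rather than moved, so that planned work is no longer recorded anywhere in the tree; if still wanted, keep them next to the node exporter in `server-base-services` or in this list.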
@@ -40,49 +37,11 @@ ;; Packages installed system-wide. Users can also install packages ;; under their own account: use 'guix search KEYWORD' to search ;; for packages and 'guix install PACKAGE' to install a package. - (packages - (append (list - ;; For eventual backup scripts? - btrfs-progs rsync) - %common-system-packages - %base-packages)) + (packages %base-system-packages) ;; Below is the list of system services. To search for available ;; services, run 'guix system search KEYWORD' in a terminal. - (services - (append - (list (service openssh-service-type - (openssh-configuration - (port-number 22022) - (password-authentication? #f) - (accepted-environment '("LANG" "LC_*")) - (authorized-keys - `(("timo" ,(local-file "files/timo.pub")))))) - - (service dhcp-client-service-type) - - (service ntp-service-type) - - (simple-service 'cronjobs mcron-service-type - (list #~(job "0 21 * * *" "guix gc -d 2w -F 25G") - #~(job "0 22 * * *" ; after guix gc - (string-append #$(file-append util-linux "/sbin/fstrim") - " --fstab --verbose")))) - - ;; Prometheus node exporter - (service prometheus-node-exporter-service-type - (prometheus-node-exporter-configuration - (web-listen-address "10.0.0.3:9100"))) - - (wireguard-service 'vin)) - - (modify-services %base-services - (login-service-type - config => - (login-configuration - (inherit config) - (motd (plain-file "no-motd" "")) - (allow-empty-passwords? #f)))))) + (services (server-base-services host-name)) ;; The list of user accounts ('root' is implicit). (users %server-base-user-accounts) -- cgit v1.2.3
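Review bot: The job removed here ran `guix gc -d 2w -F 25G`, a collection that only runs until 25G is free, but its replacement in `server-base-services` runs `guix gc -d 2w` with no `-F` bound, so vin (and lud, whose identical job is removed in the same commit) now does an unconditional full collection nightly, at 02:00 instead of 21:00; the commit message does not mention this. If the bound was deliberate on the servers, keep it in the shared job (`"guix gc -d 2w -F 25G"`) or make it a parameter of `server-base-services`; otherwise a sentence in the commit message would spare the next reader the archaeology. `(services (server-base-services host-name))` also relies on a `host-name` binding that this diff does not show; presumably it already exists in vin.scm.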