(define-module (tw system)
#:use-module (ice-9 string-fun)
#:use-module (gnu)
#:use-module (gnu services)
#:use-module (gnu system)
#:use-module (gnu system keyboard)
#:use-module (guix gexp)
#:use-module (tw channels)
#:use-module (tw services wireguard))
(use-package-modules acl admin avahi backup certs curl disk file-systems
golang linux lsof man moreutils python rsync search
shells version-control vpn)
(use-service-modules mcron monitoring networking ssh vpn)
;; Packages installed system-wide on every host, on top of Guix's
;; `%base-packages'.  Includes `nss-certs' (CA certificates for TLS
;; clients such as curl and git) and `wireguard-tools' for the tunnel
;; configured by (tw services wireguard).
(define-public %base-system-packages
  (append (list acl acpi age btrfs-progs cpupower curl efibootmgr exfat-utils
                git glibc-locales hddtemp htop lshw lsof man-db man-pages
                man-pages-posix mlocate moreutils nss-certs nss-mdns python
                restic rsync strace wireguard-tools)
          %base-packages))
;; GB keyboard layout with a few XKB options: Caps Lock and Escape swapped,
;; bracket pairs swapped, Ctrl+Alt+Backspace kills the X server, right Ctrl
;; acts as the Compose key, and the keypad uses the "oss" variants.
(define-public %british-keyboard
  (let ((xkb-options (list "caps:swapescape"
                           "parens:swap_brackets"
                           "terminate:ctrl_alt_bksp"
                           "compose:rctrl"
                           "keypad:oss"
                           "kpdl:kposs")))
    (keyboard-layout "gb" #:options xkb-options)))
;; User accounts present on every server: the single administrative user
;; (member of "wheel", so eligible for sudo) plus Guix's `%base-user-accounts'.
;; No `password' field is declared here, so interactive login relies on the
;; SSH public keys authorised for "timo" in `server-base-services'; set a
;; password with `passwd' on a fresh host before expecting sudo to work.
(define-public %server-base-user-accounts
  (let ((admin (user-account
                (name "timo")
                (comment "Timo Wilken")
                (group "users")
                (home-directory "/home/timo")
                (supplementary-groups (list "wheel" "netdev" "audio" "video"))
                (shell (file-append zsh "/bin/zsh")))))
    (append (list admin) %base-user-accounts)))
;; Host name -> sshd listening port.  Used by `server-base-services' for the
;; servers, and also by (tw home) to generate the appropriate ~/.ssh/config,
;; so the two sides stay in agreement.  The non-default ports only cut scanner
;; noise in the logs; the actual access control is the key-only
;; authentication configured in `server-base-services'.
(define-public %ssh-ports
  (list (cons "lud.twilken.net" 22022)
        (cons "vin.twilken.net" 22022)
        (cons "pi3.twilken.net" 51022)))
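(export server-wireguard-address)
;; Return HOST-NAME's WireGuard address as a string, looked up in
;; `%wireguard-peers' (from (tw services wireguard)).  The first entry of the
;; peer's allowed IPs is taken as the IPv4 address and the second as the IPv6
;; one -- this assumes that ordering in the peer table.  Any CIDR prefix
;; length ("/32", "/128", or anything else) is stripped so the result is
;; usable as a bind address.  With PORT, returns "IP:PORT", bracketing the
;; address as "[IP]:PORT" when IPV6? is true.  Raises an error naming
;; HOST-NAME when it has no peer entry, instead of failing inside
;; `wireguard-peer-allowed-ips' on #f with an obscure message.
(define* (server-wireguard-address host-name #:optional port #:key (ipv6? #f))
  (define (strip-prefix-length cidr)
    ;; Drop everything from the "/" onward, whatever the prefix length is;
    ;; an address without a prefix is returned unchanged.
    (let ((slash (string-index cidr #\/)))
      (if slash (substring cidr 0 slash) cidr)))
  (let* ((peer (or (assoc-ref %wireguard-peers host-name)
                   (error "server-wireguard-address: unknown WireGuard peer"
                          host-name)))
         (allowed-ips (wireguard-peer-allowed-ips peer))
         (ip (strip-prefix-length ((if ipv6? cadr car) allowed-ips))))
    (cond
     ((and port ipv6?) (format #f "[~a]:~a" ip port))
     (port (format #f "~a:~a" ip port))
     (else ip))))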
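;; Return the list of services every server runs, for the host HOST-NAME
;; (which must be a key of both `%ssh-ports' and `%wireguard-peers').  Built
;; on top of `%base-services' plus the channel services from (tw channels).
(define-public (server-base-services host-name)
  (define ssh-port
    ;; Fail early, naming the host, rather than handing #f to sshd's config.
    (or (assoc-ref %ssh-ports host-name)
        (error "server-base-services: no SSH port declared in %ssh-ports for"
               host-name)))
  (cons*
   ;; SSH login, allowing access only for me. To give more public keys
   ;; access, extend `openssh-service-type'.  Authentication is key-only:
   ;; passwords are refused, and root may not log in over SSH at all.  The
   ;; latter is stated explicitly so it does not depend on the upstream
   ;; default (believed to be #f as well).
   (service openssh-service-type
            (openssh-configuration
             (port-number ssh-port)
             (permit-root-login #f)
             (password-authentication? #f)
             ;; Only locale variables may be forwarded from the client.
             (accepted-environment '("LANG" "LC_*"))
             (authorized-keys
              `(("timo"
                 ,(local-file "system/files/timo.pub")
                 ,(local-file "system/files/timo-phone-gpg.pub"))))))
   ;; Prometheus node exporter, listening only on this host's WireGuard
   ;; address so the metrics endpoint is not bound on public interfaces.
   (service prometheus-node-exporter-service-type
            (prometheus-node-exporter-configuration
             (web-listen-address
              (server-wireguard-address host-name 9100))))
   ;; Nightly (02:00) garbage collection of store items unused for two weeks.
   (simple-service 'guix-gc mcron-service-type
                   (list #~(job "0 2 * * *" "guix gc -d 2w")))
   ;; Network setup
   (service dhcp-client-service-type)
   (service ntp-service-type)
   (service tw-wireguard-service-type
            (tw-wireguard-configuration
             (this-host host-name)))
   (modify-services (append %system-channel-services %base-services)
     ;; Delete the annoying message on SSH login. Beware when setting up a new
     ;; host, as `allow-empty-passwords' will block login and sudo execution for
     ;; all Guix-declared users (as these have no initial password).
     (login-service-type
      config =>
      (login-configuration
       (inherit config)
       (motd (plain-file "no-motd" ""))
       (allow-empty-passwords? #f))))))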