(define-module (tw system)
  #:use-module (ice-9 string-fun)
  #:use-module (gnu)
  #:use-module (gnu services)
  #:use-module (gnu system)
  #:use-module (gnu system keyboard)
  #:use-module (guix gexp)
  #:use-module (tw services wireguard))

(use-package-modules admin avahi certs curl disk file-systems linux lsof man
                     moreutils python rsync search shells version-control vpn)
(use-service-modules mcron monitoring networking ssh vpn)

;; Packages installed system-wide on every machine: the Guix defaults plus
;; firmware/boot, filesystem, network, documentation and debugging tools.
(define-public %base-system-packages
  (append (list acpi btrfs-progs cpupower curl efibootmgr exfat-utils git
                glibc-locales hddtemp htop lshw lsof man-db man-pages
                man-pages-posix mlocate moreutils nss-certs nss-mdns python
                rsync strace wireguard-tools)
          %base-packages))

;; UK layout with the XKB tweaks used on every machine (Caps Lock acts as
;; Escape, swapped brackets/parentheses, Ctrl-Alt-Backspace kills X, right
;; Ctrl is Compose, keypad variations).
(define-public %british-keyboard
  (let ((xkb-options (list "caps:swapescape"
                           "parens:swap_brackets"
                           "terminate:ctrl_alt_bksp"
                           "compose:rctrl"
                           "keypad:oss"
                           "kpdl:kposs")))
    (keyboard-layout "gb" #:options xkb-options)))

;; User accounts present on every server: the single administrative user
;; (member of "wheel", so sudo-capable) on top of the Guix defaults.
(define-public %server-base-user-accounts
  (let ((admin (user-account
                (name "timo")
                (comment "Timo Wilken")
                (group "users")
                (home-directory "/home/timo")
                (supplementary-groups '("wheel" "netdev" "audio" "video"))
                (shell (file-append zsh "/bin/zsh")))))
    (cons admin %base-user-accounts)))

;; Host name -> SSH port alist.  Consumed by `server-base-services' to set the
;; sshd port on each server, and by (tw home) to generate the matching
;; ~/.ssh/config entries, so the two stay in sync.
(define-public %ssh-ports
  (list (cons "lud.twilken.net" 22022)
        (cons "vin.twilken.net" 22022)
        (cons "pi3.twilken.net" 51022)))

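(define-public (server-base-services host-name)
  "Return the list of system services shared by every server, specialised
for HOST-NAME (a string such as the keys of `%ssh-ports').

HOST-NAME must have an entry in both `%ssh-ports' and `%wireguard-peers'.
A missing entry raises an error while the configuration is evaluated,
instead of silently passing #f as the SSH port or handing #f to
`wireguard-peer-allowed-ips' and failing with a less obvious message."
  ;; Look HOST-NAME up in ALIST; WHAT names the setting in the error message.
  (define (host-setting alist what)
    (or (assoc-ref alist host-name)
        (error "server-base-services: no setting configured for host"
               what host-name)))

  (define ssh-port (host-setting %ssh-ports "SSH port"))
  (define wireguard-peer (host-setting %wireguard-peers "WireGuard peer"))

  ;; The node exporter binds to this host's WireGuard address only, so the
  ;; metrics endpoint is not exposed on the public interface.  The first
  ;; allowed-IPs entry is taken to be the host's own IPv4 address as a /32;
  ;; the substitution only yields "ADDR:9100" under that assumption.
  (define node-exporter-address
    (string-replace-substring
     (car (wireguard-peer-allowed-ips wireguard-peer))
     "/32" ":9100"))

  (cons*
   ;; SSH login, allowing access only for me.  To give more public keys
   ;; access, extend `openssh-service-type'.  Password authentication stays
   ;; off so only the listed keys can log in.
   (service openssh-service-type
     (openssh-configuration
      (port-number ssh-port)
      (password-authentication? #f)
      (accepted-environment '("LANG" "LC_*"))
      (authorized-keys
       `(("timo"
          ,(local-file "system/files/timo.pub")
          ,(local-file "system/files/timo-phone-gpg.pub"))))))

   ;; Prometheus node exporter, reachable over WireGuard only (see above).
   (service prometheus-node-exporter-service-type
     (prometheus-node-exporter-configuration
      (web-listen-address node-exporter-address)))

   ;; Nightly housekeeping: drop store items older than two weeks, then
   ;; TRIM the filesystems once the collector has freed the blocks.
   (simple-service 'disk-maintenance mcron-service-type
     (list #~(job "0 2 * * *" "guix gc -d 2w")
           #~(job "0 4 * * *"  ; after guix gc
                  (string-append #$(file-append util-linux "/sbin/fstrim")
                                 " --fstab --verbose"))))

   ;; Network setup
   (service dhcp-client-service-type)
   (service ntp-service-type)
   (service tw-wireguard-service-type
     (tw-wireguard-configuration
      (this-host host-name)))

   ;; Delete the annoying message on SSH login.  Beware when setting up a new
   ;; host, as `allow-empty-passwords' will block login and sudo execution for
   ;; all Guix-declared users (as these have no initial password).
   (modify-services %base-services
     (login-service-type
      config =>
      (login-configuration
       (inherit config)
       (motd (plain-file "no-motd" ""))
       (allow-empty-passwords? #f))))))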