
  ;; this is the current configuration for my linode "Guix System"
  ;;
  ;; Modules without a (gnu ...) / (guix ...) prefix live next to this file:
  ;; add-to-load-path puts this file's directory on the load path so that
  ;; (secret nginx), (public-keys), (endlessh-service) and (opensmtpd) can be
  ;; resolved.  Keep it ahead of use-modules.
  (add-to-load-path (dirname (current-filename)))
  (use-modules (gnu)
               (guix modules)
               (secret nginx)      ; presumably %secret-nginx-location (used in the nginx block)
               (public-keys)       ; presumably %joshua-ssh-key (used in authorized-keys)
               ;;(gnucode-form)
               (endlessh-service)  ; endlessh-service-type; the `endlessh' package may come from here too
               (opensmtpd))        ; opensmtpd-service-type / opensmtpd-configuration
  ;; Service modules, roughly one per service used below.
  (use-service-modules admin ; unattended-upgrades
                       certbot
                       mail
                       mcron
                       messaging
                       networking
                       ssh
                       vpn ;;wireguard
                       web)
  ;; Package modules: nss-certs (certs), openssh-sans-x (ssh), grub (admin/tls).
  (use-package-modules admin
                       certs
                       package-management
                       ssh
                       tls)
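  ;; Certbot runs this program after a successful renewal.  It sends SIGHUP
  ;; to the running nginx so the new certificate chain is loaded without a
  ;; restart.  When nginx is not running (no pid file, or an empty one), the
  ;; original version failed inside `kill' on a non-integer; now the hook
  ;; reports that and exits cleanly, since there is nothing to reload and
  ;; the renewal itself has already succeeded.
  (define %nginx-deploy-hook
    (program-file
     "nginx-deploy-hook"
     #~(let* ((pid-file "/var/run/nginx/pid")
              (pid (and (file-exists? pid-file)
                        (call-with-input-file pid-file read))))
         (if (integer? pid)
             (kill pid SIGHUP)
             (format (current-error-port)
                     "nginx-deploy-hook: no nginx pid in ~a, skipping reload~%"
                     pid-file)))))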
  ;; Login name of the administrative (wheel) account configured below.
  (define %user "joshua")
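  (operating-system
    (host-name "locke-lamora")
    (timezone "America/Chicago")
    (locale "en_US.UTF-8")

    ;; This goofy code will generate the grub.cfg
    ;; without installing the grub bootloader on disk.
    (bootloader (bootloader-configuration
                 (bootloader
                  (bootloader
                   (inherit grub-bootloader)
                   (installer #~(const #t))))))

    (file-systems (cons (file-system
                          (device "/dev/sda")
                          (mount-point "/")
                          (type "ext4"))
                        %base-file-systems))
    (swap-devices (list "/dev/sdb"))
    (initrd-modules (cons "virtio_scsi" ; Needed to find the disk
                          %base-initrd-modules))

    ;; The one interactive account.  Its name comes from %user so the
    ;; user-account, sudoers and authorized-keys entries cannot drift apart.
    (users (cons* (user-account
                   (name %user)
                   (group "users")
                   ;; Adding the account to the "wheel" group
                   ;; makes it a sudoer.
                   (supplementary-groups '("wheel"))
                   (home-directory (string-append "/home/" %user)))
                  ;; Planned virtual-mail delivery user, not enabled yet:
                  ;; (user-account
                  ;;  (name "vmail")
                  ;;  (group "vmail")
                  ;;  (home-directory "vmail")
                  ;;  (system? #t)
                  ;;  (comment "User that dovecot uses to deliver emails
                  ;;  to /home/vmail/gnucode.me/joshua"))
                  %base-user-accounts))
    ;; (groups (cons* (user-group
    ;;                 (name "vmail")
    ;;                 (system? #t))
    ;;                %base-groups))

    ;; %user may run any command as root without re-entering a password.
    ;; Everything running as that account -- including a session opened with
    ;; the SSH key below -- is therefore one `sudo' away from root, so a
    ;; leaked key is a root compromise.  Dropping NOPASSWD (or listing only
    ;; the commands actually needed) keeps the account password as a second
    ;; check.
    (sudoers-file
     (plain-file "sudoers"
                 (string-append (plain-file-content %sudoers-specification)
                                (format #f "~a ALL = NOPASSWD: ALL~%"
                                        %user))))

    (packages (cons* nss-certs ;for HTTPS access
                     openssh-sans-x
                     %base-packages))

    (services (cons*
               (service dhcp-client-service-type)

               ;; Let's Encrypt certificates.  Certbot answers the HTTP-01
               ;; challenge from `webroot', which every nginx server block
               ;; below exposes under /.well-known (root /srv/www;), and each
               ;; renewal SIGHUPs nginx through %nginx-deploy-hook so the
               ;; fresh chain is loaded.
               (service certbot-service-type
                        (certbot-configuration
                         (email "jbranso@dismail.de")
                         (webroot "/srv/www")
                         (certificates
                          (list
                           (certificate-configuration
                            (name "gnucode.me")
                            (domains '("gnucode.me" "www.gnucode.me"
                                       "mail.gnucode.me" "imap.gnucode.me"
                                       "smtp.gnucode.me" "wireguard.gnucode.me"))
                            (deploy-hook %nginx-deploy-hook))
                           (certificate-configuration
                            (name "gnu-hurd.com")
                            (domains '("gnu-hurd.com" "www.gnu-hurd.com"))
                            (deploy-hook %nginx-deploy-hook))
                           (certificate-configuration
                            (name "propernaming.org")
                            (domains '("propernaming.org" "www.propernaming.org"))
                            (deploy-hook %nginx-deploy-hook))))))

               ;; IMAP access to the system users' Maildirs.
               (dovecot-service #:config
                                (dovecot-configuration
                                 (mail-location "maildir:/home/%n/Maildir")
                                 (protocols
                                  (list
                                   (protocol-configuration
                                    (name "imap")
                                    (mail-max-userip-connections 3))))
                                 ;; someone tries to login via joshua@gnucode.me
                                 ;; this strips away that login username to "joshua"
                                 ;; when I set up virtual users, I'll need to delete this!
                                 ;; https://wiki.dovecot.org/DomainLost
                                 ;; auth_username_format = %Ln
                                 ;; lowercases the username but also
                                 ;; drops the domain. Use
                                 ;; auth_username_format = %Lu instead.
                                 ;; (auth-username-format "%Ln")
                                 ;; for now just use the defaults...
                                 ;; (services
                                 ;;  (list
                                 ;;   (service-configuration
                                 ;;    (kind "imap")
                                 ;;    (client-limit 2))
                                 ;;   (service-configuration
                                 ;;    (kind "imap-login")
                                 ;;    (client-limit 2))
                                 ;;   (service-configuration
                                 ;;    (kind "auth")
                                 ;;    (client-limit 2))
                                 ;;   (service-configuration
                                 ;;    (kind "auth-worker")
                                 ;;    (client-limit 2))
                                 ;;   (service-configuration
                                 ;;    (kind "dict")
                                 ;;    (client-limit 2)))
                                 ;; )
                                 ;; perhaps I DO NOT need to use letsencrypt certs...
                                 ;; because guix creates these certs for me by default in
                                 ;; /etc/dovecot/
                                 ;; I guess that I do need/want these certs. Otherwise dovecot
                                 ;; tries to connect to my server insecurely.
                                 ;; which means that I probably need to change my user joshua password
                                 ;; since I have been sending it insecurely!
                                 ;;
                                 ;; The leading "<" is Dovecot syntax for "read the value
                                 ;; from this file" rather than a literal path.
                                 (ssl-cert "</etc/letsencrypt/live/gnucode.me/fullchain.pem")
                                 (ssl-key "</etc/letsencrypt/live/gnucode.me/privkey.pem")))

               ;; SSH tarpit; the real sshd listens on 63355 (see below).
               (service endlessh-service-type)
               ;;(service gnucode -form-service-type)

               (service mcron-service-type
                        (mcron-configuration
                         (jobs (list
                                ;; NOTE(review): "*/1 0 * * *" fires every minute
                                ;; between 00:00 and 00:59, not every 5 minutes,
                                ;; and endlessh-service-type above is presumably
                                ;; already keeping the daemon running -- confirm
                                ;; this job is still wanted.
                                #~(job "*/1 0 * * *"
                                       (string-append #$endlessh "/bin/endlessh -p 22")
                                       #:user "root")))))

               ;; Three virtual hosts.  Each serves its document root on both
               ;; 80 and 443 -- there is no HTTP->HTTPS redirect, so the same
               ;; content is reachable in clear text -- and exposes
               ;; /.well-known from /srv/www for certbot.
               ;; NOTE(review): gnucode.me also listens on IPv6 and with
               ;; http2; gnu-hurd.com and propernaming.org do not, which looks
               ;; unintended.
               (service nginx-service-type
                        (nginx-configuration
                         (server-blocks
                          (list
                           (nginx-server-configuration
                            (server-name '("gnucode.me"))
                            (listen '("80" "443 ssl http2"
                                      "[::]:80" "[::]:443 ssl http2"))
                            (root "/srv/www/html/gnucode.me/site/")
                            (ssl-certificate "/etc/letsencrypt/live/gnucode.me/fullchain.pem")
                            (ssl-certificate-key "/etc/letsencrypt/live/gnucode.me/privkey.pem")
                            ;; tell browsers my site supports HTTPS, and tell them that it will
                            ;; at least work for 1/2 hour. Gradually, I will increase this number.
                            ;; (Browsers only honour this header when it arrives over HTTPS;
                            ;; on the port-80 listeners it is ignored.)
                            (raw-content (list "add_header Strict-Transport-Security max-age=1800;"))
                            (locations
                             (list
                              (nginx-location-configuration ;certbot
                               (uri "/.well-known")
                               (body (list "root /srv/www;")))
                              ;; Backend for the gnucode-form service, which is
                              ;; commented out above; with nothing bound on 8081
                              ;; this location answers 502.
                              (nginx-location-configuration
                               (uri "/form/")
                               (body '("proxy_pass http://127.0.0.1:8081;")))
                              %secret-nginx-location)))
                           (nginx-server-configuration
                            (server-name '("gnu-hurd.com"))
                            (listen '("80" "443 ssl"))
                            (root "/srv/www/html/gnu-hurd.com/")
                            (ssl-certificate "/etc/letsencrypt/live/gnu-hurd.com/fullchain.pem")
                            (ssl-certificate-key "/etc/letsencrypt/live/gnu-hurd.com/privkey.pem")
                            ;; tell browsers my site supports HTTPS, and tell them that it will
                            ;; at least work for 1/2 hour. Gradually, I will increase this number.
                            (raw-content (list "add_header Strict-Transport-Security max-age=1800;"))
                            (locations
                             (list
                              (nginx-location-configuration ;certbot
                               (uri "/.well-known")
                               (body (list "root /srv/www;"))))))
                           (nginx-server-configuration
                            (server-name '("propernaming.org"))
                            (listen '("80" "443 ssl"))
                            (root "/srv/www/html/propernaming.org/site/")
                            (ssl-certificate "/etc/letsencrypt/live/propernaming.org/fullchain.pem")
                            (ssl-certificate-key "/etc/letsencrypt/live/propernaming.org/privkey.pem")
                            ;; tell browsers my site supports HTTPS, and tell them that it will
                            ;; at least work for 1/2 hour. Gradually, I will increase this number.
                            (raw-content (list "add_header Strict-Transport-Security max-age=1800;"))
                            (locations
                             (list
                              (nginx-location-configuration ;certbot
                               (uri "/.well-known")
                               (body (list "root /srv/www;"))))))))))

               ;; Key-only SSH on a non-default port.
               ;; NOTE(review): openssh-configuration's permit-root-login
               ;; defaults to #f, so the "root" key below is inert unless that
               ;; field is set (e.g. 'prohibit-password) -- confirm.  Leaving
               ;; root login off and using sudo from %user is the smaller
               ;; exposure.
               (service openssh-service-type
                        (openssh-configuration
                         (openssh openssh-sans-x)
                         (password-authentication? #f)
                         (port-number 63355)
                         (authorized-keys
                          `(
                            ;; ("joshua" ,(local-file "/home/joshua/linode-guix-system-configuration/ssh-keys/joshua_id_rsa.pub"))
                            ;; ("root" ,(local-file "/home/joshua/linode-guix-system-configuration/ssh-keys/joshua_id_rsa.pub"))
                            ;; local file is simpler. I can get rid of (use-module (secret ssh-keys))
                            (,%user ,(plain-file "id_rsa.pub" %joshua-ssh-key))
                            ("root" ,(plain-file "id_rsa.pub" %joshua-ssh-key))))))

               ;; I've created the prosody admin user, and I imported the cert...
               ;; but pidgin tells me that the XMPP server at gnucode.me does not support encryption.
               ;; NOTE(review): nothing here points Prosody at the gnucode.me
               ;; certificate (the `certificates' field is commented out), which
               ;; is the likely reason TLS is not offered -- give it a directory
               ;; holding the Let's Encrypt chain and key and re-test.
               (service prosody-service-type
                        (prosody-configuration
                         ;;(certificates "/etc/")
                         (admins '("jbranso@gnucode.me"))
                         (virtualhosts
                          (list
                           (virtualhost-configuration
                            (domain "gnucode.me"))))))

               ;; RFC-style role addresses all land in root's mailbox.
               (service mail-aliases-service-type
                        '(("webmaster" "root")
                          ("postmaster" "root")
                          ("abuse" "root")))

               ;; I can test send an email from my ssh machine via:
               ;; cat test-email.txt | msmtp -- jbranso@dismail.de
               ;; %smtpd.conf comes from one of the local modules loaded at the top.
               (service opensmtpd-service-type
                        (opensmtpd-configuration
                         (config-file %smtpd.conf)))

               (service unattended-upgrade-service-type)

               ;; (service wireguard-service-type
               ;;  (wireguard-configuration
               ;;   (private-key "/home/joshua/linode-guix-system-configuration/wireguard-keys/server.private.key")
               ;;   (peers
               ;;    (list
               ;;     (wireguard-peer
               ;;      (name "my servers peer for my laptop")
               ;;      (public-key "/home/joshua/linode-guix-system-configuration/wireguard-keys/laptop.pub"))))))
               %base-services)))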