
  ;; this is the current configuration for my gnucode.me,
  ;; propernaming.org, and gnu-hurd.com
  ;;
  ;; Load-path setup and module imports.  The directory holding this file and
  ;; a local guixrus checkout are added to the load path; the non-Guix modules
  ;; below ((public-keys), (nftables), (endlessh-service), (guixrus services
  ;; opensmtpd)) are presumably resolved from one of those two directories.
  ;; NOTE(review): (public-keys) looks like the source of %joshua-ssh-key used
  ;; by the openssh service further down -- confirm.
  (add-to-load-path (dirname (current-filename)))
  (add-to-load-path "/home/joshua/prog/gnu/guix/guixrus")
  (use-modules (gnu)
               (guix modules)
               ;;(secret nginx)
               (public-keys)
               ;;(gnucode-form)
               (nftables)
               (endlessh-service)
               ;;(opensmtpd-records)
               ;;(gnu services mail)
               (guixrus services opensmtpd)
               (gnu packages mail)
               ;; (gnu services mail) is still needed for dovecot, but its
               ;; opensmtpd bindings are hidden so the names used below
               ;; presumably resolve to the guixrus implementation instead.
               ((gnu services mail)
                #:hide (opensmtpd-configuration
                        opensmtpd-configuration?
                        opensmtpd-service-type
                        %default-opensmtpd-config-file))
               )
  ;; Service modules: admin (unattended-upgrades), certbot (Let's Encrypt),
  ;; mcron, messaging (prosody), networking (dhcp client), sysctl, ssh,
  ;; vpn (wireguard, currently commented out below) and web (nginx).
  (use-service-modules admin ; unattended-upgrades
                       certbot
                       ;; mail
                       mcron
                       messaging
                       networking
                       sysctl
                       ssh
                       vpn ;;wireguard
                       web)
  ;; Package modules: certs provides nss-certs, ssh provides openssh-sans-x;
  ;; admin, package-management and tls are pulled in for the remaining
  ;; package references.
  (use-package-modules admin
                       certs
                       package-management
                       ssh
                       tls)
  ;; Script run by certbot after a certificate is (re)issued: reads the nginx
  ;; master pid from /var/run/nginx/pid and sends it SIGHUP so nginx reloads
  ;; its configuration and picks up the new certificate files.
  (define %nginx-deploy-hook
    (program-file
     "nginx-deploy-hook"
     #~(call-with-input-file "/var/run/nginx/pid"
         (lambda (port)
           (kill (read port) SIGHUP)))))
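  ;; %base-services with two services reconfigured:
  ;;
  ;; - guix-service-type: enables substitute discovery, puts two substitute
  ;;   mirrors ahead of %default-substitute-urls, authorizes the signing keys
  ;;   of those mirrors plus the key used to `guix deploy' from "dobby", and
  ;;   caps the daemon at --max-jobs=1.
  ;; - sysctl-service-type: kernel and network hardening prepended to
  ;;   %default-sysctl-settings.
  ;;
  ;; Every entry in the sysctl list must be a real key under /proc/sys; the
  ;; sysctl service applies the pairs by writing them under /proc/sys (as
  ;; sysctl(8) does), so an entry whose name is not a sysctl cannot be set
  ;; and, depending on how the service handles the error, may stop the
  ;; entries after it from being applied.  Kernel command-line parameters
  ;; (spec_store_bypass_disable, spectre_v2, l1d_flush, lockdown,
  ;; init_on_alloc, init_on_free, page_alloc.shuffle, slab_nomerge, vsyscall,
  ;; slub_debug, randomize_kstack_offset) are not sysctls and belong in the
  ;; operating-system's `kernel-arguments' field instead.
  (define %my-base-services
    (modify-services %base-services
      (guix-service-type config =>
        (guix-configuration (inherit config)
          (discover? #t)
          (substitute-urls
           (append (list
                    "https://bordeaux-us-east-mirror.cbaines.net/"
                    "https://guix.tobias.gr")
                   %default-substitute-urls))
          ;; Only substitutes signed by one of these keys are accepted.
          (authorized-keys
           (append (list
                    ;; setting up guix deploy from dobby.
                    (local-file "./dobby-guix-signing-key.pub")
                    (plain-file
                     "guix.tobias.gr"
                     "(public-key
(ecc
(curve Ed25519)
(q #E21911E159DB6D031A763509A255B054360A4A96F5668CBBAC48052E67D274D3#)
)
)
")
                    (plain-file
                     "bordeaux.guix.gnu.org.signing.key"
                     "
(public-key
(ecc
(curve Ed25519)
(q #7D602902D3A2DBB83F8A0FB98602A754C5493B0B778C8D1DD4E0F41DE14DE34F#)
)
)")
                    )))
          (extra-options '("--max-jobs=1"))))
      ;; security stuff.
      (sysctl-service-type config =>
        (sysctl-configuration
         (settings
          (append
           '(
             ;;disable ipv6
             ;; NOTE(review): the per-interface keys assume the NIC is named
             ;; enp0s10, while the opensmtpd interfaces in %system use "eth0";
             ;; confirm the real interface name on the host.
             ("net.ipv6.conf.all.disable_ipv6" . "1")
             ("net.ipv6.conf.all.disable_policy" . "1")
             ("net.ipv6.conf.default.disable_ipv6" . "1")
             ("net.ipv6.conf.default.disable_policy" . "1")
             ("net.ipv6.conf.enp0s10.disable_ipv6" . "1")
             ("net.ipv6.conf.enp0s10.disable_policy" . "1")
             ("net.ipv6.conf.lo.disable_ipv6" . "1")
             ("net.ipv6.conf.lo.disable_policy" . "1")
             ;; disable ebpf in the kernel virtual machine for unprivileged
             ;; users.  (The key used to carry a stray "sysctl " prefix, with
             ;; a misspelled duplicate "kernel.unprivleged_bpf" further down;
             ;; neither name exists under /proc/sys, so the setting was never
             ;; applied.)
             ("kernel.unprivileged_bpf_disabled" . "1")
             ;; The kernel command-line hardening that used to sit here
             ;; (spectre_v2=on, init_on_alloc=1, page_alloc.shuffle=1, ...)
             ;; is not sysctl-settable; set it via `kernel-arguments'.
             ;; disable loading a new kernel into a running kernel (kexec)
             ("kernel.kexec_load_disabled" . "1")
             ;; restrict kernel pointers
             ("kernel.kptr_restrict" . "2")
             ;; unprivileged users cannot get perf events
             ("kernel.perf_event_paranoid" . "3")
             ;; harden the bpf jit (constant blinding) for all users
             ("net.core.bpf_jit_harden" . "2")
             ;; prevent some spoofing attacks
             ("net.ipv4.conf.all.rp_filter" . "1")
             ("net.ipv4.conf.default.rp_filter" . "1")
             ;; disable icmp redirects and
             ;; RFC1620 shared media redirects
             ("net.ipv4.conf.all.accept_redirects" . "0")
             ("net.ipv4.conf.all.secure_redirects" . "0")
             ("net.ipv4.conf.all.send_redirects" . "0")
             ("net.ipv4.conf.all.shared_media" . "0")
             ("net.ipv4.conf.default.accept_redirects" . "0")
             ("net.ipv4.conf.default.secure_redirects" . "0")
             ("net.ipv4.conf.default.send_redirects" . "0")
             ("net.ipv4.conf.default.shared_media" . "0")
             ("net.ipv6.conf.all.accept_redirects" . "0")
             ("net.ipv6.conf.default.accept_redirects" . "0")
             ;; disallow source-routed packets
             ("net.ipv4.conf.all.accept_source_route" . "0")
             ("net.ipv4.conf.default.accept_source_route" . "0")
             ("net.ipv6.conf.all.accept_source_route" . "0")
             ("net.ipv6.conf.default.accept_source_route" . "0")
             ;; disable pings sent to a broadcast address
             ("net.ipv4.icmp_echo_ignore_broadcasts" . "1")
             ;; disable bogus icmp error responses
             ("net.ipv4.icmp_ignore_bogus_error_responses" . "1")
             ;; protect against time-wait assassination hazards in tcp
             ("net.ipv4.tcp_rfc1337" . "1")
             ("net.ipv4.tcp_sack" . "0")
             ("net.ipv4.tcp_dsack" . "0")
             ("net.ipv4.tcp_timestamps" . "0")
             ;; maximum mmap base randomization on x86_64 / compat
             ("vm.mmap_rnd_bits" . "32")
             ("vm.mmap_rnd_compat_bits" . "16")
             ;; do not answer any ping
             ("net.ipv4.icmp_echo_ignore_all" . "1")
             )
           %default-sysctl-settings))))))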
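  ;; The operating-system for the "copertino" host: nginx + certbot for
  ;; gnucode.me, gnu-hurd.com and propernaming.org, dovecot (IMAP) and
  ;; opensmtpd for mail, prosody (XMPP), openssh and unattended upgrades,
  ;; all on top of %my-base-services.
  (define %system
    (operating-system
      (host-name "copertino")
      (timezone "America/Chicago")
      (locale "en_US.UTF-8")
      ;; Kernel hardening that is configured on the kernel command line rather
      ;; than through sysctl (none of these names are keys under /proc/sys).
      ;; %default-kernel-arguments keeps the Guix defaults in place.
      (kernel-arguments
       (append '("spec_store_bypass_disable=on"
                 "spectre_v2=on"
                 "l1d_flush=on"
                 ;; zero memory on allocation and on free
                 "init_on_alloc=1"
                 "init_on_free=1"
                 ;; randomize the page allocator free lists
                 "page_alloc.shuffle=1"
                 ;; `vsyscall' takes none/xonly/emulate, not a number;
                 ;; "none" removes the legacy vsyscall page entirely.
                 "vsyscall=none"
                 "randomize_kstack_offset=on"
                 ;; need to enable apparmor for this...
                 ;; "lockdown=confidentiality"
                 ;; "slab_nomerge"
                 ;; "slub_debug=F"
                 )
               %default-kernel-arguments))
      ;; This goofy code will generate the grub.cfg
      ;; without installing the grub bootloader on disk.
      (bootloader (bootloader-configuration
                   (bootloader
                    (bootloader
                     (inherit grub-bootloader)
                     (installer #~(const #t))))))
      (file-systems (cons (file-system
                            (device "/dev/sda")
                            (mount-point "/")
                            (type "ext4"))
                          %base-file-systems))
      (swap-devices (list
                     (swap-space (target "/dev/sdb"))))
      (initrd-modules (cons "virtio_scsi" ; Needed to find the disk
                            %base-initrd-modules))
      (users (cons* (user-account
                     (name "joshua")
                     (group "users")
                     ;; Adding the account to the "wheel" group
                     ;; makes it a sudoer.
                     (supplementary-groups '("wheel"))
                     (home-directory "/home/joshua"))
                    ;; (user-account
                    ;;  (name "vmail")
                    ;;  (group "vmail")
                    ;;  (home-directory "vmail")
                    ;;  (system? #t)
                    ;;  (comment "User that dovecot users to deliver emails
                    ;; to /home/vmail/gnucode.me/joshua"))
                    %base-user-accounts))
      ;; (groups (cons* (user-group
      ;;                 (name "vmail")
      ;;                 (system? #t))
      ;;                %base-groups))
      ;; I can read 'man 5 sudoers' for tips about the syntax of the sudoers file.
      ;; the very end of the file has some examples.
      ;; joshua gets passwordless sudo, presumably because `guix deploy'
      ;; (which connects as joshua, see the machine definition at the end of
      ;; this file) needs it.  It also means that whoever holds joshua's ssh
      ;; key is root on this box, so that key is the thing to guard.
      (sudoers-file
       (plain-file "sudoers"
                   (string-append (plain-file-content %sudoers-specification)
                                  (format #f "~a ALL = NOPASSWD: ALL~%"
                                          "joshua"))))
      (packages (cons* nss-certs ;for HTTPS access
                       openssh-sans-x
                       %base-packages))
      (services (cons*
                 (service dhcp-client-service-type)
                 ;; Let's Encrypt certificates, validated over HTTP from the
                 ;; /srv/www webroot (nginx serves /.well-known from there on
                 ;; every vhost).  Each renewal SIGHUPs nginx via the deploy
                 ;; hook; dovecot and opensmtpd read the same files but are not
                 ;; reloaded by it.
                 (service certbot-service-type
                          (certbot-configuration
                           (email "jbranso@dismail.de")
                           (webroot "/srv/www")
                           (certificates
                            (list
                             (certificate-configuration
                              (name "gnucode.me")
                              (domains '("gnucode.me" "www.gnucode.me"
                                         "imap.gnucode.me"
                                         "smtp.gnucode.me"))
                              (deploy-hook %nginx-deploy-hook))
                             (certificate-configuration
                              (name "gnu-hurd.com")
                              (domains '("gnu-hurd.com" "www.gnu-hurd.com"))
                              (deploy-hook %nginx-deploy-hook))
                             (certificate-configuration
                              (name "propernaming.org")
                              (domains '("propernaming.org" "www.propernaming.org"))
                              (deploy-hook %nginx-deploy-hook))
                             ))))
                 (dovecot-service #:config
                                  (dovecot-configuration
                                   (mail-location "maildir:/home/%n/Maildir")
                                   (protocols
                                    (list
                                     (protocol-configuration
                                      (name "imap")
                                      (mail-max-userip-connections 3))
                                     ;;(protocol-configuration name "lmtp")
                                     ))
                                   ;; I am hoping to set up LMTP, that way I can set up Sieve filtering.
                                   ;; https://doc.dovecot.org/configuration_manual/sieve/configuration/
                                   ;; https://doc.dovecot.org/configuration_manual/protocols/lmtp_server/#lmtp-server
                                   ;; (services
                                   ;;  (list
                                   ;;   (service-configuration
                                   ;;    (kind "imap"))))
                                   ;; someone tries to login via joshua@gnucode.me
                                   ;; this strips away that login username to "joshua"
                                   ;; when I set up virtual users, I'll need to delete this!
                                   ;; https://wiki.dovecot.org/DomainLost
                                   ;; auth_username_format = %Ln
                                   ;; lowercases the username but also
                                   ;; drops the domain. Use
                                   ;; auth_username_format = %Lu instead.
                                   ;; (auth-username-format "%Ln")
                                   ;; for now just use the defaults...
                                   ;; (services
                                   ;;  (list
                                   ;;   (service-configuration
                                   ;;    (kind "imap")
                                   ;;    (client-limit 2))
                                   ;;   (service-configuration
                                   ;;    (kind "imap-login")
                                   ;;    (clint-limit 2))
                                   ;;   (service-configuration
                                   ;;    (kind "auth")
                                   ;;    (client-limit 2))
                                   ;;   (service-configuration
                                   ;;    (kind "auth-worker")
                                   ;;    (client-limit 2))
                                   ;;   (service-configuration
                                   ;;    (kind "dict")
                                   ;;    (client-limit 2)))
                                   ;; )
                                   ;; perhaps I DO NOT need to use letsencrypt certs...
                                   ;; because guix creates these certs for me by default in
                                   ;; /etc/dovecot/
                                   ;; I guess that I do need/want these certs. Otherwise dovecot
                                   ;; tries to connect to my server insecurely.
                                   ;; which means that I probably need to change my user joshua password
                                   ;; since I have been sending it insecurely!
                                   ;; The leading "<" tells dovecot to read the value from the
                                   ;; named file instead of treating the path itself as the PEM.
                                   (ssl-cert "</etc/letsencrypt/live/gnucode.me/fullchain.pem")
                                   (ssl-key "</etc/letsencrypt/live/gnucode.me/privkey.pem")
                                   ))
                 ;; (service endlessh-service-type)
                 ;;(service gnucode -form-service-type)
                 ;; (service mcron-service-type
                 ;;          (mcron-configuration
                 ;;           (jobs (list
                 ;;                  ;; run endlessh every 5 minutes
                 ;;                  #~(job "*/1 0 * * *"
                 ;;                         (string-append #$endlessh "/bin/endlessh -p 22")
                 ;;                         #:user "root")))))
                 ;; Values shared by the three nginx server blocks below.
                 ;; NOTE(review): the [::] listeners coexist with the sysctl
                 ;; settings that disable IPv6; confirm nginx still starts
                 ;; cleanly with them, or drop them.
                 (let ([default-listen (list "80"
                                             "443 ssl http2"
                                             "[::]:80"
                                             "[::]:443 ssl http2"
                                             )]
                       ;; HSTS header sent by every vhost (30 minutes for now).
                       [default-raw-content (list "add_header Strict-Transport-Security max-age=1800;")]
                       [srv-root-dir "/srv/www/html/"]
                       [letsencrypt-dir "/etc/letsencrypt/live/"]
                       ;; ACME HTTP-01 challenge files, rooted at certbot's webroot.
                       [letsencrypt-acme-challenge (nginx-location-configuration ;; for certbot
                                                    (uri "/.well-known")
                                                    (body (list "root /srv/www;")))])
                   ;; make a pubnix nginx-server-configuration
                   ;; I can use this-operating-system ...read more about it in the manual.
                   ;; then I can do something like: for all users, make gnucode.me/~<user>/ serve
                   ;; their html files.
                   (service nginx-service-type
                            (nginx-configuration
                             (server-blocks
                              (list
                               (nginx-server-configuration
                                ;; perhaps make a macro for the next 6 lines:
                                ;; (letsencrypt-certs "gnucode.me")
                                ;; local.gnucode.me
                                (server-name '("gnucode.me"))
                                (listen default-listen)
                                (root (string-append srv-root-dir "gnucode.me/site/"))
                                (ssl-certificate (string-append letsencrypt-dir "gnucode.me/fullchain.pem"))
                                (ssl-certificate-key (string-append letsencrypt-dir "gnucode.me/privkey.pem"))
                                ;; tell browsers my site supports HTTPS, and tell them that it will
                                ;; at least work for 1/2 hour. Gradually, I will increase this number.
                                (raw-content default-raw-content)
                                (locations
                                 (list
                                  letsencrypt-acme-challenge ;; for certbot
                                  ;; /form/ is reverse-proxied to a local service on 8081.
                                  (nginx-location-configuration
                                   (uri "/form/")
                                   (body '("proxy_pass http://127.0.0.1:8081;")))
                                  ;; /agenda/ is served from its own directory; the basic-auth
                                  ;; lines are commented out, so it is currently public.
                                  (nginx-location-configuration
                                   (uri "/agenda/")
                                   (body
                                    (list
                                     (string-append "root " srv-root-dir "gnucode.me/agenda/;\n")
                                     ;(string-append "auth_basic \"Yearly Agenda\";\n")
                                     ;(string-append "auth_basic_user_file " srv-root-dir "gnucode.me/agenda/htpasswd;")
                                     ))))))
                               (nginx-server-configuration
                                (server-name '("gnu-hurd.com"))
                                (listen default-listen)
                                (root (string-append srv-root-dir "gnu-hurd.com/"))
                                (ssl-certificate (string-append letsencrypt-dir "gnu-hurd.com/fullchain.pem"))
                                (ssl-certificate-key (string-append letsencrypt-dir "gnu-hurd.com/privkey.pem"))
                                ;; tell browsers my site supports HTTPS, and tell them that it will
                                ;; at least work for 1/2 hour. Gradually, I will increase this number.
                                (raw-content default-raw-content)
                                (locations
                                 (list
                                  letsencrypt-acme-challenge ;; for certbot
                                  )))
                               (nginx-server-configuration
                                (server-name '("propernaming.org"))
                                (listen default-listen)
                                (root (string-append srv-root-dir "propernaming.org/site/"))
                                (ssl-certificate (string-append letsencrypt-dir "propernaming.org/fullchain.pem"))
                                (ssl-certificate-key (string-append letsencrypt-dir "propernaming.org/privkey.pem"))
                                ;; tell browsers my site supports HTTPS, and tell them that it will
                                ;; at least work for 1/2 hour. Gradually, I will increase this number.
                                (raw-content default-raw-content)
                                (locations
                                 (list
                                  letsencrypt-acme-challenge ;; for certbot
                                  )))
                               )))))
                 (service openssh-service-type
                          (openssh-configuration
                           (openssh openssh-sans-x)
                           ;; key-based logins only
                           (password-authentication? #f)
                           (port-number 22)
                           (authorized-keys
                            `(
                              ;; ("joshua" ,(local-file "/home/joshua/linode-guix-system-configuration/ssh-keys/joshua_id_rsa.pub"))
                              ;; ("root" ,(local-file "/home/joshua/linode-guix-system-configuration/ssh-keys/joshua_id_rsa.pub"))
                              ;; local file is simpler. I can get rid of (use-module (secret ssh-keys))
                              ("joshua" ,(plain-file "id_rsa.pub" %joshua-ssh-key))
                              ;; NOTE(review): no permit-root-login is set here and Guix's
                              ;; default refuses root logins, so this entry is presumably
                              ;; unused; verify, and consider dropping it so root is only
                              ;; reachable through joshua + sudo.
                              ("root" ,(plain-file "id_rsa.pub" %joshua-ssh-key))
                              ))))
                 ;; I've created the prosody admin user, and I imported the cert...
                 ;; but pidgin tells me that I the XMPP server at gnucode.me does not support encryption.
                 ;; NOTE(review): no certificates field is set, so prosody uses the
                 ;; service's default certificate location rather than the
                 ;; letsencrypt files used by nginx/dovecot/opensmtpd above --
                 ;; which would be consistent with the "no encryption" report.
                 (service prosody-service-type
                          (prosody-configuration
                           ;;(certificates "/etc/")
                           (admins '("jbranso@gnucode.me"))
                           (virtualhosts
                            (list
                             (virtualhost-configuration
                              (domain "gnucode.me"))))))
                 ;; (service mail-aliases-service-type
                 ;;          '(("webmaster" "root")
                 ;;            ("postmaster" "root")
                 ;;            ("abuse" "root")))
                 ;; I can test send an email from my ssh machine via:
                 ;; cat test-email.txt | msmtp -- jbranso@dismail.de
                 ;; (service opensmtpd-service-type
                 ;;          (opensmtpd-configuration
                 ;;           (config-file %smtpd.conf)))
                 ;; TODO my nftables for a server ARE NOT working.
                 ;; Until this is re-enabled there is no host firewall: every
                 ;; service above that listens on the public interface is
                 ;; reachable directly.
                 ;; (service nftables-service-type
                 ;;          (nftables-configuration
                 ;;           (ruleset
                 ;;            (plain-file "nftables.conf" %gnucode-nftables-ruleset))))
                 ;; OpenSMTPD: port 25 (inbound MX, opportunistic TLS), and
                 ;; authenticated submission on 465 (smtps) and 587
                 ;; (tls-require), both DKIM-signed on the way out.
                 (service opensmtpd-service-type
                          (let ([action-receive (opensmtpd-local-delivery
                                                 (name "receive")
                                                 (method (opensmtpd-maildir
                                                          (pathname "/home/%{rcpt.user}/Maildir")
                                                          (junk #t)))
                                                 (virtual (opensmtpd-table
                                                           (name "vusers")
                                                           (data '(("joshua@gnucode.me" . "joshua")
                                                                   ("jbranso@gnucode.me" . "joshua")
                                                                   ("postmaster@gnucode.me" . "joshua"))))))]
                                [pki-gnucode (opensmtpd-pki
                                              (domain "smtp.gnucode.me")
                                              (cert "/etc/letsencrypt/live/gnucode.me/fullchain.pem")
                                              (key "/etc/letsencrypt/live/gnucode.me/privkey.pem"))]
                                ;; NOTE(review): the filter runs as nobody/nogroup, so the
                                ;; DKIM private key must be readable by that user but should
                                ;; not be readable by other local users -- check its mode.
                                [filter-dkimsign (opensmtpd-filter
                                                  (name "dkimsign")
                                                  (exec #t)
                                                  (proc (list (file-append opensmtpd-filter-dkimsign "/libexec/opensmtpd/filter-dkimsign")
                                                              " -d gnucode.me -s 2023-02-28 -c relaxed/relaxed -k "
                                                              "/etc/opensmtpd/dkimsign/02-28-2023-rsa1024-gnucode.me-private.key "
                                                              "user nobody group nogroup")))]
                                ;; Submission credentials (crypt(3) SHA-512 hash).
                                ;; NOTE(review): this table is rendered into a file by the
                                ;; service; check where that file ends up -- anything placed
                                ;; in /gnu/store is world-readable on the host.
                                [table-creds (opensmtpd-table
                                              (name "creds")
                                              (data
                                               (list
                                                (cons "joshua"
                                                      "$6$Ec4m8FgKjT2F/03Y$k66ABdse9TzCX6qaALB3WBL9GC1rmAWJmaoSjFMpbhzat7DOpFqpnOwpbZ34wwsQYIK8RQlqwM1I/v6vsRq86."))))])
                            (opensmtpd-configuration
                             (interfaces
                              (list
                               ;; this forum help suggests that I listen on 0.0.0.0 and NOT eth0
                               ;; https://serverfault.com/questions/726795/opensmtpd-wont-work-at-reboot
                               ;; this listens for email from the outside world
                               (opensmtpd-interface
                                (interface "eth0")
                                (port 25)
                                (secure-connection "tls")
                                (pki pki-gnucode))
                               ;; this lets local users logged into the system via ssh send email
                               (opensmtpd-interface
                                (interface "lo")
                                (port 25)
                                (secure-connection "tls")
                                (pki pki-gnucode))
                               (opensmtpd-interface
                                (interface "eth0")
                                (port 465)
                                (secure-connection "smtps")
                                (pki pki-gnucode)
                                (auth table-creds)
                                (filters (list filter-dkimsign)))
                               (opensmtpd-interface
                                (interface "eth0")
                                (port 587)
                                (secure-connection "tls-require")
                                (pki pki-gnucode)
                                (auth table-creds)
                                (filters (list filter-dkimsign)))))
                             (matches (list
                                       ;; relay anywhere, but only for authenticated senders
                                       (opensmtpd-match
                                        (action (opensmtpd-relay
                                                 (name "relay")))
                                        (options
                                         (list
                                          (opensmtpd-option
                                           (option "for any"))
                                          (opensmtpd-option
                                           (option "from any"))
                                          (opensmtpd-option
                                           (option "auth")))))
                                       ;; inbound mail for our domains goes to local maildirs
                                       (opensmtpd-match
                                        (action action-receive)
                                        (options
                                         (list
                                          (opensmtpd-option
                                           (option "from any"))
                                          (opensmtpd-option
                                           (option "for domain")
                                           (data (opensmtpd-table
                                                  (name "vdoms")
                                                  (data (list "gnucode.me"
                                                              "gnu-hurd.com"))))))))
                                       (opensmtpd-match
                                        (action action-receive)
                                        (options
                                         (list
                                          (opensmtpd-option
                                           (option "for local"))))))))))
                 (service unattended-upgrade-service-type)
                 ;; (service wireguard-service-type
                 ;;          (wireguard-configuration
                 ;;           (private-key "/home/joshua/linode-guix-system-configuration/wireguard-keys/server.private.key")
                 ;;           (peers
                 ;;            (list
                 ;;             (wireguard-peer
                 ;;              (name "my servers peer for my laptop")
                 ;;              (public-key "/home/joshua/linode-guix-system-configuration/wireguard-keys/laptop.pub"))))))
                 %my-base-services))))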
  ;; Deployment target for `guix deploy': the single host running %system,
  ;; reached over ssh as joshua with the local ~/.ssh/id_rsa key (joshua has
  ;; passwordless sudo in %system's sudoers, which is presumably what lets the
  ;; deploy switch the system generation).  host-key is the expected ssh host
  ;; key of 45.56.66.20, so a host presenting a different key is rejected
  ;; rather than trusted on first use.
  (list (machine
         (operating-system %system)
         (environment managed-host-environment-type)
         (configuration (machine-ssh-configuration
                         (host-name "45.56.66.20")
                         (system "x86_64-linux")
                         (user "joshua")
                         (identity "~/.ssh/id_rsa")
                         (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJgL0hBTWmCVGGvNJYa+YS+fEXs89v0GbdkQ+M+LdZlf root@(none)")
                         (port 22)))))