
;; this is the current configuration for my linode "Guix System"

;; Put the directory holding this file on the load path so the site-local
;; modules used below ((secret nginx), (public-keys), (endlessh-service),
;; (opensmtpd)) resolve when this file is given to `guix system'.
(add-to-load-path (dirname (current-filename)))

(use-modules (gnu)
             (guix modules)
             ;; Site-local modules.  Presumably (secret nginx) provides
             ;; %secret-nginx-location and (public-keys) provides
             ;; %joshua-ssh-key, which are referenced further down -- anything
             ;; secret belongs in those modules, never in this file.
             (secret nginx)
             (public-keys)
             ;;(gnucode-form)
             (endlessh-service)
             ;;(opensmtpd-records)
             ;; NOTE(review): (gnu services mail) and the local (opensmtpd)
             ;; module both export opensmtpd-service-type /
             ;; opensmtpd-configuration (that is what the commented #:hide list
             ;; below was for).  Import order is presumably what lets the local
             ;; module's bindings win here -- confirm, or reinstate the #:hide
             ;; form so the choice is explicit.
             (gnu services mail)
             (opensmtpd)
             ;; ((gnu services mail)
             ;;  #:hide (opensmtpd-configuration
             ;;          opensmtpd-configuration?
             ;;          opensmtpd-service-type
             ;;          %default-opensmtpd-config-file))
             )

;; Service modules: certbot (TLS certificates), mcron (the endlessh cron job),
;; messaging (prosody), networking (dhcp client), ssh (openssh), web (nginx).
(use-service-modules admin ; unattended-upgrades
                     certbot
                     ;; mail
                     mcron
                     messaging
                     networking
                     ssh
                     vpn ;;wireguard
                     web)

;; Package modules: certs (nss-certs) and ssh (openssh-sans-x) are what the
;; `packages' field below pulls in.
(use-package-modules admin
                     certs
                     package-management
                     ssh
                     tls)
  32. (define %nginx-deploy-hook
  33. (program-file
  34. "nginx-deploy-hook"
  35. #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
  36. (kill pid SIGHUP))))
;; Login name of the interactive account on this machine.  The user-account,
;; the NOPASSWD sudoers rule and the ssh authorized-keys in the
;; operating-system below all refer to this same user.
(define %user "joshua")
  38. (operating-system
  39. (host-name "locke-lamora")
  40. (timezone "America/Chicago")
  41. (locale "en_US.UTF-8")
  42. ;; This goofy code will generate the grub.cfg
  43. ;; without installing the grub bootloader on disk.
  44. (bootloader (bootloader-configuration
  45. (bootloader
  46. (bootloader
  47. (inherit grub-bootloader)
  48. (installer #~(const #t))))))
  49. (file-systems (cons (file-system
  50. (device "/dev/sda")
  51. (mount-point "/")
  52. (type "ext4"))
  53. %base-file-systems))
  54. (swap-devices (list "/dev/sdb"))
  55. (initrd-modules (cons "virtio_scsi" ; Needed to find the disk
  56. %base-initrd-modules))
  57. (users (cons* (user-account
  58. (name "joshua")
  59. (group "users")
  60. ;; Adding the account to the "wheel" group
  61. ;; makes it a sudoer.
  62. (supplementary-groups '("wheel"))
  63. (home-directory "/home/joshua"))
  64. ;; (user-account
  65. ;; (name "vmail")
  66. ;; (group "vmail")
  67. ;; (home-directory "vmail")
  68. ;; (system? #t)
  69. ;; (comment "User that dovecot users to deliver emails
  70. ;; to /home/vmail/gnucode.me/joshua"))
  71. %base-user-accounts))
  72. ;; (groups (cons* (user-group
  73. ;; (name "vmail")
  74. ;; (system? #t))
  75. ;; %base-groups))
  76. ;; I can read 'man 5 suoders' for tips about the syntax of suoders file.
  77. ;; the very end of the file has some examples.
  78. (sudoers-file
  79. (plain-file "sudoers"
  80. (string-append (plain-file-content %sudoers-specification)
  81. (format #f "~a ALL = NOPASSWD: ALL~%"
  82. "joshua"))))
  83. (packages (cons* nss-certs ;for HTTPS access
  84. openssh-sans-x
  85. %base-packages))
  86. (services (cons*
  87. (service dhcp-client-service-type)
  88. (service certbot-service-type
  89. (certbot-configuration
  90. (email "jbranso@dismail.de")
  91. (webroot "/srv/www")
  92. (certificates
  93. (list
  94. (certificate-configuration
  95. (name "gnucode.me")
  96. (domains '("gnucode.me" "www.gnucode.me"
  97. "imap.gnucode.me"
  98. "smtp.gnucode.me"))
  99. (deploy-hook %nginx-deploy-hook))
  100. (certificate-configuration
  101. (name "gnu-hurd.com")
  102. (domains '("gnu-hurd.com" "www.gnu-hurd.com"))
  103. (deploy-hook %nginx-deploy-hook))
  104. (certificate-configuration
  105. (name "propernaming.org")
  106. (domains '("propernaming.org" "www.propernaming.org"))
  107. (deploy-hook %nginx-deploy-hook))
  108. ))))
  109. (dovecot-service #:config
  110. (dovecot-configuration
  111. (mail-location "maildir:/home/%n/Maildir")
  112. (protocols
  113. (list
  114. (protocol-configuration
  115. (name "imap")
  116. (mail-max-userip-connections 3))
  117. ;;(protocol-configuration name "lmtp")
  118. ))
  119. ;; I am hoping to set up LMTP, that way I can set up Sieve filtering.
  120. ;; https://doc.dovecot.org/configuration_manual/sieve/configuration/
  121. ;; https://doc.dovecot.org/configuration_manual/protocols/lmtp_server/#lmtp-server
  122. ;; (services
  123. ;; (list
  124. ;; (service-configuration
  125. ;; (kind "imap"))))
  126. ;; someone tries to login via joshua@gnucode.me
  127. ;; this strips away that login username to "joshua"
  128. ;; when I set up virtual users, I'll need to delete this!
  129. ;; https://wiki.dovecot.org/DomainLost
  130. ;; auth_username_format = %Ln
  131. ;; lowercases the username but also
  132. ;; drops the domain. Use
  133. ;; auth_username_format = %Lu instead.
  134. ;; (auth-username-format "%Ln")
  135. ;; for now just use the defaults...
  136. ;; (services
  137. ;; (list
  138. ;; (service-configuration
  139. ;; (kind "imap")
  140. ;; (client-limit 2))
  141. ;; (service-configuration
  142. ;; (kind "imap-login")
  143. ;; (clint-limit 2))
  144. ;; (service-configuration
  145. ;; (kind "auth")
  146. ;; (client-limit 2))
  147. ;; (service-configuration
  148. ;; (kind "auth-worker")
  149. ;; (client-limit 2))
  150. ;; (service-configuration
  151. ;; (kind "dict")
  152. ;; (client-limit 2)))
  153. ;; )
  154. ;; perhaps I DO NOT need to use letsencrypt certs...
  155. ;; because guix creates these certs for me by default in
  156. ;; /etc/dovecot/
  157. ;; I guess that I do need/want these certs. Otherwise dovecot
  158. ;; tries to connect to my server insecurely.
  159. ;; which means that I probably need to change my user joshua password
  160. ;; since I have been sending it insecurely!
  161. (ssl-cert "</etc/letsencrypt/live/gnucode.me/fullchain.pem")
  162. (ssl-key "</etc/letsencrypt/live/gnucode.me/privkey.pem")
  163. ))
  164. (service endlessh-service-type)
  165. ;;(service gnucode -form-service-type)
  166. (service mcron-service-type
  167. (mcron-configuration
  168. (jobs (list
  169. ;; run endlessh every 5 minutes
  170. #~(job "*/1 0 * * *"
  171. (string-append #$endlessh "/bin/endlessh -p 22")
  172. #:user "root")))))
  173. (let ([default-listen (list "80" "443 ssl http2"
  174. "[::]:80"
  175. "[::]:443 ssl http2")]
  176. [default-raw-content (list "add_header Strict-Transport-Security max-age=1800;")]
  177. [srv-root-dir "/srv/www/html/"]
  178. [letsencrypt-dir "/etc/letsencrypt/live/"]
  179. [letsencrypt-acme-challenge (nginx-location-configuration ;; for certbot
  180. (uri "/.well-known")
  181. (body (list "root /srv/www;")))])
  182. ;; make a pubnix nginx-servec-configuration
  183. ;; I can use this-operating-system ...read more about it in the manual.
  184. ;; then I can do something like: for all users, make gnucode.me/~<user>/ serve
  185. ;; their html files.
  186. (service nginx-service-type
  187. (nginx-configuration
  188. (server-blocks
  189. (list
  190. (nginx-server-configuration
  191. ;; perhaps make a macro for the next 6 lines:
  192. ;; (letsencrypt-certs "gnucode.me")
  193. ;; local.gnucode.me
  194. (server-name '("gnucode.me"))
  195. (listen default-listen)
  196. (root (string-append srv-root-dir "gnucode.me/site/"))
  197. (ssl-certificate (string-append letsencrypt-dir "gnucode.me/fullchain.pem"))
  198. (ssl-certificate-key (string-append letsencrypt-dir "gnucode.me/privkey.pem"))
  199. ;; tell browsers my site supports HTTPS, and tell them that it will
  200. ;; at least work for 1/2 hour. Gradually, I will increase this number.
  201. (raw-content default-raw-content)
  202. (locations
  203. (list
  204. letsencrypt-acme-challenge ;; for certbot
  205. (nginx-location-configuration
  206. (uri "/form/")
  207. (body '("proxy_pass http://127.0.0.1:8081;")))
  208. %secret-nginx-location
  209. )))
  210. (nginx-server-configuration
  211. (server-name '("gnu-hurd.com"))
  212. (listen default-listen)
  213. (root (string-append srv-root-dir "gnu-hurd.com/"))
  214. (ssl-certificate (string-append letsencrypt-dir "gnu-hurd.com/fullchain.pem"))
  215. (ssl-certificate-key (string-append letsencrypt-dir "gnu-hurd.com/privkey.pem"))
  216. ;; tell browsers my site supports HTTPS, and tell them that it will
  217. ;; at least work for 1/2 hour. Gradually, I will increase this number.
  218. (raw-content default-raw-content)
  219. (locations
  220. (list
  221. letsencrypt-acme-challenge ;; for certbot
  222. )))
  223. (nginx-server-configuration
  224. (server-name '("propernaming.org"))
  225. (listen default-listen)
  226. (root (string-append srv-root-dir "propernaming.org/site/"))
  227. (ssl-certificate (string-append letsencrypt-dir "propernaming.org/fullchain.pem"))
  228. (ssl-certificate-key (string-append letsencrypt-dir "propernaming.org/privkey.pem"))
  229. ;; tell browsers my site supports HTTPS, and tell them that it will
  230. ;; at least work for 1/2 hour. Gradually, I will increase this number.
  231. (raw-content default-raw-content)
  232. (locations
  233. (list
  234. letsencrypt-acme-challenge ;; for certbot
  235. )))
  236. )))))
  237. (service openssh-service-type
  238. (openssh-configuration
  239. (openssh openssh-sans-x)
  240. (password-authentication? #f)
  241. (port-number 63355)
  242. (authorized-keys
  243. `(
  244. ;; ("joshua" ,(local-file "/home/joshua/linode-guix-system-configuration/ssh-keys/joshua_id_rsa.pub"))
  245. ;; ("root" ,(local-file "/home/joshua/linode-guix-system-configuration/ssh-keys/joshua_id_rsa.pub"))
  246. ;; local file is simpler. I can get rid of (use-module (secret ssh-keys))
  247. ("joshua" ,(plain-file "id_rsa.pub" %joshua-ssh-key))
  248. ("root" ,(plain-file "id_rsa.pub" %joshua-ssh-key))
  249. ))))
  250. ;; I've created the prosody admin user, and I imported the cert...
  251. ;; but pidgin tells me that I the XMPP server at gnucode.me does not support encryption.
  252. (service prosody-service-type
  253. (prosody-configuration
  254. ;;(certificates "/etc/")
  255. (admins '("jbranso@gnucode.me"))
  256. (virtualhosts
  257. (list
  258. (virtualhost-configuration
  259. (domain "gnucode.me"))))))
  260. (service mail-aliases-service-type
  261. '(("webmaster" "root")
  262. ("postmaster" "root")
  263. ("abuse" "root")))
  264. ;; I can test send an email from my ssh machine via:
  265. ;; cat test-email.txt | msmtp -- jbranso@dismail.de
  266. (service opensmtpd-service-type
  267. (opensmtpd-configuration
  268. (config-file %smtpd.conf)))
  269. ;; (service opensmtpd-service-type
  270. ;; (opensmtpd-configuration
  271. ;; (pkis (list
  272. ;; (opensmtpd-pki
  273. ;; (domain "smtp.gnucode.me")
  274. ;; (cert "/etc/letsencrypt/live/gnucode.me/fullchain.pem")
  275. ;; (key "/etc/letsencrypt/live/gnucode.me/privkey.pem"))))
  276. ;; (tables (list
  277. ;; (opensmtpd-table
  278. ;; (name "aliases")
  279. ;; (values
  280. ;; (list
  281. ;; (cons "webmaster" "root")
  282. ;; (cons "postmaster" "root")
  283. ;; (cons "abuse" "root"))))
  284. ;; (opensmtpd-table
  285. ;; (name "creds")
  286. ;; (values
  287. ;; (list
  288. ;; (cons "joshua"
  289. ;; "$6$Ec4m8FgKjT2F/03Y$k66ABdse9TzCX6qaALB3WBL9GC1rmAWJmaoSjFMpbhzat7DOpFqpnOwpbZ34wwsQYIK8RQlqwM1I/v6vsRq86."))))
  290. ;; (opensmtpd-table
  291. ;; (name "vdoms")
  292. ;; (values (list "gnucode.me"
  293. ;; "gnu-hurd.com")))
  294. ;; (opensmtpd-table
  295. ;; (name "vusers")
  296. ;; (values (list (cons "joshua@gnucode.me" "joshua")
  297. ;; (cons "jbranso@gnucode.me" "joshua")
  298. ;; (cons "postmaster@gnucode.me" "joshua"))))))
  299. ;; (listen-ons
  300. ;; (list
  301. ;; ;; this forum help suggests that I listen on 0.0.0.0 and NOT eth0
  302. ;; ;; https://serverfault.com/questions/726795/opensmtpd-wont-work-at-reboot
  303. ;; ;; this listens for email from the outside world
  304. ;; (opensmtpd-listen-on
  305. ;; (interface "eth0")
  306. ;; (port 25)
  307. ;; (secure-connection "tls")
  308. ;; (pki "smtp.gnucode.me"))
  309. ;; ;; this lets local users logged into the system via ssh send email
  310. ;; (opensmtpd-listen-on
  311. ;; (interface "lo")
  312. ;; (port 25)
  313. ;; (secure-connection "tls")
  314. ;; (pki "smtp.gnucode.me"))
  315. ;; (opensmtpd-listen-on
  316. ;; (interface "eth0")
  317. ;; (port 465)
  318. ;; (secure-connection "smtps")
  319. ;; (pki "smtp.gnucode.me")
  320. ;; (auth "creds")
  321. ;; (filter "dkimsign"))
  322. ;; (opensmtpd-listen-on
  323. ;; (interface "eth0")
  324. ;; (port 587)
  325. ;; (secure-connection "tls-require")
  326. ;; (pki "smtp.gnucode.me")
  327. ;; (auth "creds")
  328. ;; (filter "dkimsign"))))
  329. ;; (actions
  330. ;; (list
  331. ;; (opensmtpd-action
  332. ;; (name "receive")
  333. ;; (method
  334. ;; (opensmtpd-local-delivery-configuration
  335. ;; (method (opensmtpd-maildir-configuration
  336. ;; (pathname "/home/%{rcpt.user}/Maildir")
  337. ;; (junk #t)))
  338. ;; (virtual "vusers"))))
  339. ;; (opensmtpd-action
  340. ;; (name "send")
  341. ;; (method (opensmtpd-relay-configuration)))))
  342. ;; (matches (list
  343. ;; (opensmtpd-match
  344. ;; (name "send")
  345. ;; (for "for any")
  346. ;; (from "from any")
  347. ;; (auth #t))
  348. ;; (opensmtpd-match
  349. ;; (name "receive")
  350. ;; (from "from any")
  351. ;; (for "for domain <vdoms>"))
  352. ;; (opensmtpd-match
  353. ;; (name "receive")
  354. ;; (for "for local"))))))
  355. (service unattended-upgrade-service-type)
  356. ;; (service wireguard-service-type
  357. ;; (wireguard-configuration
  358. ;; (private-key "/home/joshua/linode-guix-system-configuration/wireguard-keys/server.private.key")
  359. ;; (peers
  360. ;; (list
  361. ;; (wireguard-peer
  362. ;; (name "my servers peer for my laptop")
  363. ;; (public-key "/home/joshua/linode-guix-system-configuration/wireguard-keys/laptop.pub"))))))
  364. %base-services)))