authorMarek Paśnikowski <marek@marekpasnikowski.pl>2026-04-23 11:06:28 +0200
committerMarek Paśnikowski <marek@marekpasnikowski.pl>2026-04-23 12:22:56 +0200
commit211a17ae438703dfe1bee1db40c77b0e83798b74 (patch)
tree7105ec0a810e432574381ffb058aa4a842480ad3 /deployment/system/aisaka.scm
parentc927286e18c12e0613fb9aac57cf4c13c9250ba1 (diff)
move nginx-related definitions to a new module
Diffstat (limited to 'deployment/system/aisaka.scm')
-rw-r--r--deployment/system/aisaka.scm307
1 files changed, 2 insertions, 305 deletions
diff --git a/deployment/system/aisaka.scm b/deployment/system/aisaka.scm
index a172bf3..8035789 100644
--- a/deployment/system/aisaka.scm
+++ b/deployment/system/aisaka.scm
@@ -15,16 +15,10 @@
#:prefix gnu:packages:linux:)
#:use-module ((gnu packages tls)
#:prefix gnu:packages:tls:)
- #:use-module ((gnu packages version-control)
- #:prefix gnu:packages:version-control:)
#:use-module ((gnu services)
#:prefix gnu:services:)
#:use-module ((gnu services base)
#:prefix gnu:services:base:)
- #:use-module ((gnu services certbot)
- #:prefix gnu:services:certbot:)
- #:use-module ((gnu services cgit)
- #:prefix gnu:services:cgit:)
#:use-module ((gnu services mail)
#:prefix gnu:services:mail:)
#:use-module ((gnu services networking)
@@ -47,14 +41,10 @@
#:prefix gnu:system:linux-initrd:)
#:use-module ((gnu system locale)
#:prefix gnu:system:locale:)
- #:use-module ((gnu packages matrix)
- #:prefix gnu:packages:matrix:)
#:use-module ((gnu system nss)
#:prefix gnu:system:nss:)
#:use-module ((gnu system pam)
#:prefix gnu:system:pam:)
- #:use-module ((gnu system shadow)
- #:prefix gnu:system:shadow:)
#:use-module ((guix diagnostics)
#:prefix guix:diagnostics:)
#:use-module ((nongnu packages linux)
@@ -84,7 +74,7 @@
(define dovecot-keys "/secrets/dovecot")
-(define nginx-account
+(define-public nginx-account
(gnu:system:accounts:user-account
(name "nginx")
(group "nginx")
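Review bot: `nginx-account` becomes part of this module's public interface at the `define-public` line with no comment stating that it is only usable together with `nginx-group`; the record names `(group "nginx")`, so a consumer that registers the account without the group in the same account-service extension presumably fails at reconfigure time, and that pairing used to be enforced locally by the removed `nginx-accounts` list (group listed before the account). The same applies to `nginx-group` in the following hunk, which is exported the same way. A comment above each definition would make the contract explicit, e.g. `;; Exported for the nginx module: register nginx-group and nginx-account together under account-service-type, group first, as the former nginx-accounts list did.` The `user-account` form starts before and continues past this hunk.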
@@ -95,299 +85,11 @@
(shell (file-append (gnu:packages:specification->package "shadow")
"/sbin/nologin"))))
-(define nginx-group
+(define-public nginx-group
(gnu:system:accounts:user-group
(name "nginx")
(system? #t)))
-(define nginx-accounts
- (let
- ((accounts- (list nginx-group
- nginx-account)))
- (const accounts-)))
-
-(define nginx-extension-of-account
- (gnu:services:service-extension
- gnu:system:shadow:account-service-type
- nginx-accounts))
-
-(define (extend-account extension)
- (let*
- ((extension-target- (gnu:services:service-extension-target extension))
- (account-service-type?- (eq? extension-target-
- gnu:system:shadow:account-service-type)))
- (if account-service-type?-
- nginx-extension-of-account
- extension)))
-
-(define nginx-service-type*
- (let
- ((nginx-extensions- (gnu:services:service-type-extensions gnu:services:web:nginx-service-type)))
- (gnu:services:service-type
- (inherit gnu:services:web:nginx-service-type)
- (extensions (map extend-account
- nginx-extensions-)))))
-
-(define cgit-repository-configuration
- (gnu:services:cgit:repository-cgit-configuration
- (hide? #t)
- (path "/srv/git/marek/packages")))
-
-(define git-http-configuration
- (gnu:services:version-control:git-http-configuration
- (git-root "/var/lib/gitolite/repositories")
- (uri-path "/git")))
-
-(define nginx-extension-of-cgit
- (gnu:services:service-extension
- nginx-service-type*
- gnu:services:cgit:cgit-configuration-nginx-config))
-
-(define (extend-cgit extension)
- (let*
- ((extension-target- (gnu:services:service-extension-target extension))
- (nginx-service-type?- (eq? extension-target-
- gnu:services:web:nginx-service-type)))
- (if nginx-service-type?-
- nginx-extension-of-cgit
- extension)))
-
-(define cgit-type
- (let
- ((cgit-extensions- (gnu:services:service-type-extensions gnu:services:cgit:cgit-service-type)))
- (gnu:services:service-type
- (inherit gnu:services:cgit:cgit-service-type)
- (extensions (map extend-cgit
- cgit-extensions-)))))
-
-(define nginx-location-cgit
- (gnu:services:web:nginx-location-configuration
- (body (list "fastcgi_param HTTP_HOST $server_name ;"
- "fastcgi_param PATH_INFO $uri ;"
- "fastcgi_param QUERY_STRING $args ;"
- "fastcgi_param SCRIPT_FILENAME $document_root/lib/cgit/cgit.cgi ;"
- "fastcgi_pass 127.0.0.1:9000 ;"))
- (uri "@cgit")))
-
-(define nginx-location-proxy-guix
- (gnu:services:web:nginx-location-configuration
- (body (list "proxy_pass http://localhost:5232/ ;"
- "proxy_set_header X-Script-Name \"\" ;"
- "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;"
- "proxy_set_header Host $http_host ;"
- "proxy_pass_header Authorization ;"))
- (uri "/")))
-
-(define nginx-location-proxy-matrix
- (gnu:services:web:nginx-location-configuration
- (body (list "proxy_pass http://localhost:8008 ;"
- "proxy_set_header X-Forwarded-For $remote_addr ;"
- "proxy_set_header X-Forwarded-Proto $scheme ;"
- "proxy_set_header Host $host:$server_port ;"
- "client_max_body_size 1024M ;"))
- (uri "~ ^(/_matrix|/_synapse/client)")))
-
-(define nginx-location-proxy-radicale
- (gnu:services:web:nginx-location-configuration
- (body (list "proxy_pass http://localhost:8080/ ;"
- "proxy_set_header X-Script-Name \"\" ;"
- "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;"
- "proxy_set_header Host $http_host ;"
- "proxy_pass_header Authorization ;"))
- (uri "/")))
-
-(define nginx-location-proxy-auth
- (gnu:services:web:nginx-location-configuration
- (body (list "proxy_set_header Host $host;"
- "proxy_set_header X-Real-IP $remote_addr;"
- "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"
- "proxy_set_header X-Forwarded-Proto $scheme;"
- "if ($ssl_client_verify != SUCCESS) {return 403;}"))
- (uri "/")))
-
-(define nginx-location-well-known
- (gnu:services:web:nginx-location-configuration
- (body (list "root /srv/www/marek/marekpasnikowski.pl ;"))
- (uri "/.well-known")))
-
-(define nginx-location-well-known-matrix-client
- (gnu:services:web:nginx-location-configuration
- (body (list "return 200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.marekpasnikowski.pl\"}}' ;"
- "default_type application/json ;"
- "add_header Access-Control-Allow-Origin * ;"))
- (uri "/.well-known/matrix/client")))
-
-(define nginx-server-cgit
- (let
- ((git-http- (gnu:services:version-control:git-http-nginx-location-configuration git-http-configuration)))
- (gnu:services:web:nginx-server-configuration
- (locations (list git-http-
- nginx-location-cgit
- nginx-location-well-known))
- (listen (list "192.168.10.2:443 ssl"))
- (root gnu:packages:version-control:cgit)
- (server-name (list "git.marekpasnikowski.pl"))
- (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
- (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
- (try-files (list "$uri" "@cgit")))))
-
-(define nginx-server-guix
- (gnu:services:web:nginx-server-configuration
- (locations (list nginx-location-proxy-guix))
- (listen (list "192.168.10.2:443 ssl"))
- (server-name (list "guix.marekpasnikowski.pl"))
- (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
- (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")))
-
-(define nginx-server-matrix
- (gnu:services:web:nginx-server-configuration
- (locations (list nginx-location-proxy-matrix))
- (listen (list "192.168.10.2:443 ssl"
- "192.168.10.2:8448 ssl default_server"))
- (root (file-append gnu:packages:matrix:synapse
- "/lib/python3.11/site-packages/synapse/static"))
- (server-name (list "matrix.marekpasnikowski.pl"))
- (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
- (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
- (raw-content (list "proxy_http_version 1.1 ;"))))
-
-(define nginx-server-portal
- (gnu:services:web:nginx-server-configuration
- (locations (list nginx-location-well-known
- nginx-location-well-known-matrix-client))
- (listen (list "192.168.10.2:443 ssl"))
- (root "/home/marek/Publiczne/www")
- (server-name (list 'default
- "marekpasnikowski.pl"))
- (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
- (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")))
-
-(define nginx-server-radicale
- (gnu:services:web:nginx-server-configuration
- (locations (list nginx-location-proxy-radicale
- nginx-location-well-known))
- (listen (list "192.168.10.2:443 ssl"))
- (server-name (list "radicale.marekpasnikowski.pl"))))
-
-(define nginx-server-schron
- (gnu:services:web:nginx-server-configuration
- (locations (list nginx-location-proxy-auth))
- (listen (list "192.168.10.2:443 ssl"))
- (root "/home/marek/Publiczne/schron")
- (server-name (list "schron.marekpasnikowski.pl"))
- (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
- (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
- (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
- "ssl_verify_client on;"))))
-
-(define nginx-server-sejf
- (gnu:services:web:nginx-server-configuration
- (locations (list nginx-location-proxy-auth))
- (listen (list "192.168.10.2:443 ssl"))
- (root "/home/marek/Publiczne/sejf")
- (server-name (list "sejf.marekpasnikowski.pl"))
- (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
- (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
- (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
- "ssl_verify_client on;"))))
-
-(define nginx-server-test
- (gnu:services:web:nginx-server-configuration
- (locations (list nginx-location-proxy-auth))
- (listen (list "192.168.10.2:443 ssl"))
- (root "/home/marek/Publiczne/schron")
- (server-name (list "test.marekpasnikowski.pl"))
- (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
- (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
- (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
- "ssl_verify_client on;"))))
-
-(define nginx-server-www
- (gnu:services:web:nginx-server-configuration
- (listen (list "192.168.10.2:443 ssl"))
- (root "/home/marek/Publiczne/www")
- (server-name (list "www.marekpasnikowski.pl"))))
-
-(define cgit-configuration
- (gnu:services:cgit:cgit-configuration
- (nginx (list nginx-server-cgit))
- (repositories (list cgit-repository-configuration))
- (project-list (list "deployment.git"
- "nonguix.git"
- "sovereign.git"))
- (repository-directory "/var/lib/gitolite/repositories")))
-
-(define nginx-configuration*
- (gnu:services:web:nginx-configuration
- (shepherd-requirement (list 'networking))
- (server-blocks (list nginx-server-portal
- nginx-server-www
- nginx-server-guix
- nginx-server-matrix
- nginx-server-test
- nginx-server-schron
- nginx-server-sejf
- nginx-server-radicale))))
-
-(define nginx-deploy-hook-file
- #~(let
- ((pid (call-with-input-file "/var/run/nginx/pid"
- read)))
- (kill pid SIGHUP)))
-
-(define nginx-extension-of-certbot
- (gnu:services:service-extension
- nginx-service-type*
- (@@ (gnu services certbot) certbot-nginx-server-configurations)))
-
-(define (extend-certbot extension)
- (let*
- ((extension-target- (gnu:services:service-extension-target extension))
- (nginx-service-type?- (eq? extension-target-
- gnu:services:web:nginx-service-type)))
- (if nginx-service-type?-
- nginx-extension-of-certbot
- extension)))
-
-(define certbot-type
- (let
- ((certbot-extensions- (gnu:services:service-type-extensions gnu:services:certbot:certbot-service-type)))
- (gnu:services:service-type
- (inherit gnu:services:certbot:certbot-service-type)
- (extensions (map extend-certbot
- certbot-extensions-)))))
-
-(define certificate-configuration
- (gnu:services:certbot:certificate-configuration
- (deploy-hook (program-file "nginx-deploy-hook"
- nginx-deploy-hook-file))
- (domains (list "marekpasnikowski.pl"
- "git.marekpasnikowski.pl"
- "guix.marekpasnikowski.pl"
- "matrix.marekpasnikowski.pl"
- "mx.marekpasnikowski.pl"
- "radicale.marekpasnikowski.pl"
- "schron.marekpasnikowski.pl"
- "sejf.marekpasnikowski.pl"
- "test.marekpasnikowski.pl"
- "www.marekpasnikowski.pl"))))
-
-(define certbot-configuration
- (gnu:services:certbot:certbot-configuration
- (certificates (list certificate-configuration))
- (email "marek@marekpasnikowski.pl")
- (webroot "/srv/www/marek/marekpasnikowski.pl")))
-
-(define-public certbot
- (gnu:services:service
- certbot-type
- certbot-configuration))
-
-(define-public cgit
- (gnu:services:service
- cgit-type
- cgit-configuration))
-
(define-public etc
(let*
((mailname-file- (plain-file "mailname"
@@ -462,11 +164,6 @@
(define-public system-keyboard-layout
(gnu:system:keyboard:keyboard-layout "pl"))
-(define-public nginx
- (gnu:services:service
- nginx-service-type*
- nginx-configuration*))
-
(define rakan-machine
#~(build-machine
(name "rakan")