summaryrefslogtreecommitdiff
path: root/deployment/systems/aisaka.scm
diff options
context:
space:
mode:
authorMarek Paśnikowski <marek@marekpasnikowski.pl>2026-01-20 14:29:01 +0100
committerMarek Paśnikowski <marek@marekpasnikowski.pl>2026-01-20 14:29:01 +0100
commit1fe389d2147a3cc1a8a87f1ed39295735e5a0dee (patch)
treec70edf290f7cfb2f0a9aaddcd11c726ac872035d /deployment/systems/aisaka.scm
parent57f2d69c9657a7e6fcc4636a4919ac44bc84d58c (diff)
aisaka: modernize the coding styletest
Diffstat (limited to 'deployment/systems/aisaka.scm')
-rw-r--r--deployment/systems/aisaka.scm861
1 files changed, 438 insertions, 423 deletions
diff --git a/deployment/systems/aisaka.scm b/deployment/systems/aisaka.scm
index eaba797..6758e89 100644
--- a/deployment/systems/aisaka.scm
+++ b/deployment/systems/aisaka.scm
@@ -1,116 +1,157 @@
;;; SPDX-License-Identifier: GPL-3.0-or-later
-;;; SPDX-FileCopyrightText: 2024-2025 Marek Paśnikowski <marek@marekpasnikowski.pl>
+;;; SPDX-FileCopyrightText: 2024-2026 Marek Paśnikowski <marek@marekpasnikowski.pl>
(define-module (deployment systems aisaka)
- #:use-module (guix gexp)
- #:use-module ((deployment keys) #:prefix deployment:keys:)
- #:use-module ((gnu bootloader) #:prefix gnu:bootloader:)
- #:use-module ((gnu bootloader grub) #:prefix gnu:bootloader:grub:)
- #:use-module ((gnu packages linux) #:prefix gnu:packages:linux:)
- #:use-module ((gnu packages tls) #:prefix gnu:packages:tls:)
- #:use-module ((gnu services) #:prefix gnu:services:)
- #:use-module ((gnu services base) #:prefix gnu:services:base:)
- #:use-module ((gnu services dns) #:prefix gnu:services:dns:)
- #:use-module ((gnu services networking) #:prefix gnu:services:networking:)
- #:use-module ((gnu services shepherd) #:prefix gnu:services:shepherd:)
- #:use-module ((gnu services version-control) #:prefix gnu:services:version-control:)
- #:use-module ((gnu services web) #:prefix gnu:services:web:)
- #:use-module ((gnu system) #:prefix gnu:system:)
- #:use-module ((gnu system file-systems) #:prefix gnu:system:file-systems:)
- #:use-module ((gnu system shadow) #:prefix gnu:system:shadow:)
- #:use-module ((nongnu packages linux) #:prefix nongnu:packages:linux:)
- #:use-module ((nongnu system linux-initrd) #:prefix nongnu:system:linux-initrd:)
- #:use-module ((sovereign devices) #:prefix sovereign:devices:)
- #:use-module ((sovereign devices amd64) #:prefix sovereign:devices:amd64:)
- #:use-module ((sovereign packages jekyll) #:prefix sovereign:packages:jekyll:)
- #:use-module ((sovereign systems) #:prefix sovereign:systems:)
- #:use-module ((users id1000) #:prefix users:id1000:)
- #:use-module ((users vmail) #:prefix users:vmail:))
+ #:use-module (guix gexp)
+ #:use-module ((deployment keys)
+ #:prefix deployment:keys:)
+ #:use-module ((gnu bootloader)
+ #:prefix gnu:bootloader:)
+ #:use-module ((gnu bootloader grub)
+ #:prefix gnu:bootloader:grub:)
+ #:use-module ((gnu packages)
+ #:prefix gnu:packages:)
+ #:use-module ((gnu packages linux)
+ #:prefix gnu:packages:linux:)
+ #:use-module ((gnu packages tls)
+ #:prefix gnu:packages:tls:)
+ #:use-module ((gnu packages version-control)
+ #:prefix gnu:packages:version-control:)
+ #:use-module ((gnu services)
+ #:prefix gnu:services:)
+ #:use-module ((gnu services base)
+ #:prefix gnu:services:base:)
+ #:use-module ((gnu services certbot)
+ #:prefix gnu:services:certbot:)
+ #:use-module ((gnu services cgit)
+ #:prefix gnu:services:cgit:)
+ #:use-module ((gnu services dns)
+ #:prefix gnu:services:dns:)
+ #:use-module ((gnu services mail)
+ #:prefix gnu:services:mail:)
+ #:use-module ((gnu services networking)
+ #:prefix gnu:services:networking:)
+ #:use-module ((gnu services shepherd)
+ #:prefix gnu:services:shepherd:)
+ #:use-module ((gnu services ssh)
+ #:prefix gnu:services:ssh:)
+ #:use-module ((gnu services version-control)
+ #:prefix gnu:services:version-control:)
+ #:use-module ((gnu services web)
+ #:prefix gnu:services:web:)
+ #:use-module ((gnu system)
+ #:prefix gnu:system:)
+ #:use-module ((gnu system accounts)
+ #:prefix gnu:system:accounts:)
+ #:use-module ((gnu system file-systems)
+ #:prefix gnu:system:file-systems:)
+ #:use-module ((gnu system keyboard)
+ #:prefix gnu:system:keyboard:)
+ #:use-module ((gnu system shadow)
+ #:prefix gnu:system:shadow:)
+ #:use-module ((nongnu packages linux)
+ #:prefix nongnu:packages:linux:)
+ #:use-module ((nongnu system linux-initrd)
+ #:prefix nongnu:system:linux-initrd:)
+ #:use-module ((sovereign devices)
+ #:prefix sovereign:devices:)
+ #:use-module ((sovereign devices amd64)
+ #:prefix sovereign:devices:amd64:)
+ #:use-module ((sovereign packages jekyll)
+ #:prefix sovereign:packages:jekyll:)
+ #:use-module ((sovereign systems)
+ #:prefix sovereign:systems:)
+ #:use-module ((users id1000)
+ #:prefix users:id1000:)
+ #:use-module ((users vmail)
+ #:prefix users:vmail:))
(define ip-multimedia "81.190.248.246")
(define ip-otvarta "95.171.119.109")
(define spf-value
- (string-append "\"v=spf1 ip4:"
- ip-otvarta
- " -all\""))
+ (string-append "\"v=spf1 ip4:"
+ ip-otvarta
+ " -all\""))
(define ttl "3600")
(gnu:services:dns:define-zone-entries marekpasnikowski.pl-entries
- ("@" ttl "IN" "A" ip-multimedia)
- ("ns" ttl "IN" "A" ip-multimedia)
- ("@" ttl "IN" "NS" "ns.marekpasnikowski.pl.")
- ("ns1" ttl "IN" "A" ip-multimedia)
- ("@" ttl "IN" "NS" "ns1.marekpasnikowski.pl.")
- ("mx" ttl "IN" "A" ip-otvarta)
- ("@" ttl "IN" "MX" "10 mx1.forwardemail.net.")
- ("@" ttl "IN" "MX" "10 mx2.forwardemail.net.")
- ;("@" ttl "IN" "MX" "20 mx.marekpasnikowski.pl.")
- ("@" ttl "IN" "TXT" "\"forward-email-port=49152\"")
- ("@" ttl "IN" "TXT" "\"forward-email=marekpasnikowski.pl\"")
- ("@" ttl "IN" "TXT" spf-value)
- ("_caldavs._tcp" ttl "IN" "SRV" "10 0 443 radicale.marekpasnikowski.pl")
- ("_carddavs._tcp" ttl "IN" "SRV" "10 0 443 radicale.marekpasnikowski.pl")
- ("_dmarc" ttl "IN" "TXT" "\"v=DMARC1; p=reject; sp=reject; pct=100; aspf=s; adkim=s; fo=1; rua=mailto:abuse@marekpasnikowski.pl; ruf=mailto:abuse@marekpasnikowski.pl\"")
- ("dkim._domainkey" ttl "IN" "TXT" "\"v=DKIM1; d=marekpasnikowski.pl; t=s; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo/b/WV5EUxqAhBgJ4v5K3sP8QI+IwziRJ/F9SDO3p3QOMjZd9AGVt2/AztZ4EmcOJnTlbQnLE/DKCOq4HAdxSZjIqj5AXyMddvWiO78+ugdame/flV0tjdDGNflx65Twap3qgJ9jzhvJfZ1BDuh2WC06fn2pyFl1TCETEGp6ZDkI41FW5GH8l9Jk7hhCmr+Mau0EpE7V42lBdireItOA1e7jQcub50584QATme4rYxA7WR4AeIsknOkUo4q8vkVrssoP11nSg/sNM9RGn1QDfVMJRX0twtgGnJ8N5QE4Ia9DvXL4Y0PNMC0/frp13pB6m1VQP/Z4jfDy+TQzEdSRaQIDAQAB\"")
- ("git" ttl "IN" "A" ip-multimedia)
- ("radicale" ttl "IN" "A" ip-multimedia)
- ("schron" ttl "IN" "A" ip-multimedia)
- ("sejf" ttl "IN" "A" ip-multimedia)
- ("test" ttl "IN" "A" ip-multimedia)
- ("www" ttl "IN" "A" ip-multimedia))
+ ("@" ttl "IN" "A" ip-multimedia)
+ ("ns" ttl "IN" "A" ip-multimedia)
+ ("@" ttl "IN" "NS" "ns.marekpasnikowski.pl.")
+ ("ns1" ttl "IN" "A" ip-multimedia)
+ ("@" ttl "IN" "NS" "ns1.marekpasnikowski.pl.")
+ ("mx" ttl "IN" "A" ip-otvarta)
+ ("@" ttl "IN" "MX" "10 mx1.forwardemail.net.")
+ ("@" ttl "IN" "MX" "10 mx2.forwardemail.net.")
+ ;("@" ttl "IN" "MX" "20 mx.marekpasnikowski.pl.")
+ ("@" ttl "IN" "TXT" "\"forward-email-port=49152\"")
+ ("@" ttl "IN" "TXT" "\"forward-email=marekpasnikowski.pl\"")
+ ("@" ttl "IN" "TXT" spf-value)
+ ("_caldavs._tcp" ttl "IN" "SRV" "10 0 443 radicale.marekpasnikowski.pl")
+ ("_carddavs._tcp" ttl "IN" "SRV" "10 0 443 radicale.marekpasnikowski.pl")
+ ("_dmarc" ttl "IN" "TXT" "\"v=DMARC1; p=reject; sp=reject; pct=100; aspf=s; adkim=s; fo=1; rua=mailto:abuse@marekpasnikowski.pl; ruf=mailto:abuse@marekpasnikowski.pl\"")
+ ("dkim._domainkey" ttl "IN" "TXT" "\"v=DKIM1; d=marekpasnikowski.pl; t=s; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo/b/WV5EUxqAhBgJ4v5K3sP8QI+IwziRJ/F9SDO3p3QOMjZd9AGVt2/AztZ4EmcOJnTlbQnLE/DKCOq4HAdxSZjIqj5AXyMddvWiO78+ugdame/flV0tjdDGNflx65Twap3qgJ9jzhvJfZ1BDuh2WC06fn2pyFl1TCETEGp6ZDkI41FW5GH8l9Jk7hhCmr+Mau0EpE7V42lBdireItOA1e7jQcub50584QATme4rYxA7WR4AeIsknOkUo4q8vkVrssoP11nSg/sNM9RGn1QDfVMJRX0twtgGnJ8N5QE4Ia9DvXL4Y0PNMC0/frp13pB6m1VQP/Z4jfDy+TQzEdSRaQIDAQAB\"")
+ ("git" ttl "IN" "A" ip-multimedia)
+ ("radicale" ttl "IN" "A" ip-multimedia)
+ ("schron" ttl "IN" "A" ip-multimedia)
+ ("sejf" ttl "IN" "A" ip-multimedia)
+ ("test" ttl "IN" "A" ip-multimedia)
+ ("www" ttl "IN" "A" ip-multimedia))
(define marekpasnikowski.pl-zone
- (gnu:services:dns:zone-file
- (entries marekpasnikowski.pl-entries)
- (origin "marekpasnikowski.pl")
- (ns "ns.marekpasnikowski.pl.")
- (mail "marek.marekpasnikowski.pl.")
- (serial 2026010903)))
+ (gnu:services:dns:zone-file
+ (entries marekpasnikowski.pl-entries)
+ (origin "marekpasnikowski.pl")
+ (ns "ns.marekpasnikowski.pl.")
+ (mail "marek.marekpasnikowski.pl.")
+ (serial 2026010903)))
(define master-zone
- (gnu:services:dns:knot-zone-configuration
- (domain "marekpasnikowski.pl")
- (zone marekpasnikowski.pl-zone)))
+ (gnu:services:dns:knot-zone-configuration
+ (domain "marekpasnikowski.pl")
+ (zone marekpasnikowski.pl-zone)))
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+(define knot
+ (gnu:services:service gnu:services:dns:knot-service-type
+ (gnu:services:dns:knot-configuration
+ (listen-v4 "192.168.10.2")
+ (zones (list master-zone)))))
(define radicale-keys "/secrets/radicale/keys")
+
(define dovecot-keys "/secrets/dovecot")
(define (nginx-accounts)
- (use-modules (gnu packages)
- (guix gexp))
- (list ((@ (gnu system accounts) user-group)
- (name "nginx")
- (system? #t))
- ((@ (gnu system accounts) user-account)
- (name "nginx")
- (group "nginx")
- (supplementary-groups '("git"))
- (system? #t)
- (comment "nginx server user")
- (home-directory "/var/empty")
- (shell (file-append (specification->package "shadow")
- "/sbin/nologin")))))
+ (list (gnu:system:accounts:user-group
+ (name "nginx")
+ (system? #t))
+ (gnu:system:accounts:user-account
+ (name "nginx")
+ (group "nginx")
+ (supplementary-groups '("git"))
+ (system? #t)
+ (comment "nginx server user")
+ (home-directory "/var/empty")
+ (shell (file-append (gnu:packages:specification->package "shadow")
+ "/sbin/nologin")))))
(define (nginx-service-type*)
(use-modules (gnu services)
- (gnu services web)
- (gnu system shadow))
- ((@ (gnu services) service-type)
- (inherit nginx-service-type)
+ (gnu services web))
+ (gnu:services:service-type
+ (inherit nginx-service-type)
(extensions (map (lambda (extension)
- (if (eq? ((@ (gnu services) service-extension-target)
+ (if (eq? (gnu:services:service-extension-target
extension)
- account-service-type)
- ((@ (gnu services) service-extension)
- account-service-type
+ gnu:system:shadow:account-service-type)
+ (gnu:services:service-extension
+ gnu:system:shadow:account-service-type
(const (nginx-accounts)))
extension))
- ((@ (gnu services) service-type-extensions)
+ (gnu:services:service-type-extensions
nginx-service-type)))))
(define nginx-service-type*
@@ -121,11 +162,10 @@
;;;???????????????????????????????????????????????????????????????????
-(define (certbot)
- (use-modules (gnu services certbot))
+(define certbot
((@ (gnu services) service)
((@ (gnu services) service-type)
- (inherit certbot-service-type)
+ (inherit gnu:services:certbot:certbot-service-type)
(extensions (map (lambda (extension)
(if (eq? ((@ (gnu services) service-extension-target)
extension)
@@ -136,7 +176,7 @@
certbot-nginx-server-configurations))
extension))
((@ (gnu services) service-type-extensions)
- certbot-service-type))))
+ gnu:services:certbot:certbot-service-type))))
((@ (gnu services certbot) certbot-configuration)
(certificates
(list
@@ -160,30 +200,27 @@
(email "marek@marekpasnikowski.pl")
(webroot "/srv/www/marek/marekpasnikowski.pl"))))
-(define (cgit-izumi)
- (use-modules (gnu packages version-control)
- (gnu services cgit)
- (gnu services version-control))
+(define cgit-izumi
((@ (gnu services) service)
((@ (gnu services) service-type)
- (inherit cgit-service-type)
+ (inherit gnu:services:cgit:cgit-service-type)
(extensions (map (lambda (extension)
(if (eq? ((@ (gnu services) service-extension-target)
extension)
nginx-service-type)
((@ (gnu services) service-extension)
nginx-service-type*
- cgit-configuration-nginx-config)
+ gnu:services:cgit:cgit-configuration-nginx-config)
extension))
((@ (gnu services) service-type-extensions)
- cgit-service-type))))
+ gnu:services:cgit:cgit-service-type))))
((@ (gnu services cgit) cgit-configuration)
(nginx
(list
((@ (gnu services web) nginx-server-configuration)
(locations
(list
- (git-http-nginx-location-configuration
+ (gnu:services:version-control:git-http-nginx-location-configuration
((@ (gnu services version-control) git-http-configuration)
(git-root "/var/lib/gitolite/repositories")
(uri-path "/git")))
@@ -200,7 +237,7 @@
(body (list "root /srv/www/marek/marekpasnikowski.pl/ ;"))
(uri "/.well-known"))))
(listen (list "192.168.10.2:443 ssl"))
- (root cgit)
+ (root gnu:packages:version-control:cgit)
(server-name (list "git.marekpasnikowski.pl"))
(ssl-certificate
"/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
@@ -217,385 +254,363 @@
"sovereign.git"))
(repository-directory "/var/lib/gitolite/repositories"))))
-(define (etc-mailname)
- (gnu:services:simple-service 'etc-files
- etc-service-type
- (list `("mailname" ,(plain-file "mailname"
- "marekpasnikowski.pl\n")))))
+(define etc-mailname
+ (gnu:services:simple-service 'etc-files
+ etc-service-type
+ (list `("mailname" ,(plain-file "mailname"
+ "marekpasnikowski.pl\n")))))
-(define (fcgiwrap)
- ((@ (gnu services) service)
- fcgiwrap-service-type
- ((@ (gnu services web) fcgiwrap-configuration)
- (user "git")
- (group "git"))))
+(define fcgiwrap
+ (gnu:services:service
+ fcgiwrap-service-type
+ (gnu:services:web:fcgiwrap-configuration
+ (user "git")
+ (group "git"))))
(define file-system-efi
- (gnu:system:file-systems:file-system
- (device (gnu:system:file-systems:file-system-label "AISAKA"))
- (mount-point "/boot")
- (type "vfat")
- (flags (list))
- (options #f)
- (mount? #t)
- (mount-may-fail? #t)
- (needed-for-boot? #f)
- (check? #t)
- (skip-check-if-clean? #f)
- (repair 'preen)
- (create-mount-point? #f)
- (dependencies (list))
- (shepherd-requirements (list))
- (location (current-source-location))))
+ (gnu:system:file-systems:file-system
+ (device (gnu:system:file-systems:file-system-label "AISAKA"))
+ (mount-point "/boot")
+ (type "vfat")
+ (flags (list))
+ (options #f)
+ (mount? #t)
+ (mount-may-fail? #t)
+ (needed-for-boot? #f)
+ (check? #t)
+ (skip-check-if-clean? #f)
+ (repair 'preen)
+ (create-mount-point? #f)
+ (dependencies (list))
+ (shepherd-requirements (list))
+ (location (current-source-location))))
(define file-system-root
- (gnu:system:file-systems:file-system
- (device (gnu:system:file-systems:file-system-label "aisaka-root"))
- (mount-point "/")
- (type "ext4")
- (flags (list))
- (options #f)
- (mount? #t)
- (mount-may-fail? #f)
- (needed-for-boot? #t)
- (check? #t)
- (skip-check-if-clean? #f)
- (repair 'preen)
- (create-mount-point? #f)
- (dependencies (list))
- (shepherd-requirements (list))
- (location (current-source-location))))
+ (gnu:system:file-systems:file-system
+ (device (gnu:system:file-systems:file-system-label "aisaka-root"))
+ (mount-point "/")
+ (type "ext4")
+ (flags (list))
+ (options #f)
+ (mount? #t)
+ (mount-may-fail? #f)
+ (needed-for-boot? #t)
+ (check? #t)
+ (skip-check-if-clean? #f)
+ (repair 'preen)
+ (create-mount-point? #f)
+ (dependencies (list))
+ (shepherd-requirements (list))
+ (location (current-source-location))))
-(define (gitolite)
- ((@ (gnu services) service)
- gnu:services:version-control:gitolite-service-type
- ((@ (gnu services version-control) gitolite-configuration)
- (rc-file ((@ (gnu services version-control) gitolite-rc-file)
- (umask #o0027)))
- (admin-pubkey #f))))
+(define gitolite
+ (gnu:services:service
+ gnu:services:version-control:gitolite-service-type
+ (gnu:services:version-control:gitolite-configuration
+ (rc-file (gnu:services:version-control:gitolite-rc-file
+ (umask #o0027)))
+ (admin-pubkey #f))))
(define system-keyboard-layout
- ((@ (gnu system keyboard) keyboard-layout)
- "pl"))
+ (gnu:system:keyboard:keyboard-layout "pl"))
-(define (nginx-izumi)
- ((@ (gnu services) service)
- nginx-service-type*
- ((@ (gnu services web) nginx-configuration)
- (shepherd-requirement (list 'networking))
- (server-blocks
- (list
- ;; Portal
- ((@ (gnu services web) nginx-server-configuration)
- (locations
- (list
- ((@ (gnu services web) nginx-location-configuration)
- (uri "/.well-known" )
- (body
- (list "root /srv/www/marek/marekpasnikowski.pl ;")))))
- (listen (list "192.168.10.2:443 ssl"))
- (root "/home/marek/Publiczne/www")
- (server-name (list "marekpasnikowski.pl"))
- (ssl-certificate
- "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
- (ssl-certificate-key
- "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem"))
- ;; WWW
- (gnu:services:web:nginx-server-configuration
- (listen (list "192.168.10.2:443 ssl"))
- (root "/home/marek/Publiczne/www")
- (server-name (list "www.marekpasnikowski.pl")))
- ;; Test
- (gnu:services:web:nginx-server-configuration
- (locations (list (gnu:services:web:nginx-location-configuration
- (body (list "proxy_set_header Host $host;"
- "proxy_set_header X-Real-IP $remote_addr;"
- "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"
- "proxy_set_header X-Forwarded-Proto $scheme;"
- "if ($ssl_client_verify != SUCCESS) {return 403;}"))
- (uri "/"))))
- (listen (list "192.168.10.2:443 ssl"))
- (root "/home/marek/Publiczne/schron")
- (server-name (list "test.marekpasnikowski.pl"))
- (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
- (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
- (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
- "ssl_verify_client on;")))
- ;; Schron
- (gnu:services:web:nginx-server-configuration
- (locations (list (gnu:services:web:nginx-location-configuration
- (body (list "proxy_set_header Host $host;"
- "proxy_set_header X-Real-IP $remote_addr;"
- "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"
- "proxy_set_header X-Forwarded-Proto $scheme;"
- "if ($ssl_client_verify != SUCCESS) {return 403;}"))
- (uri "/"))))
- (listen (list "192.168.10.2:443 ssl"))
- (root "/home/marek/Publiczne/schron")
- (server-name (list "schron.marekpasnikowski.pl"))
- (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
- (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
- (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
- "ssl_verify_client on;")))
- ;; Sejf
- (gnu:services:web:nginx-server-configuration
- (locations (list (gnu:services:web:nginx-location-configuration
- (body (list "proxy_set_header Host $host;"
- "proxy_set_header X-Real-IP $remote_addr;"
- "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"
- "proxy_set_header X-Forwarded-Proto $scheme;"
- "if ($ssl_client_verify != SUCCESS) {return 403;}"))
- (uri "/"))))
- (listen (list "192.168.10.2:443 ssl"))
- (root "/home/marek/Publiczne/sejf")
- (server-name (list "sejf.marekpasnikowski.pl"))
- (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
- (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
- (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
- "ssl_verify_client on;")))
- ;; Radicale
- ((@ (gnu services web) nginx-server-configuration)
- (locations
- (list
- ((@ (gnu services web) nginx-location-configuration)
- (body
- (list
- "proxy_pass http://localhost:5232/ ;"
- "proxy_set_header X-Script-Name \"\" ;"
- "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;"
- "proxy_set_header Host $http_host ;"
- "proxy_pass_header Authorization ;"))
- (uri "/"))
- ((@ (gnu services web) nginx-location-configuration)
- (body
- (list "root /srv/www/marek/marekpasnikowski.pl ;"))
- (uri "/.well-known"))))
- (listen (list "192.168.10.2:443 ssl"))
- (server-name (list "radicale.marekpasnikowski.pl"))))))))
+(define nginx-izumi
+ (gnu:services:service
+ nginx-service-type*
+ (gnu:services:web:nginx-configuration
+ (shepherd-requirement (list 'networking))
+ (server-blocks (list (gnu:services:web:nginx-server-configuration
+ (locations
+ (list (gnu:services:web:nginx-location-configuration
+ (uri "/.well-known" )
+ (body (list "root /srv/www/marek/marekpasnikowski.pl ;")))))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/www")
+ (server-name (list "marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem"))
+ ;; WWW
+ (gnu:services:web:nginx-server-configuration
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/www")
+ (server-name (list "www.marekpasnikowski.pl")))
+ ;; Test
+ (gnu:services:web:nginx-server-configuration
+ (locations (list (gnu:services:web:nginx-location-configuration
+ (body (list "proxy_set_header Host $host;"
+ "proxy_set_header X-Real-IP $remote_addr;"
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"
+ "proxy_set_header X-Forwarded-Proto $scheme;"
+ "if ($ssl_client_verify != SUCCESS) {return 403;}"))
+ (uri "/"))))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/schron")
+ (server-name (list "test.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
+ (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
+ "ssl_verify_client on;")))
+ ;; Schron
+ (gnu:services:web:nginx-server-configuration
+ (locations (list (gnu:services:web:nginx-location-configuration
+ (body (list "proxy_set_header Host $host;"
+ "proxy_set_header X-Real-IP $remote_addr;"
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"
+ "proxy_set_header X-Forwarded-Proto $scheme;"
+ "if ($ssl_client_verify != SUCCESS) {return 403;}"))
+ (uri "/"))))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/schron")
+ (server-name (list "schron.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
+ (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
+ "ssl_verify_client on;")))
+ ;; Sejf
+ (gnu:services:web:nginx-server-configuration
+ (locations (list (gnu:services:web:nginx-location-configuration
+ (body (list "proxy_set_header Host $host;"
+ "proxy_set_header X-Real-IP $remote_addr;"
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"
+ "proxy_set_header X-Forwarded-Proto $scheme;"
+ "if ($ssl_client_verify != SUCCESS) {return 403;}"))
+ (uri "/"))))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/sejf")
+ (server-name (list "sejf.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
+ (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
+ "ssl_verify_client on;")))
+ ;; Radicale
+ (gnu:services:web:nginx-server-configuration
+ (locations (list (gnu:services:web:nginx-location-configuration
+ (body (list "proxy_pass http://localhost:5232/ ;"
+ "proxy_set_header X-Script-Name \"\" ;"
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;"
+ "proxy_set_header Host $http_host ;"
+ "proxy_pass_header Authorization ;"))
+ (uri "/"))
+ (gnu:services:web:nginx-location-configuration
+ (body (list "root /srv/www/marek/marekpasnikowski.pl ;"))
+ (uri "/.well-known"))))
+ (listen (list "192.168.10.2:443 ssl"))
+ (server-name (list "radicale.marekpasnikowski.pl"))))))))
(define rakan-machine
- #~(build-machine
- (name "rakan")
- (systems (list "x86_64-linux"
- "i686-linux"))
- (user "marek")
- (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFxlIhNlkWCNA+l/RiOJztB+VWhuJtDTUvSwwlE3MpgJ root@rakan")
- (private-key "/home/marek/.ssh/id_ed25519")))
+ #~(build-machine
+ (name "rakan")
+ (systems (list "x86_64-linux"
+ "i686-linux"))
+ (user "marek")
+ (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFxlIhNlkWCNA+l/RiOJztB+VWhuJtDTUvSwwlE3MpgJ root@rakan")
+ (private-key "/home/marek/.ssh/id_ed25519")))
(define guix-offload-rakan
- (gnu:services:base:guix-extension
- (authorized-keys (list deployment:keys:akashi-guix
- deployment:keys:rakan-guix))
- (build-machines (list rakan-machine))))
+ (gnu:services:base:guix-extension
+ (authorized-keys (list deployment:keys:akashi-guix
+ deployment:keys:rakan-guix))
+ (build-machines (list rakan-machine))))
(define offload-rakan
- (gnu:services:simple-service 'offload-rakan
- gnu:services:base:guix-service-type
- guix-offload-rakan))
+ (gnu:services:simple-service 'offload-rakan
+ gnu:services:base:guix-service-type
+ guix-offload-rakan))
-(define (openssh)
- (use-modules (gnu services ssh))
- ((@ (gnu services) service)
- openssh-service-type))
+(define openssh
+ (gnu:services:service
+ gnu:services:ssh:openssh-service-type))
-(define (radicale)
- (use-modules (gnu services mail))
- ((@ (gnu services) service)
- radicale-service-type
- ((@ (gnu services mail) radicale-configuration)
- (auth ((@ (gnu services mail) radicale-auth-configuration)
- (type 'htpasswd)
- (htpasswd-filename radicale-keys)
- (htpasswd-encryption 'plain)))
- (storage ((@ (gnu services mail) radicale-storage-configuration)
- (filesystem-folder "/data/radicale/collections"))))))
+(define radicale-auth-configuration
+ (gnu:services:mail:radicale-auth-configuration
+ (type 'htpasswd)
+ (htpasswd-filename radicale-keys)
+ (htpasswd-encryption 'plain)))
+
+(define radicale-storage-configuration
+ (gnu:services:mail:radicale-storage-configuration
+ (filesystem-folder "/data/radicale/collections")))
+
+(define radicale-configuration
+ (gnu:services:mail:radicale-configuration
+ (auth radicale-auth-configuration)
+ (storage radicale-storage-configuration)))
+
+(define radicale
+ (gnu:services:service
+ gnu:services:mail:radicale-service-type
+ radicale-configuration))
(define enp1s0-address-4
- (gnu:services:base:network-address
- (device "enp1s0")
- (value "192.168.10.2/24")
- (ipv6? #f)))
+ (gnu:services:base:network-address
+ (device "enp1s0")
+ (value "192.168.10.2/24")
+ (ipv6? #f)))
(define enp2s0-address-4
- (gnu:services:base:network-address
- (device "enp2s0")
- (value "192.168.1.2/24")
- (ipv6? #f)))
+ (gnu:services:base:network-address
+ (device "enp2s0")
+ (value "192.168.1.2/24")
+ (ipv6? #f)))
(define enp1s0-route-4-default
- (gnu:services:base:network-route
- (destination "default")
- (source #f)
- (device #f)
- (ipv6? #f)
- (gateway "192.168.10.1")))
+ (gnu:services:base:network-route
+ (destination "default")
+ (source #f)
+ (device #f)
+ (ipv6? #f)
+ (gateway "192.168.10.1")))
(define network-hardware
- (gnu:services:base:static-networking
- (addresses (list enp1s0-address-4
- enp2s0-address-4))
- (links (list))
- (routes (list enp1s0-route-4-default))
- (name-servers (list "192.168.10.1"
- "192.168.1.1"))
- (provision (list 'network-hardware))
- (requirement (list))))
+ (gnu:services:base:static-networking
+ (addresses (list enp1s0-address-4
+ enp2s0-address-4))
+ (links (list))
+ (routes (list enp1s0-route-4-default))
+ (name-servers (list "192.168.10.1"
+ "192.168.1.1"))
+ (provision (list 'network-hardware))
+ (requirement (list))))
(define static-networking-configuration
- (list network-hardware))
+ (list network-hardware))
(define static-networking
- (gnu:services:service
- gnu:services:networking:static-networking-service-type
- static-networking-configuration))
+ (gnu:services:service
+ gnu:services:networking:static-networking-service-type
+ static-networking-configuration))
(define ip-command
- (file-append gnu:packages:linux:iproute
- "/sbin/ip"))
+ (file-append gnu:packages:linux:iproute
+ "/sbin/ip"))
(define network-enp2s0-route-default
- (let
- ( (route-default- #~(list #$ip-command
- "route"
- "add"
- "default"
- "via"
- "192.168.1.1"
- "table"
- "1")))
- (gnu:services:shepherd:shepherd-service
- (provision (list 'network-enp2s0-route-default))
- (requirement (list 'network-enp2s0-table))
- (one-shot? #t)
- (respawn? #f)
- (start #~(make-forkexec-constructor #$route-default-))
- (stop #~(const #f))
- (actions (list))
- (auto-start? #t)
- (documentation "Sets up a default route for traffic from enp2s0.")
- (modules gnu:services:shepherd:%default-modules))))
+ (let
+ ((route-default- #~(list #$ip-command
+ "route"
+ "add"
+ "default"
+ "via"
+ "192.168.1.1"
+ "table"
+ "1")))
+ (gnu:services:shepherd:shepherd-service
+ (provision (list 'network-enp2s0-route-default))
+ (requirement (list 'network-enp2s0-table))
+ (one-shot? #t)
+ (respawn? #f)
+ (start #~(make-forkexec-constructor #$route-default-))
+ (stop #~(const #f))
+ (actions (list))
+ (auto-start? #t)
+ (documentation "Sets up a default route for traffic from enp2s0.")
+ (modules gnu:services:shepherd:%default-modules))))
(define network-enp2s0-table
- (let
- ( (table- #~(list #$ip-command
- "rule"
- "add"
- "from"
- "192.168.1.2"
- "table"
- "1"
- "prio"
- "1")))
- (gnu:services:shepherd:shepherd-service
- (provision (list 'network-enp2s0-table))
- (requirement (list 'network-hardware))
- (one-shot? #t)
- (respawn? #f)
- (start #~(make-forkexec-constructor #$table-))
- (stop #~(const #f))
- (actions (list))
- (auto-start? #t)
- (documentation "Defines a table of rules number 1 for routes through enp2s0.")
- (modules gnu:services:shepherd:%default-modules))))
-
-(define networking
+ (let
+ ((table- #~(list #$ip-command
+ "rule"
+ "add"
+ "from"
+ "192.168.1.2"
+ "table"
+ "1"
+ "prio"
+ "1")))
(gnu:services:shepherd:shepherd-service
- (provision (list 'networking))
- (requirement (list 'network-enp2s0-table
- 'network-enp2s0-route-default))
+ (provision (list 'network-enp2s0-table))
+ (requirement (list 'network-hardware))
(one-shot? #t)
(respawn? #f)
- (start #~(const #t))
+ (start #~(make-forkexec-constructor #$table-))
(stop #~(const #f))
(actions (list))
(auto-start? #t)
- (documentation "Defines a graph root of one-shot services to invoke various ip commands.")
- (modules gnu:services:shepherd:%default-modules)))
+ (documentation "Defines a table of rules number 1 for routes through enp2s0.")
+ (modules gnu:services:shepherd:%default-modules))))
+
+(define networking
+ (gnu:services:shepherd:shepherd-service
+ (provision (list 'networking))
+ (requirement (list 'network-enp2s0-table
+ 'network-enp2s0-route-default))
+ (one-shot? #t)
+ (respawn? #f)
+ (start #~(const #t))
+ (stop #~(const #f))
+ (actions (list))
+ (auto-start? #t)
+ (documentation "Defines a graph root of one-shot services to invoke various ip commands.")
+ (modules gnu:services:shepherd:%default-modules)))
(define iproute2-networking
+ (let
+ ((extensions- (list network-enp2s0-table
+ network-enp2s0-route-default
+ networking)))
(gnu:services:simple-service 'networking
gnu:services:shepherd:shepherd-root-service-type
- (list network-enp2s0-table
- network-enp2s0-route-default
- networking)))
+ extensions-)))
(define swap-device-izumi-1-label
- ((@ (gnu system file-systems) file-system-label)
- "izumi-swap-f"))
-
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ (gnu:system:file-systems:file-system-label "izumi-swap-f"))
(define %sovereign-services*
- (gnu:services:modify-services sovereign:systems:%sovereign-services
- (delete gnu:services:networking:network-manager-service-type)))
+ (gnu:services:modify-services sovereign:systems:%sovereign-services
+ (delete gnu:services:networking:network-manager-service-type)))
(define system-bootloader
- (gnu:bootloader:bootloader-configuration
- (bootloader gnu:bootloader:grub:grub-efi-bootloader)
- (targets (list "/boot"))
- (keyboard-layout sovereign:devices:pl-keyboard-layout)))
-
-(define system-file-systems
- (list file-system-root
- file-system-efi))
-
-(define system-groups
- (list ((@ (gnu system accounts) user-group)
- (name "vmail")
- (system? #t))))
-
-(define system-services
- (list users:id1000:dkim-service
- users:id1000:dovecot-service
- users:id1000:smtp-service
- (gnu:services:service gnu:services:dns:knot-service-type
- (gnu:services:dns:knot-configuration
- (listen-v4 "192.168.10.2")
- (zones (list master-zone))))
- (certbot)
- (cgit-izumi)
- (etc-mailname)
- (fcgiwrap)
- (gitolite)
- (sovereign:systems:guix-home-service (list users:id1000:name/home-environment))
- (nginx-izumi)
- offload-rakan
- (openssh)
- (radicale)
- static-networking
- iproute2-networking))
-
-(define system-users
- (list users:id1000:uid1000-account
- users:vmail:vmail-account))
+ (gnu:bootloader:bootloader-configuration
+ (bootloader gnu:bootloader:grub:grub-efi-bootloader)
+ (targets (list "/boot"))
+ (keyboard-layout sovereign:devices:pl-keyboard-layout)))
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+(define vmail-group
+ (gnu:system:accounts:user-group
+ (name "vmail")
+ (system? #t)))
(define-public system
- (gnu:system:operating-system
- (bootloader system-bootloader)
- (label (sovereign:systems:operating-system-label* system-name
- gnu:system:this-operating-system))
- (kernel nongnu:packages:linux:linux)
- (keyboard-layout system-keyboard-layout)
- (initrd nongnu:system:linux-initrd:microcode-initrd)
- (firmware (list nongnu:packages:linux:linux-firmware))
- (host-name system-name)
- (file-systems (append system-file-systems
- gnu:system:file-systems:%base-file-systems))
- (users (append system-users
- gnu:system:shadow:%base-user-accounts))
- (groups (append system-groups
- gnu:system:shadow:%base-groups))
- (packages (append gnu:system:%base-packages
- (list sovereign:packages:jekyll:custom-jekyll
- gnu:packages:tls:openssl)))
- (timezone "Europe/Warsaw")
- (locale sovereign:systems:pl-locale)
- (locale-definitions sovereign:systems:%sovereign-locale-definitions)
- (services (append system-services
- %sovereign-services*))
- (sudoers-file sovereign:systems:%sovereign-sudoers-specification)))
+ (gnu:system:operating-system
+ (bootloader system-bootloader)
+ (label (sovereign:systems:operating-system-label* system-name
+ gnu:system:this-operating-system))
+ (kernel nongnu:packages:linux:linux)
+ (keyboard-layout system-keyboard-layout)
+ (initrd nongnu:system:linux-initrd:microcode-initrd)
+ (firmware (list nongnu:packages:linux:linux-firmware))
+ (host-name system-name)
+ (file-systems (cons* file-system-root
+ file-system-efi
+ gnu:system:file-systems:%base-file-systems))
+ (users (cons* users:id1000:uid1000-account
+ users:vmail:vmail-account
+ gnu:system:shadow:%base-user-accounts))
+ (groups (cons* vmail-group
+ gnu:system:shadow:%base-groups))
+ (packages (append gnu:system:%base-packages
+ (list sovereign:packages:jekyll:custom-jekyll
+ gnu:packages:tls:openssl)))
+ (timezone "Europe/Warsaw")
+ (locale sovereign:systems:pl-locale)
+ (locale-definitions sovereign:systems:%sovereign-locale-definitions)
+ (services (cons* users:id1000:dkim-service
+ users:id1000:dovecot-service
+ users:id1000:smtp-service
+ knot
+ certbot
+ cgit-izumi
+ etc-mailname
+ fcgiwrap
+ gitolite
+ (sovereign:systems:guix-home-service (list users:id1000:name/home-environment))
+ nginx-izumi
+ offload-rakan
+ openssh
+ radicale
+ static-networking
+ iproute2-networking
+ %sovereign-services*))
+ (sudoers-file sovereign:systems:%sovereign-sudoers-specification)))
-(define-public operating-system*
- system)
+(define-public operating-system* system)
generated by cgit v1.2.3 (git 2.52.0) at 2026-01-20 19:27:58 +0000