| -rw-r--r-- | deployment/services/web.scm | 313 | ||||
| -rw-r--r-- | deployment/system.scm | 8 | ||||
| -rw-r--r-- | deployment/system/aisaka.scm | 307 |
3 files changed, 320 insertions, 308 deletions
diff --git a/deployment/services/web.scm b/deployment/services/web.scm
new file mode 100644
index 0000000..a70dd44
--- /dev/null
+++ b/deployment/services/web.scm
@@ -0,0 +1,313 @@
+;;; SPDX-License-Identifier: GPL-3.0-or-later
+;;; SPDX-FileCopyrightText: 2024-2026 Marek Paśnikowski <marek@marekpasnikowski.pl>
+
+(define-module (deployment services web)
+ #:export (aisaka-certbot-service
+ aisaka-cgit-service
+ aisaka-nginx-service)
+ #:use-module (gnu services)
+ #:use-module (gnu services web)
+ #:use-module (guix gexp)
+ #:use-module ((deployment system aisaka)
+ #:prefix deployment:system:aisaka:)
+ #:use-module ((gnu packages matrix)
+ #:prefix gnu:packages:matrix:)
+ #:use-module ((gnu packages version-control)
+ #:prefix gnu:packages:version-control:)
+ #:use-module ((gnu services certbot)
+ #:prefix gnu:services:certbot:)
+ #:use-module ((gnu services cgit)
+ #:prefix gnu:services:cgit:)
+ #:use-module ((gnu services version-control)
+ #:prefix gnu:services:version-control:)
+ #:use-module ((gnu system shadow)
+ #:prefix gnu:system:shadow:))
+
+(define cgit-repository-configuration
+ (gnu:services:cgit:repository-cgit-configuration
+ (hide? #t)
+ (path "/srv/git/marek/packages")))
+
+(define git-http-configuration
+ (gnu:services:version-control:git-http-configuration
+ (git-root "/var/lib/gitolite/repositories")
+ (uri-path "/git")))
+
+(define nginx-accounts
+ (let
+ ((accounts- (list deployment:system:aisaka:nginx-group
+ deployment:system:aisaka:nginx-account)))
+ (const accounts-)))
+
+(define nginx-extension-of-account
+ (service-extension gnu:system:shadow:account-service-type
+ nginx-accounts))
+
+(define (extend-account extension)
+ (let*
+ ((extension-target- (service-extension-target extension))
+ (account-service-type?- (eq? extension-target-
+ gnu:system:shadow:account-service-type)))
+ (if account-service-type?-
+ nginx-extension-of-account
+ extension)))
+
+(define nginx-service-type*
+ (let
+ ((nginx-extensions- (service-type-extensions nginx-service-type)))
+ (service-type
+ (inherit nginx-service-type)
+ (extensions (map extend-account
+ nginx-extensions-)))))
+
+(define nginx-location-cgit
+ (nginx-location-configuration
+ (body (list "fastcgi_param HTTP_HOST $server_name ;"
+ "fastcgi_param PATH_INFO $uri ;"
+ "fastcgi_param QUERY_STRING $args ;"
+ "fastcgi_param SCRIPT_FILENAME $document_root/lib/cgit/cgit.cgi ;"
+ "fastcgi_pass 127.0.0.1:9000 ;"))
+ (uri "@cgit")))
+
+(define nginx-location-proxy-guix
+ (nginx-location-configuration
+ (body (list "proxy_pass http://localhost:5232/ ;"
+ "proxy_set_header X-Script-Name \"\" ;"
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;"
+ "proxy_set_header Host $http_host ;"
+ "proxy_pass_header Authorization ;"))
+ (uri "/")))
+
+(define nginx-location-proxy-matrix
+ (nginx-location-configuration
+ (body (list "proxy_pass http://localhost:8008 ;"
+ "proxy_set_header X-Forwarded-For $remote_addr ;"
+ "proxy_set_header X-Forwarded-Proto $scheme ;"
+ "proxy_set_header Host $host:$server_port ;"
+ "client_max_body_size 1024M ;"))
+ (uri "~ ^(/_matrix|/_synapse/client)")))
+
+(define nginx-location-proxy-radicale
+ (nginx-location-configuration
+ (body (list "proxy_pass http://localhost:8080/ ;"
+ "proxy_set_header X-Script-Name \"\" ;"
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;"
+ "proxy_set_header Host $http_host ;"
+ "proxy_pass_header Authorization ;"))
+ (uri "/")))
+
+(define nginx-location-proxy-auth
+ (nginx-location-configuration
+ (body (list "proxy_set_header Host $host;"
+ "proxy_set_header X-Real-IP $remote_addr;"
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"
+ "proxy_set_header X-Forwarded-Proto $scheme;"
+ "if ($ssl_client_verify != SUCCESS) {return 403;}"))
+ (uri "/")))
+
+(define nginx-location-well-known
+ (nginx-location-configuration
+ (body (list "root /srv/www/marek/marekpasnikowski.pl ;"))
+ (uri "/.well-known")))
+
+(define nginx-location-well-known-matrix-client
+ (nginx-location-configuration
+ (body (list "return 200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.marekpasnikowski.pl\"}}' ;"
+ "default_type application/json ;"
+ "add_header Access-Control-Allow-Origin * ;"))
+ (uri "/.well-known/matrix/client")))
+
+(define nginx-server-cgit
+ (let
+ ((git-http- (gnu:services:version-control:git-http-nginx-location-configuration git-http-configuration)))
+ (nginx-server-configuration
+ (locations (list git-http-
+ nginx-location-cgit
+ nginx-location-well-known))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root gnu:packages:version-control:cgit)
+ (server-name (list "git.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
+ (try-files (list "$uri" "@cgit")))))
+
+(define nginx-server-guix
+ (nginx-server-configuration
+ (locations (list nginx-location-proxy-guix))
+ (listen (list "192.168.10.2:443 ssl"))
+ (server-name (list "guix.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")))
+
+(define nginx-server-matrix
+ (nginx-server-configuration
+ (locations (list nginx-location-proxy-matrix))
+ (listen (list "192.168.10.2:443 ssl"
+ "192.168.10.2:8448 ssl default_server"))
+ (root (file-append gnu:packages:matrix:synapse
+ "/lib/python3.11/site-packages/synapse/static"))
+ (server-name (list "matrix.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
+ (raw-content (list "proxy_http_version 1.1 ;"))))
+
+(define nginx-server-portal
+ (nginx-server-configuration
+ (locations (list nginx-location-well-known
+ nginx-location-well-known-matrix-client))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/www")
+ (server-name (list 'default
+ "marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")))
+
+(define nginx-server-radicale
+ (nginx-server-configuration
+ (locations (list nginx-location-proxy-radicale
+ nginx-location-well-known))
+ (listen (list "192.168.10.2:443 ssl"))
+ (server-name (list "radicale.marekpasnikowski.pl"))))
+
+(define nginx-server-schron
+ (nginx-server-configuration
+ (locations (list nginx-location-proxy-auth))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/schron")
+ (server-name (list "schron.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
+ (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
+ "ssl_verify_client on;"))))
+
+(define nginx-server-sejf
+ (nginx-server-configuration
+ (locations (list nginx-location-proxy-auth))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/sejf")
+ (server-name (list "sejf.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
+ (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
+ "ssl_verify_client on;"))))
+
+(define nginx-server-test
+ (nginx-server-configuration
+ (locations (list nginx-location-proxy-auth))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/schron")
+ (server-name (list "test.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
+ (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
+ "ssl_verify_client on;"))))
+
+(define nginx-server-www
+ (nginx-server-configuration
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/www")
+ (server-name (list "www.marekpasnikowski.pl"))))
+
+(define nginx-configuration*
+ (nginx-configuration
+ (shepherd-requirement (list 'networking))
+ (server-blocks (list nginx-server-portal
+ nginx-server-www
+ nginx-server-guix
+ nginx-server-matrix
+ nginx-server-test
+ nginx-server-schron
+ nginx-server-sejf
+ nginx-server-radicale))))
+
+(define aisaka-nginx-service
+ (service nginx-service-type*
+ nginx-configuration*))
+
+(define nginx-extension-of-certbot
+ (service-extension nginx-service-type*
+ (@@ (gnu services certbot)
+ certbot-nginx-server-configurations)))
+
+(define (extend-certbot extension)
+ (let*
+ ((extension-target- (service-extension-target extension))
+ (nginx-service-type?- (eq? extension-target-
+ nginx-service-type)))
+ (if nginx-service-type?-
+ nginx-extension-of-certbot
+ extension)))
+
+(define certbot-type
+ (let
+ ((certbot-extensions- (service-type-extensions gnu:services:certbot:certbot-service-type)))
+ (service-type
+ (inherit gnu:services:certbot:certbot-service-type)
+ (extensions (map extend-certbot
+ certbot-extensions-)))))
+
+(define nginx-deploy-hook-file
+ #~(let
+ ((pid (call-with-input-file "/var/run/nginx/pid"
+ read)))
+ (kill pid
+ SIGHUP)))
+
+(define certificate-configuration
+ (gnu:services:certbot:certificate-configuration
+ (deploy-hook (program-file "nginx-deploy-hook"
+ nginx-deploy-hook-file))
+ (domains (list "marekpasnikowski.pl"
+ "git.marekpasnikowski.pl"
+ "guix.marekpasnikowski.pl"
+ "matrix.marekpasnikowski.pl"
+ "mx.marekpasnikowski.pl"
+ "radicale.marekpasnikowski.pl"
+ "schron.marekpasnikowski.pl"
+ "sejf.marekpasnikowski.pl"
+ "test.marekpasnikowski.pl"
+ "www.marekpasnikowski.pl"))))
+
+(define certbot-configuration
+ (gnu:services:certbot:certbot-configuration
+ (certificates (list certificate-configuration))
+ (email "marek@marekpasnikowski.pl")
+ (webroot "/srv/www/marek/marekpasnikowski.pl")))
+
+(define aisaka-certbot-service
+ (service certbot-type
+ certbot-configuration))
+
+(define nginx-extension-of-cgit
+ (service-extension nginx-service-type*
+ gnu:services:cgit:cgit-configuration-nginx-config))
+
+(define (extend-cgit extension)
+ (let*
+ ((extension-target- (service-extension-target extension))
+ (nginx-service-type?- (eq? extension-target-
+ nginx-service-type)))
+ (if nginx-service-type?-
+ nginx-extension-of-cgit
+ extension)))
+
+(define cgit-type
+ (let
+ ((cgit-extensions- (service-type-extensions gnu:services:cgit:cgit-service-type)))
+ (service-type
+ (inherit gnu:services:cgit:cgit-service-type)
+ (extensions (map extend-cgit
+ cgit-extensions-)))))
+
+(define cgit-configuration
+ (gnu:services:cgit:cgit-configuration
+ (nginx (list nginx-server-cgit))
+ (repositories (list cgit-repository-configuration))
+ (project-list (list "deployment.git"
+ "nonguix.git"
+ "sovereign.git"))
+ (repository-directory "/var/lib/gitolite/repositories")))
+
+(define-public aisaka-cgit-service
+ (service cgit-type
+ cgit-configuration)))
diff --git a/deployment/system.scm b/deployment/system.scm
index 4d124d6..2d54e16 100644
--- a/deployment/system.scm
+++ b/deployment/system.scm
@@ -1,6 +1,8 @@ (define-module (deployment system) #:use-module ((deployment services databases) #:prefix deployment:services:databases:)
+ #:use-module ((deployment services web)
+ #:prefix deployment:services:web:) #:use-module ((deployment services dns) #:prefix deployment:services:dns:) #:use-module ((deployment services matrix)
@@ -89,8 +91,8 @@ (locale-libcs gnu:system:locale:%default-locale-libcs) (name-service-switch gnu:system:nss:%default-nss) (essential-services (gnu:system:operating-system-default-essential-services gnu:system:this-operating-system))
- (services (cons* deployment:system:aisaka:certbot
- deployment:system:aisaka:cgit
+ (services (cons* deployment:services:web:aisaka-certbot-service
+ deployment:services:web:aisaka-cgit-service users:id1000:dkim-service users:id1000:dovecot-service deployment:system:aisaka:etc 
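Review bot: The closing form of the new file, `(define-public aisaka-cgit-service (service cgit-type cgit-configuration)))`, closes three parentheses where the parallel `aisaka-certbot-service` closes two, and the name is already listed under `#:export`; unless the page is garbling the text, the reader will reject the module on the stray `)`, so it should end `cgit-configuration))` with a plain `define` like its two siblings. The `guix`/`radicale` upstreams look swapped and deserve a check before deploy: `nginx-location-proxy-guix` proxies to `localhost:5232`, the port Radicale listens on by default, while `nginx-location-proxy-radicale` proxies to `localhost:8080`, the default for `guix publish`, and both carry the Radicale-style `X-Script-Name` and `proxy_pass_header Authorization` directives — confirm which daemon actually listens where, since misrouting would put the CalDAV endpoint behind the substitute hostname. `nginx-server-radicale` and `nginx-server-www` listen with `ssl` but set no `ssl-certificate`/`ssl-certificate-key`, unlike every other block in the file; either add the two `/etc/letsencrypt/live/marekpasnikowski.pl/` paths or comment why nginx's fallback certificate selection is acceptable for those names. Finally, `nginx-location-proxy-auth` contains no `proxy_pass` — it serves the static `root` of the mTLS hosts — so a name such as `nginx-location-mtls-static` and a comment noting that `if ($ssl_client_verify != SUCCESS) {return 403;}` is a second gate behind `ssl_verify_client on;` would make its role clear.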
@@ -101,7 +103,7 @@ deployment:system:aisaka:iproute2-networking deployment:services:dns:aisaka-knot-service deployment:services:matrix:matrix-service-aisaka - deployment:system:aisaka:nginx + deployment:services:web:aisaka-nginx-service deployment:system:aisaka:offload-rakan deployment:services:databases:matrix-postgresql-service deployment:system:aisaka:radicale diff --git a/deployment/system/aisaka.scm b/deployment/system/aisaka.scm index a172bf3..8035789 100644 --- a/deployment/system/aisaka.scm +++ b/deployment/system/aisaka.scm @@ -15,16 +15,10 @@ #:prefix gnu:packages:linux:) #:use-module ((gnu packages tls) #:prefix gnu:packages:tls:) - #:use-module ((gnu packages version-control) - #:prefix gnu:packages:version-control:) #:use-module ((gnu services) #:prefix gnu:services:) #:use-module ((gnu services base) #:prefix gnu:services:base:) - #:use-module ((gnu services certbot) - #:prefix gnu:services:certbot:) - #:use-module ((gnu services cgit) - #:prefix gnu:services:cgit:) #:use-module ((gnu services mail) #:prefix gnu:services:mail:) #:use-module ((gnu services networking) @@ -47,14 +41,10 @@ #:prefix gnu:system:linux-initrd:) #:use-module ((gnu system locale) #:prefix gnu:system:locale:) - #:use-module ((gnu packages matrix) - #:prefix gnu:packages:matrix:) #:use-module ((gnu system nss) #:prefix gnu:system:nss:) #:use-module ((gnu system pam) #:prefix gnu:system:pam:) - #:use-module ((gnu system shadow) - #:prefix gnu:system:shadow:) #:use-module ((guix diagnostics) #:prefix guix:diagnostics:) #:use-module ((nongnu packages linux) @@ -84,7 +74,7 @@ (define dovecot-keys "/secrets/dovecot") -(define nginx-account +(define-public nginx-account (gnu:system:accounts:user-account (name "nginx") (group "nginx") 
@@ -95,299 +85,11 @@ (shell (file-append (gnu:packages:specification->package "shadow") "/sbin/nologin")))) -(define nginx-group +(define-public nginx-group (gnu:system:accounts:user-group (name "nginx") (system? #t))) -(define nginx-accounts - (let - ((accounts- (list nginx-group - nginx-account))) - (const accounts-))) - -(define nginx-extension-of-account - (gnu:services:service-extension - gnu:system:shadow:account-service-type - nginx-accounts)) - -(define (extend-account extension) - (let* - ((extension-target- (gnu:services:service-extension-target extension)) - (account-service-type?- (eq? extension-target- - gnu:system:shadow:account-service-type))) - (if account-service-type?- - nginx-extension-of-account - extension))) - -(define nginx-service-type* - (let - ((nginx-extensions- (gnu:services:service-type-extensions gnu:services:web:nginx-service-type))) - (gnu:services:service-type - (inherit gnu:services:web:nginx-service-type) - (extensions (map extend-account - nginx-extensions-))))) - -(define cgit-repository-configuration - (gnu:services:cgit:repository-cgit-configuration - (hide? #t) - (path "/srv/git/marek/packages"))) - -(define git-http-configuration - (gnu:services:version-control:git-http-configuration - (git-root "/var/lib/gitolite/repositories") - (uri-path "/git"))) - -(define nginx-extension-of-cgit - (gnu:services:service-extension - nginx-service-type* - gnu:services:cgit:cgit-configuration-nginx-config)) - -(define (extend-cgit extension) - (let* - ((extension-target- (gnu:services:service-extension-target extension)) - (nginx-service-type?- (eq? 
extension-target- - gnu:services:web:nginx-service-type))) - (if nginx-service-type?- - nginx-extension-of-cgit - extension))) - -(define cgit-type - (let - ((cgit-extensions- (gnu:services:service-type-extensions gnu:services:cgit:cgit-service-type))) - (gnu:services:service-type - (inherit gnu:services:cgit:cgit-service-type) - (extensions (map extend-cgit - cgit-extensions-))))) - -(define nginx-location-cgit - (gnu:services:web:nginx-location-configuration - (body (list "fastcgi_param HTTP_HOST $server_name ;" - "fastcgi_param PATH_INFO $uri ;" - "fastcgi_param QUERY_STRING $args ;" - "fastcgi_param SCRIPT_FILENAME $document_root/lib/cgit/cgit.cgi ;" - "fastcgi_pass 127.0.0.1:9000 ;")) - (uri "@cgit"))) - -(define nginx-location-proxy-guix - (gnu:services:web:nginx-location-configuration - (body (list "proxy_pass http://localhost:5232/ ;" - "proxy_set_header X-Script-Name \"\" ;" - "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;" - "proxy_set_header Host $http_host ;" - "proxy_pass_header Authorization ;")) - (uri "/"))) - -(define nginx-location-proxy-matrix - (gnu:services:web:nginx-location-configuration - (body (list "proxy_pass http://localhost:8008 ;" - "proxy_set_header X-Forwarded-For $remote_addr ;" - "proxy_set_header X-Forwarded-Proto $scheme ;" - "proxy_set_header Host $host:$server_port ;" - "client_max_body_size 1024M ;")) - (uri "~ ^(/_matrix|/_synapse/client)"))) - -(define nginx-location-proxy-radicale - (gnu:services:web:nginx-location-configuration - (body (list "proxy_pass http://localhost:8080/ ;" - "proxy_set_header X-Script-Name \"\" ;" - "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;" - "proxy_set_header Host $http_host ;" - "proxy_pass_header Authorization ;")) - (uri "/"))) - -(define nginx-location-proxy-auth - (gnu:services:web:nginx-location-configuration - (body (list "proxy_set_header Host $host;" - "proxy_set_header X-Real-IP $remote_addr;" - "proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for;" - "proxy_set_header X-Forwarded-Proto $scheme;" - "if ($ssl_client_verify != SUCCESS) {return 403;}")) - (uri "/"))) - -(define nginx-location-well-known - (gnu:services:web:nginx-location-configuration - (body (list "root /srv/www/marek/marekpasnikowski.pl ;")) - (uri "/.well-known"))) - -(define nginx-location-well-known-matrix-client - (gnu:services:web:nginx-location-configuration - (body (list "return 200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.marekpasnikowski.pl\"}}' ;" - "default_type application/json ;" - "add_header Access-Control-Allow-Origin * ;")) - (uri "/.well-known/matrix/client"))) - -(define nginx-server-cgit - (let - ((git-http- (gnu:services:version-control:git-http-nginx-location-configuration git-http-configuration))) - (gnu:services:web:nginx-server-configuration - (locations (list git-http- - nginx-location-cgit - nginx-location-well-known)) - (listen (list "192.168.10.2:443 ssl")) - (root gnu:packages:version-control:cgit) - (server-name (list "git.marekpasnikowski.pl")) - (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem") - (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem") - (try-files (list "$uri" "@cgit"))))) - -(define nginx-server-guix - (gnu:services:web:nginx-server-configuration - (locations (list nginx-location-proxy-guix)) - (listen (list "192.168.10.2:443 ssl")) - (server-name (list "guix.marekpasnikowski.pl")) - (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem") - (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem"))) - -(define nginx-server-matrix - (gnu:services:web:nginx-server-configuration - (locations (list nginx-location-proxy-matrix)) - (listen (list "192.168.10.2:443 ssl" - "192.168.10.2:8448 ssl default_server")) - (root (file-append gnu:packages:matrix:synapse - "/lib/python3.11/site-packages/synapse/static")) - (server-name (list "matrix.marekpasnikowski.pl")) - 
(ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem") - (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem") - (raw-content (list "proxy_http_version 1.1 ;")))) - -(define nginx-server-portal - (gnu:services:web:nginx-server-configuration - (locations (list nginx-location-well-known - nginx-location-well-known-matrix-client)) - (listen (list "192.168.10.2:443 ssl")) - (root "/home/marek/Publiczne/www") - (server-name (list 'default - "marekpasnikowski.pl")) - (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem") - (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem"))) - -(define nginx-server-radicale - (gnu:services:web:nginx-server-configuration - (locations (list nginx-location-proxy-radicale - nginx-location-well-known)) - (listen (list "192.168.10.2:443 ssl")) - (server-name (list "radicale.marekpasnikowski.pl")))) - -(define nginx-server-schron - (gnu:services:web:nginx-server-configuration - (locations (list nginx-location-proxy-auth)) - (listen (list "192.168.10.2:443 ssl")) - (root "/home/marek/Publiczne/schron") - (server-name (list "schron.marekpasnikowski.pl")) - (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem") - (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem") - (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;" - "ssl_verify_client on;")))) - -(define nginx-server-sejf - (gnu:services:web:nginx-server-configuration - (locations (list nginx-location-proxy-auth)) - (listen (list "192.168.10.2:443 ssl")) - (root "/home/marek/Publiczne/sejf") - (server-name (list "sejf.marekpasnikowski.pl")) - (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem") - (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem") - (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;" - "ssl_verify_client 
on;")))) - -(define nginx-server-test - (gnu:services:web:nginx-server-configuration - (locations (list nginx-location-proxy-auth)) - (listen (list "192.168.10.2:443 ssl")) - (root "/home/marek/Publiczne/schron") - (server-name (list "test.marekpasnikowski.pl")) - (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem") - (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem") - (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;" - "ssl_verify_client on;")))) - -(define nginx-server-www - (gnu:services:web:nginx-server-configuration - (listen (list "192.168.10.2:443 ssl")) - (root "/home/marek/Publiczne/www") - (server-name (list "www.marekpasnikowski.pl")))) - -(define cgit-configuration - (gnu:services:cgit:cgit-configuration - (nginx (list nginx-server-cgit)) - (repositories (list cgit-repository-configuration)) - (project-list (list "deployment.git" - "nonguix.git" - "sovereign.git")) - (repository-directory "/var/lib/gitolite/repositories"))) - -(define nginx-configuration* - (gnu:services:web:nginx-configuration - (shepherd-requirement (list 'networking)) - (server-blocks (list nginx-server-portal - nginx-server-www - nginx-server-guix - nginx-server-matrix - nginx-server-test - nginx-server-schron - nginx-server-sejf - nginx-server-radicale)))) - -(define nginx-deploy-hook-file - #~(let - ((pid (call-with-input-file "/var/run/nginx/pid" - read))) - (kill pid SIGHUP))) - -(define nginx-extension-of-certbot - (gnu:services:service-extension - nginx-service-type* - (@@ (gnu services certbot) certbot-nginx-server-configurations))) - -(define (extend-certbot extension) - (let* - ((extension-target- (gnu:services:service-extension-target extension)) - (nginx-service-type?- (eq? 
extension-target- - gnu:services:web:nginx-service-type))) - (if nginx-service-type?- - nginx-extension-of-certbot - extension))) - -(define certbot-type - (let - ((certbot-extensions- (gnu:services:service-type-extensions gnu:services:certbot:certbot-service-type))) - (gnu:services:service-type - (inherit gnu:services:certbot:certbot-service-type) - (extensions (map extend-certbot - certbot-extensions-))))) - -(define certificate-configuration - (gnu:services:certbot:certificate-configuration - (deploy-hook (program-file "nginx-deploy-hook" - nginx-deploy-hook-file)) - (domains (list "marekpasnikowski.pl" - "git.marekpasnikowski.pl" - "guix.marekpasnikowski.pl" - "matrix.marekpasnikowski.pl" - "mx.marekpasnikowski.pl" - "radicale.marekpasnikowski.pl" - "schron.marekpasnikowski.pl" - "sejf.marekpasnikowski.pl" - "test.marekpasnikowski.pl" - "www.marekpasnikowski.pl")))) - -(define certbot-configuration - (gnu:services:certbot:certbot-configuration - (certificates (list certificate-configuration)) - (email "marek@marekpasnikowski.pl") - (webroot "/srv/www/marek/marekpasnikowski.pl"))) - -(define-public certbot - (gnu:services:service - certbot-type - certbot-configuration)) - -(define-public cgit - (gnu:services:service - cgit-type - cgit-configuration)) - (define-public etc (let* ((mailname-file- (plain-file "mailname" @@ -462,11 +164,6 @@ (define-public system-keyboard-layout (gnu:system:keyboard:keyboard-layout "pl")) -(define-public nginx - (gnu:services:service - nginx-service-type* - nginx-configuration*)) - (define rakan-machine #~(build-machine (name "rakan") |
