| -rw-r--r-- | deployment/services/certbot.scm | 65 | ||||
| -rw-r--r-- | deployment/services/dns.scm | 7 | ||||
| -rw-r--r-- | deployment/services/web.scm | 95 | ||||
| -rw-r--r-- | deployment/system.scm | 8 |
4 files changed, 73 insertions, 102 deletions
diff --git a/deployment/services/certbot.scm b/deployment/services/certbot.scm
new file mode 100644
index 0000000..4850118
--- /dev/null
+++ b/deployment/services/certbot.scm
@@ -0,0 +1,65 @@
+;;; SPDX-License-Identifier: GPL-3.0-or-later
+;;; SPDX-FileCopyrightText: 2024-2026 Marek Paśnikowski <marek@marekpasnikowski.pl>
+
+(define-module (deployment services certbot)
+ #:export (aisaka-certbot-service)
+ #:use-module (gnu services)
+ #:use-module (gnu services certbot)
+ #:use-module (guix gexp)
+ #:use-module ((deployment services web)
+ #:prefix deployment:services:web:)
+ #:use-module ((gnu services web)
+ #:prefix gnu:services:web:))
+
+(define nginx-extension-of-certbot
+ (service-extension deployment:services:web:nginx-service-type*
+ (@@ (gnu services certbot)
+ certbot-nginx-server-configurations)))
+
+(define (extend-certbot extension)
+ (let*
+ ((extension-target- (service-extension-target extension))
+ (nginx-service-type?- (eq? extension-target-
+ gnu:services:web:nginx-service-type)))
+ (if nginx-service-type?-
+ nginx-extension-of-certbot
+ extension)))
+
+(define certbot-type
+ (let
+ ((certbot-extensions- (service-type-extensions certbot-service-type)))
+ (service-type
+ (inherit certbot-service-type)
+ (extensions (map extend-certbot
+ certbot-extensions-)))))
+
+(define nginx-deploy-hook-file
+ #~(let
+ ((pid (call-with-input-file "/var/run/nginx/pid"
+ read)))
+ (kill pid
+ SIGHUP)))
+
+(define aisaka-certificate-configuration
+ (certificate-configuration
+ (deploy-hook (program-file "nginx-deploy-hook"
+ nginx-deploy-hook-file))
+ (domains (list "marekpasnikowski.pl"
+ "git.marekpasnikowski.pl"
+ "guix.marekpasnikowski.pl"
+ "matrix.marekpasnikowski.pl"
+ "mx.marekpasnikowski.pl"
+ "radicale.marekpasnikowski.pl"
+ "www.marekpasnikowski.pl"))))
+
+(define aisaka-certbot-configuration
+ (certbot-configuration
+ (certificates (list aisaka-certificate-configuration))
+ (email "marek@marekpasnikowski.pl")
+ (webroot "/srv/www/marek/marekpasnikowski.pl")))
+
+(define aisaka-certbot-service
+ (service certbot-type
+ aisaka-certbot-configuration))
+
+;;; EOF
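Review bot: `nginx-deploy-hook-file` hands whatever `read` returns from `/var/run/nginx/pid` straight to `kill`: an empty or stale file yields the EOF object or a non-integer, so the hook errors after the certificate has already been renewed and nginx keeps serving the old one, and since the hook presumably runs with certbot's (root) privileges, anything able to write that file decides which process receives SIGHUP. Validate the value before signalling, e.g. `(unless (and (integer? pid) (positive? pid)) (error "nginx-deploy-hook: unexpected pid file contents" pid))`, or have the hook ask the service manager to reload nginx instead of trusting a pid read from disk. The `extend-certbot`/`certbot-type` pair and the `(@@ (gnu services certbot) …)` access to a private binding also deserve a comment stating that they redirect certbot's nginx extension from the upstream `nginx-service-type` to the local `nginx-service-type*`, because that indirection will break without a clear error when the internal name changes in a Guix update.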
diff --git a/deployment/services/dns.scm b/deployment/services/dns.scm
index cc9aabd..a35098e 100644
--- a/deployment/services/dns.scm
+++ b/deployment/services/dns.scm
@@ -26,7 +26,7 @@
 ("2" ttl "IN" "A" ip-multimedia)
 ("ns2" ttl "IN" "A" ip-multimedia)
 ("@" ttl "IN" "NS" "ns2.marekpasnikowski.pl.")
- ("1" ttl "IN" "MX" "10 marekpasnikowski.pl.")
+ ("@" ttl "IN" "MX" "10 1.marekpasnikowski.pl.")
 ("@" ttl "IN" "TXT" spf-value)
 ("_caldavs._tcp" ttl "IN" "SRV" "10 0 443 radicale.marekpasnikowski.pl")
 ("_carddavs._tcp" ttl "IN" "SRV" "10 0 443 radicale.marekpasnikowski.pl")
@@ -36,9 +36,6 @@
 ("guix" ttl "IN" "CNAME" "2")
 ("matrix" ttl "IN" "CNAME" "2")
 ("radicale" ttl "IN" "CNAME" "2")
- ("schron" ttl "IN" "CNAME" "2")
- ("sejf" ttl "IN" "CNAME" "2")
- ("test" ttl "IN" "CNAME" "2")
 ("www" ttl "IN" "CNAME" "2"))
 
 (define marekpasnikowski.pl-zone
@@ -47,7 +44,7 @@
 (origin "marekpasnikowski.pl")
 (ns "ns1.marekpasnikowski.pl.")
 (mail "marek.marekpasnikowski.pl.")
- (serial 2026042301)))
+ (serial 2026042801)))
 
 (define aisaka-master-zone
 (knot-zone-configuration
diff --git a/deployment/services/web.scm b/deployment/services/web.scm
index fe03e90..f06131f 100644
--- a/deployment/services/web.scm
+++ b/deployment/services/web.scm
@@ -2,8 +2,7 @@
 ;;; SPDX-FileCopyrightText: 2024-2026 Marek Paśnikowski <marek@marekpasnikowski.pl>
 
 (define-module (deployment services web)
- #:export (aisaka-certbot-service
- aisaka-nginx-service
+ #:export (aisaka-nginx-service
 nginx-location-well-known
 nginx-service-type*)
 #:use-module (gnu services)
@@ -11,8 +10,6 @@
 #:use-module (guix gexp)
 #:use-module ((gnu packages matrix)
 #:prefix gnu:packages:matrix:)
- #:use-module ((gnu services certbot)
- #:prefix gnu:services:certbot:)
 #:use-module ((gnu system shadow)
 #:prefix gnu:system:shadow:)
 #:use-module ((sovereign system accounts)
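Review bot: The new apex MX points at `1.marekpasnikowski.pl.`, whose own record is outside this hunk; an MX target has to resolve directly to an A/AAAA record rather than a CNAME, so it is worth confirming that `1` is an address record like the visible `2` entry before the serial is bumped. The certificate defined in certbot.scm in this same commit covers `mx.marekpasnikowski.pl` but not `1.marekpasnikowski.pl`, so if the host behind `1` presents that certificate for SMTP, sending servers that verify the MX hostname (MTA-STS or strict TLS policies) will see a name mismatch — either add `1.marekpasnikowski.pl` to the `domains` list or point the MX at `mx.marekpasnikowski.pl.` instead. The zone's record list continues outside the hunk.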
@@ -131,39 +128,6 @@
 (listen (list "192.168.10.2:443 ssl"))
 (server-name (list "radicale.marekpasnikowski.pl"))))
 
-(define nginx-server-schron
- (nginx-server-configuration
- (locations (list nginx-location-proxy-auth))
- (listen (list "192.168.10.2:443 ssl"))
- (root "/home/marek/Publiczne/schron")
- (server-name (list "schron.marekpasnikowski.pl"))
- (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
- (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
- (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
- "ssl_verify_client on;"))))
-
-(define nginx-server-sejf
- (nginx-server-configuration
- (locations (list nginx-location-proxy-auth))
- (listen (list "192.168.10.2:443 ssl"))
- (root "/home/marek/Publiczne/sejf")
- (server-name (list "sejf.marekpasnikowski.pl"))
- (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
- (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
- (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
- "ssl_verify_client on;"))))
-
-(define nginx-server-test
- (nginx-server-configuration
- (locations (list nginx-location-proxy-auth))
- (listen (list "192.168.10.2:443 ssl"))
- (root "/home/marek/Publiczne/schron")
- (server-name (list "test.marekpasnikowski.pl"))
- (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
- (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
- (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
- "ssl_verify_client on;"))))
-
 (define nginx-server-www
 (nginx-server-configuration
 (listen (list "192.168.10.2:443 ssl"))
@@ -177,67 +141,10 @@
 nginx-server-www
 nginx-server-guix
 nginx-server-matrix
- nginx-server-test
- nginx-server-schron
- nginx-server-sejf
 nginx-server-radicale))))
 
 (define aisaka-nginx-service
 (service nginx-service-type*
 nginx-configuration*))
 
-(define nginx-extension-of-certbot
- (service-extension nginx-service-type*
- (@@ (gnu services certbot)
- certbot-nginx-server-configurations)))
-
-(define (extend-certbot extension)
- (let*
- ((extension-target- (service-extension-target extension))
- (nginx-service-type?- (eq? extension-target-
- nginx-service-type)))
- (if nginx-service-type?-
- nginx-extension-of-certbot
- extension)))
-
-(define certbot-type
- (let
- ((certbot-extensions- (service-type-extensions gnu:services:certbot:certbot-service-type)))
- (service-type
- (inherit gnu:services:certbot:certbot-service-type)
- (extensions (map extend-certbot
- certbot-extensions-)))))
-
-(define nginx-deploy-hook-file
- #~(let
- ((pid (call-with-input-file "/var/run/nginx/pid"
- read)))
- (kill pid
- SIGHUP)))
-
-(define certificate-configuration
- (gnu:services:certbot:certificate-configuration
- (deploy-hook (program-file "nginx-deploy-hook"
- nginx-deploy-hook-file))
- (domains (list "marekpasnikowski.pl"
- "git.marekpasnikowski.pl"
- "guix.marekpasnikowski.pl"
- "matrix.marekpasnikowski.pl"
- "mx.marekpasnikowski.pl"
- "radicale.marekpasnikowski.pl"
- "schron.marekpasnikowski.pl"
- "sejf.marekpasnikowski.pl"
- "test.marekpasnikowski.pl"
- "www.marekpasnikowski.pl"))))
-
-(define certbot-configuration
- (gnu:services:certbot:certbot-configuration
- (certificates (list certificate-configuration))
- (email "marek@marekpasnikowski.pl")
- (webroot "/srv/www/marek/marekpasnikowski.pl")))
-
-(define aisaka-certbot-service
- (service certbot-type
- certbot-configuration))
-
 ;;; EOF
diff --git a/deployment/system.scm b/deployment/system.scm
index bf5b143..2ed8d4f 100644
--- a/deployment/system.scm
+++ b/deployment/system.scm
@@ -1,12 +1,14 @@
 (define-module (deployment system)
+ #:use-module ((deployment services certbot)
+ #:prefix deployment:services:certbot:)
 #:use-module ((deployment services cgit)
 #:prefix deployment:services:cgit:)
 #:use-module ((deployment services databases)
 #:prefix deployment:services:databases:)
- #:use-module ((deployment services web)
- #:prefix deployment:services:web:)
 #:use-module ((deployment services dns)
 #:prefix deployment:services:dns:)
+ #:use-module ((deployment services web)
+ #:prefix deployment:services:web:)
 #:use-module ((deployment services matrix)
 #:prefix deployment:services:matrix:)
 #:use-module ((deployment system aisaka)
@@ -93,7 +95,7 @@
 (locale-libcs gnu:system:locale:%default-locale-libcs)
 (name-service-switch gnu:system:nss:%default-nss)
 (essential-services (gnu:system:operating-system-default-essential-services gnu:system:this-operating-system))
- (services (cons* deployment:services:web:aisaka-certbot-service
+ (services (cons* deployment:services:certbot:aisaka-certbot-service
 deployment:services:cgit:aisaka-cgit-service
 users:id1000:dkim-service
 users:id1000:dovecot-service
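Review bot: The relocated `(deployment services web)` import now sits between `dns` and `matrix`, which breaks the alphabetical order the surrounding `(deployment services …)` entries keep (certbot, cgit, databases, dns, matrix); if the move is meant to sort the list, the pair `#:use-module ((deployment services web)` / `#:prefix deployment:services:web:)` belongs after the `matrix` entry, directly before `(deployment system aisaka)`. The `define-module` form continues outside the hunk, so any later `(deployment services …)` entries are not visible here.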
