From 950b851bfa6a59ea6f59fceefbb2d5e019507824 Mon Sep 17 00:00:00 2001
From: Marek Paśnikowski
Date: Fri, 10 May 2024 10:40:51 +0200
Subject: izumi system-configuration: implement and use nginx service with git group: cgit and gitolite cooperation
---
 systems/izumi/home-configuration.scm | 6 +----
 systems/izumi/izumi.org | 47 ++++++++++++++++++++++++++--------
 systems/izumi/system-configuration.scm | 41 +++++++++++++++++++++++++----
 3 files changed, 74 insertions(+), 20 deletions(-)
diff --git a/systems/izumi/home-configuration.scm b/systems/izumi/home-configuration.scm
index 8f380ce..6b5f47a 100644
--- a/systems/izumi/home-configuration.scm
+++ b/systems/izumi/home-configuration.scm
@@ -158,11 +158,7 @@ "sudo guix system delete-generations 7d ; " "sudo guix system reconfigure " configuration-prefix - "system-configuration.scm " - and - "sudo chmod 751 /var/lib/gitolite " - and - "echo 'WARNING: Upstream the correct permission bits to gitolite.'")) + "system-configuration.scm ")) (update-system (string-append pull-guix
diff --git a/systems/izumi/izumi.org b/systems/izumi/izumi.org
index f61d79e..3d894a1 100644
--- a/systems/izumi/izumi.org
+++ b/systems/izumi/izumi.org
@@ -29,6 +29,28 @@ ( use-service-modules base certbot cgit desktop mail shepherd ssh version-control web xorg ) + (define nginx-accounts + (list (user-group (name "nginx") + (system? #t)) + (user-account (name "nginx") + (group "nginx") + (supplementary-groups '("git")) + (system? #t) + (comment "nginx server user") + (home-directory "/var/empty") + (shell (file-append (specification->package "shadow") + "/sbin/nologin"))))) + + (define nginx-service-type* + (service-type (inherit nginx-service-type) + (extensions (map (lambda (extension) + (if (eq? (service-extension-target extension) + account-service-type) + (service-extension account-service-type + (const nginx-accounts)) + extension)) + (service-type-extensions nginx-service-type))))) + (define hosts-izumi (local-file "system-files/hosts")) 
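Review bot: The new `nginx` account is given `(supplementary-groups '("git"))`, which lets the web server process itself read every gitolite repository, although the only reader in this patch that needs group `git` is cgit running under fcgiwrap (`(fcgiwrap-configuration (group "git"))` in the later hunk); if no nginx server block serves repository paths directly, that line can be dropped and the nginx user kept out of the group. `nginx-service-type*` also replaces the upstream account extension wholesale with `(const nginx-accounts)`, so any account or group that `(gnu services web)` adds later is silently lost; the definition deserves a comment such as `;; Shadow nginx-service-type only to add the nginx user to the git group; keep nginx-accounts mirrored on the upstream nginx accounts.` Every service that still extends plain `nginx-service-type` rather than `nginx-service-type*` now targets a type with no instance in this system, so each nginx extender has to be retargeted as the patch does for cgit and certbot, and a missed one will presumably surface as a build-time error rather than a silently dropped server block. The same definitions are added to system-configuration.scm in its `@@ -19,6 +19,28 @@` hunk.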
@@ -546,7 +568,15 @@ #:interface "enp1s0" #:domain "marekpasnikowski.pl" ) ( list - ( service certbot-service-type + (service (service-type (inherit certbot-service-type) + (extensions (map (lambda (extension) + (if (eq? (service-extension-target extension) + nginx-service-type) + (service-extension nginx-service-type* + (@@ (gnu services certbot) + certbot-nginx-server-configurations)) + extension)) + (service-type-extensions certbot-service-type)))) ( certbot-configuration ( certificates ( list
@@ -569,7 +599,7 @@ (extensions (map (lambda (extension) (if (eq? (service-extension-target extension) nginx-service-type) - (service-extension nginx-service-type + (service-extension nginx-service-type* cgit-configuration-nginx-config) extension)) (service-type-extensions cgit-service-type))))
@@ -609,14 +639,15 @@ ( hide? #t ) ( path "/srv/git/marek/packages" ) ) ) ) ( repository-directory "/var/lib/gitolite/repositories" ) ) ) - ( service fcgiwrap-service-type ) + (service fcgiwrap-service-type + (fcgiwrap-configuration (group "git"))) ( service gitolite-service-type ( gitolite-configuration - ( rc-file ( gitolite-rc-file ( umask #o0022 ) ) ) + ( rc-file ( gitolite-rc-file ( umask #o0027 ) ) ) ( admin-pubkey ( plain-file "gitolite-admin.pub" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK4THTYnHCc/ihCJNKJtGTNu1zCnLndbMHnxnrxzJk+N marek@izumi\n") ) ) ) ( service gnome-desktop-service-type ) - ( service nginx-service-type + (service nginx-service-type* ( nginx-configuration ( server-blocks ( list
@@ -851,11 +882,7 @@ "sudo guix system delete-generations 7d ; " "sudo guix system reconfigure " configuration-prefix - "system-configuration.scm " - and - "sudo chmod 751 /var/lib/gitolite " - and - "echo 'WARNING: Upstream the correct permission bits to gitolite.'")) + "system-configuration.scm ")) (update-system (string-append pull-guix
diff --git a/systems/izumi/system-configuration.scm b/systems/izumi/system-configuration.scm
index ec8bc29..ad99c80 100644
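Review bot: `(@@ (gnu services certbot) certbot-nginx-server-configurations)` reaches into a non-exported binding of the certbot module, so any rename or refactor of that module in a Guix update breaks `guix system reconfigure` for this host without any deprecation path through the exported API; the override exists only to retarget certbot's nginx extension at `nginx-service-type*`. A one-line comment on the `service-type` form, `;; Retarget certbot's nginx extension at nginx-service-type*; @@ is needed because the extension value is not exported.`, would tell a future reader why a private binding is referenced, and recording the channel commit this was tested against would make the fragility explicit. The cgit hunk that follows and the system-configuration.scm hunks at `@@ -536,7 +558,15 @@` and `@@ -559,7 +589,7 @@` carry the same change.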
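Review bot: Running fcgiwrap under group `git` together with `(umask #o0027)` makes every gitolite repository group-readable to cgit, so the web side no longer inherits any of gitolite's per-repository access rules; the `( hide? #t )` entries visible in the context only omit a repository from cgit's index rather than refusing it by URL, so the cgit repository list is now the sole control over what is published and should contain only repositories meant to be public. The umask change affects only what gitolite creates from now on; files written under the earlier `#o0022` keep their current mode, including other-readability, and the dropped `sudo chmod 751 /var/lib/gitolite` workaround suggests the gitolite home directory itself needed group traversal, so after the first reconfigure it is worth confirming that `/var/lib/gitolite` and the existing repositories are group-traversable for `git` and not readable by others. The same change is in system-configuration.scm at `@@ -599,14 +629,15 @@`.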
--- a/systems/izumi/system-configuration.scm
+++ b/systems/izumi/system-configuration.scm
@@ -19,6 +19,28 @@ ( use-service-modules base certbot cgit desktop mail shepherd ssh version-control web xorg ) +(define nginx-accounts + (list (user-group (name "nginx") + (system? #t)) + (user-account (name "nginx") + (group "nginx") + (supplementary-groups '("git")) + (system? #t) + (comment "nginx server user") + (home-directory "/var/empty") + (shell (file-append (specification->package "shadow") + "/sbin/nologin"))))) + +(define nginx-service-type* + (service-type (inherit nginx-service-type) + (extensions (map (lambda (extension) + (if (eq? (service-extension-target extension) + account-service-type) + (service-extension account-service-type + (const nginx-accounts)) + extension)) + (service-type-extensions nginx-service-type))))) + (define hosts-izumi (local-file "system-files/hosts"))
@@ -536,7 +558,15 @@ #:interface "enp1s0" #:domain "marekpasnikowski.pl" ) ( list - ( service certbot-service-type + (service (service-type (inherit certbot-service-type) + (extensions (map (lambda (extension) + (if (eq? (service-extension-target extension) + nginx-service-type) + (service-extension nginx-service-type* + (@@ (gnu services certbot) + certbot-nginx-server-configurations)) + extension)) + (service-type-extensions certbot-service-type)))) ( certbot-configuration ( certificates ( list
@@ -559,7 +589,7 @@ (extensions (map (lambda (extension) (if (eq? (service-extension-target extension) nginx-service-type) - (service-extension nginx-service-type + (service-extension nginx-service-type* cgit-configuration-nginx-config) extension)) (service-type-extensions cgit-service-type)))) 
@@ -599,14 +629,15 @@ ( hide? #t ) ( path "/srv/git/marek/packages" ) ) ) ) ( repository-directory "/var/lib/gitolite/repositories" ) ) ) - ( service fcgiwrap-service-type ) + (service fcgiwrap-service-type + (fcgiwrap-configuration (group "git"))) ( service gitolite-service-type ( gitolite-configuration - ( rc-file ( gitolite-rc-file ( umask #o0022 ) ) ) + ( rc-file ( gitolite-rc-file ( umask #o0027 ) ) ) ( admin-pubkey ( plain-file "gitolite-admin.pub" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK4THTYnHCc/ihCJNKJtGTNu1zCnLndbMHnxnrxzJk+N marek@izumi\n") ) ) ) ( service gnome-desktop-service-type ) - ( service nginx-service-type + (service nginx-service-type* ( nginx-configuration ( server-blocks ( list -- cgit v1.2.3