From da7ee0fa6680fee7cc1d750252c6bb4ef00595cb Mon Sep 17 00:00:00 2001
From: Marek Paśnikowski
Date: Mon, 20 Apr 2026 17:11:36 +0200
Subject: move system modules to (deployment system) namespace
---
 deployment/system/aisaka.scm | 713 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 713 insertions(+)
 create mode 100644 deployment/system/aisaka.scm
(limited to 'deployment/system/aisaka.scm')
diff --git a/deployment/system/aisaka.scm b/deployment/system/aisaka.scm
new file mode 100644
index 0000000..192982a
--- /dev/null
+++ b/deployment/system/aisaka.scm
@@ -0,0 +1,713 @@
+;;; SPDX-License-Identifier: GPL-3.0-or-later
+;;; SPDX-FileCopyrightText: 2024-2026 Marek Paśnikowski
+
+(define-module (deployment system aisaka)
+ #:use-module (guix gexp)
+ #:use-module ((deployment keys)
+ #:prefix deployment:keys:)
+ #:use-module ((gnu bootloader)
+ #:prefix gnu:bootloader:)
+ #:use-module ((gnu bootloader grub)
+ #:prefix gnu:bootloader:grub:)
+ #:use-module ((gnu packages)
+ #:prefix gnu:packages:)
+ #:use-module ((gnu packages linux)
+ #:prefix gnu:packages:linux:)
+ #:use-module ((gnu packages tls)
+ #:prefix gnu:packages:tls:)
+ #:use-module ((gnu packages version-control)
+ #:prefix gnu:packages:version-control:)
+ #:use-module ((gnu services)
+ #:prefix gnu:services:)
+ #:use-module ((gnu services base)
+ #:prefix gnu:services:base:)
+ #:use-module ((gnu services certbot)
+ #:prefix gnu:services:certbot:)
+ #:use-module ((gnu services cgit)
+ #:prefix gnu:services:cgit:)
+ #:use-module ((gnu services dns)
+ #:prefix gnu:services:dns:)
+ #:use-module ((gnu services mail)
+ #:prefix gnu:services:mail:)
+ #:use-module ((gnu services networking)
+ #:prefix gnu:services:networking:)
+ #:use-module ((gnu services shepherd)
+ #:prefix gnu:services:shepherd:)
+ #:use-module ((gnu services version-control)
+ #:prefix gnu:services:version-control:)
+ #:use-module ((gnu services web)
+ #:prefix gnu:services:web:)
+ #:use-module ((gnu system)
+ #:prefix gnu:system:)
+ #:use-module ((gnu system accounts)
+ #:prefix gnu:system:accounts:)
+ #:use-module ((gnu system file-systems)
+ #:prefix gnu:system:file-systems:)
+ #:use-module ((gnu system keyboard)
+ #:prefix gnu:system:keyboard:)
+ #:use-module ((gnu system linux-initrd)
+ #:prefix gnu:system:linux-initrd:)
+ #:use-module ((gnu system locale)
+ #:prefix gnu:system:locale:)
+ #:use-module ((gnu packages matrix)
+ #:prefix gnu:packages:matrix:)
+ #:use-module ((gnu system nss)
+ #:prefix gnu:system:nss:)
+ #:use-module ((gnu system pam)
+ #:prefix gnu:system:pam:)
+ #:use-module ((gnu system shadow)
+ #:prefix gnu:system:shadow:)
+ #:use-module ((guix diagnostics)
+ #:prefix guix:diagnostics:)
+ #:use-module ((nongnu packages linux)
+ #:prefix nongnu:packages:linux:)
+ #:use-module ((nongnu system linux-initrd)
+ #:prefix nongnu:system:linux-initrd:)
+ #:use-module ((sovereign devices)
+ #:prefix sovereign:devices:)
+ #:use-module ((sovereign devices amd64)
+ #:prefix sovereign:devices:amd64:)
+ #:use-module ((sovereign packages jekyll)
+ #:prefix sovereign:packages:jekyll:)
+ #:use-module ((sovereign services)
+ #:prefix sovereign:services:)
+ #:use-module ((sovereign systems)
+ #:prefix sovereign:systems:)
+ #:use-module ((users id1000)
+ #:prefix users:id1000:)
+ #:use-module ((users vmail)
+ #:prefix users:vmail:))
+
+(define-public architecture "x86_64-linux")
+
+(define-public system-name "aisaka")
+
+(define ip-multimedia "81.190.248.246")
+
+(define ip-otvarta "95.171.119.109")
+
+(define spf-value
+ (string-append "\"v=spf1 ip4:"
+ ip-otvarta
+ " -all\""))
+
+(define ttl "3600")
+
+(gnu:services:dns:define-zone-entries
+ marekpasnikowski.pl-entries
+ ("@" ttl "IN" "A" ip-otvarta)
+ ("2" ttl "IN" "A" ip-otvarta)
+ ("ns1" ttl "IN" "A" ip-otvarta)
+ ("@" ttl "IN" "NS" "ns1.marekpasnikowski.pl.")
+ ("@" ttl "IN" "A" ip-multimedia)
+ ("1" ttl "IN" "A" ip-multimedia)
+ ("ns2" ttl "IN" "A" ip-multimedia)
+ ("@" ttl "IN" "NS" "ns2.marekpasnikowski.pl.")
+ ("@" ttl "IN" "MX" "10 marekpasnikowski.pl.")
+ ("@" ttl "IN" "TXT" spf-value)
+ ("_caldavs._tcp" ttl "IN" "SRV" "10 0 443 radicale.marekpasnikowski.pl")
+ ("_carddavs._tcp" ttl "IN" "SRV" "10 0 443 radicale.marekpasnikowski.pl")
+ ("_dmarc" ttl "IN" "TXT" "\"v=DMARC1; p=reject; sp=reject; pct=100; aspf=s; adkim=s; fo=1; rua=mailto:abuse@marekpasnikowski.pl; ruf=mailto:abuse@marekpasnikowski.pl\"")
+ ("dkim._domainkey" ttl "IN" "TXT" "\"v=DKIM1; d=marekpasnikowski.pl; t=s; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo/b/WV5EUxqAhBgJ4v5K3sP8QI+IwziRJ/F9SDO3p3QOMjZd9AGVt2/AztZ4EmcOJnTlbQnLE/DKCOq4HAdxSZjIqj5AXyMddvWiO78+ugdame/flV0tjdDGNflx65Twap3qgJ9jzhvJfZ1BDuh2WC06fn2pyFl1TCETEGp6ZDkI41FW5GH8l9Jk7hhCmr+Mau0EpE7V42lBdireItOA1e7jQcub50584QATme4rYxA7WR4AeIsknOkUo4q8vkVrssoP11nSg/sNM9RGn1QDfVMJRX0twtgGnJ8N5QE4Ia9DvXL4Y0PNMC0/frp13pB6m1VQP/Z4jfDy+TQzEdSRaQIDAQAB\"")
+ ("git" ttl "IN" "CNAME" "1")
+ ("guix" ttl "IN" "CNAME" "1")
+ ("matrix" ttl "IN" "CNAME" "1")
+ ("radicale" ttl "IN" "CNAME" "1")
+ ("schron" ttl "IN" "CNAME" "1")
+ ("sejf" ttl "IN" "CNAME" "1")
+ ("test" ttl "IN" "CNAME" "1")
+ ("www" ttl "IN" "CNAME" "1"))
+
+(define marekpasnikowski.pl-zone
+ (gnu:services:dns:zone-file
+ (entries marekpasnikowski.pl-entries)
+ (origin "marekpasnikowski.pl")
+ (ns "ns1.marekpasnikowski.pl.")
+ (mail "marek.marekpasnikowski.pl.")
+ (serial 2026042000)))
+
+(define master-zone
+ (gnu:services:dns:knot-zone-configuration
+ (domain "marekpasnikowski.pl")
+ (zone marekpasnikowski.pl-zone)))
+
+(define knot-configuration
+ (gnu:services:dns:knot-configuration
+ (listen-v4 "0.0.0.0")
+ (zones (list master-zone))))
+
+(define-public knot
+ (gnu:services:service
+ gnu:services:dns:knot-service-type
+ knot-configuration))
+
+(define radicale-keys "/secrets/radicale/keys")
+
+(define dovecot-keys "/secrets/dovecot")
+
+(define nginx-account
+ (gnu:system:accounts:user-account
+ (name "nginx")
+ (group "nginx")
+ (supplementary-groups '("git"))
+ (system? #t)
+ (comment "nginx server user")
+ (home-directory "/var/empty")
+ (shell (file-append (gnu:packages:specification->package "shadow")
+ "/sbin/nologin"))))
+
+(define nginx-group
+ (gnu:system:accounts:user-group
+ (name "nginx")
+ (system? #t)))
+
+(define nginx-accounts
+ (let
+ ((accounts- (list nginx-group
+ nginx-account)))
+ (const accounts-)))
+
+(define nginx-extension-of-account
+ (gnu:services:service-extension
+ gnu:system:shadow:account-service-type
+ nginx-accounts))
+
+(define (extend-account extension)
+ (let*
+ ((extension-target- (gnu:services:service-extension-target extension))
+ (account-service-type?- (eq? extension-target-
+ gnu:system:shadow:account-service-type)))
+ (if account-service-type?-
+ nginx-extension-of-account
+ extension)))
+
+(define nginx-service-type*
+ (let
+ ((nginx-extensions- (gnu:services:service-type-extensions gnu:services:web:nginx-service-type)))
+ (gnu:services:service-type
+ (inherit gnu:services:web:nginx-service-type)
+ (extensions (map extend-account
+ nginx-extensions-)))))
+
+(define cgit-repository-configuration
+ (gnu:services:cgit:repository-cgit-configuration
+ (hide? #t)
+ (path "/srv/git/marek/packages")))
+
+(define git-http-configuration
+ (gnu:services:version-control:git-http-configuration
+ (git-root "/var/lib/gitolite/repositories")
+ (uri-path "/git")))
+
+(define nginx-extension-of-cgit
+ (gnu:services:service-extension
+ nginx-service-type*
+ gnu:services:cgit:cgit-configuration-nginx-config))
+
+(define (extend-cgit extension)
+ (let*
+ ((extension-target- (gnu:services:service-extension-target extension))
+ (nginx-service-type?- (eq? extension-target-
+ gnu:services:web:nginx-service-type)))
+ (if nginx-service-type?-
+ nginx-extension-of-cgit
+ extension)))
+
+(define cgit-type
+ (let
+ ((cgit-extensions- (gnu:services:service-type-extensions gnu:services:cgit:cgit-service-type)))
+ (gnu:services:service-type
+ (inherit gnu:services:cgit:cgit-service-type)
+ (extensions (map extend-cgit
+ cgit-extensions-)))))
+
+(define nginx-location-cgit
+ (gnu:services:web:nginx-location-configuration
+ (body (list "fastcgi_param HTTP_HOST $server_name ;"
+ "fastcgi_param PATH_INFO $uri ;"
+ "fastcgi_param QUERY_STRING $args ;"
+ "fastcgi_param SCRIPT_FILENAME $document_root/lib/cgit/cgit.cgi ;"
+ "fastcgi_pass 127.0.0.1:9000 ;"))
+ (uri "@cgit")))
+
+(define nginx-location-proxy-guix
+ (gnu:services:web:nginx-location-configuration
+ (body (list "proxy_pass http://localhost:5232/ ;"
+ "proxy_set_header X-Script-Name \"\" ;"
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;"
+ "proxy_set_header Host $http_host ;"
+ "proxy_pass_header Authorization ;"))
+ (uri "/")))
+
+(define nginx-location-proxy-matrix
+ (gnu:services:web:nginx-location-configuration
+ (body (list "proxy_pass http://localhost:8008 ;"
+ "proxy_set_header X-Forwarded-For $remote_addr ;"
+ "proxy_set_header X-Forwarded-Proto $scheme ;"
+ "proxy_set_header Host $host:$server_port ;"
+ "client_max_body_size 1024M ;"))
+ (uri "~ ^(/_matrix|/_synapse/client)")))
+
+(define nginx-location-proxy-radicale
+ (gnu:services:web:nginx-location-configuration
+ (body (list "proxy_pass http://localhost:8080/ ;"
+ "proxy_set_header X-Script-Name \"\" ;"
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;"
+ "proxy_set_header Host $http_host ;"
+ "proxy_pass_header Authorization ;"))
+ (uri "/")))
+
+(define nginx-location-proxy-auth
+ (gnu:services:web:nginx-location-configuration
+ (body (list "proxy_set_header Host $host;"
+ "proxy_set_header X-Real-IP $remote_addr;"
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"
+ "proxy_set_header X-Forwarded-Proto $scheme;"
+ "if ($ssl_client_verify != SUCCESS) {return 403;}"))
+ (uri "/")))
+
+(define nginx-location-well-known
+ (gnu:services:web:nginx-location-configuration
+ (body (list "root /srv/www/marek/marekpasnikowski.pl ;"))
+ (uri "/.well-known")))
+
+(define nginx-location-well-known-matrix-client
+ (gnu:services:web:nginx-location-configuration
+ (body (list "return 200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.marekpasnikowski.pl\"}}' ;"
+ "default_type application/json ;"
+ "add_header Access-Control-Allow-Origin * ;"))
+ (uri "/.well-known/matrix/client")))
+
+(define nginx-server-cgit
+ (let
+ ((git-http- (gnu:services:version-control:git-http-nginx-location-configuration git-http-configuration)))
+ (gnu:services:web:nginx-server-configuration
+ (locations (list git-http-
+ nginx-location-cgit
+ nginx-location-well-known))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root gnu:packages:version-control:cgit)
+ (server-name (list "git.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
+ (try-files (list "$uri" "@cgit")))))
+
+(define nginx-server-guix
+ (gnu:services:web:nginx-server-configuration
+ (locations (list nginx-location-proxy-guix))
+ (listen (list "192.168.10.2:443 ssl"))
+ (server-name (list "guix.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")))
+
+(define nginx-server-matrix
+ (gnu:services:web:nginx-server-configuration
+ (locations (list nginx-location-proxy-matrix))
+ (listen (list "192.168.10.2:443 ssl"
+ "192.168.10.2:8448 ssl default_server"))
+ (root (file-append gnu:packages:matrix:synapse
+ "/lib/python3.11/site-packages/synapse/static"))
+ (server-name (list "matrix.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
+ (raw-content (list "proxy_http_version 1.1 ;"))))
+
+(define nginx-server-portal
+ (gnu:services:web:nginx-server-configuration
+ (locations (list nginx-location-well-known
+ nginx-location-well-known-matrix-client))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/www")
+ (server-name (list 'default
+ "marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")))
+
+(define nginx-server-radicale
+ (gnu:services:web:nginx-server-configuration
+ (locations (list nginx-location-proxy-radicale
+ nginx-location-well-known))
+ (listen (list "192.168.10.2:443 ssl"))
+ (server-name (list "radicale.marekpasnikowski.pl"))))
+
+(define nginx-server-schron
+ (gnu:services:web:nginx-server-configuration
+ (locations (list nginx-location-proxy-auth))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/schron")
+ (server-name (list "schron.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
+ (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
+ "ssl_verify_client on;"))))
+
+(define nginx-server-sejf
+ (gnu:services:web:nginx-server-configuration
+ (locations (list nginx-location-proxy-auth))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/sejf")
+ (server-name (list "sejf.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
+ (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
+ "ssl_verify_client on;"))))
+
+(define nginx-server-test
+ (gnu:services:web:nginx-server-configuration
+ (locations (list nginx-location-proxy-auth))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/schron")
+ (server-name (list "test.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
+ (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
+ "ssl_verify_client on;"))))
+
+(define nginx-server-www
+ (gnu:services:web:nginx-server-configuration
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/www")
+ (server-name (list "www.marekpasnikowski.pl"))))
+
+(define cgit-configuration
+ (gnu:services:cgit:cgit-configuration
+ (nginx (list nginx-server-cgit))
+ (repositories (list cgit-repository-configuration))
+ (project-list (list "deployment.git"
+ "nonguix.git"
+ "sovereign.git"))
+ (repository-directory "/var/lib/gitolite/repositories")))
+
+(define nginx-configuration*
+ (gnu:services:web:nginx-configuration
+ (shepherd-requirement (list 'networking))
+ (server-blocks (list nginx-server-portal
+ nginx-server-www
+ nginx-server-guix
+ nginx-server-matrix
+ nginx-server-test
+ nginx-server-schron
+ nginx-server-sejf
+ nginx-server-radicale))))
+
+(define nginx-deploy-hook-file
+ #~(let
+ ((pid (call-with-input-file "/var/run/nginx/pid"
+ read)))
+ (kill pid SIGHUP)))
+
+(define nginx-extension-of-certbot
+ (gnu:services:service-extension
+ nginx-service-type*
+ (@@ (gnu services certbot) certbot-nginx-server-configurations)))
+
+(define (extend-certbot extension)
+ (let*
+ ((extension-target- (gnu:services:service-extension-target extension))
+ (nginx-service-type?- (eq? extension-target-
+ gnu:services:web:nginx-service-type)))
+ (if nginx-service-type?-
+ nginx-extension-of-certbot
+ extension)))
+
+(define certbot-type
+ (let
+ ((certbot-extensions- (gnu:services:service-type-extensions gnu:services:certbot:certbot-service-type)))
+ (gnu:services:service-type
+ (inherit gnu:services:certbot:certbot-service-type)
+ (extensions (map extend-certbot
+ certbot-extensions-)))))
+
+(define certificate-configuration
+ (gnu:services:certbot:certificate-configuration
+ (deploy-hook (program-file "nginx-deploy-hook"
+ nginx-deploy-hook-file))
+ (domains (list "marekpasnikowski.pl"
+ "git.marekpasnikowski.pl"
+ "guix.marekpasnikowski.pl"
+ "matrix.marekpasnikowski.pl"
+ "mx.marekpasnikowski.pl"
+ "radicale.marekpasnikowski.pl"
+ "schron.marekpasnikowski.pl"
+ "sejf.marekpasnikowski.pl"
+ "test.marekpasnikowski.pl"
+ "www.marekpasnikowski.pl"))))
+
+(define certbot-configuration
+ (gnu:services:certbot:certbot-configuration
+ (certificates (list certificate-configuration))
+ (email "marek@marekpasnikowski.pl")
+ (webroot "/srv/www/marek/marekpasnikowski.pl")))
+
+(define-public certbot
+ (gnu:services:service
+ certbot-type
+ certbot-configuration))
+
+(define-public cgit
+ (gnu:services:service
+ cgit-type
+ cgit-configuration))
+
+(define-public etc
+ (let*
+ ((mailname-file- (plain-file "mailname"
+ "marekpasnikowski.pl\n"))
+ (mailname-link- (list "mailname"
+ mailname-file-))
+ (etc-links- (list mailname-link-)))
+ (gnu:services:simple-service 'etc-files
+ gnu:services:etc-service-type
+ etc-links-)))
+
+(define fcgiwrap-configuration
+ (gnu:services:web:fcgiwrap-configuration
+ (user "git")
+ (group "git")))
+
+(define-public fcgiwrap
+ (gnu:services:service
+ gnu:services:web:fcgiwrap-service-type
+ fcgiwrap-configuration))
+
+(define-public file-system-efi
+ (gnu:system:file-systems:file-system
+ (device (gnu:system:file-systems:file-system-label "AISAKA"))
+ (mount-point "/boot")
+ (type "vfat")
+ (flags (list))
+ (options #f)
+ (mount? #t)
+ (mount-may-fail? #t)
+ (needed-for-boot? #f)
+ (check? #t)
+ (skip-check-if-clean? #f)
+ (repair 'preen)
+ (create-mount-point? #f)
+ (dependencies (list))
+ (shepherd-requirements (list))
+ (location (current-source-location))))
+
+(define-public file-system-root
+ (gnu:system:file-systems:file-system
+ (device (gnu:system:file-systems:file-system-label "aisaka-root"))
+ (mount-point "/")
+ (type "ext4")
+ (flags (list))
+ (options #f)
+ (mount? #t)
+ (mount-may-fail? #f)
+ (needed-for-boot? #t)
+ (check? #t)
+ (skip-check-if-clean? #f)
+ (repair 'preen)
+ (create-mount-point? #f)
+ (dependencies (list))
+ (shepherd-requirements (list))
+ (location (current-source-location))))
+
+(define gitolite-rc-file
+ (gnu:services:version-control:gitolite-rc-file
+ (umask #o0027)))
+
+(define gitolite-configuration
+ (gnu:services:version-control:gitolite-configuration
+ (rc-file gitolite-rc-file)
+ (admin-pubkey #f)))
+
+(define-public gitolite
+ (gnu:services:service
+ gnu:services:version-control:gitolite-service-type
+ gitolite-configuration))
+
+(define-public system-keyboard-layout
+ (gnu:system:keyboard:keyboard-layout "pl"))
+
+(define-public nginx
+ (gnu:services:service
+ nginx-service-type*
+ nginx-configuration*))
+
+(define rakan-machine
+ #~(build-machine
+ (name "rakan")
+ (systems (list "x86_64-linux"
+ "i686-linux"))
+ (user "marek")
+ (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFxlIhNlkWCNA+l/RiOJztB+VWhuJtDTUvSwwlE3MpgJ root@rakan")
+ (private-key "/home/marek/.ssh/id_ed25519")))
+
+(define guix-offload-rakan
+ (gnu:services:base:guix-extension
+ (authorized-keys (list deployment:keys:akashi-guix
+ deployment:keys:rakan-guix))
+ (build-machines (list rakan-machine))))
+
+(define-public offload-rakan
+ (gnu:services:simple-service 'offload-rakan
+ gnu:services:base:guix-service-type
+ guix-offload-rakan))
+
+(define radicale-auth-configuration
+ (gnu:services:mail:radicale-auth-configuration
+ (type 'htpasswd)
+ (htpasswd-filename radicale-keys)
+ (htpasswd-encryption 'plain)))
+
+(define radicale-storage-configuration
+ (gnu:services:mail:radicale-storage-configuration
+ (filesystem-folder "/data/radicale/collections")))
+
+(define radicale-configuration
+ (gnu:services:mail:radicale-configuration
+ (auth radicale-auth-configuration)
+ (storage radicale-storage-configuration)))
+
+(define-public radicale
+ (gnu:services:service
+ gnu:services:mail:radicale-service-type
+ radicale-configuration))
+
+(define enp1s0-address-4
+ (gnu:services:base:network-address
+ (device "enp1s0")
+ (value "192.168.10.2/24")
+ (ipv6? #f)))
+
+(define enp2s0-address-4
+ (gnu:services:base:network-address
+ (device "enp2s0")
+ (value "192.168.1.2/24")
+ (ipv6? #f)))
+
+(define enp1s0-route-4-default
+ (gnu:services:base:network-route
+ (destination "default")
+ (source #f)
+ (device #f)
+ (ipv6? #f)
+ (gateway "192.168.10.1")))
+
+(define network-hardware
+ (gnu:services:base:static-networking
+ (addresses (list enp1s0-address-4
+ enp2s0-address-4))
+ (links (list))
+ (routes (list enp1s0-route-4-default))
+ (name-servers (list "192.168.10.1"
+ "192.168.1.1"))
+ (provision (list 'network-hardware))
+ (requirement (list))))
+
+(define static-networking-configuration
+ (list network-hardware))
+
+(define-public static-networking
+ (gnu:services:service
+ gnu:services:networking:static-networking-service-type
+ static-networking-configuration))
+
+(define ip-command
+ (file-append gnu:packages:linux:iproute
+ "/sbin/ip"))
+
+(define network-enp2s0-route-default
+ (let
+ ((route-default- #~(list #$ip-command
+ "route"
+ "add"
+ "default"
+ "via"
+ "192.168.1.1"
+ "table"
+ "1")))
+ (gnu:services:shepherd:shepherd-service
+ (provision (list 'network-enp2s0-route-default))
+ (requirement (list 'network-enp2s0-table))
+ (one-shot? #t)
+ (respawn? #f)
+ (start #~(make-forkexec-constructor #$route-default-))
+ (stop #~(const #f))
+ (actions (list))
+ (auto-start? #t)
+ (documentation "Sets up a default route for traffic from enp2s0.")
+ (modules gnu:services:shepherd:%default-modules))))
+
+(define network-enp2s0-table
+ (let
+ ((table- #~(list #$ip-command
+ "rule"
+ "add"
+ "from"
+ "192.168.1.2"
+ "table"
+ "1"
+ "prio"
+ "1")))
+ (gnu:services:shepherd:shepherd-service
+ (provision (list 'network-enp2s0-table))
+ (requirement (list 'network-hardware))
+ (one-shot? #t)
+ (respawn? #f)
+ (start #~(make-forkexec-constructor #$table-))
+ (stop #~(const #f))
+ (actions (list))
+ (auto-start? #t)
+ (documentation "Defines a table of rules number 1 for routes through enp2s0.")
+ (modules gnu:services:shepherd:%default-modules))))
+
+(define networking
+ (gnu:services:shepherd:shepherd-service
+ (provision (list 'networking))
+ (requirement (list 'network-enp2s0-table
+ 'network-enp2s0-route-default))
+ (one-shot? #t)
+ (respawn? #f)
+ (start #~(const #t))
+ (stop #~(const #f))
+ (actions (list))
+ (auto-start? #t)
+ (documentation "Defines a graph root of one-shot services to invoke various ip commands.")
+ (modules gnu:services:shepherd:%default-modules)))
+
+(define-public iproute2-networking
+ (let
+ ((extensions- (list network-enp2s0-table
+ network-enp2s0-route-default
+ networking)))
+ (gnu:services:simple-service 'networking
+ gnu:services:shepherd:shepherd-root-service-type
+ extensions-)))
+
+(define swap-device-izumi-1-label
+ (gnu:system:file-systems:file-system-label "izumi-swap-f"))
+
+(define-public %sovereign-services*
+ (gnu:services:modify-services sovereign:systems:%sovereign-services
+ (gnu:services:delete gnu:services:networking:network-manager-service-type)))
+
+(define-public system-bootloader
+ (gnu:bootloader:bootloader-configuration
+ (bootloader gnu:bootloader:grub:grub-efi-bootloader)
+ (targets (list "/boot"))
+ (keyboard-layout sovereign:devices:pl-keyboard-layout)))
+
+(define-public vmail-group
+ (gnu:system:accounts:user-group
+ (name "vmail")
+ (system? #t)))
+
+(define named-home-environments
+ (list users:id1000:named-home-environment))
+
+(define guix-publish-configuration
+ (gnu:services:base:guix-publish-configuration
+ (host "192.168.10.2")
+ (port 8080)
+ (advertise? #t)))
+
+(define-public guix-home-service
+ (sovereign:systems:guix-home-service named-home-environments))
+
+(define-public guix-publish-service
+ (sovereign:services:guix-publish-service guix-publish-configuration))
--
cgit v1.3
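Review bot: The two reverse-proxy locations look cross-wired: `nginx-location-proxy-guix` proxies to `http://localhost:5232/` while `nginx-location-proxy-radicale` proxies to `http://localhost:8080/`, yet `guix-publish-configuration` in this same file binds guix-publish to port 8080, so `radicale.marekpasnikowski.pl` (which the `_caldavs._tcp`/`_carddavs._tcp` SRV records point at) would be forwarded to the substitute server and `guix.marekpasnikowski.pl` to whatever listens on 5232; the `X-Script-Name` and `proxy_pass_header Authorization` directives in the guix block also read like the CalDAV block. Unless the cross-wiring is deliberate, swap the targets: `"proxy_pass http://localhost:8080/ ;"` in the guix location and `"proxy_pass http://localhost:5232/ ;"` in the radicale location. Separately, `radicale-auth-configuration` sets `(htpasswd-encryption 'plain)`, so /secrets/radicale/keys stores cleartext passwords; Radicale accepts hashed htpasswd entries (`bcrypt`), which limits the damage if that file is ever read by the wrong process. Finally, `nginx-server-radicale` and `nginx-server-www` listen on `192.168.10.2:443 ssl` with no `ssl-certificate`/`ssl-certificate-key`, which presumably falls back to the `'default` portal block's certificate under SNI; stating that in a comment, or setting the fields explicitly as the other server blocks do, keeps a later reordering of `server-blocks` from silently changing which certificate those hosts serve.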