From da7ee0fa6680fee7cc1d750252c6bb4ef00595cb Mon Sep 17 00:00:00 2001 From: Marek Paśnikowski Date: Mon, 20 Apr 2026 17:11:36 +0200 Subject: move system modules to (deployment system) namespace --- deployment/machine/ssh.scm | 16 +- deployment/system.scm | 76 ++-- deployment/system/aisaka.scm | 713 +++++++++++++++++++++++++++++++++++++ deployment/system/akashi.scm | 125 +++++++ deployment/system/asakura.scm | 132 +++++++ deployment/system/cokolwiek.scm | 105 ++++++ deployment/system/git-ignore.conf | 48 +++ deployment/system/gitconfig | 10 + deployment/system/mcdowell.scm | 121 +++++++ deployment/system/rakan.scm | 247 +++++++++++++ deployment/systems/aisaka.scm | 713 ------------------------------------- deployment/systems/akashi.scm | 125 ------- deployment/systems/asakura.scm | 132 ------- deployment/systems/cokolwiek.scm | 105 ------ deployment/systems/git-ignore.conf | 48 --- deployment/systems/gitconfig | 10 - deployment/systems/mcdowell.scm | 121 ------- deployment/systems/rakan.scm | 247 ------------- 18 files changed, 1547 insertions(+), 1547 deletions(-) create mode 100644 deployment/system/aisaka.scm create mode 100644 deployment/system/akashi.scm create mode 100644 deployment/system/asakura.scm create mode 100644 deployment/system/cokolwiek.scm create mode 100644 deployment/system/git-ignore.conf create mode 100644 deployment/system/gitconfig create mode 100644 deployment/system/mcdowell.scm create mode 100644 deployment/system/rakan.scm delete mode 100644 deployment/systems/aisaka.scm delete mode 100644 deployment/systems/akashi.scm delete mode 100644 deployment/systems/asakura.scm delete mode 100644 deployment/systems/cokolwiek.scm delete mode 100644 deployment/systems/git-ignore.conf delete mode 100644 deployment/systems/gitconfig delete mode 100644 deployment/systems/mcdowell.scm delete mode 100644 deployment/systems/rakan.scm (limited to 'deployment') 
diff --git a/deployment/machine/ssh.scm b/deployment/machine/ssh.scm
index edeeffd..d6294f0 100644
--- a/deployment/machine/ssh.scm
+++ b/deployment/machine/ssh.scm
@@ -1,8 +1,8 @@
 (define-module (deployment machine ssh)
- #:use-module ((deployment systems aisaka)
- #:prefix deployment:systems:aisaka:)
- #:use-module ((deployment systems akashi)
- #:prefix deployment:systems:akashi:)
+ #:use-module ((deployment system aisaka)
+ #:prefix deployment:system:aisaka:)
+ #:use-module ((deployment system akashi)
+ #:prefix deployment:system:akashi:)
 #:use-module ((gnu machine ssh)
 #:prefix gnu:machine:ssh:))
@@ -12,8 +12,8 @@
 (define-public aisaka-configuration
 (gnu:machine:ssh:machine-ssh-configuration
- (host-name deployment:systems:aisaka:system-name)
- (system deployment:systems:aisaka:architecture)
+ (host-name deployment:system:aisaka:system-name)
+ (system deployment:system:aisaka:architecture)
 (build-locally? #t)
 (authorize? #t)
 (allow-downgrades? #f)
@@ -27,8 +27,8 @@
 (define-public akashi-configuration
 (gnu:machine:ssh:machine-ssh-configuration
- (host-name deployment:systems:akashi:system-name)
- (system deployment:systems:akashi:architecture)
+ (host-name deployment:system:akashi:system-name)
+ (system deployment:system:akashi:architecture)
 (build-locally? #t)
 (authorize? #t)
 (allow-downgrades? #f)
diff --git a/deployment/system.scm b/deployment/system.scm
index 66cda59..bd09e44 100644
--- a/deployment/system.scm
+++ b/deployment/system.scm
@@ -3,18 +3,18 @@
 #:prefix deployment:services:databases:)
 #:use-module ((deployment services matrix)
 #:prefix deployment:services:matrix:)
- #:use-module ((deployment systems aisaka)
- #:prefix deployment:systems:aisaka:)
- #:use-module ((deployment systems akashi)
- #:prefix deployment:systems:akashi:)
- #:use-module ((deployment systems asakura)
- #:prefix deployment:systems:asakura:)
- #:use-module ((deployment systems cokolwiek)
- #:prefix deployment:systems:cokolwiek:)
- #:use-module ((deployment systems mcdowell)
- #:prefix deployment:systems:mcdowell:)
- #:use-module ((deployment systems rakan)
- #:prefix deployment:systems:rakan:)
+ #:use-module ((deployment system aisaka)
+ #:prefix deployment:system:aisaka:)
+ #:use-module ((deployment system akashi)
+ #:prefix deployment:system:akashi:)
+ #:use-module ((deployment system asakura)
+ #:prefix deployment:system:asakura:)
+ #:use-module ((deployment system cokolwiek)
+ #:prefix deployment:system:cokolwiek:)
+ #:use-module ((deployment system mcdowell)
+ #:prefix deployment:system:mcdowell:)
+ #:use-module ((deployment system rakan)
+ #:prefix deployment:system:rakan:)
 #:use-module ((gnu packages tls)
 #:prefix gnu:packages:tls:)
 #:use-module ((gnu packages matrix)
@@ -56,24 +56,24 @@
 (kernel-loadable-modules (list))
 (kernel-arguments gnu:system:%default-kernel-arguments)
 (hurd #f)
- (bootloader deployment:systems:aisaka:system-bootloader)
- (label (sovereign:systems:operating-system-label* deployment:systems:aisaka:system-name
+ (bootloader deployment:system:aisaka:system-bootloader)
+ (label (sovereign:systems:operating-system-label* deployment:system:aisaka:system-name
 gnu:system:this-operating-system))
- (keyboard-layout deployment:systems:aisaka:system-keyboard-layout)
+ (keyboard-layout deployment:system:aisaka:system-keyboard-layout)
 (initrd nongnu:system:linux-initrd:microcode-initrd)
 (initrd-modules gnu:system:linux-initrd:%base-initrd-modules)
 (firmware (list nongnu:packages:linux:linux-firmware))
- (host-name deployment:systems:aisaka:system-name)
+ (host-name deployment:system:aisaka:system-name)
 (hosts-file #f)
 (mapped-devices (list))
- (file-systems (cons* deployment:systems:aisaka:file-system-root
- deployment:systems:aisaka:file-system-efi
+ (file-systems (cons* deployment:system:aisaka:file-system-root
+ deployment:system:aisaka:file-system-efi
 gnu:system:file-systems:%base-file-systems))
 (swap-devices (list))
 (users (cons* users:id1000:uid1000-account
 users:vmail:vmail-account
 gnu:system:shadow:%base-user-accounts))
- (groups (cons* deployment:systems:aisaka:vmail-group
+ (groups (cons* deployment:system:aisaka:vmail-group
 gnu:system:shadow:%base-groups))
 (skeletons (gnu:system:shadow:default-skeletons))
 (issue (@@ (gnu system)
@@ -87,25 +87,25 @@
 (locale-libcs gnu:system:locale:%default-locale-libcs)
 (name-service-switch gnu:system:nss:%default-nss)
 (essential-services (gnu:system:operating-system-default-essential-services gnu:system:this-operating-system))
- (services (cons* deployment:systems:aisaka:certbot
- deployment:systems:aisaka:cgit
+ (services (cons* deployment:system:aisaka:certbot
+ deployment:system:aisaka:cgit
 users:id1000:dkim-service
 users:id1000:dovecot-service
- deployment:systems:aisaka:etc
- deployment:systems:aisaka:fcgiwrap
- deployment:systems:aisaka:gitolite
- deployment:systems:aisaka:guix-home-service
- deployment:systems:aisaka:guix-publish-service
- deployment:systems:aisaka:iproute2-networking
- deployment:systems:aisaka:knot
+ deployment:system:aisaka:etc
+ deployment:system:aisaka:fcgiwrap
+ deployment:system:aisaka:gitolite
+ deployment:system:aisaka:guix-home-service
+ deployment:system:aisaka:guix-publish-service
+ deployment:system:aisaka:iproute2-networking
+ deployment:system:aisaka:knot
 deployment:services:matrix:matrix-service-aisaka
- deployment:systems:aisaka:nginx
- deployment:systems:aisaka:offload-rakan
+ deployment:system:aisaka:nginx
+ deployment:system:aisaka:offload-rakan
 deployment:services:databases:matrix-postgresql-service
- deployment:systems:aisaka:radicale
+ deployment:system:aisaka:radicale
 users:id1000:smtp-service
- deployment:systems:aisaka:static-networking
- deployment:systems:aisaka:%sovereign-services*))
+ deployment:system:aisaka:static-networking
+ deployment:system:aisaka:%sovereign-services*))
 (pam-services (gnu:system:pam:base-pam-services))
 (privileged-programs gnu:system:%default-privileged-programs)
 (setuid-programs gnu:system:%setuid-programs)
@@ -113,12 +113,12 @@
 (location (and=> (current-source-location)
 guix:diagnostics:source-properties->location))))
-(define-public akashi deployment:systems:akashi:system)
+(define-public akashi deployment:system:akashi:system)
-(define-public asakura deployment:systems:asakura:system)
+(define-public asakura deployment:system:asakura:system)
-(define-public cokolwiek deployment:systems:cokolwiek:system)
+(define-public cokolwiek deployment:system:cokolwiek:system)
-(define-public mcdowell deployment:systems:mcdowell:system)
+(define-public mcdowell deployment:system:mcdowell:system)
-(define-public rakan deployment:systems:rakan:system)
+(define-public rakan deployment:system:rakan:system)
diff --git a/deployment/system/aisaka.scm b/deployment/system/aisaka.scm
new file mode 100644
index 0000000..192982a
--- /dev/null
+++ b/deployment/system/aisaka.scm
@@ -0,0 +1,713 @@
+;;; SPDX-License-Identifier: GPL-3.0-or-later
+;;; SPDX-FileCopyrightText: 2024-2026 Marek Paśnikowski
+
+(define-module (deployment system aisaka)
+ #:use-module (guix gexp)
+ #:use-module ((deployment keys)
+ #:prefix deployment:keys:)
+ #:use-module ((gnu bootloader)
+ #:prefix gnu:bootloader:)
+ #:use-module ((gnu bootloader grub)
+ #:prefix gnu:bootloader:grub:)
+ #:use-module ((gnu packages)
+ #:prefix gnu:packages:)
+ #:use-module ((gnu packages linux)
+ #:prefix gnu:packages:linux:)
+ #:use-module ((gnu packages tls)
+ #:prefix gnu:packages:tls:)
+ #:use-module ((gnu packages version-control)
+ #:prefix gnu:packages:version-control:)
+ #:use-module ((gnu services)
+ #:prefix gnu:services:)
+ #:use-module ((gnu services base)
+ #:prefix gnu:services:base:)
+ #:use-module ((gnu services certbot)
+ #:prefix gnu:services:certbot:)
+ #:use-module ((gnu services cgit)
+ #:prefix gnu:services:cgit:)
+ #:use-module ((gnu services dns)
+ #:prefix gnu:services:dns:)
+ #:use-module ((gnu services mail)
+ #:prefix gnu:services:mail:)
+ #:use-module ((gnu services networking)
+ #:prefix gnu:services:networking:)
+ #:use-module ((gnu services shepherd)
+ #:prefix gnu:services:shepherd:)
+ #:use-module ((gnu services version-control)
+ #:prefix gnu:services:version-control:)
+ #:use-module ((gnu services web)
+ #:prefix gnu:services:web:)
+ #:use-module ((gnu system)
+ #:prefix gnu:system:)
+ #:use-module ((gnu system accounts)
+ #:prefix gnu:system:accounts:)
+ #:use-module ((gnu system file-systems)
+ #:prefix gnu:system:file-systems:)
+ #:use-module ((gnu system keyboard)
+ #:prefix gnu:system:keyboard:)
+ #:use-module ((gnu system linux-initrd)
+ #:prefix gnu:system:linux-initrd:)
+ #:use-module ((gnu system locale)
+ #:prefix gnu:system:locale:)
+ #:use-module ((gnu packages matrix)
+ #:prefix gnu:packages:matrix:)
+ #:use-module ((gnu system nss)
+ #:prefix gnu:system:nss:)
+ #:use-module ((gnu system pam)
+ #:prefix gnu:system:pam:)
+ #:use-module ((gnu system shadow)
+ #:prefix gnu:system:shadow:)
+ #:use-module ((guix diagnostics)
+ #:prefix guix:diagnostics:)
+ #:use-module ((nongnu packages linux)
+ #:prefix nongnu:packages:linux:)
+ #:use-module ((nongnu system linux-initrd)
+ #:prefix nongnu:system:linux-initrd:)
+ #:use-module ((sovereign devices)
+ #:prefix sovereign:devices:)
+ #:use-module ((sovereign devices amd64)
+ #:prefix sovereign:devices:amd64:)
+ #:use-module ((sovereign packages jekyll)
+ #:prefix sovereign:packages:jekyll:)
+ #:use-module ((sovereign services)
+ #:prefix sovereign:services:)
+ #:use-module ((sovereign systems)
+ #:prefix sovereign:systems:)
+ #:use-module ((users id1000)
+ #:prefix users:id1000:)
+ #:use-module ((users vmail)
+ #:prefix users:vmail:))
+
+(define-public architecture "x86_64-linux")
+
+(define-public system-name "aisaka")
+
+(define ip-multimedia "81.190.248.246")
+
+(define ip-otvarta "95.171.119.109")
+
+(define spf-value
+ (string-append "\"v=spf1 ip4:"
+ ip-otvarta
+ " -all\""))
+
+(define ttl "3600")
+
+(gnu:services:dns:define-zone-entries
+ marekpasnikowski.pl-entries
+ ("@" ttl "IN" "A" ip-otvarta)
+ ("2" ttl "IN" "A" ip-otvarta)
+ ("ns1" ttl "IN" "A" ip-otvarta)
+ ("@" ttl "IN" "NS" "ns1.marekpasnikowski.pl.")
+ ("@" ttl "IN" "A" ip-multimedia)
+ ("1" ttl "IN" "A" ip-multimedia)
+ ("ns2" ttl "IN" "A" ip-multimedia)
+ ("@" ttl "IN" "NS" "ns2.marekpasnikowski.pl.")
+ ("@" ttl "IN" "MX" "10 marekpasnikowski.pl.")
+ ("@" ttl "IN" "TXT" spf-value)
+ ("_caldavs._tcp" ttl "IN" "SRV" "10 0 443 radicale.marekpasnikowski.pl")
+ ("_carddavs._tcp" ttl "IN" "SRV" "10 0 443 radicale.marekpasnikowski.pl")
+ ("_dmarc" ttl "IN" "TXT" "\"v=DMARC1; p=reject; sp=reject; pct=100; aspf=s; adkim=s; fo=1; rua=mailto:abuse@marekpasnikowski.pl; ruf=mailto:abuse@marekpasnikowski.pl\"")
+ ("dkim._domainkey" ttl "IN" "TXT" "\"v=DKIM1; d=marekpasnikowski.pl; t=s; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo/b/WV5EUxqAhBgJ4v5K3sP8QI+IwziRJ/F9SDO3p3QOMjZd9AGVt2/AztZ4EmcOJnTlbQnLE/DKCOq4HAdxSZjIqj5AXyMddvWiO78+ugdame/flV0tjdDGNflx65Twap3qgJ9jzhvJfZ1BDuh2WC06fn2pyFl1TCETEGp6ZDkI41FW5GH8l9Jk7hhCmr+Mau0EpE7V42lBdireItOA1e7jQcub50584QATme4rYxA7WR4AeIsknOkUo4q8vkVrssoP11nSg/sNM9RGn1QDfVMJRX0twtgGnJ8N5QE4Ia9DvXL4Y0PNMC0/frp13pB6m1VQP/Z4jfDy+TQzEdSRaQIDAQAB\"")
+ ("git" ttl "IN" "CNAME" "1")
+ ("guix" ttl "IN" "CNAME" "1")
+ ("matrix" ttl "IN" "CNAME" "1")
+ ("radicale" ttl "IN" "CNAME" "1")
+ ("schron" ttl "IN" "CNAME" "1")
+ ("sejf" ttl "IN" "CNAME" "1")
+ ("test" ttl "IN" "CNAME" "1")
+ ("www" ttl "IN" "CNAME" "1"))
+
+(define marekpasnikowski.pl-zone
+ (gnu:services:dns:zone-file
+ (entries marekpasnikowski.pl-entries)
+ (origin "marekpasnikowski.pl")
+ (ns "ns1.marekpasnikowski.pl.")
+ (mail "marek.marekpasnikowski.pl.")
+ (serial 2026042000)))
+
+(define master-zone
+ (gnu:services:dns:knot-zone-configuration
+ (domain "marekpasnikowski.pl")
+ (zone marekpasnikowski.pl-zone)))
+
+(define knot-configuration
+ (gnu:services:dns:knot-configuration
+ (listen-v4 "0.0.0.0")
+ (zones (list master-zone))))
+
+(define-public knot
+ (gnu:services:service
+ gnu:services:dns:knot-service-type
+ knot-configuration))
+
+(define radicale-keys "/secrets/radicale/keys")
+
+(define dovecot-keys "/secrets/dovecot")
+
+(define nginx-account
+ (gnu:system:accounts:user-account
+ (name "nginx")
+ (group "nginx")
+ (supplementary-groups '("git"))
+ (system? #t)
+ (comment "nginx server user")
+ (home-directory "/var/empty")
+ (shell (file-append (gnu:packages:specification->package "shadow")
+ "/sbin/nologin"))))
+
+(define nginx-group
+ (gnu:system:accounts:user-group
+ (name "nginx")
+ (system? #t)))
+
+(define nginx-accounts
+ (let
+ ((accounts- (list nginx-group
+ nginx-account)))
+ (const accounts-)))
+
+(define nginx-extension-of-account
+ (gnu:services:service-extension
+ gnu:system:shadow:account-service-type
+ nginx-accounts))
+
+(define (extend-account extension)
+ (let*
+ ((extension-target- (gnu:services:service-extension-target extension))
+ (account-service-type?- (eq? extension-target-
+ gnu:system:shadow:account-service-type)))
+ (if account-service-type?-
+ nginx-extension-of-account
+ extension)))
+
+(define nginx-service-type*
+ (let
+ ((nginx-extensions- (gnu:services:service-type-extensions gnu:services:web:nginx-service-type)))
+ (gnu:services:service-type
+ (inherit gnu:services:web:nginx-service-type)
+ (extensions (map extend-account
+ nginx-extensions-)))))
+
+(define cgit-repository-configuration
+ (gnu:services:cgit:repository-cgit-configuration
+ (hide? #t)
+ (path "/srv/git/marek/packages")))
+
+(define git-http-configuration
+ (gnu:services:version-control:git-http-configuration
+ (git-root "/var/lib/gitolite/repositories")
+ (uri-path "/git")))
+
+(define nginx-extension-of-cgit
+ (gnu:services:service-extension
+ nginx-service-type*
+ gnu:services:cgit:cgit-configuration-nginx-config))
+
+(define (extend-cgit extension)
+ (let*
+ ((extension-target- (gnu:services:service-extension-target extension))
+ (nginx-service-type?- (eq? extension-target-
+ gnu:services:web:nginx-service-type)))
+ (if nginx-service-type?-
+ nginx-extension-of-cgit
+ extension)))
+
+(define cgit-type
+ (let
+ ((cgit-extensions- (gnu:services:service-type-extensions gnu:services:cgit:cgit-service-type)))
+ (gnu:services:service-type
+ (inherit gnu:services:cgit:cgit-service-type)
+ (extensions (map extend-cgit
+ cgit-extensions-)))))
+
+(define nginx-location-cgit
+ (gnu:services:web:nginx-location-configuration
+ (body (list "fastcgi_param HTTP_HOST $server_name ;"
+ "fastcgi_param PATH_INFO $uri ;"
+ "fastcgi_param QUERY_STRING $args ;"
+ "fastcgi_param SCRIPT_FILENAME $document_root/lib/cgit/cgit.cgi ;"
+ "fastcgi_pass 127.0.0.1:9000 ;"))
+ (uri "@cgit")))
+
+(define nginx-location-proxy-guix
+ (gnu:services:web:nginx-location-configuration
+ (body (list "proxy_pass http://localhost:5232/ ;"
+ "proxy_set_header X-Script-Name \"\" ;"
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;"
+ "proxy_set_header Host $http_host ;"
+ "proxy_pass_header Authorization ;"))
+ (uri "/")))
+
+(define nginx-location-proxy-matrix
+ (gnu:services:web:nginx-location-configuration
+ (body (list "proxy_pass http://localhost:8008 ;"
+ "proxy_set_header X-Forwarded-For $remote_addr ;"
+ "proxy_set_header X-Forwarded-Proto $scheme ;"
+ "proxy_set_header Host $host:$server_port ;"
+ "client_max_body_size 1024M ;"))
+ (uri "~ ^(/_matrix|/_synapse/client)")))
+
+(define nginx-location-proxy-radicale
+ (gnu:services:web:nginx-location-configuration
+ (body (list "proxy_pass http://localhost:8080/ ;"
+ "proxy_set_header X-Script-Name \"\" ;"
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;"
+ "proxy_set_header Host $http_host ;"
+ "proxy_pass_header Authorization ;"))
+ (uri "/")))
+
+(define nginx-location-proxy-auth
+ (gnu:services:web:nginx-location-configuration
+ (body (list "proxy_set_header Host $host;"
+ "proxy_set_header X-Real-IP $remote_addr;"
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"
+ "proxy_set_header X-Forwarded-Proto $scheme;"
+ "if ($ssl_client_verify != SUCCESS) {return 403;}"))
+ (uri "/")))
+
+(define nginx-location-well-known
+ (gnu:services:web:nginx-location-configuration
+ (body (list "root /srv/www/marek/marekpasnikowski.pl ;"))
+ (uri "/.well-known")))
+
+(define nginx-location-well-known-matrix-client
+ (gnu:services:web:nginx-location-configuration
+ (body (list "return 200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.marekpasnikowski.pl\"}}' ;"
+ "default_type application/json ;"
+ "add_header Access-Control-Allow-Origin * ;"))
+ (uri "/.well-known/matrix/client")))
+
+(define nginx-server-cgit
+ (let
+ ((git-http- (gnu:services:version-control:git-http-nginx-location-configuration git-http-configuration)))
+ (gnu:services:web:nginx-server-configuration
+ (locations (list git-http-
+ nginx-location-cgit
+ nginx-location-well-known))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root gnu:packages:version-control:cgit)
+ (server-name (list "git.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
+ (try-files (list "$uri" "@cgit")))))
+
+(define nginx-server-guix
+ (gnu:services:web:nginx-server-configuration
+ (locations (list nginx-location-proxy-guix))
+ (listen (list "192.168.10.2:443 ssl"))
+ (server-name (list "guix.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")))
+
+(define nginx-server-matrix
+ (gnu:services:web:nginx-server-configuration
+ (locations (list nginx-location-proxy-matrix))
+ (listen (list "192.168.10.2:443 ssl"
+ "192.168.10.2:8448 ssl default_server"))
+ (root (file-append gnu:packages:matrix:synapse
+ "/lib/python3.11/site-packages/synapse/static"))
+ (server-name (list "matrix.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
+ (raw-content (list "proxy_http_version 1.1 ;"))))
+
+(define nginx-server-portal
+ (gnu:services:web:nginx-server-configuration
+ (locations (list nginx-location-well-known
+ nginx-location-well-known-matrix-client))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/www")
+ (server-name (list 'default
+ "marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")))
+
+(define nginx-server-radicale
+ (gnu:services:web:nginx-server-configuration
+ (locations (list nginx-location-proxy-radicale
+ nginx-location-well-known))
+ (listen (list "192.168.10.2:443 ssl"))
+ (server-name (list "radicale.marekpasnikowski.pl"))))
+
+(define nginx-server-schron
+ (gnu:services:web:nginx-server-configuration
+ (locations (list nginx-location-proxy-auth))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/schron")
+ (server-name (list "schron.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
+ (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
+ "ssl_verify_client on;"))))
+
+(define nginx-server-sejf
+ (gnu:services:web:nginx-server-configuration
+ (locations (list nginx-location-proxy-auth))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/sejf")
+ (server-name (list "sejf.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
+ (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
+ "ssl_verify_client on;"))))
+
+(define nginx-server-test
+ (gnu:services:web:nginx-server-configuration
+ (locations (list nginx-location-proxy-auth))
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/schron")
+ (server-name (list "test.marekpasnikowski.pl"))
+ (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+ (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")
+ (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;"
+ "ssl_verify_client on;"))))
+
+(define nginx-server-www
+ (gnu:services:web:nginx-server-configuration
+ (listen (list "192.168.10.2:443 ssl"))
+ (root "/home/marek/Publiczne/www")
+ (server-name (list "www.marekpasnikowski.pl"))))
+
+(define cgit-configuration
+ (gnu:services:cgit:cgit-configuration
+ (nginx (list nginx-server-cgit))
+ (repositories (list cgit-repository-configuration))
+ (project-list (list "deployment.git"
+ "nonguix.git"
+ "sovereign.git"))
+ (repository-directory "/var/lib/gitolite/repositories")))
+
+(define nginx-configuration*
+ (gnu:services:web:nginx-configuration
+ (shepherd-requirement (list 'networking))
+ (server-blocks (list nginx-server-portal
+ nginx-server-www
+ nginx-server-guix
+ nginx-server-matrix
+ nginx-server-test
+ nginx-server-schron
+ nginx-server-sejf
+ nginx-server-radicale))))
+
+(define nginx-deploy-hook-file
+ #~(let
+ ((pid (call-with-input-file "/var/run/nginx/pid"
+ read)))
+ (kill pid SIGHUP)))
+
+(define nginx-extension-of-certbot
+ (gnu:services:service-extension
+ nginx-service-type*
+ (@@ (gnu services certbot) certbot-nginx-server-configurations)))
+
+(define (extend-certbot extension)
+ (let*
+ ((extension-target- (gnu:services:service-extension-target extension))
+ (nginx-service-type?- (eq? extension-target-
+ gnu:services:web:nginx-service-type)))
+ (if nginx-service-type?-
+ nginx-extension-of-certbot
+ extension)))
+
+(define certbot-type
+ (let
+ ((certbot-extensions- (gnu:services:service-type-extensions gnu:services:certbot:certbot-service-type)))
+ (gnu:services:service-type
+ (inherit gnu:services:certbot:certbot-service-type)
+ (extensions (map extend-certbot
+ certbot-extensions-)))))
+
+(define certificate-configuration
+ (gnu:services:certbot:certificate-configuration
+ (deploy-hook (program-file "nginx-deploy-hook"
+ nginx-deploy-hook-file))
+ (domains (list "marekpasnikowski.pl"
+ "git.marekpasnikowski.pl"
+ "guix.marekpasnikowski.pl"
+ "matrix.marekpasnikowski.pl"
+ "mx.marekpasnikowski.pl"
+ "radicale.marekpasnikowski.pl"
+ "schron.marekpasnikowski.pl"
+ "sejf.marekpasnikowski.pl"
+ "test.marekpasnikowski.pl"
+ "www.marekpasnikowski.pl"))))
+
+(define certbot-configuration
+ (gnu:services:certbot:certbot-configuration
+ (certificates (list certificate-configuration))
+ (email "marek@marekpasnikowski.pl")
+ (webroot "/srv/www/marek/marekpasnikowski.pl")))
+
+(define-public certbot
+ (gnu:services:service
+ certbot-type
+ certbot-configuration))
+
+(define-public cgit
+ (gnu:services:service
+ cgit-type
+ cgit-configuration))
+
+(define-public etc
+ (let*
+ ((mailname-file- (plain-file "mailname"
+ "marekpasnikowski.pl\n"))
+ (mailname-link- (list "mailname"
+ mailname-file-))
+ (etc-links- (list mailname-link-)))
+ (gnu:services:simple-service 'etc-files
+ gnu:services:etc-service-type
+ etc-links-)))
+
+(define fcgiwrap-configuration
+ (gnu:services:web:fcgiwrap-configuration
+ (user "git")
+ (group "git")))
+
+(define-public fcgiwrap
+ (gnu:services:service
+ gnu:services:web:fcgiwrap-service-type
+ fcgiwrap-configuration))
+
+(define-public file-system-efi
+ (gnu:system:file-systems:file-system
+ (device (gnu:system:file-systems:file-system-label "AISAKA"))
+ (mount-point "/boot")
+ (type "vfat")
+ (flags (list))
+ (options #f)
+ (mount? #t)
+ (mount-may-fail? #t)
+ (needed-for-boot? #f)
+ (check? #t)
+ (skip-check-if-clean? #f)
+ (repair 'preen)
+ (create-mount-point? #f)
+ (dependencies (list))
+ (shepherd-requirements (list))
+ (location (current-source-location))))
+
+(define-public file-system-root
+ (gnu:system:file-systems:file-system
+ (device (gnu:system:file-systems:file-system-label "aisaka-root"))
+ (mount-point "/")
+ (type "ext4")
+ (flags (list))
+ (options #f)
+ (mount? #t)
+ (mount-may-fail? #f)
+ (needed-for-boot? #t)
+ (check? #t)
+ (skip-check-if-clean? #f)
+ (repair 'preen)
+ (create-mount-point? #f)
+ (dependencies (list))
+ (shepherd-requirements (list))
+ (location (current-source-location))))
+
+(define gitolite-rc-file
+ (gnu:services:version-control:gitolite-rc-file
+ (umask #o0027)))
+
+(define gitolite-configuration
+ (gnu:services:version-control:gitolite-configuration
+ (rc-file gitolite-rc-file)
+ (admin-pubkey #f)))
+
+(define-public gitolite
+ (gnu:services:service
+ gnu:services:version-control:gitolite-service-type
+ gitolite-configuration))
+
+(define-public system-keyboard-layout
+ (gnu:system:keyboard:keyboard-layout "pl"))
+
+(define-public nginx
+ (gnu:services:service
+ nginx-service-type*
+ nginx-configuration*))
+
+(define rakan-machine
+ #~(build-machine
+ (name "rakan")
+ (systems (list "x86_64-linux"
+ "i686-linux"))
+ (user "marek")
+ (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFxlIhNlkWCNA+l/RiOJztB+VWhuJtDTUvSwwlE3MpgJ root@rakan")
+ (private-key "/home/marek/.ssh/id_ed25519")))
+
+(define guix-offload-rakan
+ (gnu:services:base:guix-extension
+ (authorized-keys (list deployment:keys:akashi-guix
+ deployment:keys:rakan-guix))
+ (build-machines (list rakan-machine))))
+
+(define-public offload-rakan
+ (gnu:services:simple-service 'offload-rakan
+ gnu:services:base:guix-service-type
+ guix-offload-rakan))
+
+(define radicale-auth-configuration
+ (gnu:services:mail:radicale-auth-configuration
+ (type 'htpasswd)
+ (htpasswd-filename radicale-keys)
+ (htpasswd-encryption 'plain)))
+
+(define radicale-storage-configuration
+ (gnu:services:mail:radicale-storage-configuration
+ (filesystem-folder "/data/radicale/collections")))
+
+(define radicale-configuration
+ (gnu:services:mail:radicale-configuration
+ (auth radicale-auth-configuration)
+ (storage radicale-storage-configuration)))
+
+(define-public radicale
+ (gnu:services:service
+ gnu:services:mail:radicale-service-type
+ radicale-configuration))
+
+(define enp1s0-address-4
+ (gnu:services:base:network-address
+ (device "enp1s0")
+ (value "192.168.10.2/24")
+ (ipv6? #f)))
+
+(define enp2s0-address-4
+ (gnu:services:base:network-address
+ (device "enp2s0")
+ (value "192.168.1.2/24")
+ (ipv6? #f)))
+
+(define enp1s0-route-4-default
+ (gnu:services:base:network-route
+ (destination "default")
+ (source #f)
+ (device #f)
+ (ipv6? #f)
+ (gateway "192.168.10.1")))
+
+(define network-hardware
+ (gnu:services:base:static-networking
+ (addresses (list enp1s0-address-4
+ enp2s0-address-4))
+ (links (list))
+ (routes (list enp1s0-route-4-default))
+ (name-servers (list "192.168.10.1"
+ "192.168.1.1"))
+ (provision (list 'network-hardware))
+ (requirement (list))))
+
+(define static-networking-configuration
+ (list network-hardware))
+
+(define-public static-networking
+ (gnu:services:service
+ gnu:services:networking:static-networking-service-type
+ static-networking-configuration))
+
+(define ip-command
+ (file-append gnu:packages:linux:iproute
+ "/sbin/ip"))
+
+(define network-enp2s0-route-default
+ (let
+ ((route-default- #~(list #$ip-command
+ "route"
+ "add"
+ "default"
+ "via"
+ "192.168.1.1"
+ "table"
+ "1")))
+ (gnu:services:shepherd:shepherd-service
+ (provision (list 'network-enp2s0-route-default))
+ (requirement (list 'network-enp2s0-table))
+ (one-shot? #t)
+ (respawn? #f)
+ (start #~(make-forkexec-constructor #$route-default-))
+ (stop #~(const #f))
+ (actions (list))
+ (auto-start? #t)
+ (documentation "Sets up a default route for traffic from enp2s0.")
+ (modules gnu:services:shepherd:%default-modules))))
+
+(define network-enp2s0-table
+ (let
+ ((table- #~(list #$ip-command
+ "rule"
+ "add"
+ "from"
+ "192.168.1.2"
+ "table"
+ "1"
+ "prio"
+ "1")))
+ (gnu:services:shepherd:shepherd-service
+ (provision (list 'network-enp2s0-table))
+ (requirement (list 'network-hardware))
+ (one-shot? #t)
+ (respawn? #f)
+ (start #~(make-forkexec-constructor #$table-))
+ (stop #~(const #f))
+ (actions (list))
+ (auto-start? #t)
+ (documentation "Defines a table of rules number 1 for routes through enp2s0.")
+ (modules gnu:services:shepherd:%default-modules))))
+
+(define networking
+ (gnu:services:shepherd:shepherd-service
+ (provision (list 'networking))
+ (requirement (list 'network-enp2s0-table
+ 'network-enp2s0-route-default))
+ (one-shot? #t)
+ (respawn? #f)
+ (start #~(const #t))
+ (stop #~(const #f))
+ (actions (list))
+ (auto-start? #t)
+ (documentation "Defines a graph root of one-shot services to invoke various ip commands.")
+ (modules gnu:services:shepherd:%default-modules)))
+
+(define-public iproute2-networking
+ (let
+ ((extensions- (list network-enp2s0-table
+ network-enp2s0-route-default
+ networking)))
+ (gnu:services:simple-service 'networking
+ gnu:services:shepherd:shepherd-root-service-type
+ extensions-)))
+
+(define swap-device-izumi-1-label
+ (gnu:system:file-systems:file-system-label "izumi-swap-f"))
+
+(define-public %sovereign-services*
+ (gnu:services:modify-services sovereign:systems:%sovereign-services
+ (gnu:services:delete gnu:services:networking:network-manager-service-type)))
+
+(define-public system-bootloader
+ (gnu:bootloader:bootloader-configuration
+ (bootloader gnu:bootloader:grub:grub-efi-bootloader)
+ (targets (list "/boot"))
+ (keyboard-layout sovereign:devices:pl-keyboard-layout)))
+
+(define-public vmail-group
+ (gnu:system:accounts:user-group
+ (name "vmail")
+ (system? #t)))
+
+(define named-home-environments
+ (list users:id1000:named-home-environment))
+
+(define guix-publish-configuration
+ (gnu:services:base:guix-publish-configuration
+ (host "192.168.10.2")
+ (port 8080)
+ (advertise? #t)))
+
+(define-public guix-home-service
+ (sovereign:systems:guix-home-service named-home-environments))
+
+(define-public guix-publish-service
+ (sovereign:services:guix-publish-service guix-publish-configuration))
diff --git a/deployment/system/akashi.scm b/deployment/system/akashi.scm
new file mode 100644
index 0000000..3b58940
--- /dev/null
+++ b/deployment/system/akashi.scm
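Review bot: `nginx-location-proxy-guix` forwards to `http://localhost:5232/` while `nginx-location-proxy-radicale` forwards to `http://localhost:8080/`; the two bodies are otherwise identical, and `guix-publish-configuration` at the end of this file binds port 8080 on 192.168.10.2 while the radicale service is left at its default listen address, so the two upstream ports look swapped and this is worth confirming before the move is merged, since the file is carried over unchanged. A second visible inconsistency is that `nginx-server-radicale` and `nginx-server-www` listen on `192.168.10.2:443 ssl` but, unlike every other server block here, set no certificate; unless nginx finds one in an enclosing scope those names cannot complete a TLS handshake, and adding `(ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")` and `(ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")` to both blocks would make them match the rest. `(htpasswd-encryption 'plain)` in `radicale-auth-configuration` keeps the radicale credentials in clear text at `/secrets/radicale/keys`, so a leak of that file exposes the passwords directly; a hashed scheme such as bcrypt, if the Guix field accepts it, would limit that exposure. Minor: `dovecot-keys` and `swap-device-izumi-1-label` are defined but never referenced in this file, and the `gnu:packages:tls`, `sovereign:devices:amd64` and `sovereign:packages:jekyll` imports appear unused.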
@@ -0,0 +1,125 @@ +;;; SPDX-License-Identifier: GPL-3.0-or-later +;;; SPDX-FileCopyrightText: 2024-2025 Marek Paśnikowski + +(define-module (deployment system akashi) + #:use-module (guix gexp) + #:use-module (users id1000) + #:use-module ((deployment keys) + #:prefix deployment:keys:) + #:use-module ((gnu packages linux) + #:prefix gnu:packages:linux:) + #:use-module ((gnu services) + #:prefix gnu:services:) + #:use-module ((gnu services base) + #:prefix gnu:services:base:) + #:use-module ((gnu services guix) + #:prefix gnu:services:guix:) + #:use-module ((gnu system) + #:prefix gnu:system:) + #:use-module ((gnu system file-systems) + #:prefix gnu:system:file-systems:) + #:use-module ((gnu system keyboard) + #:prefix gnu:system:keyboard:) + #:use-module ((gnu system linux-initrd) + #:prefix gnu:system:linux-initrd:) + #:use-module ((gnu system locale) + #:prefix gnu:system:locale:) + #:use-module ((gnu system nss) + #:prefix gnu:system:nss:) + #:use-module ((gnu system pam) + #:prefix gnu:system:pam:) + #:use-module ((gnu system shadow) + #:prefix gnu:system:shadow:) + #:use-module ((guix diagnostics) + #:prefix guix:diagnostics:) + #:use-module ((machines thinkpad-x200) + #:prefix machines:thinkpad-x200:) + #:use-module ((sovereign systems) + #:prefix sovereign:systems:)) + +(define-public architecture "x86_64-linux") + +(define-public system-name "akashi") + +(define root-partition + ((@ (gnu system file-systems) file-system) + (mount-point "/") + (device ((@ (gnu system file-systems) file-system-label) "akashi-root")) + (type "ext4"))) + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +(define system-keyboard-layout + (gnu:system:keyboard:keyboard-layout "pl")) + +(define offload-hub + #~(build-machine + (name "www.marekpasnikowski.pl") + (systems (list "x86_64-linux" + "i686-linux")) + (user "marek") + (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM0Eh0q54myeSEironEP9DEKl+ownYuH7oSgAVuLIDNt root@aisaka") + (port 23) + (private-key 
"/home/marek/.ssh/id_ed25519"))) + +(define guix-offload-targets + (gnu:services:base:guix-extension + (authorized-keys (list deployment:keys:aisaka-guix)) + (build-machines (list offload-hub)))) + +(define offload-extension + (gnu:services:simple-service 'offload-extension + gnu:services:base:guix-service-type + guix-offload-targets)) + +(define home-environments + `((,uid1000-name ,uid1000-home-environment))) + +(define guix-home + (gnu:services:service gnu:services:guix:guix-home-service-type + home-environments)) + +(define-public system + (gnu:system:operating-system + (kernel gnu:packages:linux:linux-libre) + (kernel-loadable-modules (list)) + (kernel-arguments (cons* "thinkpad_acpi.fan_control=1" + "thinkpad_acpi.fan='level 7'" + gnu:system:%default-kernel-arguments)) + (hurd #f) + (bootloader (machines:thinkpad-x200:bootloader-configuration* system-keyboard-layout)) + (label (sovereign:systems:operating-system-label* system-name + gnu:system:this-operating-system)) + (keyboard-layout system-keyboard-layout) + (initrd gnu:system:linux-initrd:base-initrd) + (initrd-modules gnu:system:linux-initrd:%base-initrd-modules) + (firmware (list)) + (host-name system-name) + (hosts-file #f) + (mapped-devices (list)) + (file-systems (cons* root-partition + gnu:system:file-systems:%base-file-systems)) + (swap-devices (machines:thinkpad-x200:swap-devices* system-name)) + (users (list uid1000-account)) + (groups gnu:system:shadow:%base-groups) + (skeletons (gnu:system:shadow:default-skeletons)) + (issue (@@ (gnu system) + %default-issue)) + (packages gnu:system:%base-packages) + (timezone "Europe/Warsaw") + (locale sovereign:systems:pl-locale) + (locale-definitions sovereign:systems:%sovereign-locale-definitions) + (locale-libcs gnu:system:locale:%default-locale-libcs) + (name-service-switch gnu:system:nss:%default-nss) + (essential-services (gnu:system:operating-system-default-essential-services gnu:system:this-operating-system)) + (services (cons* guix-home + 
offload-extension
+ sovereign:systems:%sovereign-services))
+ (pam-services (gnu:system:pam:base-pam-services))
+ (privileged-programs gnu:system:%default-privileged-programs)
+ (setuid-programs gnu:system:%setuid-programs)
+ (sudoers-file sovereign:systems:%sovereign-sudoers-specification)
+ (location (and=> (current-source-location)
+ guix:diagnostics:source-properties->location))))
+
+(define-public operating-system* system)
diff --git a/deployment/system/asakura.scm b/deployment/system/asakura.scm
new file mode 100644
index 0000000..b56d77e
--- /dev/null
+++ b/deployment/system/asakura.scm
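Review bot: `root-partition` reaches into `(gnu system file-systems)` with the `(@ ...)` form even though the same module is already imported under the `gnu:system:file-systems:` prefix, so one module is accessed in two styles within the file; `(gnu:system:file-systems:file-system (mount-point "/") (device (gnu:system:file-systems:file-system-label "akashi-root")) (type "ext4"))` keeps it consistent with the `file-systems` field below. Separately, `(users (list uid1000-account))` drops `%base-user-accounts`, whereas rakan, mcdowell and cokolwiek in this same commit cons their account onto `gnu:system:shadow:%base-user-accounts`; if that difference is deliberate, a one-line comment saying so would save the next reader the comparison.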
@@ -0,0 +1,132 @@ +;;; SPDX-License-Identifier: GPL-3.0-or-later +;;; SPDX-FileCopyrightText: 2024-2025 Marek Paśnikowski + +(define-module (deployment system asakura) + #:use-module ((gnu system) #:prefix gnu:system:) + #:use-module ((gnu system file-systems) #:prefix gnu:system:file-systems:) + #:use-module ((gnu system uuid) #:prefix gnu:system:uuid:) + #:use-module ((nongnu packages linux) #:prefix nongnu:packages:linux:) + #:use-module ((nongnu system linux-initrd) #:prefix nongnu:system:linux-initrd:) + #:use-module ((sovereign devices amd64) #:prefix sovereign:devices:amd64:) + #:use-module ((sovereign packages protonmail) #:prefix sovereign:packages:protonmail:) + #:use-module ((sovereign systems) #:prefix sovereign:systems:) + #:use-module ((users id1000) #:prefix users:id1000:)) + +(define efi-filesystem-uuid + (gnu:system:uuid:uuid + "B4FB-CBD9" + 'fat32)) + +(define host-name + "asakura") + +(define (label number) + (gnu:system:file-systems:file-system-label + (string-append host-name + "-swap" + number))) + +(define root-filesystem-uuid + (gnu:system:uuid:uuid + "615a98cd-a632-4ee5-a6f4-e5ebcaa6fb8c")) + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +(define efi-partition + (gnu:system:file-systems:file-system + (mount-point "/boot") + (device efi-filesystem-uuid) + (type "vfat"))) + +(define keyboard-layout + ((@ (gnu system keyboard) keyboard-layout) + "pl")) + +(define (libvirt-service) + (use-modules (gnu services virtualization)) + ((@ (gnu services) service) + libvirt-service-type)) + +(define (virtlog-service) + (use-modules (gnu services virtualization)) + ((@ (gnu services) service) + virtlog-service-type)) + +(define root-partition + (gnu:system:file-systems:file-system + (mount-point "/") + (device root-filesystem-uuid) + (type "ext4"))) + +(define (swap-label number) + (let ((target-label (label number))) + (gnu:system:file-systems:swap-space + (target target-label)))) + +(define (system-packages-service) + 
(use-modules (gnu packages gnupg) + (gnu packages kde-pim) + (gnu services)) + (simple-service 'system-packages + profile-service-type + (list kgpg + pinentry-qt + pinentry-tty))) + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +(define (bootloader) + (use-modules (gnu bootloader grub)) + ((@ (gnu bootloader) bootloader-configuration) + (bootloader grub-efi-bootloader) + (targets (list "/boot")) + (keyboard-layout keyboard-layout))) + +(define (file-systems) + (append gnu:system:file-systems:%base-file-systems + (list root-partition + efi-partition))) + +(define services + (let* + ( (l-guix-homes (list users:id1000:named-home-environment)) + (l-guix-home-service (sovereign:systems:guix-home-service l-guix-homes))) + (append sovereign:systems:%sovereign-services + (list sovereign:packages:protonmail:nogui-profile + l-guix-home-service + (system-packages-service))))) + +(define swap-device-1 + (swap-label "-1")) + +(define swap-device-2 + (swap-label "-2")) + +(define (users) + (use-modules (gnu system accounts)) + (append (@ (gnu system shadow) %base-user-accounts) + (list users:id1000:uid1000-account))) + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +(define-public system + (gnu:system:operating-system + (kernel nongnu:packages:linux:linux) + (bootloader (bootloader)) + (label (sovereign:systems:operating-system-label* host-name + gnu:system:this-operating-system)) + (keyboard-layout keyboard-layout) + (initrd nongnu:system:linux-initrd:microcode-initrd) + (firmware (list nongnu:packages:linux:linux-firmware)) + (host-name host-name) + (file-systems (file-systems)) + (swap-devices (list swap-device-1 + swap-device-2)) + (users (users)) + (timezone "Europe/Warsaw") + (locale sovereign:systems:pl-locale) + (locale-definitions sovereign:systems:%sovereign-locale-definitions) + (services services) + (sudoers-file sovereign:systems:%sovereign-sudoers-specification))) + +(define-public operating-system* system) 
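Review bot: `libvirt-service` and `virtlog-service` are defined but never referenced — `services` appends only the sovereign services, the protonmail profile, the home service and `(system-packages-service)` — so no libvirt service is actually installed on asakura; either add `(libvirt-service)` and `(virtlog-service)` to that list or drop the two definitions. Five procedures here also call `use-modules` inside their bodies (`libvirt-service`, `virtlog-service`, `system-packages-service`, `bootloader`, `users`); `use-modules` is meant for the module top level, and the file already shows the cleaner form in its prefixed `#:use-module` clauses, so lifting those imports into `define-module` would make the access style uniform with the other system files in this commit.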
diff --git a/deployment/system/cokolwiek.scm b/deployment/system/cokolwiek.scm
new file mode 100644
index 0000000..e917851
--- /dev/null
+++ b/deployment/system/cokolwiek.scm
@@ -0,0 +1,105 @@ +;;; SPDX-License-Identifier: GPL-3.0-or-later +;;; SPDX-FileCopyrightText: 2024-2025 Marek Paśnikowski + +(define-module (deployment system cokolwiek) + #:use-module ( (gnu packages package-management) + #:prefix gnu:packages:package-management:) + #:use-module ( (gnu services) + #:prefix gnu:services:) + #:use-module ( (gnu services base) + #:prefix gnu:services:base:) + #:use-module ( (gnu services guix) + #:prefix gnu:services:guix:) + #:use-module ( (gnu system) + #:prefix gnu:system:) + #:use-module ( (gnu system file-systems) + #:prefix gnu:system:file-systems:) + #:use-module ( (gnu system linux-initrd) + #:prefix gnu:system:linux-initrd:) + #:use-module ( (gnu system shadow) + #:prefix gnu:system:shadow:) + #:use-module ( (nongnu packages linux) + #:prefix nongnu:packages:linux:) + #:use-module ( (nongnu system linux-initrd) + #:prefix nongnu:system:linux-initrd:) + #:use-module ( (sovereign channels) + #:prefix sovereign:channels:) + #:use-module ( (sovereign devices) + #:prefix sovereign:devices:) + #:use-module ( (sovereign devices amd64) + #:prefix sovereign:devices:amd64:) + #:use-module ( (sovereign packages protonmail) + #:prefix sovereign:packages:protonmail:) + #:use-module ( (sovereign systems) + #:prefix sovereign:systems:) + #:use-module ( (users id1000) + #:prefix users:id1000:) + #:use-module ( (users id1001) + #:prefix users:id1001:)) + +(define system-name + "cokolwiek") + +(define file-system-efi + (let* + ( (l-system-name (string-upcase system-name)) + (l-device (sovereign:devices:file-system-label l-system-name))) + (gnu:system:file-systems:file-system + (inherit sovereign:devices:file-system/efi) + (device l-device)))) + +(define file-system-root + (let + ( (l-device (sovereign:devices:file-system-label system-name + "root"))) + (gnu:system:file-systems:file-system + (inherit sovereign:devices:file-system/root) + (device l-device)))) + +(define swap + (let + ( (l-target (sovereign:devices:file-system-label system-name 
+ "swap"))) + (gnu:system:file-systems:swap-space + (inherit sovereign:devices:swap/no-trim) + (target l-target)))) + +(define-public system + (let* + ( (l-guix-homes (list users:id1000:named-home-environment + users:id1001:named-home-environment)) + (l-guix-home-service (sovereign:systems:guix-home-service l-guix-homes)) + (l-bootloader (sovereign:devices:amd64:custom-bootloader-configuration system-name)) + (l-file-systems (cons* file-system-root + file-system-efi + gnu:system:file-systems:%base-file-systems)) + (l-firmware (list nongnu:packages:linux:linux-firmware)) + (l-initrd-modules (cons* "mei_me" + gnu:system:linux-initrd:%base-initrd-modules)) + (l-services (cons* l-guix-home-service + sovereign:packages:protonmail:nogui-profile + sovereign:systems:%sovereign-services)) + (l-swap-devices (list swap)) + (l-users (cons* users:id1000:uid1000-account + users:id1001:user-account + gnu:system:shadow:%base-user-accounts))) + (gnu:system:operating-system + (kernel nongnu:packages:linux:linux) + (bootloader l-bootloader) + (label (sovereign:systems:operating-system-label* system-name + gnu:system:this-operating-system)) + (keyboard-layout sovereign:devices:pl-keyboard-layout) + (initrd nongnu:system:linux-initrd:microcode-initrd) + (initrd-modules l-initrd-modules) + (firmware l-firmware) + (host-name system-name) + (file-systems l-file-systems) + (swap-devices l-swap-devices) + (users l-users) + (timezone "Europe/Warsaw") + (locale sovereign:systems:pl-locale) + (locale-definitions sovereign:systems:%sovereign-locale-definitions) + (services l-services) + (sudoers-file sovereign:systems:%sovereign-sudoers-specification)))) + +(define-public operating-system* system) diff --git a/deployment/system/git-ignore.conf b/deployment/system/git-ignore.conf new file mode 100644 index 0000000..98e588f --- /dev/null +++ b/deployment/system/git-ignore.conf 
@@ -0,0 +1,48 @@
+# -*- mode: gitignore; -*-
+*~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+*.elc
+auto-save-list
+tramp
+.\#*
+
+# Org-mode
+.org-id-locations
+*_archive
+
+# flymake-mode
+*_flymake.*
+
+# eshell files
+/eshell/history
+/eshell/lastdir
+
+# elpa packages
+/elpa/
+
+# reftex files
+*.rel
+
+# AUCTeX auto folder
+/auto/
+
+# cask packages
+.cask/
+dist/
+
+# Flycheck
+flycheck_*.el
+
+# server auth directory
+/server/
+
+# projectiles files
+.projectile
+
+# directory configuration
+.dir-locals.el
+
+# network security
+/network-security.data
diff --git a/deployment/system/gitconfig b/deployment/system/gitconfig
new file mode 100644
index 0000000..300f906
--- /dev/null
+++ b/deployment/system/gitconfig
@@ -0,0 +1,10 @@
+[commit]
+ gpgsign = true
+
+[user]
+ email = marek@marekpasnikowski.pl
+ name = Marek Paśnikowski
+ signingkey = 6D81B1207711899F
+
+[push]
+ autoSetupRemote = true
diff --git a/deployment/system/mcdowell.scm b/deployment/system/mcdowell.scm
new file mode 100644
index 0000000..b38aea8
--- /dev/null
+++ b/deployment/system/mcdowell.scm
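Review bot: `signingkey = 6D81B1207711899F` in gitconfig identifies the signing key by its 64-bit long key ID; git passes this value straight to gpg's `--local-user`, which also accepts the full 40-hex-digit fingerprint, and the fingerprint is the unambiguous form should a second key with the same long ID ever land in the keyring. Replacing the value with the key's fingerprint (as printed by `gpg --fingerprint`) costs nothing, and `gpgsign = true` above then always selects exactly the intended key. The fingerprint is not on this page, so the replacement value has to come from the key holder.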
@@ -0,0 +1,121 @@ +;;; SPDX-License-Identifier: GPL-3.0-or-later +;;; SPDX-FileCopyrightText: 2024-2025 Marek Paśnikowski + +(define-module (deployment system mcdowell) + #:use-module ( (deployment keys) + #:prefix deployment:keys:) + #:use-module ( (gnu packages package-management) + #:prefix gnu:packages:package-management:) + #:use-module ( (gnu services) + #:prefix gnu:services:) + #:use-module ( (gnu services base) + #:prefix gnu:services:base:) + #:use-module ( (gnu services guix) + #:prefix gnu:services:guix:) + #:use-module ( (gnu system) + #:prefix gnu:system:) + #:use-module ( (gnu system file-systems) + #:prefix gnu:system:file-systems:) + #:use-module ( (gnu system linux-initrd) + #:prefix gnu:system:linux-initrd:) + #:use-module ( (gnu system shadow) + #:prefix gnu:system:shadow:) + #:use-module ( (nongnu packages linux) + #:prefix nongnu:packages:linux:) + #:use-module ( (nongnu system linux-initrd) + #:prefix nongnu:system:linux-initrd:) + #:use-module ( (sovereign channels) + #:prefix sovereign:channels:) + #:use-module ( (sovereign devices) + #:prefix sovereign:devices:) + #:use-module ( (sovereign devices amd64) + #:prefix sovereign:devices:amd64:) + #:use-module ( (sovereign packages protonmail) + #:prefix sovereign:packages:protonmail:) + #:use-module ( (sovereign systems) + #:prefix sovereign:systems:) + #:use-module ( (users id1000) + #:prefix users:id1000:) + #:use-module (guix gexp)) + +(define system-name + "mcdowell") + +(define file-system-efi + (let* + ( (l-system-name (string-upcase system-name)) + (l-device (sovereign:devices:file-system-label l-system-name))) + (gnu:system:file-systems:file-system + (inherit sovereign:devices:file-system/efi) + (device l-device)))) + +(define file-system-root + (let + ( (l-device (sovereign:devices:file-system-label system-name + "root"))) + (gnu:system:file-systems:file-system + (inherit sovereign:devices:file-system/root) + (device l-device)))) + +(define swap + (let + ( (l-target 
(sovereign:devices:file-system-label system-name + "swap"))) + (gnu:system:file-systems:swap-space + (inherit sovereign:devices:swap/no-trim) + (target l-target)))) + +(define rakan-machine + #~(build-machine + (name "rakan") + (systems (list "x86_64-linux" + "i686-linux")) + (user "marek") + (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFxlIhNlkWCNA+l/RiOJztB+VWhuJtDTUvSwwlE3MpgJ root@mcdowell") + (private-key "/home/marek/.ssh/id_ed25519"))) + +(define guix-offload-rakan + (gnu:services:base:guix-extension + (authorized-keys (list deployment:keys:rakan-guix)) + (build-machines (list rakan-machine)))) + +(define-public system + (let* + ( (l-guix-homes (list users:id1000:named-home-environment)) + (l-guix-home-service (sovereign:systems:guix-home-service l-guix-homes)) + (l-bootloader (sovereign:devices:amd64:custom-bootloader-configuration system-name)) + (l-file-systems (cons* file-system-root + file-system-efi + gnu:system:file-systems:%base-file-systems)) + (l-firmware (list nongnu:packages:linux:linux-firmware)) + (l-initrd-modules (cons* "mei_me" + gnu:system:linux-initrd:%base-initrd-modules)) + (l-services (cons* l-guix-home-service + sovereign:packages:protonmail:nogui-profile + (gnu:services:simple-service 'offload-rakan + gnu:services:base:guix-service-type + guix-offload-rakan) + sovereign:systems:%sovereign-services)) + (l-swap-devices (list swap)) + (l-users (cons* users:id1000:uid1000-account + gnu:system:shadow:%base-user-accounts))) + (gnu:system:operating-system + (kernel nongnu:packages:linux:linux) + (bootloader l-bootloader) + (label (sovereign:systems:operating-system-label* system-name + gnu:system:this-operating-system)) + (keyboard-layout sovereign:devices:pl-keyboard-layout) + (initrd nongnu:system:linux-initrd:microcode-initrd) + (initrd-modules l-initrd-modules) + (firmware l-firmware) + (host-name system-name) + (file-systems l-file-systems) + (swap-devices l-swap-devices) + (users l-users) + (timezone "Europe/Warsaw") + (locale 
sovereign:systems:pl-locale)
+ (locale-definitions sovereign:systems:%sovereign-locale-definitions)
+ (services l-services)
+ (sudoers-file sovereign:systems:%sovereign-sudoers-specification))))
+
+(define-public operating-system* system)
diff --git a/deployment/system/rakan.scm b/deployment/system/rakan.scm
new file mode 100644
index 0000000..9e9d77c
--- /dev/null
+++ b/deployment/system/rakan.scm
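Review bot: The pinned `host-key` in `rakan-machine` ends in the comment `root@mcdowell`, yet the entry names the build machine `rakan`; the comment is not part of the key material, so this may be no more than a stale label, but if the key blob is actually mcdowell's own host key then offloading to rakan will be refused by the daemon's host-key check, and the pin would not be protecting the connection it is meant to protect. It is worth confirming the blob against rakan's `/etc/ssh/ssh_host_ed25519_key.pub` and correcting the comment so the two agree. akashi's `offload-hub` has the same shape (key comment `root@aisaka` for a machine named `www.marekpasnikowski.pl`), though there the name is presumably a DNS alias for aisaka rather than a different host.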
@@ -0,0 +1,247 @@ +;;; SPDX-License-Identifier: GPL-3.0-or-later +;;; SPDX-FileCopyrightText: 2024-2025 Marek Paśnikowski + +(define-module (deployment system rakan) + #:use-module (guix gexp) + #:use-module ( (deployment keys) + #:prefix deployment:keys:) + #:use-module ( (deployment services databases) + #:prefix deployment:services:databases:) + #:use-module ( (deployment services matrix) + #:prefix deployment:services:matrix:) + #:use-module ( (gnu home) + #:prefix gnu:home:) + #:use-module ( (gnu home services) + #:prefix gnu:home:services:) + #:use-module ( (gnu packages mail) + #:prefix gnu:packages:mail:) + #:use-module ( (gnu services) + #:prefix gnu:services:) + #:use-module ( (gnu services base) + #:prefix gnu:services:base:) + #:use-module ( (gnu services guix) + #:prefix gnu:services:guix:) + #:use-module ( (gnu services samba) + #:prefix gnu:services:samba:) + #:use-module ( (gnu system) + #:prefix gnu:system:) + #:use-module ( (gnu system file-systems) + #:prefix gnu:system:file-systems:) + #:use-module ( (gnu system linux-initrd) + #:prefix gnu:system:linux-initrd:) + #:use-module ( (gnu system locale) + #:prefix gnu:system:locale:) + #:use-module ( (gnu system nss) + #:prefix gnu:system:nss:) + #:use-module ( (gnu system pam) + #:prefix gnu:system:pam:) + #:use-module ( (gnu system shadow) + #:prefix gnu:system:shadow:) + #:use-module ( (guix diagnostics) + #:prefix guix:diagnostics:) + #:use-module ( (nongnu packages linux) + #:prefix nongnu:packages:linux:) + #:use-module ( (nongnu system linux-initrd) + #:prefix nongnu:system:linux-initrd:) + #:use-module ( (gnu home-services mail) + #:prefix rde/gnu:home-services:mail:) + #:use-module ( (sovereign devices) + #:prefix sovereign:devices:) + #:use-module ( (sovereign devices amd64) + #:prefix sovereign:devices:amd64:) + #:use-module ( (sovereign packages emacs) + #:prefix sovereign:packages:emacs:) + #:use-module ( (sovereign packages protonmail) + #:prefix sovereign:packages:protonmail:) + 
#:use-module ( (sovereign services) + #:prefix sovereign:services:) + #:use-module ( (sovereign systems) + #:prefix sovereign:systems:) + #:use-module ( (users id1000) + #:prefix users:id1000:)) + +(define system-name + "rakan") + +(define file-system-efi + (let* + ( (l-system-name (string-upcase system-name)) + (l-device (sovereign:devices:file-system-label l-system-name))) + (gnu:system:file-systems:file-system + (inherit sovereign:devices:file-system/efi) + (device l-device)))) + +(define file-system-root + (let + ( (l-device (sovereign:devices:file-system-label system-name + "root"))) + (gnu:system:file-systems:file-system + (inherit sovereign:devices:file-system/root) + (device l-device)))) + +(define swap + (let + ( (l-target (sovereign:devices:file-system-label system-name + "swap"))) + (gnu:system:file-systems:swap-space + (inherit sovereign:devices:swap/no-trim) + (target l-target)))) + +(define guix-offload-authorizations + (gnu:services:base:guix-extension + (authorized-keys (list deployment:keys:aisaka-guix)))) + +(define (l2md-maildir name) + (string-append "~/Publiczne/l2md/" + name)) + +(define l2md-repo-guile-user + (rde/gnu:home-services:mail:l2md-repo + (name "guile-user") + (urls "https://yhetil.org/guile-user/0") + (maildir (l2md-maildir name)) + (pipe "") + (initial-import 0) + (sync-enabled? #t))) + +(define l2md-repo-guix-devel + (rde/gnu:home-services:mail:l2md-repo + (name "guix-devel") + (urls "https://yhetil.org/guix-devel/0") + (maildir (l2md-maildir name)) + (pipe "") + (initial-import 0) + (sync-enabled? #t))) + +(define l2md-repo-guix-user + (rde/gnu:home-services:mail:l2md-repo + (name "guix-user") + (urls "https://yhetil.org/guix-user/0") + (maildir (l2md-maildir name)) + (pipe "") + (initial-import 0) + (sync-enabled? #t))) + +(define l2md-configuration + (rde/gnu:home-services:mail:home-l2md-configuration + (l2md gnu:packages:mail:l2md) + (autostart? 
#t) + (period 180) + (oneshot 0) + (maildir "") + (pipe "") + (base "~/Publiczne/l2md") + (repos (list l2md-repo-guile-user + l2md-repo-guix-devel + l2md-repo-guix-user)))) + +(define home-l2md + (gnu:services:service + rde/gnu:home-services:mail:home-l2md-service-type + l2md-configuration)) + +(define samba-configuration + (gnu:services:samba:samba-configuration + (enable-smbd? #t) + (config-file (mixed-text-file "smb.conf" + "[global]\n" + "map to guest = Bad User\n" + "logging = syslog@1\n" + "\n" + "[public]\n" + "browsable = yes\n" + "path = /tmp\n" + "read only = no\n" + "guest ok = yes\n" + "guest only = yes\n")))) + +(define samba-service + (gnu:services:service + gnu:services:samba:samba-service-type + samba-configuration)) + +(define named-home-environment-1000 + (let + ( (named-home-environment- users:id1000:named-home-environment)) + (let + ( (home-environment- (car (cdr named-home-environment-))) + (name- (car named-home-environment-))) + (let* + ( (services- (gnu:home:home-environment-user-services home-environment-)) + (packages- (gnu:home:home-environment-packages home-environment-)) + (home-environment-* (gnu:home:home-environment + (inherit home-environment-) + (packages packages-) + (services (cons* home-l2md + services-))))) + (list name- + home-environment-*))))) + +(define guix-homes + (list named-home-environment-1000)) + +(define guix-home-service + (sovereign:systems:guix-home-service guix-homes)) + +(define offload-auth + (gnu:services:simple-service 'offload-authorizations + gnu:services:base:guix-service-type + guix-offload-authorizations)) + +(define guix-publish-configuration + (gnu:services:base:guix-publish-configuration + (host "0.0.0.0") + (port 8080) + (advertise? 
#t))) + +(define-public guix-publish-service + (sovereign:services:guix-publish-service guix-publish-configuration)) + +(define-public system + (gnu:system:operating-system + (kernel nongnu:packages:linux:linux) + (kernel-loadable-modules (list)) + (kernel-arguments gnu:system:%default-kernel-arguments) + (hurd #f) + (bootloader (sovereign:devices:amd64:custom-bootloader-configuration system-name)) + (label (sovereign:systems:operating-system-label* system-name + gnu:system:this-operating-system)) + (keyboard-layout sovereign:devices:pl-keyboard-layout) + (initrd nongnu:system:linux-initrd:microcode-initrd) + (initrd-modules (cons* "mei_me" + gnu:system:linux-initrd:%base-initrd-modules)) + (firmware (list nongnu:packages:linux:linux-firmware)) + (host-name system-name) + (hosts-file #f) + (mapped-devices (list)) + (file-systems (cons* file-system-root + file-system-efi + gnu:system:file-systems:%base-file-systems)) + (swap-devices (list swap)) + (users (cons* users:id1000:uid1000-account + gnu:system:shadow:%base-user-accounts)) + (groups gnu:system:shadow:%base-groups) + (skeletons (gnu:system:shadow:default-skeletons)) + (issue (@@ (gnu system) %default-issue)) + (packages gnu:system:%base-packages) + (timezone "Europe/Warsaw") + (locale sovereign:systems:pl-locale) + (locale-definitions sovereign:systems:%sovereign-locale-definitions) + (locale-libcs gnu:system:locale:%default-locale-libcs) + (name-service-switch gnu:system:nss:%default-nss) + (essential-services (gnu:system:operating-system-default-essential-services gnu:system:this-operating-system)) + (services (cons* guix-home-service + guix-publish-service + deployment:services:databases:matrix-postgresql-service + deployment:services:matrix:matrix-service-rakan + sovereign:packages:protonmail:nogui-profile + offload-auth + samba-service + sovereign:systems:%sovereign-services)) + (pam-services (gnu:system:pam:base-pam-services)) + (privileged-programs gnu:system:%default-privileged-programs) + 
(sudoers-file sovereign:systems:%sovereign-sudoers-specification)
+ (location (and=> (current-source-location)
+ guix:diagnostics:source-properties->location))))
+
+(define-public operating-system* system)
diff --git a/deployment/systems/aisaka.scm b/deployment/systems/aisaka.scm
deleted file mode 100644
index da3816c..0000000
--- a/deployment/systems/aisaka.scm
+++ /dev/null
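Review bot: `samba-configuration` publishes an anonymous, writable share (`guest ok = yes`, `read only = no`) whose `path = /tmp` is the system's own temporary directory, and the `[global]` section has no `hosts allow`, `interfaces` or `bind interfaces only` line, so any host that can reach rakan over SMB can create or overwrite files in the directory every local service also uses for scratch files. Pointing the share at a dedicated directory, e.g. `"path = /srv/samba/public\n"` (any empty directory the guest account may write works), and adding `"hosts allow = 192.168.10.0/24\n"` with the actual LAN prefix to `[global]` keeps the guest-only share without exposing /tmp. In the same spirit, `guix-publish-configuration` binds to `"0.0.0.0"` where aisaka's counterpart in this commit binds to `"192.168.10.2"`; if rakan's substitutes are meant for the LAN only, the same interface-scoped address would be consistent.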
@@ -1,713 +0,0 @@ -;;; SPDX-License-Identifier: GPL-3.0-or-later -;;; SPDX-FileCopyrightText: 2024-2026 Marek Paśnikowski - -(define-module (deployment systems aisaka) - #:use-module (guix gexp) - #:use-module ((deployment keys) - #:prefix deployment:keys:) - #:use-module ((gnu bootloader) - #:prefix gnu:bootloader:) - #:use-module ((gnu bootloader grub) - #:prefix gnu:bootloader:grub:) - #:use-module ((gnu packages) - #:prefix gnu:packages:) - #:use-module ((gnu packages linux) - #:prefix gnu:packages:linux:) - #:use-module ((gnu packages tls) - #:prefix gnu:packages:tls:) - #:use-module ((gnu packages version-control) - #:prefix gnu:packages:version-control:) - #:use-module ((gnu services) - #:prefix gnu:services:) - #:use-module ((gnu services base) - #:prefix gnu:services:base:) - #:use-module ((gnu services certbot) - #:prefix gnu:services:certbot:) - #:use-module ((gnu services cgit) - #:prefix gnu:services:cgit:) - #:use-module ((gnu services dns) - #:prefix gnu:services:dns:) - #:use-module ((gnu services mail) - #:prefix gnu:services:mail:) - #:use-module ((gnu services networking) - #:prefix gnu:services:networking:) - #:use-module ((gnu services shepherd) - #:prefix gnu:services:shepherd:) - #:use-module ((gnu services version-control) - #:prefix gnu:services:version-control:) - #:use-module ((gnu services web) - #:prefix gnu:services:web:) - #:use-module ((gnu system) - #:prefix gnu:system:) - #:use-module ((gnu system accounts) - #:prefix gnu:system:accounts:) - #:use-module ((gnu system file-systems) - #:prefix gnu:system:file-systems:) - #:use-module ((gnu system keyboard) - #:prefix gnu:system:keyboard:) - #:use-module ((gnu system linux-initrd) - #:prefix gnu:system:linux-initrd:) - #:use-module ((gnu system locale) - #:prefix gnu:system:locale:) - #:use-module ((gnu packages matrix) - #:prefix gnu:packages:matrix:) - #:use-module ((gnu system nss) - #:prefix gnu:system:nss:) - #:use-module ((gnu system pam) - #:prefix gnu:system:pam:) - 
#:use-module ((gnu system shadow) - #:prefix gnu:system:shadow:) - #:use-module ((guix diagnostics) - #:prefix guix:diagnostics:) - #:use-module ((nongnu packages linux) - #:prefix nongnu:packages:linux:) - #:use-module ((nongnu system linux-initrd) - #:prefix nongnu:system:linux-initrd:) - #:use-module ((sovereign devices) - #:prefix sovereign:devices:) - #:use-module ((sovereign devices amd64) - #:prefix sovereign:devices:amd64:) - #:use-module ((sovereign packages jekyll) - #:prefix sovereign:packages:jekyll:) - #:use-module ((sovereign services) - #:prefix sovereign:services:) - #:use-module ((sovereign systems) - #:prefix sovereign:systems:) - #:use-module ((users id1000) - #:prefix users:id1000:) - #:use-module ((users vmail) - #:prefix users:vmail:)) - -(define-public architecture "x86_64-linux") - -(define-public system-name "aisaka") - -(define ip-multimedia "81.190.248.246") - -(define ip-otvarta "95.171.119.109") - -(define spf-value - (string-append "\"v=spf1 ip4:" - ip-otvarta - " -all\"")) - -(define ttl "3600") - -(gnu:services:dns:define-zone-entries - marekpasnikowski.pl-entries - ("@" ttl "IN" "A" ip-otvarta) - ("2" ttl "IN" "A" ip-otvarta) - ("ns1" ttl "IN" "A" ip-otvarta) - ("@" ttl "IN" "NS" "ns1.marekpasnikowski.pl.") - ("@" ttl "IN" "A" ip-multimedia) - ("1" ttl "IN" "A" ip-multimedia) - ("ns2" ttl "IN" "A" ip-multimedia) - ("@" ttl "IN" "NS" "ns2.marekpasnikowski.pl.") - ("@" ttl "IN" "MX" "10 marekpasnikowski.pl.") - ("@" ttl "IN" "TXT" spf-value) - ("_caldavs._tcp" ttl "IN" "SRV" "10 0 443 radicale.marekpasnikowski.pl") - ("_carddavs._tcp" ttl "IN" "SRV" "10 0 443 radicale.marekpasnikowski.pl") - ("_dmarc" ttl "IN" "TXT" "\"v=DMARC1; p=reject; sp=reject; pct=100; aspf=s; adkim=s; fo=1; rua=mailto:abuse@marekpasnikowski.pl; ruf=mailto:abuse@marekpasnikowski.pl\"") - ("dkim._domainkey" ttl "IN" "TXT" "\"v=DKIM1; d=marekpasnikowski.pl; t=s; k=rsa; 
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo/b/WV5EUxqAhBgJ4v5K3sP8QI+IwziRJ/F9SDO3p3QOMjZd9AGVt2/AztZ4EmcOJnTlbQnLE/DKCOq4HAdxSZjIqj5AXyMddvWiO78+ugdame/flV0tjdDGNflx65Twap3qgJ9jzhvJfZ1BDuh2WC06fn2pyFl1TCETEGp6ZDkI41FW5GH8l9Jk7hhCmr+Mau0EpE7V42lBdireItOA1e7jQcub50584QATme4rYxA7WR4AeIsknOkUo4q8vkVrssoP11nSg/sNM9RGn1QDfVMJRX0twtgGnJ8N5QE4Ia9DvXL4Y0PNMC0/frp13pB6m1VQP/Z4jfDy+TQzEdSRaQIDAQAB\"") - ("git" ttl "IN" "CNAME" "1") - ("guix" ttl "IN" "CNAME" "1") - ("matrix" ttl "IN" "CNAME" "1") - ("radicale" ttl "IN" "CNAME" "1") - ("schron" ttl "IN" "CNAME" "1") - ("sejf" ttl "IN" "CNAME" "1") - ("test" ttl "IN" "CNAME" "1") - ("www" ttl "IN" "CNAME" "1")) - -(define marekpasnikowski.pl-zone - (gnu:services:dns:zone-file - (entries marekpasnikowski.pl-entries) - (origin "marekpasnikowski.pl") - (ns "ns1.marekpasnikowski.pl.") - (mail "marek.marekpasnikowski.pl.") - (serial 2026042000))) - -(define master-zone - (gnu:services:dns:knot-zone-configuration - (domain "marekpasnikowski.pl") - (zone marekpasnikowski.pl-zone))) - -(define knot-configuration - (gnu:services:dns:knot-configuration - (listen-v4 "0.0.0.0") - (zones (list master-zone)))) - -(define-public knot - (gnu:services:service - gnu:services:dns:knot-service-type - knot-configuration)) - -(define radicale-keys "/secrets/radicale/keys") - -(define dovecot-keys "/secrets/dovecot") - -(define nginx-account - (gnu:system:accounts:user-account - (name "nginx") - (group "nginx") - (supplementary-groups '("git")) - (system? #t) - (comment "nginx server user") - (home-directory "/var/empty") - (shell (file-append (gnu:packages:specification->package "shadow") - "/sbin/nologin")))) - -(define nginx-group - (gnu:system:accounts:user-group - (name "nginx") - (system? 
#t))) - -(define nginx-accounts - (let - ((accounts- (list nginx-group - nginx-account))) - (const accounts-))) - -(define nginx-extension-of-account - (gnu:services:service-extension - gnu:system:shadow:account-service-type - nginx-accounts)) - -(define (extend-account extension) - (let* - ((extension-target- (gnu:services:service-extension-target extension)) - (account-service-type?- (eq? extension-target- - gnu:system:shadow:account-service-type))) - (if account-service-type?- - nginx-extension-of-account - extension))) - -(define nginx-service-type* - (let - ((nginx-extensions- (gnu:services:service-type-extensions gnu:services:web:nginx-service-type))) - (gnu:services:service-type - (inherit gnu:services:web:nginx-service-type) - (extensions (map extend-account - nginx-extensions-))))) - -(define cgit-repository-configuration - (gnu:services:cgit:repository-cgit-configuration - (hide? #t) - (path "/srv/git/marek/packages"))) - -(define git-http-configuration - (gnu:services:version-control:git-http-configuration - (git-root "/var/lib/gitolite/repositories") - (uri-path "/git"))) - -(define nginx-extension-of-cgit - (gnu:services:service-extension - nginx-service-type* - gnu:services:cgit:cgit-configuration-nginx-config)) - -(define (extend-cgit extension) - (let* - ((extension-target- (gnu:services:service-extension-target extension)) - (nginx-service-type?- (eq? 
extension-target- - gnu:services:web:nginx-service-type))) - (if nginx-service-type?- - nginx-extension-of-cgit - extension))) - -(define cgit-type - (let - ((cgit-extensions- (gnu:services:service-type-extensions gnu:services:cgit:cgit-service-type))) - (gnu:services:service-type - (inherit gnu:services:cgit:cgit-service-type) - (extensions (map extend-cgit - cgit-extensions-))))) - -(define nginx-location-cgit - (gnu:services:web:nginx-location-configuration - (body (list "fastcgi_param HTTP_HOST $server_name ;" - "fastcgi_param PATH_INFO $uri ;" - "fastcgi_param QUERY_STRING $args ;" - "fastcgi_param SCRIPT_FILENAME $document_root/lib/cgit/cgit.cgi ;" - "fastcgi_pass 127.0.0.1:9000 ;")) - (uri "@cgit"))) - -(define nginx-location-proxy-guix - (gnu:services:web:nginx-location-configuration - (body (list "proxy_pass http://localhost:5232/ ;" - "proxy_set_header X-Script-Name \"\" ;" - "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;" - "proxy_set_header Host $http_host ;" - "proxy_pass_header Authorization ;")) - (uri "/"))) - -(define nginx-location-proxy-matrix - (gnu:services:web:nginx-location-configuration - (body (list "proxy_pass http://localhost:8008 ;" - "proxy_set_header X-Forwarded-For $remote_addr ;" - "proxy_set_header X-Forwarded-Proto $scheme ;" - "proxy_set_header Host $host:$server_port ;" - "client_max_body_size 1024M ;")) - (uri "~ ^(/_matrix|/_synapse/client)"))) - -(define nginx-location-proxy-radicale - (gnu:services:web:nginx-location-configuration - (body (list "proxy_pass http://localhost:8080/ ;" - "proxy_set_header X-Script-Name \"\" ;" - "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;" - "proxy_set_header Host $http_host ;" - "proxy_pass_header Authorization ;")) - (uri "/"))) - -(define nginx-location-proxy-auth - (gnu:services:web:nginx-location-configuration - (body (list "proxy_set_header Host $host;" - "proxy_set_header X-Real-IP $remote_addr;" - "proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for;" - "proxy_set_header X-Forwarded-Proto $scheme;" - "if ($ssl_client_verify != SUCCESS) {return 403;}")) - (uri "/"))) - -(define nginx-location-well-known - (gnu:services:web:nginx-location-configuration - (body (list "root /srv/www/marek/marekpasnikowski.pl ;")) - (uri "/.well-known"))) - -(define nginx-location-well-known-matrix-client - (gnu:services:web:nginx-location-configuration - (body (list "return 200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.marekpasnikowski.pl\"}}' ;" - "default_type application/json ;" - "add_header Access-Control-Allow-Origin * ;")) - (uri "/.well-known/matrix/client"))) - -(define nginx-server-cgit - (let - ((git-http- (gnu:services:version-control:git-http-nginx-location-configuration git-http-configuration))) - (gnu:services:web:nginx-server-configuration - (locations (list git-http- - nginx-location-cgit - nginx-location-well-known)) - (listen (list "192.168.10.2:443 ssl")) - (root gnu:packages:version-control:cgit) - (server-name (list "git.marekpasnikowski.pl")) - (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem") - (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem") - (try-files (list "$uri" "@cgit"))))) - -(define nginx-server-guix - (gnu:services:web:nginx-server-configuration - (locations (list nginx-location-proxy-guix)) - (listen (list "192.168.10.2:443 ssl")) - (server-name (list "guix.marekpasnikowski.pl")) - (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem") - (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem"))) - -(define nginx-server-matrix - (gnu:services:web:nginx-server-configuration - (locations (list nginx-location-proxy-matrix)) - (listen (list "192.168.10.2:443 ssl" - "192.168.10.2:8448 ssl default_server")) - (root (file-append gnu:packages:matrix:synapse - "/lib/python3.11/site-packages/synapse/static")) - (server-name (list "matrix.marekpasnikowski.pl")) - 
(ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem") - (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem") - (raw-content (list "proxy_http_version 1.1 ;")))) - -(define nginx-server-portal - (gnu:services:web:nginx-server-configuration - (locations (list nginx-location-well-known - nginx-location-well-known-matrix-client)) - (listen (list "192.168.10.2:443 ssl")) - (root "/home/marek/Publiczne/www") - (server-name (list 'default - "marekpasnikowski.pl")) - (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem") - (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem"))) - -(define nginx-server-radicale - (gnu:services:web:nginx-server-configuration - (locations (list nginx-location-proxy-radicale - nginx-location-well-known)) - (listen (list "192.168.10.2:443 ssl")) - (server-name (list "radicale.marekpasnikowski.pl")))) - -(define nginx-server-schron - (gnu:services:web:nginx-server-configuration - (locations (list nginx-location-proxy-auth)) - (listen (list "192.168.10.2:443 ssl")) - (root "/home/marek/Publiczne/schron") - (server-name (list "schron.marekpasnikowski.pl")) - (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem") - (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem") - (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;" - "ssl_verify_client on;")))) - -(define nginx-server-sejf - (gnu:services:web:nginx-server-configuration - (locations (list nginx-location-proxy-auth)) - (listen (list "192.168.10.2:443 ssl")) - (root "/home/marek/Publiczne/sejf") - (server-name (list "sejf.marekpasnikowski.pl")) - (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem") - (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem") - (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;" - "ssl_verify_client 
on;")))) - -(define nginx-server-test - (gnu:services:web:nginx-server-configuration - (locations (list nginx-location-proxy-auth)) - (listen (list "192.168.10.2:443 ssl")) - (root "/home/marek/Publiczne/schron") - (server-name (list "test.marekpasnikowski.pl")) - (ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem") - (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem") - (raw-content (list "ssl_client_certificate /secrets/ca/intermediate/certs/ca-chain.cert.pem;" - "ssl_verify_client on;")))) - -(define nginx-server-www - (gnu:services:web:nginx-server-configuration - (listen (list "192.168.10.2:443 ssl")) - (root "/home/marek/Publiczne/www") - (server-name (list "www.marekpasnikowski.pl")))) - -(define cgit-configuration - (gnu:services:cgit:cgit-configuration - (nginx (list nginx-server-cgit)) - (repositories (list cgit-repository-configuration)) - (project-list (list "deployment.git" - "nonguix.git" - "sovereign.git")) - (repository-directory "/var/lib/gitolite/repositories"))) - -(define nginx-configuration* - (gnu:services:web:nginx-configuration - (shepherd-requirement (list 'networking)) - (server-blocks (list nginx-server-portal - nginx-server-www - nginx-server-guix - nginx-server-matrix - nginx-server-test - nginx-server-schron - nginx-server-sejf - nginx-server-radicale)))) - -(define nginx-deploy-hook-file - #~(let - ((pid (call-with-input-file "/var/run/nginx/pid" - read))) - (kill pid SIGHUP))) - -(define nginx-extension-of-certbot - (gnu:services:service-extension - nginx-service-type* - (@@ (gnu services certbot) certbot-nginx-server-configurations))) - -(define (extend-certbot extension) - (let* - ((extension-target- (gnu:services:service-extension-target extension)) - (nginx-service-type?- (eq? 
extension-target- - gnu:services:web:nginx-service-type))) - (if nginx-service-type?- - nginx-extension-of-certbot - extension))) - -(define certbot-type - (let - ((certbot-extensions- (gnu:services:service-type-extensions gnu:services:certbot:certbot-service-type))) - (gnu:services:service-type - (inherit gnu:services:certbot:certbot-service-type) - (extensions (map extend-certbot - certbot-extensions-))))) - -(define certificate-configuration - (gnu:services:certbot:certificate-configuration - (deploy-hook (program-file "nginx-deploy-hook" - nginx-deploy-hook-file)) - (domains (list "marekpasnikowski.pl" - "git.marekpasnikowski.pl" - "guix.marekpasnikowski.pl" - "matrix.marekpasnikowski.pl" - "mx.marekpasnikowski.pl" - "radicale.marekpasnikowski.pl" - "schron.marekpasnikowski.pl" - "sejf.marekpasnikowski.pl" - "test.marekpasnikowski.pl" - "www.marekpasnikowski.pl")))) - -(define certbot-configuration - (gnu:services:certbot:certbot-configuration - (certificates (list certificate-configuration)) - (email "marek@marekpasnikowski.pl") - (webroot "/srv/www/marek/marekpasnikowski.pl"))) - -(define-public certbot - (gnu:services:service - certbot-type - certbot-configuration)) - -(define-public cgit - (gnu:services:service - cgit-type - cgit-configuration)) - -(define-public etc - (let* - ((mailname-file- (plain-file "mailname" - "marekpasnikowski.pl\n")) - (mailname-link- (list "mailname" - mailname-file-)) - (etc-links- (list mailname-link-))) - (gnu:services:simple-service 'etc-files - gnu:services:etc-service-type - etc-links-))) - -(define fcgiwrap-configuration - (gnu:services:web:fcgiwrap-configuration - (user "git") - (group "git"))) - -(define-public fcgiwrap - (gnu:services:service - gnu:services:web:fcgiwrap-service-type - fcgiwrap-configuration)) - -(define-public file-system-efi - (gnu:system:file-systems:file-system - (device (gnu:system:file-systems:file-system-label "AISAKA")) - (mount-point "/boot") - (type "vfat") - (flags (list)) - (options #f) - 
(mount? #t) - (mount-may-fail? #t) - (needed-for-boot? #f) - (check? #t) - (skip-check-if-clean? #f) - (repair 'preen) - (create-mount-point? #f) - (dependencies (list)) - (shepherd-requirements (list)) - (location (current-source-location)))) - -(define-public file-system-root - (gnu:system:file-systems:file-system - (device (gnu:system:file-systems:file-system-label "aisaka-root")) - (mount-point "/") - (type "ext4") - (flags (list)) - (options #f) - (mount? #t) - (mount-may-fail? #f) - (needed-for-boot? #t) - (check? #t) - (skip-check-if-clean? #f) - (repair 'preen) - (create-mount-point? #f) - (dependencies (list)) - (shepherd-requirements (list)) - (location (current-source-location)))) - -(define gitolite-rc-file - (gnu:services:version-control:gitolite-rc-file - (umask #o0027))) - -(define gitolite-configuration - (gnu:services:version-control:gitolite-configuration - (rc-file gitolite-rc-file) - (admin-pubkey #f))) - -(define-public gitolite - (gnu:services:service - gnu:services:version-control:gitolite-service-type - gitolite-configuration)) - -(define-public system-keyboard-layout - (gnu:system:keyboard:keyboard-layout "pl")) - -(define-public nginx - (gnu:services:service - nginx-service-type* - nginx-configuration*)) - -(define rakan-machine - #~(build-machine - (name "rakan") - (systems (list "x86_64-linux" - "i686-linux")) - (user "marek") - (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFxlIhNlkWCNA+l/RiOJztB+VWhuJtDTUvSwwlE3MpgJ root@rakan") - (private-key "/home/marek/.ssh/id_ed25519"))) - -(define guix-offload-rakan - (gnu:services:base:guix-extension - (authorized-keys (list deployment:keys:akashi-guix - deployment:keys:rakan-guix)) - (build-machines (list rakan-machine)))) - -(define-public offload-rakan - (gnu:services:simple-service 'offload-rakan - gnu:services:base:guix-service-type - guix-offload-rakan)) - -(define radicale-auth-configuration - (gnu:services:mail:radicale-auth-configuration - (type 'htpasswd) - (htpasswd-filename 
radicale-keys) - (htpasswd-encryption 'plain))) - -(define radicale-storage-configuration - (gnu:services:mail:radicale-storage-configuration - (filesystem-folder "/data/radicale/collections"))) - -(define radicale-configuration - (gnu:services:mail:radicale-configuration - (auth radicale-auth-configuration) - (storage radicale-storage-configuration))) - -(define-public radicale - (gnu:services:service - gnu:services:mail:radicale-service-type - radicale-configuration)) - -(define enp1s0-address-4 - (gnu:services:base:network-address - (device "enp1s0") - (value "192.168.10.2/24") - (ipv6? #f))) - -(define enp2s0-address-4 - (gnu:services:base:network-address - (device "enp2s0") - (value "192.168.1.2/24") - (ipv6? #f))) - -(define enp1s0-route-4-default - (gnu:services:base:network-route - (destination "default") - (source #f) - (device #f) - (ipv6? #f) - (gateway "192.168.10.1"))) - -(define network-hardware - (gnu:services:base:static-networking - (addresses (list enp1s0-address-4 - enp2s0-address-4)) - (links (list)) - (routes (list enp1s0-route-4-default)) - (name-servers (list "192.168.10.1" - "192.168.1.1")) - (provision (list 'network-hardware)) - (requirement (list)))) - -(define static-networking-configuration - (list network-hardware)) - -(define-public static-networking - (gnu:services:service - gnu:services:networking:static-networking-service-type - static-networking-configuration)) - -(define ip-command - (file-append gnu:packages:linux:iproute - "/sbin/ip")) - -(define network-enp2s0-route-default - (let - ((route-default- #~(list #$ip-command - "route" - "add" - "default" - "via" - "192.168.1.1" - "table" - "1"))) - (gnu:services:shepherd:shepherd-service - (provision (list 'network-enp2s0-route-default)) - (requirement (list 'network-enp2s0-table)) - (one-shot? #t) - (respawn? #f) - (start #~(make-forkexec-constructor #$route-default-)) - (stop #~(const #f)) - (actions (list)) - (auto-start? 
#t) - (documentation "Sets up a default route for traffic from enp2s0.") - (modules gnu:services:shepherd:%default-modules)))) - -(define network-enp2s0-table - (let - ((table- #~(list #$ip-command - "rule" - "add" - "from" - "192.168.1.2" - "table" - "1" - "prio" - "1"))) - (gnu:services:shepherd:shepherd-service - (provision (list 'network-enp2s0-table)) - (requirement (list 'network-hardware)) - (one-shot? #t) - (respawn? #f) - (start #~(make-forkexec-constructor #$table-)) - (stop #~(const #f)) - (actions (list)) - (auto-start? #t) - (documentation "Defines a table of rules number 1 for routes through enp2s0.") - (modules gnu:services:shepherd:%default-modules)))) - -(define networking - (gnu:services:shepherd:shepherd-service - (provision (list 'networking)) - (requirement (list 'network-enp2s0-table - 'network-enp2s0-route-default)) - (one-shot? #t) - (respawn? #f) - (start #~(const #t)) - (stop #~(const #f)) - (actions (list)) - (auto-start? #t) - (documentation "Defines a graph root of one-shot services to invoke various ip commands.") - (modules gnu:services:shepherd:%default-modules))) - -(define-public iproute2-networking - (let - ((extensions- (list network-enp2s0-table - network-enp2s0-route-default - networking))) - (gnu:services:simple-service 'networking - gnu:services:shepherd:shepherd-root-service-type - extensions-))) - -(define swap-device-izumi-1-label - (gnu:system:file-systems:file-system-label "izumi-swap-f")) - -(define-public %sovereign-services* - (gnu:services:modify-services sovereign:systems:%sovereign-services - (gnu:services:delete gnu:services:networking:network-manager-service-type))) - -(define-public system-bootloader - (gnu:bootloader:bootloader-configuration - (bootloader gnu:bootloader:grub:grub-efi-bootloader) - (targets (list "/boot")) - (keyboard-layout sovereign:devices:pl-keyboard-layout))) - -(define-public vmail-group - (gnu:system:accounts:user-group - (name "vmail") - (system? 
#t))) - -(define named-home-environments - (list users:id1000:named-home-environment)) - -(define guix-publish-configuration - (gnu:services:base:guix-publish-configuration - (host "192.168.10.2") - (port 8080) - (advertise? #t))) - -(define-public guix-home-service - (sovereign:systems:guix-home-service named-home-environments)) - -(define-public guix-publish-service - (sovereign:services:guix-publish-service guix-publish-configuration)) diff --git a/deployment/systems/akashi.scm b/deployment/systems/akashi.scm deleted file mode 100644 index 142ffae..0000000 --- a/deployment/systems/akashi.scm +++ /dev/null 
@@ -1,125 +0,0 @@
-;;; SPDX-License-Identifier: GPL-3.0-or-later
-;;; SPDX-FileCopyrightText: 2024-2025 Marek Paśnikowski
-
-(define-module (deployment systems akashi)
- #:use-module (guix gexp)
- #:use-module (users id1000)
- #:use-module ((deployment keys)
- #:prefix deployment:keys:)
- #:use-module ((gnu packages linux)
- #:prefix gnu:packages:linux:)
- #:use-module ((gnu services)
- #:prefix gnu:services:)
- #:use-module ((gnu services base)
- #:prefix gnu:services:base:)
- #:use-module ((gnu services guix)
- #:prefix gnu:services:guix:)
- #:use-module ((gnu system)
- #:prefix gnu:system:)
- #:use-module ((gnu system file-systems)
- #:prefix gnu:system:file-systems:)
- #:use-module ((gnu system keyboard)
- #:prefix gnu:system:keyboard:)
- #:use-module ((gnu system linux-initrd)
- #:prefix gnu:system:linux-initrd:)
- #:use-module ((gnu system locale)
- #:prefix gnu:system:locale:)
- #:use-module ((gnu system nss)
- #:prefix gnu:system:nss:)
- #:use-module ((gnu system pam)
- #:prefix gnu:system:pam:)
- #:use-module ((gnu system shadow)
- #:prefix gnu:system:shadow:)
- #:use-module ((guix diagnostics)
- #:prefix guix:diagnostics:)
- #:use-module ((machines thinkpad-x200)
- #:prefix machines:thinkpad-x200:)
- #:use-module ((sovereign systems)
- #:prefix sovereign:systems:))
-
-(define-public architecture "x86_64-linux")
-
-(define-public system-name "akashi")
-
-(define root-partition
- ((@ (gnu system file-systems) file-system)
- (mount-point "/")
- (device ((@ (gnu system file-systems) file-system-label) "akashi-root"))
- (type "ext4")))
-
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-
-(define system-keyboard-layout
- (gnu:system:keyboard:keyboard-layout "pl"))
-
-(define offload-hub
- #~(build-machine
- (name "www.marekpasnikowski.pl")
- (systems (list "x86_64-linux"
- "i686-linux"))
- (user "marek")
- (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM0Eh0q54myeSEironEP9DEKl+ownYuH7oSgAVuLIDNt root@aisaka")
- (port 23)
- (private-key "/home/marek/.ssh/id_ed25519")))
-
-(define guix-offload-targets
- (gnu:services:base:guix-extension
- (authorized-keys (list deployment:keys:aisaka-guix))
- (build-machines (list offload-hub))))
-
-(define offload-extension
- (gnu:services:simple-service 'offload-extension
- gnu:services:base:guix-service-type
- guix-offload-targets))
-
-(define home-environments
- `((,uid1000-name ,uid1000-home-environment)))
-
-(define guix-home
- (gnu:services:service gnu:services:guix:guix-home-service-type
- home-environments))
-
-(define-public system
- (gnu:system:operating-system
- (kernel gnu:packages:linux:linux-libre)
- (kernel-loadable-modules (list))
- (kernel-arguments (cons* "thinkpad_acpi.fan_control=1"
- "thinkpad_acpi.fan='level 7'"
- gnu:system:%default-kernel-arguments))
- (hurd #f)
- (bootloader (machines:thinkpad-x200:bootloader-configuration* system-keyboard-layout))
- (label (sovereign:systems:operating-system-label* system-name
- gnu:system:this-operating-system))
- (keyboard-layout system-keyboard-layout)
- (initrd gnu:system:linux-initrd:base-initrd)
- (initrd-modules gnu:system:linux-initrd:%base-initrd-modules)
- (firmware (list))
- (host-name system-name)
- (hosts-file #f)
- (mapped-devices (list))
- (file-systems (cons* root-partition
- gnu:system:file-systems:%base-file-systems))
- (swap-devices (machines:thinkpad-x200:swap-devices* system-name))
- (users (list uid1000-account))
- (groups gnu:system:shadow:%base-groups)
- (skeletons (gnu:system:shadow:default-skeletons))
- (issue (@@ (gnu system)
- %default-issue))
- (packages gnu:system:%base-packages)
- (timezone "Europe/Warsaw")
- (locale sovereign:systems:pl-locale)
- (locale-definitions sovereign:systems:%sovereign-locale-definitions)
- (locale-libcs gnu:system:locale:%default-locale-libcs)
- (name-service-switch gnu:system:nss:%default-nss)
- (essential-services (gnu:system:operating-system-default-essential-services gnu:system:this-operating-system))
- (services (cons* guix-home
- offload-extension
- sovereign:systems:%sovereign-services))
- (pam-services (gnu:system:pam:base-pam-services))
- (privileged-programs gnu:system:%default-privileged-programs)
- (setuid-programs gnu:system:%setuid-programs)
- (sudoers-file sovereign:systems:%sovereign-sudoers-specification)
- (location (and=> (current-source-location)
- guix:diagnostics:source-properties->location))))
-
-(define-public operating-system* system)
diff --git a/deployment/systems/asakura.scm b/deployment/systems/asakura.scm
deleted file mode 100644
index 2b8397d..0000000
--- a/deployment/systems/asakura.scm
+++ /dev/null
@@ -1,132 +0,0 @@
-;;; SPDX-License-Identifier: GPL-3.0-or-later
-;;; SPDX-FileCopyrightText: 2024-2025 Marek Paśnikowski
-
-(define-module (deployment systems asakura)
- #:use-module ((gnu system) #:prefix gnu:system:)
- #:use-module ((gnu system file-systems) #:prefix gnu:system:file-systems:)
- #:use-module ((gnu system uuid) #:prefix gnu:system:uuid:)
- #:use-module ((nongnu packages linux) #:prefix nongnu:packages:linux:)
- #:use-module ((nongnu system linux-initrd) #:prefix nongnu:system:linux-initrd:)
- #:use-module ((sovereign devices amd64) #:prefix sovereign:devices:amd64:)
- #:use-module ((sovereign packages protonmail) #:prefix sovereign:packages:protonmail:)
- #:use-module ((sovereign systems) #:prefix sovereign:systems:)
- #:use-module ((users id1000) #:prefix users:id1000:))
-
-(define efi-filesystem-uuid
- (gnu:system:uuid:uuid
- "B4FB-CBD9"
- 'fat32))
-
-(define host-name
- "asakura")
-
-(define (label number)
- (gnu:system:file-systems:file-system-label
- (string-append host-name
- "-swap"
- number)))
-
-(define root-filesystem-uuid
- (gnu:system:uuid:uuid
- "615a98cd-a632-4ee5-a6f4-e5ebcaa6fb8c"))
-
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-
-(define efi-partition
- (gnu:system:file-systems:file-system
- (mount-point "/boot")
- (device efi-filesystem-uuid)
- (type "vfat")))
-
-(define keyboard-layout
- ((@ (gnu system keyboard) keyboard-layout)
- "pl"))
-
-(define (libvirt-service)
- (use-modules (gnu services virtualization))
- ((@ (gnu services) service)
- libvirt-service-type))
-
-(define (virtlog-service)
- (use-modules (gnu services virtualization))
- ((@ (gnu services) service)
- virtlog-service-type))
-
-(define root-partition
- (gnu:system:file-systems:file-system
- (mount-point "/")
- (device root-filesystem-uuid)
- (type "ext4")))
-
-(define (swap-label number)
- (let ((target-label (label number)))
- (gnu:system:file-systems:swap-space
- (target target-label))))
-
-(define (system-packages-service)
- (use-modules (gnu packages gnupg)
- (gnu packages kde-pim)
- (gnu services))
- (simple-service 'system-packages
- profile-service-type
- (list kgpg
- pinentry-qt
- pinentry-tty)))
-
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-
-(define (bootloader)
- (use-modules (gnu bootloader grub))
- ((@ (gnu bootloader) bootloader-configuration)
- (bootloader grub-efi-bootloader)
- (targets (list "/boot"))
- (keyboard-layout keyboard-layout)))
-
-(define (file-systems)
- (append gnu:system:file-systems:%base-file-systems
- (list root-partition
- efi-partition)))
-
-(define services
- (let*
- ( (l-guix-homes (list users:id1000:named-home-environment))
- (l-guix-home-service (sovereign:systems:guix-home-service l-guix-homes)))
- (append sovereign:systems:%sovereign-services
- (list sovereign:packages:protonmail:nogui-profile
- l-guix-home-service
- (system-packages-service)))))
-
-(define swap-device-1
- (swap-label "-1"))
-
-(define swap-device-2
- (swap-label "-2"))
-
-(define (users)
- (use-modules (gnu system accounts))
- (append (@ (gnu system shadow) %base-user-accounts)
- (list users:id1000:uid1000-account)))
-
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-
-(define-public system
- (gnu:system:operating-system
- (kernel nongnu:packages:linux:linux)
- (bootloader (bootloader))
- (label (sovereign:systems:operating-system-label* host-name
- gnu:system:this-operating-system))
- (keyboard-layout keyboard-layout)
- (initrd nongnu:system:linux-initrd:microcode-initrd)
- (firmware (list nongnu:packages:linux:linux-firmware))
- (host-name host-name)
- (file-systems (file-systems))
- (swap-devices (list swap-device-1
- swap-device-2))
- (users (users))
- (timezone "Europe/Warsaw")
- (locale sovereign:systems:pl-locale)
- (locale-definitions sovereign:systems:%sovereign-locale-definitions)
- (services services)
- (sudoers-file sovereign:systems:%sovereign-sudoers-specification)))
-
-(define-public operating-system* system)
diff --git a/deployment/systems/cokolwiek.scm b/deployment/systems/cokolwiek.scm deleted file mode 100644 index 15beb99..0000000 --- a/deployment/systems/cokolwiek.scm +++ /dev/null 
@@ -1,105 +0,0 @@
-;;; SPDX-License-Identifier: GPL-3.0-or-later
-;;; SPDX-FileCopyrightText: 2024-2025 Marek Paśnikowski
-
-(define-module (deployment systems cokolwiek)
- #:use-module ( (gnu packages package-management)
- #:prefix gnu:packages:package-management:)
- #:use-module ( (gnu services)
- #:prefix gnu:services:)
- #:use-module ( (gnu services base)
- #:prefix gnu:services:base:)
- #:use-module ( (gnu services guix)
- #:prefix gnu:services:guix:)
- #:use-module ( (gnu system)
- #:prefix gnu:system:)
- #:use-module ( (gnu system file-systems)
- #:prefix gnu:system:file-systems:)
- #:use-module ( (gnu system linux-initrd)
- #:prefix gnu:system:linux-initrd:)
- #:use-module ( (gnu system shadow)
- #:prefix gnu:system:shadow:)
- #:use-module ( (nongnu packages linux)
- #:prefix nongnu:packages:linux:)
- #:use-module ( (nongnu system linux-initrd)
- #:prefix nongnu:system:linux-initrd:)
- #:use-module ( (sovereign channels)
- #:prefix sovereign:channels:)
- #:use-module ( (sovereign devices)
- #:prefix sovereign:devices:)
- #:use-module ( (sovereign devices amd64)
- #:prefix sovereign:devices:amd64:)
- #:use-module ( (sovereign packages protonmail)
- #:prefix sovereign:packages:protonmail:)
- #:use-module ( (sovereign systems)
- #:prefix sovereign:systems:)
- #:use-module ( (users id1000)
- #:prefix users:id1000:)
- #:use-module ( (users id1001)
- #:prefix users:id1001:))
-
-(define system-name
- "cokolwiek")
-
-(define file-system-efi
- (let*
- ( (l-system-name (string-upcase system-name))
- (l-device (sovereign:devices:file-system-label l-system-name)))
- (gnu:system:file-systems:file-system
- (inherit sovereign:devices:file-system/efi)
- (device l-device))))
-
-(define file-system-root
- (let
- ( (l-device (sovereign:devices:file-system-label system-name
- "root")))
- (gnu:system:file-systems:file-system
- (inherit sovereign:devices:file-system/root)
- (device l-device))))
-
-(define swap
- (let
- ( (l-target (sovereign:devices:file-system-label system-name
- "swap")))
- (gnu:system:file-systems:swap-space
- (inherit sovereign:devices:swap/no-trim)
- (target l-target))))
-
-(define-public system
- (let*
- ( (l-guix-homes (list users:id1000:named-home-environment
- users:id1001:named-home-environment))
- (l-guix-home-service (sovereign:systems:guix-home-service l-guix-homes))
- (l-bootloader (sovereign:devices:amd64:custom-bootloader-configuration system-name))
- (l-file-systems (cons* file-system-root
- file-system-efi
- gnu:system:file-systems:%base-file-systems))
- (l-firmware (list nongnu:packages:linux:linux-firmware))
- (l-initrd-modules (cons* "mei_me"
- gnu:system:linux-initrd:%base-initrd-modules))
- (l-services (cons* l-guix-home-service
- sovereign:packages:protonmail:nogui-profile
- sovereign:systems:%sovereign-services))
- (l-swap-devices (list swap))
- (l-users (cons* users:id1000:uid1000-account
- users:id1001:user-account
- gnu:system:shadow:%base-user-accounts)))
- (gnu:system:operating-system
- (kernel nongnu:packages:linux:linux)
- (bootloader l-bootloader)
- (label (sovereign:systems:operating-system-label* system-name
- gnu:system:this-operating-system))
- (keyboard-layout sovereign:devices:pl-keyboard-layout)
- (initrd nongnu:system:linux-initrd:microcode-initrd)
- (initrd-modules l-initrd-modules)
- (firmware l-firmware)
- (host-name system-name)
- (file-systems l-file-systems)
- (swap-devices l-swap-devices)
- (users l-users)
- (timezone "Europe/Warsaw")
- (locale sovereign:systems:pl-locale)
- (locale-definitions sovereign:systems:%sovereign-locale-definitions)
- (services l-services)
- (sudoers-file sovereign:systems:%sovereign-sudoers-specification))))
-
-(define-public operating-system* system)
diff --git a/deployment/systems/git-ignore.conf b/deployment/systems/git-ignore.conf
deleted file mode 100644
index 98e588f..0000000
--- a/deployment/systems/git-ignore.conf
+++ /dev/null
@@ -1,48 +0,0 @@ -# -*- mode: gitignore; -*- -*~ -\#*\# -/.emacs.desktop -/.emacs.desktop.lock -*.elc -auto-save-list -tramp -.\#* - -# Org-mode -.org-id-locations -*_archive - -# flymake-mode -*_flymake.* - -# eshell files -/eshell/history -/eshell/lastdir - -# elpa packages -/elpa/ - -# reftex files -*.rel - -# AUCTeX auto folder -/auto/ - -# cask packages -.cask/ -dist/ - -# Flycheck -flycheck_*.el - -# server auth directory -/server/ - -# projectiles files -.projectile - -# directory configuration -.dir-locals.el - -# network security -/network-security.data diff --git a/deployment/systems/gitconfig b/deployment/systems/gitconfig deleted file mode 100644 index 300f906..0000000 --- a/deployment/systems/gitconfig +++ /dev/null @@ -1,10 +0,0 @@ -[commit] - gpgsign = true - -[user] - email = marek@marekpasnikowski.pl - name = Marek Paśnikowski - signingkey = 6D81B1207711899F - -[push] - autoSetupRemote = true diff --git a/deployment/systems/mcdowell.scm b/deployment/systems/mcdowell.scm deleted file mode 100644 index 341bb50..0000000 --- a/deployment/systems/mcdowell.scm +++ /dev/null 
@@ -1,121 +0,0 @@
-;;; SPDX-License-Identifier: GPL-3.0-or-later
-;;; SPDX-FileCopyrightText: 2024-2025 Marek Paśnikowski
-
-(define-module (deployment systems mcdowell)
- #:use-module ( (deployment keys)
- #:prefix deployment:keys:)
- #:use-module ( (gnu packages package-management)
- #:prefix gnu:packages:package-management:)
- #:use-module ( (gnu services)
- #:prefix gnu:services:)
- #:use-module ( (gnu services base)
- #:prefix gnu:services:base:)
- #:use-module ( (gnu services guix)
- #:prefix gnu:services:guix:)
- #:use-module ( (gnu system)
- #:prefix gnu:system:)
- #:use-module ( (gnu system file-systems)
- #:prefix gnu:system:file-systems:)
- #:use-module ( (gnu system linux-initrd)
- #:prefix gnu:system:linux-initrd:)
- #:use-module ( (gnu system shadow)
- #:prefix gnu:system:shadow:)
- #:use-module ( (nongnu packages linux)
- #:prefix nongnu:packages:linux:)
- #:use-module ( (nongnu system linux-initrd)
- #:prefix nongnu:system:linux-initrd:)
- #:use-module ( (sovereign channels)
- #:prefix sovereign:channels:)
- #:use-module ( (sovereign devices)
- #:prefix sovereign:devices:)
- #:use-module ( (sovereign devices amd64)
- #:prefix sovereign:devices:amd64:)
- #:use-module ( (sovereign packages protonmail)
- #:prefix sovereign:packages:protonmail:)
- #:use-module ( (sovereign systems)
- #:prefix sovereign:systems:)
- #:use-module ( (users id1000)
- #:prefix users:id1000:)
- #:use-module (guix gexp))
-
-(define system-name
- "mcdowell")
-
-(define file-system-efi
- (let*
- ( (l-system-name (string-upcase system-name))
- (l-device (sovereign:devices:file-system-label l-system-name)))
- (gnu:system:file-systems:file-system
- (inherit sovereign:devices:file-system/efi)
- (device l-device))))
-
-(define file-system-root
- (let
- ( (l-device (sovereign:devices:file-system-label system-name
- "root")))
- (gnu:system:file-systems:file-system
- (inherit sovereign:devices:file-system/root)
- (device l-device))))
-
-(define swap
- (let
- ( (l-target (sovereign:devices:file-system-label system-name
- "swap")))
- (gnu:system:file-systems:swap-space
- (inherit sovereign:devices:swap/no-trim)
- (target l-target))))
-
-(define rakan-machine
- #~(build-machine
- (name "rakan")
- (systems (list "x86_64-linux"
- "i686-linux"))
- (user "marek")
- (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFxlIhNlkWCNA+l/RiOJztB+VWhuJtDTUvSwwlE3MpgJ root@mcdowell")
- (private-key "/home/marek/.ssh/id_ed25519")))
-
-(define guix-offload-rakan
- (gnu:services:base:guix-extension
- (authorized-keys (list deployment:keys:rakan-guix))
- (build-machines (list rakan-machine))))
-
-(define-public system
- (let*
- ( (l-guix-homes (list users:id1000:named-home-environment))
- (l-guix-home-service (sovereign:systems:guix-home-service l-guix-homes))
- (l-bootloader (sovereign:devices:amd64:custom-bootloader-configuration system-name))
- (l-file-systems (cons* file-system-root
- file-system-efi
- gnu:system:file-systems:%base-file-systems))
- (l-firmware (list nongnu:packages:linux:linux-firmware))
- (l-initrd-modules (cons* "mei_me"
- gnu:system:linux-initrd:%base-initrd-modules))
- (l-services (cons* l-guix-home-service
- sovereign:packages:protonmail:nogui-profile
- (gnu:services:simple-service 'offload-rakan
- gnu:services:base:guix-service-type
- guix-offload-rakan)
- sovereign:systems:%sovereign-services))
- (l-swap-devices (list swap))
- (l-users (cons* users:id1000:uid1000-account
- gnu:system:shadow:%base-user-accounts)))
- (gnu:system:operating-system
- (kernel nongnu:packages:linux:linux)
- (bootloader l-bootloader)
- (label (sovereign:systems:operating-system-label* system-name
- gnu:system:this-operating-system))
- (keyboard-layout sovereign:devices:pl-keyboard-layout)
- (initrd nongnu:system:linux-initrd:microcode-initrd)
- (initrd-modules l-initrd-modules)
- (firmware l-firmware)
- (host-name system-name)
- (file-systems l-file-systems)
- (swap-devices l-swap-devices)
- (users l-users)
- (timezone "Europe/Warsaw")
- (locale sovereign:systems:pl-locale)
- (locale-definitions sovereign:systems:%sovereign-locale-definitions)
- (services l-services)
- (sudoers-file sovereign:systems:%sovereign-sudoers-specification))))
-
-(define-public operating-system* system)
diff --git a/deployment/systems/rakan.scm b/deployment/systems/rakan.scm
deleted file mode 100644
index 35e0803..0000000
--- a/deployment/systems/rakan.scm
+++ /dev/null
@@ -1,247 +0,0 @@
-;;; SPDX-License-Identifier: GPL-3.0-or-later
-;;; SPDX-FileCopyrightText: 2024-2025 Marek Paśnikowski
-
-(define-module (deployment systems rakan)
- #:use-module (guix gexp)
- #:use-module ( (deployment keys)
- #:prefix deployment:keys:)
- #:use-module ( (deployment services databases)
- #:prefix deployment:services:databases:)
- #:use-module ( (deployment services matrix)
- #:prefix deployment:services:matrix:)
- #:use-module ( (gnu home)
- #:prefix gnu:home:)
- #:use-module ( (gnu home services)
- #:prefix gnu:home:services:)
- #:use-module ( (gnu packages mail)
- #:prefix gnu:packages:mail:)
- #:use-module ( (gnu services)
- #:prefix gnu:services:)
- #:use-module ( (gnu services base)
- #:prefix gnu:services:base:)
- #:use-module ( (gnu services guix)
- #:prefix gnu:services:guix:)
- #:use-module ( (gnu services samba)
- #:prefix gnu:services:samba:)
- #:use-module ( (gnu system)
- #:prefix gnu:system:)
- #:use-module ( (gnu system file-systems)
- #:prefix gnu:system:file-systems:)
- #:use-module ( (gnu system linux-initrd)
- #:prefix gnu:system:linux-initrd:)
- #:use-module ( (gnu system locale)
- #:prefix gnu:system:locale:)
- #:use-module ( (gnu system nss)
- #:prefix gnu:system:nss:)
- #:use-module ( (gnu system pam)
- #:prefix gnu:system:pam:)
- #:use-module ( (gnu system shadow)
- #:prefix gnu:system:shadow:)
- #:use-module ( (guix diagnostics)
- #:prefix guix:diagnostics:)
- #:use-module ( (nongnu packages linux)
- #:prefix nongnu:packages:linux:)
- #:use-module ( (nongnu system linux-initrd)
- #:prefix nongnu:system:linux-initrd:)
- #:use-module ( (gnu home-services mail)
- #:prefix rde/gnu:home-services:mail:)
- #:use-module ( (sovereign devices)
- #:prefix sovereign:devices:)
- #:use-module ( (sovereign devices amd64)
- #:prefix sovereign:devices:amd64:)
- #:use-module ( (sovereign packages emacs)
- #:prefix sovereign:packages:emacs:)
- #:use-module ( (sovereign packages protonmail)
- #:prefix sovereign:packages:protonmail:)
- #:use-module ( (sovereign services)
- #:prefix sovereign:services:)
- #:use-module ( (sovereign systems)
- #:prefix sovereign:systems:)
- #:use-module ( (users id1000)
- #:prefix users:id1000:))
-
-(define system-name
- "rakan")
-
-(define file-system-efi
- (let*
- ( (l-system-name (string-upcase system-name))
- (l-device (sovereign:devices:file-system-label l-system-name)))
- (gnu:system:file-systems:file-system
- (inherit sovereign:devices:file-system/efi)
- (device l-device))))
-
-(define file-system-root
- (let
- ( (l-device (sovereign:devices:file-system-label system-name
- "root")))
- (gnu:system:file-systems:file-system
- (inherit sovereign:devices:file-system/root)
- (device l-device))))
-
-(define swap
- (let
- ( (l-target (sovereign:devices:file-system-label system-name
- "swap")))
- (gnu:system:file-systems:swap-space
- (inherit sovereign:devices:swap/no-trim)
- (target l-target))))
-
-(define guix-offload-authorizations
- (gnu:services:base:guix-extension
- (authorized-keys (list deployment:keys:aisaka-guix))))
-
-(define (l2md-maildir name)
- (string-append "~/Publiczne/l2md/"
- name))
-
-(define l2md-repo-guile-user
- (rde/gnu:home-services:mail:l2md-repo
- (name "guile-user")
- (urls "https://yhetil.org/guile-user/0")
- (maildir (l2md-maildir name))
- (pipe "")
- (initial-import 0)
- (sync-enabled? #t)))
-
-(define l2md-repo-guix-devel
- (rde/gnu:home-services:mail:l2md-repo
- (name "guix-devel")
- (urls "https://yhetil.org/guix-devel/0")
- (maildir (l2md-maildir name))
- (pipe "")
- (initial-import 0)
- (sync-enabled? #t)))
-
-(define l2md-repo-guix-user
- (rde/gnu:home-services:mail:l2md-repo
- (name "guix-user")
- (urls "https://yhetil.org/guix-user/0")
- (maildir (l2md-maildir name))
- (pipe "")
- (initial-import 0)
- (sync-enabled? #t)))
-
-(define l2md-configuration
- (rde/gnu:home-services:mail:home-l2md-configuration
- (l2md gnu:packages:mail:l2md)
- (autostart? #t)
- (period 180)
- (oneshot 0)
- (maildir "")
- (pipe "")
- (base "~/Publiczne/l2md")
- (repos (list l2md-repo-guile-user
- l2md-repo-guix-devel
- l2md-repo-guix-user))))
-
-(define home-l2md
- (gnu:services:service
- rde/gnu:home-services:mail:home-l2md-service-type
- l2md-configuration))
-
-(define samba-configuration
- (gnu:services:samba:samba-configuration
- (enable-smbd? #t)
- (config-file (mixed-text-file "smb.conf"
- "[global]\n"
- "map to guest = Bad User\n"
- "logging = syslog@1\n"
- "\n"
- "[public]\n"
- "browsable = yes\n"
- "path = /tmp\n"
- "read only = no\n"
- "guest ok = yes\n"
- "guest only = yes\n"))))
-
-(define samba-service
- (gnu:services:service
- gnu:services:samba:samba-service-type
- samba-configuration))
-
-(define named-home-environment-1000
- (let
- ( (named-home-environment- users:id1000:named-home-environment))
- (let
- ( (home-environment- (car (cdr named-home-environment-)))
- (name- (car named-home-environment-)))
- (let*
- ( (services- (gnu:home:home-environment-user-services home-environment-))
- (packages- (gnu:home:home-environment-packages home-environment-))
- (home-environment-* (gnu:home:home-environment
- (inherit home-environment-)
- (packages packages-)
- (services (cons* home-l2md
- services-)))))
- (list name-
- home-environment-*)))))
-
-(define guix-homes
- (list named-home-environment-1000))
-
-(define guix-home-service
- (sovereign:systems:guix-home-service guix-homes))
-
-(define offload-auth
- (gnu:services:simple-service 'offload-authorizations
- gnu:services:base:guix-service-type
- guix-offload-authorizations))
-
-(define guix-publish-configuration
- (gnu:services:base:guix-publish-configuration
- (host "0.0.0.0")
- (port 8080)
- (advertise? #t)))
-
-(define-public guix-publish-service
- (sovereign:services:guix-publish-service guix-publish-configuration))
-
-(define-public system
- (gnu:system:operating-system
- (kernel nongnu:packages:linux:linux)
- (kernel-loadable-modules (list))
- (kernel-arguments gnu:system:%default-kernel-arguments)
- (hurd #f)
- (bootloader (sovereign:devices:amd64:custom-bootloader-configuration system-name))
- (label (sovereign:systems:operating-system-label* system-name
- gnu:system:this-operating-system))
- (keyboard-layout sovereign:devices:pl-keyboard-layout)
- (initrd nongnu:system:linux-initrd:microcode-initrd)
- (initrd-modules (cons* "mei_me"
- gnu:system:linux-initrd:%base-initrd-modules))
- (firmware (list nongnu:packages:linux:linux-firmware))
- (host-name system-name)
- (hosts-file #f)
- (mapped-devices (list))
- (file-systems (cons* file-system-root
- file-system-efi
- gnu:system:file-systems:%base-file-systems))
- (swap-devices (list swap))
- (users (cons* users:id1000:uid1000-account
- gnu:system:shadow:%base-user-accounts))
- (groups gnu:system:shadow:%base-groups)
- (skeletons (gnu:system:shadow:default-skeletons))
- (issue (@@ (gnu system) %default-issue))
- (packages gnu:system:%base-packages)
- (timezone "Europe/Warsaw")
- (locale sovereign:systems:pl-locale)
- (locale-definitions sovereign:systems:%sovereign-locale-definitions)
- (locale-libcs gnu:system:locale:%default-locale-libcs)
- (name-service-switch gnu:system:nss:%default-nss)
- (essential-services (gnu:system:operating-system-default-essential-services gnu:system:this-operating-system))
- (services (cons* guix-home-service
- guix-publish-service
- deployment:services:databases:matrix-postgresql-service
- deployment:services:matrix:matrix-service-rakan
- sovereign:packages:protonmail:nogui-profile
- offload-auth
- samba-service
- sovereign:systems:%sovereign-services))
- (pam-services (gnu:system:pam:base-pam-services))
- (privileged-programs gnu:system:%default-privileged-programs)
- (sudoers-file sovereign:systems:%sovereign-sudoers-specification)
- (location (and=> (current-source-location)
- guix:diagnostics:source-properties->location))))
-
-(define-public operating-system* system)
-- cgit v1.3