(define-module (systems izumi system-configuration)
  #:use-module (suweren commons sudoers))

(define radicale-keys "/secrets/radicale/keys")
(define dovecot-keys "/secrets/dovecot")

( use-modules
  ( gnu )
  ( gnu services syncthing )
  ( guix records )
  ( ice-9 match )
  ( nongnu packages linux )
  ( nongnu system linux-initrd ) )

( use-package-modules
  admin certs kde-frameworks kde-multimedia kde-pim kde-plasma kde-utils mail
  version-control )

( use-service-modules
  base certbot cgit desktop mail shepherd ssh version-control web xorg )

(define nginx-accounts
  (list (user-group (name "nginx")
                    (system? #t))
        (user-account (name "nginx")
                      (group "nginx")
                      (supplementary-groups '("git"))
                      (system? #t)
                      (comment "nginx server user")
                      (home-directory "/var/empty")
                      (shell (file-append (specification->package "shadow")
                                          "/sbin/nologin")))))

(define nginx-service-type*
  (service-type (inherit nginx-service-type)
                (extensions (map (lambda (extension)
                                   (if (eq? (service-extension-target extension)
                                            account-service-type)
                                       (service-extension account-service-type
                                                          (const nginx-accounts))
                                       extension))
                                 (service-type-extensions nginx-service-type)))))

(define hosts-izumi
  (local-file "system-files/hosts"))

( define-record-type*
  <dkimproxy-out-signature-configuration>
  dkimproxy-out-signature-configuration
  make-dkimproxy-out-signature-configuration
  dkimproxy-out-signature-configuration?
  ( type
    dkimproxy-out-signature-configuration-type
    ( default 'dkim ) )
  ( key
    dkimproxy-out-signature-configuration-key
    ( default #f ) )
  ( algorithm
    dkimproxy-out-signature-configuration-algorithm
    ( default #f ) )
  ( method
    dkimproxy-out-signature-configuration-method
    ( default #f) )
  ( domain
    dkimproxy-out-signature-configuration-domain
    ( default #f ) )
  ( identity
    dkimproxy-out-signature-configuration-identity
    ( default #f ) )
  ( selector
    dkimproxy-out-signature-configuration-selector
    ( default #f ) ) )

( define generate-dkimproxy-out-signature-configuration
  ( match-lambda
    ( ( $
        <dkimproxy-out-signature-configuration>
        type
        key
        algorithm
        method
        domain
        identity
        selector )
      ( string-append
        ( match type
          ( 'dkim "dkim" )
          ( 'domainkeys "domainkeys" ) )
        ( if ( or key algorithm method domain identity selector )
          ( string-append
            "("
            ( string-join
              `( ,@ ( if key
                      ( list ( string-append "key=" key ) )
                      '() )
                    ,@ ( if algorithm
                         ( list ( string-append "a=" algorithm ) )
                         '() )
                    ,@ ( if method
                         ( list ( string-append "c=" method ) )
                         '() )
                    ,@ ( if domain
                         ( list ( string-append "d=" domain ) )
                         '() )
                    ,@ ( if identity
                         ( list ( string-append "i=" identity ) )
                         '() )
                    ,@ ( if selector
                         ( list ( string-append "s=" selector ) )
                         '() ) )
              "," )
            ")" )
          "" ) ) ) ) )

( define-record-type*
  <dkimproxy-out-configuration>
  dkimproxy-out-configuration
  make-dkimproxy-out-configuration
  dkimproxy-out-configuration?
  ( package
    dkimproxy-out-configuration-package
    ( default dkimproxy ) )
  ( listen
    dkimproxy-out-configuration-listen
    ( default #f ) )
  ( relay
    dkimproxy-out-configuration-relay
    ( default #f ) )
  ( list-id-map
    dkimproxy-out-configuration-list-id-map
    ( default '() ) )
  ( sender-map
    dkimproxy-out-configuration-sender-map
    ( default '() ) )
  ( reject-error?
    dkimproxy-out-configuration-sender-reject-error?
    ( default #f ) )
  ( config-file
    dkimproxy-out-configuration-config-file
    ( default #f ) ) )

( define ( generate-map-file config filename )
  ( apply
    plain-file
    filename
    ( map ( lambda ( config )
            ( match config
              ( ( selector ( config ... ) )
                ( string-append
                  selector " "
                  ( string-join
                    ( map
                      generate-dkimproxy-out-signature-configuration
                      config )
                    "\n") ) )
              ( ( selector config )
                ( string-append
                  selector " "
                  ( generate-dkimproxy-out-signature-configuration
                    config ) ) ) ) )
      config ) ) )

( define dkimproxy-out-shepherd-service
  ( match-lambda
    ( ( $
        <dkimproxy-out-configuration>
        package
        listen
        relay
        list-id-map
        sender-map
        reject-error?
        config-file )
      ( list
        ( shepherd-service
          ( provision '( dkimproxy-out ) )
          ( requirement '( loopback ) )
          ( documentation "Outbound DKIM proxy." )
          ( start
            ( let ( ( proxy ( file-append package "/bin/dkimproxy.out" ) ) )
              ( if config-file
                #~
                ( make-forkexec-constructor
                  ( list
                    #$
                    proxy
                    ( string-append "--conf_file=" #$ config-file )
                    "--pidfile=/var/run/dkimproxy.out.pid"
                    "--user=dkimproxy" "--group=dkimproxy" )
                  #:pid-file "/var/run/dkimproxy.out.pid" )
                ( let*
                    ( ( first-signature
                        ( match sender-map
                          ( ( ( sender ( signature _ ... ) ) _ ... ) signature )
                          ( ( ( sender signature ) _ ... ) signature ) ) )
                      ( domains
                        ( apply append
                          ( map
                            ( lambda ( sender )
                              ( match sender
                                ( ( ( domains ... ) config ) domains )
                                ( ( domain config ) domain ) ) )
                            sender-map ) ) )
                      ( sender-map
                        ( generate-map-file sender-map "sender.map" ) )
                      ( listid-map
                        ( if ( null? list-id-map )
                          #f
                          ( generate-map-file list-id-map "listid.map" ) ) )
                      ( keyfile
                        ( dkimproxy-out-signature-configuration-key
                          first-signature ) )
                      ( selector
                        ( dkimproxy-out-signature-configuration-selector
                          first-signature ) )
                      ( method
                        ( dkimproxy-out-signature-configuration-method
                          first-signature ) )
                      ( signature
                        ( match ( dkimproxy-out-signature-configuration-type
                                  first-signature )
                          ( 'dkim "dkim" )
                          ( 'domainkeys "domainkeys" ) ) ) )
                  #~
                  ( make-forkexec-constructor
                    `( ,#$
                       proxy
                       "--pidfile=/var/run/dkimproxy.out.pid"
                       "--user=dkimproxy" "--group=dkimproxy"
                       ,( string-append "--listen=" #$ listen )
                       ,( string-append "--relay=" #$ relay )
                       ,( string-append "--sender_map=" #$ sender-map )
                       ,@ ( if #$ listid-map
                            ( list
                              ( string-append "--listid_map=" #$ listid-map ) )
                            '() )
                       ,( string-append "--domain=" #$ domains )
                       ,( string-append "--keyfile=" #$ keyfile )
                       ,( string-append "--selector=" #$ selector )
                       ,@ ( if #$ method
                            ( list
                              ( string-append "--method=" #$ method ) )
                            '() )
                       ,@ ( if #$ reject-error?
                            '( "--reject_error" )
                            '() )
                       ,@ ( if #$ signature
                            ( list
                              ( string-append "--signature=" #$ signature ) )
                            '() ) ) ) ) ) ) )
          ( stop #~ ( make-kill-destructor ) ) ) ) ) ) )

( define %dkimproxy-accounts
  ( list ( user-group
           ( name "dkimproxy" )
           ( system? #t ) )
    ( user-account
      ( name "dkimproxy" )
      ( group "dkimproxy" )
      ( system? #t )
      ( comment "Dkimproxy user" )
      ( home-directory "/var/empty" )
      ( shell ( file-append shadow "/sbin/nologin" ) ) ) ) )

( define dkimproxy-out-service-type
  ( service-type
    ( name 'dkimproxy-out )
    ( description "stub" )
    ( extensions
      ( list
        ( service-extension
          account-service-type
          ( const %dkimproxy-accounts ) )
        ( service-extension
          shepherd-root-service-type
          dkimproxy-out-shepherd-service ) ) ) ) )

( define ( wip-dkim-service domain )
  ( service dkimproxy-out-service-type
    ( dkimproxy-out-configuration
      ( listen "127.0.0.1:10027" )
      ( relay "127.0.0.1:10028" )
      ( sender-map
        `( ( ,domain
             ( ,( dkimproxy-out-signature-configuration
                  ( algorithm "rsa-sha256" )
                  ( key "/etc/mail/dkim/marekpasnikowski.pl.key" )
                  ( method "relaxed" )
                  ( selector "dkim" )
                  ( type 'dkim ) )
               ,( dkimproxy-out-signature-configuration
                  ( method "mofws" )
                  ( type 'domainkeys ) ) ) ) ) ) ) ) )

( define* ( wip-mail-services #:key interface domain )
  ( list
    ( wip-dkim-service domain ) ) )

( operating-system
  ( bootloader
    ( bootloader-configuration
      ( bootloader grub-efi-bootloader )
      ( keyboard-layout ( keyboard-layout "pl" ) )
      ( targets ( list "/boot/efi" ) ) ) )
  ( mapped-devices
    ( list
      ( mapped-device
        ( source "/dev/sda2" )
        ( target "izumi" )
        ( type luks-device-mapping ) ) ) )
  ( file-systems
    ( append
      %base-file-systems
      ( list
        ( file-system
          ( device "/dev/sda1" )
          ( mount-point "/boot/efi" )
          ( type "vfat" ) )
        ( file-system
          ( dependencies mapped-devices )
          ( device "/dev/mapper/izumi" )
          ( mount-point "/" )
          ( type "xfs" ) ) ) ) )
  ( firmware ( list linux-firmware ) )
  ( groups
    ( append
      %base-groups
      ( list
        ( user-group
          ( name "vmail" )
          ( system? #t ) )) ) )
  ( host-name "izumi" )
  (hosts-file hosts-izumi)
  ( initrd microcode-initrd )
  ( kernel linux )
  ( keyboard-layout ( keyboard-layout "pl" ) )
  ( locale "pl_PL.utf8" )
  ( services
    ( append
      ( modify-services
        %desktop-services
        ( elogind-service-type
          configuration =>
          ( elogind-configuration
            ( inherit configuration )
            ( handle-lid-switch 'ignore )
            ( handle-lid-switch-docked 'ignore )
            ( handle-lid-switch-external-power 'ignore ) ) )
        ( gdm-service-type
          configuration =>
          ( gdm-configuration
            ( inherit configuration )
            ( auto-suspend? #f )
            ( wayland? #t ) ) )
        ( guix-service-type
          configuration =>
          ( let*
              ( ( non-guix.pub
                  ( string-append
                    "( public-key ( ecc ( curve Ed25519 )"
                    "( q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98# ) ) )" ) )
                ( authorized-keys
                  ( append
                    %default-authorized-guix-keys
                    ( list ( plain-file "non-guix.pub" non-guix.pub ) ) ) )
                ( extra-options
                  ( list "--gc-keep-derivations=yes" "--gc-keep-outputs=yes" ) )
                ( substitute-urls
                  ( append
                    %default-substitute-urls
                    ( list "https://substitutes.nonguix.org" ) ) ) )
            ( guix-configuration
              ( inherit configuration )
              ( authorized-keys authorized-keys )
              ( extra-options extra-options )
              ( substitute-urls substitute-urls ) ) ) ) )
      ( wip-mail-services
        #:interface "enp1s0"
        #:domain "marekpasnikowski.pl" )
      ( list
	(@ (users id1000) dovecot-service)
	(@ (users id1000) smtp-service)
	(service (service-type (inherit certbot-service-type)
                               (extensions (map (lambda (extension)
                                                  (if (eq? (service-extension-target extension)
                                                           nginx-service-type)
                                                      (service-extension nginx-service-type*
                                                                         (@@ (gnu services certbot)
                                                                             certbot-nginx-server-configurations))
                                                      extension))
                                                (service-type-extensions certbot-service-type))))
		 ( certbot-configuration
		   ( certificates
		     ( list
                       ( certificate-configuration
			 ( deploy-hook
			   ( program-file
			     "nginx-deploy-hook"
			     #~
			     ( let
				 ( ( pid ( call-with-input-file "/var/run/nginx/pid" read ) ) )
                               ( kill pid SIGHUP ) ) ) )
			 ( domains
			   ( list
			     "marekpasnikowski.pl"
			     "git.marekpasnikowski.pl"
			     "radicale.marekpasnikowski.pl" ) ) ) ) )
		   ( email "marek@marekpasnikowski.pl" )
		   ( webroot "/srv/www/marek/marekpasnikowski.pl" ) ) )
        (service (service-type (inherit cgit-service-type)
                               (extensions (map (lambda (extension)
                                                  (if (eq? (service-extension-target extension)
                                                           nginx-service-type)
                                                      (service-extension nginx-service-type*
                                                                         cgit-configuration-nginx-config)
                                                      extension))
                                                (service-type-extensions cgit-service-type))))
                 ( cgit-configuration
                   ( nginx
                     ( list
                       ( nginx-server-configuration
                         ( locations
                           ( list
                             ( git-http-nginx-location-configuration
                               ( git-http-configuration
                                 ( git-root "/var/lib/gitolite/repositories" )
                                 ( uri-path "/git" ) ) )
                             ( nginx-location-configuration
                               ( body
                                 ( list
                                   "fastcgi_param HTTP_HOST $server_name ;"
                                   "fastcgi_param PATH_INFO $uri ;"
                                   "fastcgi_param QUERY_STRING $args ;"
                                   "fastcgi_param SCRIPT_FILENAME $document_root/lib/cgit/cgit.cgi ;"
                                   "fastcgi_pass 127.0.0.1:9000 ;" ) )
                               ( uri "@cgit" ) )
                             ( nginx-location-configuration
                               ( body ( list "root /srv/www/marek/marekpasnikowski.pl/ ;" ) )
                               ( uri "/.well-known" ) ) ) )
                         ( listen ( list "192.168.10.2:443 ssl" ) )
                         ( root cgit )
                         ( server-name ( list "git.marekpasnikowski.pl" ) )
                         ( ssl-certificate
                           "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem" )
                         ( ssl-certificate-key
                           "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem" )
                         ( try-files ( list "$uri" "@cgit" ) ) ) ) )
                   ( repositories
                     ( list
                       ( repository-cgit-configuration
                         ( hide? #t )
                         ( path "/srv/git/marek/packages" ) ) ) )
                   ( repository-directory "/var/lib/gitolite/repositories" ) ) )
        (service fcgiwrap-service-type
                 (fcgiwrap-configuration (user "git")
                                         (group "git")))
        ( service gitolite-service-type
          ( gitolite-configuration
            ( rc-file ( gitolite-rc-file ( umask #o0027 ) ) )
            ( admin-pubkey ( plain-file  "gitolite-admin.pub"
                             "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK4THTYnHCc/ihCJNKJtGTNu1zCnLndbMHnxnrxzJk+N marek@izumi\n") ) ) )
        ( service gnome-desktop-service-type )
	( service syncthing-service-type ( syncthing-configuration ( user "marek" ) ) )
        (service nginx-service-type*
		 ( nginx-configuration
		   ( server-blocks
		     ( list
                       ;; Top-Level
                       ( nginx-server-configuration
			 ( locations
			   ( list
			     ( nginx-location-configuration
                               ( uri "/.well-known" )
                               ( body
				 ( list "root /srv/www/marek/marekpasnikowski.pl ;" ) ) ) ) )
			 ( listen ( list "192.168.10.2:443 ssl" ) )
			 ( root "/srv/www/marek/marekpasnikowski.pl" )
			 ( server-name ( list "marekpasnikowski.pl" ) )
			 ( ssl-certificate
			   "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem" )
			 ( ssl-certificate-key
			   "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem" ) )
                       ;; Radicale
                       ( nginx-server-configuration
			 ( locations
			   ( list
			     ( nginx-location-configuration
                               ( body
				 ( list
				   "proxy_pass http://localhost:5232/ ;"
				   "proxy_set_header X-Script-Name \"\" ;"
				   "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;"
				   "proxy_set_header Host $http_host ;"
				   "proxy_pass_header Authorization ;" ) )
                               ( uri "/" ) )
			     ( nginx-location-configuration
                               ( body
				 ( list "root /srv/www/marek/marekpasnikowski.pl ;" ) )
                               ( uri "/.well-known" ) ) ) )
			 ( listen ( list "192.168.10.2:443 ssl" ) )
			 ( server-name ( list "radicale.marekpasnikowski.pl" ) ) ) ) ) ) )
        ( service openssh-service-type )
        ( service radicale-service-type
          ( radicale-configuration
            ( auth
              ( radicale-auth-configuration
                ( type 'htpasswd )
                ( htpasswd-filename radicale-keys )
                ( htpasswd-encryption 'plain ) ) ) ) )
        ( simple-service 'base-profile profile-service-type
          ( append %base-packages
            ( list ) ) )
        ( simple-service
          'nss-profile
          profile-service-type
          ( list nss-certs ) )
        ( simple-service
          'etc-files
          etc-service-type
          ( list
            `( "mailname" ,( plain-file "mailname" "marekpasnikowski.pl\n" ) ) ) ) ) ) )
  ( sudoers-file %sudoers-specification* )
  ( swap-devices
    ( list
      ( swap-space
        ( target "/dev/sda3" ) ) ) )
  ( timezone "Europe/Warsaw" )
  ( users
    ( append
      %base-user-accounts
      ( list
        ( user-account
          ( comment "vmail" )
          ( group "vmail" )
          ( home-directory "/home/vmail" )
          ( name "vmail" )
          ( system? #t ) )
        ( user-account
          ( comment "Marek Paśnikowski" )
          ( group "users" )
          ( home-directory "/home/marek" )
          ( name "marek" )
          ( supplementary-groups
            ( list "audio" "netdev" "video" "wheel" ) ) ) ) ) ) )