(define-module (systems izumi system-configuration) #:use-module (suweren commons sudoers)) (define radicale-keys "/secrets/radicale/keys") (define dovecot-keys "/secrets/dovecot") ( use-modules ( gnu ) ( gnu services syncthing ) ( guix records ) ( ice-9 match ) ( nongnu packages linux ) ( nongnu system linux-initrd ) ) ( use-package-modules admin certs kde-frameworks kde-multimedia kde-pim kde-plasma kde-utils mail version-control ) ( use-service-modules base certbot cgit desktop mail shepherd ssh version-control web xorg ) (define nginx-accounts (list (user-group (name "nginx") (system? #t)) (user-account (name "nginx") (group "nginx") (supplementary-groups '("git")) (system? #t) (comment "nginx server user") (home-directory "/var/empty") (shell (file-append (specification->package "shadow") "/sbin/nologin"))))) (define nginx-service-type* (service-type (inherit nginx-service-type) (extensions (map (lambda (extension) (if (eq? (service-extension-target extension) account-service-type) (service-extension account-service-type (const nginx-accounts)) extension)) (service-type-extensions nginx-service-type))))) (define hosts-izumi (local-file "system-files/hosts")) ( operating-system ( bootloader ( bootloader-configuration ( bootloader grub-efi-bootloader ) ( keyboard-layout ( keyboard-layout "pl" ) ) ( targets ( list "/boot/efi" ) ) ) ) ( mapped-devices ( list ( mapped-device ( source "/dev/sda2" ) ( target "izumi" ) ( type luks-device-mapping ) ) ) ) ( file-systems ( append %base-file-systems ( list ( file-system ( device "/dev/sda1" ) ( mount-point "/boot/efi" ) ( type "vfat" ) ) ( file-system ( dependencies mapped-devices ) ( device "/dev/mapper/izumi" ) ( mount-point "/" ) ( type "xfs" ) ) ) ) ) ( firmware ( list linux-firmware ) ) ( groups ( append %base-groups ( list ( user-group ( name "vmail" ) ( system? #t ) )) ) ) ( host-name "izumi" ) (hosts-file hosts-izumi) ( initrd microcode-initrd ) ( kernel linux ) ( keyboard-layout ( keyboard-layout "pl" ) ) ( locale "pl_PL.utf8" ) ( services ( append ( modify-services %desktop-services ( elogind-service-type configuration => ( elogind-configuration ( inherit configuration ) ( handle-lid-switch 'ignore ) ( handle-lid-switch-docked 'ignore ) ( handle-lid-switch-external-power 'ignore ) ) ) ( gdm-service-type configuration => ( gdm-configuration ( inherit configuration ) ( auto-suspend? #f ) ( wayland? #t ) ) ) ( guix-service-type configuration => ( let* ( ( non-guix.pub ( string-append "( public-key ( ecc ( curve Ed25519 )" "( q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98# ) ) )" ) ) ( authorized-keys ( append %default-authorized-guix-keys ( list ( plain-file "non-guix.pub" non-guix.pub ) ) ) ) ( extra-options ( list "--gc-keep-derivations=yes" "--gc-keep-outputs=yes" ) ) ( substitute-urls ( append %default-substitute-urls ( list "https://substitutes.nonguix.org" ) ) ) ) ( guix-configuration ( inherit configuration ) ( authorized-keys authorized-keys ) ( extra-options extra-options ) ( substitute-urls substitute-urls ) ) ) ) ) ( list (@ (users id1000) dkim-service) (@ (users id1000) dovecot-service) (@ (users id1000) smtp-service) (service (service-type (inherit certbot-service-type) (extensions (map (lambda (extension) (if (eq? (service-extension-target extension) nginx-service-type) (service-extension nginx-service-type* (@@ (gnu services certbot) certbot-nginx-server-configurations)) extension)) (service-type-extensions certbot-service-type)))) ( certbot-configuration ( certificates ( list ( certificate-configuration ( deploy-hook ( program-file "nginx-deploy-hook" #~ ( let ( ( pid ( call-with-input-file "/var/run/nginx/pid" read ) ) ) ( kill pid SIGHUP ) ) ) ) ( domains ( list "marekpasnikowski.pl" "git.marekpasnikowski.pl" "radicale.marekpasnikowski.pl" ) ) ) ) ) ( email "marek@marekpasnikowski.pl" ) ( webroot "/srv/www/marek/marekpasnikowski.pl" ) ) ) (service (service-type (inherit cgit-service-type) (extensions (map (lambda (extension) (if (eq? (service-extension-target extension) nginx-service-type) (service-extension nginx-service-type* cgit-configuration-nginx-config) extension)) (service-type-extensions cgit-service-type)))) ( cgit-configuration ( nginx ( list ( nginx-server-configuration ( locations ( list ( git-http-nginx-location-configuration ( git-http-configuration ( git-root "/var/lib/gitolite/repositories" ) ( uri-path "/git" ) ) ) ( nginx-location-configuration ( body ( list "fastcgi_param HTTP_HOST $server_name ;" "fastcgi_param PATH_INFO $uri ;" "fastcgi_param QUERY_STRING $args ;" "fastcgi_param SCRIPT_FILENAME $document_root/lib/cgit/cgit.cgi ;" "fastcgi_pass 127.0.0.1:9000 ;" ) ) ( uri "@cgit" ) ) ( nginx-location-configuration ( body ( list "root /srv/www/marek/marekpasnikowski.pl/ ;" ) ) ( uri "/.well-known" ) ) ) ) ( listen ( list "192.168.10.2:443 ssl" ) ) ( root cgit ) ( server-name ( list "git.marekpasnikowski.pl" ) ) ( ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem" ) ( ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem" ) ( try-files ( list "$uri" "@cgit" ) ) ) ) ) ( repositories ( list ( repository-cgit-configuration ( hide? #t ) ( path "/srv/git/marek/packages" ) ) ) ) ( repository-directory "/var/lib/gitolite/repositories" ) ) ) (service fcgiwrap-service-type (fcgiwrap-configuration (user "git") (group "git"))) ( service gitolite-service-type ( gitolite-configuration ( rc-file ( gitolite-rc-file ( umask #o0027 ) ) ) ( admin-pubkey ( plain-file "gitolite-admin.pub" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK4THTYnHCc/ihCJNKJtGTNu1zCnLndbMHnxnrxzJk+N marek@izumi\n") ) ) ) ( service plasma-desktop-service-type ) ( service syncthing-service-type ( syncthing-configuration ( user "marek" ) ) ) (service nginx-service-type* ( nginx-configuration ( server-blocks ( list ;; Top-Level ( nginx-server-configuration ( locations ( list ( nginx-location-configuration ( uri "/.well-known" ) ( body ( list "root /srv/www/marek/marekpasnikowski.pl ;" ) ) ) ) ) ( listen ( list "192.168.10.2:443 ssl" ) ) ( root "/srv/www/marek/marekpasnikowski.pl" ) ( server-name ( list "marekpasnikowski.pl" ) ) ( ssl-certificate "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem" ) ( ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem" ) ) ;; Radicale ( nginx-server-configuration ( locations ( list ( nginx-location-configuration ( body ( list "proxy_pass http://localhost:5232/ ;" "proxy_set_header X-Script-Name \"\" ;" "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;" "proxy_set_header Host $http_host ;" "proxy_pass_header Authorization ;" ) ) ( uri "/" ) ) ( nginx-location-configuration ( body ( list "root /srv/www/marek/marekpasnikowski.pl ;" ) ) ( uri "/.well-known" ) ) ) ) ( listen ( list "192.168.10.2:443 ssl" ) ) ( server-name ( list "radicale.marekpasnikowski.pl" ) ) ) ) ) ) ) ( service openssh-service-type ) ( service radicale-service-type ( radicale-configuration ( auth ( radicale-auth-configuration ( type 'htpasswd ) ( htpasswd-filename radicale-keys ) ( htpasswd-encryption 'plain ) ) ) ) ) ( simple-service 'base-profile profile-service-type ( append %base-packages ( list ) ) ) ( simple-service 'nss-profile profile-service-type ( list nss-certs ) ) ( simple-service 'etc-files etc-service-type ( list `( "mailname" ,( plain-file "mailname" "marekpasnikowski.pl\n" ) ) ) ) ) ) ) ( sudoers-file %sudoers-specification* ) ( swap-devices ( list ( swap-space ( target "/dev/sda3" ) ) ) ) ( timezone "Europe/Warsaw" ) ( users ( append %base-user-accounts ( list ( user-account ( comment "vmail" ) ( group "vmail" ) ( home-directory "/home/vmail" ) ( name "vmail" ) ( system? #t ) ) ( user-account ( comment "Marek Paśnikowski" ) ( group "users" ) ( home-directory "/home/marek" ) ( name "marek" ) ( supplementary-groups ( list "audio" "netdev" "video" "wheel" ) ) ) ) ) ) )