dotfiles-guix/systems/cuirass.scm

211 lines
9.7 KiB
Scheme
Raw Permalink Normal View History

2024-10-23 01:02:08 +00:00
(use-modules (freya system)
2024-10-23 22:07:33 +00:00
(ice-9 match)
(gnu packages ci)
2024-12-09 14:16:12 +00:00
(gnu packages databases)
(gnu services)
2024-10-23 22:07:33 +00:00
(gnu services cuirass)
(gnu services avahi)
(gnu services mcron)
(gnu services web)
2024-12-09 16:21:09 +00:00
(gnu services certbot)
2024-12-09 14:16:12 +00:00
(gnu services databases)
2024-10-23 22:07:33 +00:00
(gnu services networking)
2024-12-09 16:21:09 +00:00
(guix modules)
2024-12-09 14:16:12 +00:00
(guix gexp)
2024-10-23 01:02:08 +00:00
(gnu))
2024-10-23 22:07:33 +00:00
;; Cuirass specification
(define %cuirass-specs
#~(list
(specification
(name "sakura")
(build '(channels sakura))
(channels
(list %default-guix-channel
(channel
(name 'sakura)
(url "https://g.freya.cat/freya/sakura")
(branch "main")
(introduction
(make-channel-introduction
2024-12-09 14:16:12 +00:00
"8fb2f9c2fa414754c41c1c73665e3e73e12693ab"
2024-10-23 22:07:33 +00:00
(openpgp-fingerprint
2024-12-09 14:16:12 +00:00
"3CD3 65F0 373C EB13 853A F568 9FBC 6FFD 6D2D BF17"))))))
2024-10-23 22:07:33 +00:00
(priority 0)
(systems '("x86_64-linux")))))
;; Run the garbe collector every day at 3:00 AM
(define garbage-collector-job
#~(job "0 3 * * *"
"guix gc -F 50G"))
;; Restart the cuiras worker every night
(define restart-worker-job
#~(job "0 2 * * *"
"herd restart cuirass-remote-worker"))
2024-12-09 16:21:09 +00:00
;; Nginx deploy hook for certbot
(define %nginx-deploy-hook
(program-file
"nginx-deploy-hook"
#~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
(kill pid SIGHUP))))
2024-10-23 22:07:33 +00:00
;; Curiass module filter
(define default-module-filter
(match-lambda
(('guix 'config) #f)
(('guix _ ...) #t)
(('gnu _ ...) #t)
(('nongnu _ ...) #f)
(('nonguix _ ...) #f)
(('sakura _ ...) #t)
(_ #f)))
;; Curiass operating system
2024-10-23 01:02:08 +00:00
(operating-system
(inherit %virt-freya-operating-system)
2024-10-23 04:19:24 +00:00
(host-name "cuirass")
2024-10-23 22:07:33 +00:00
(packages (cons* ; ci
2024-12-09 14:16:12 +00:00
cuirass
2024-10-23 22:07:33 +00:00
%virt-freya-packages))
(services (cons* ; avahi
2024-12-09 14:16:12 +00:00
(service avahi-service-type)
2024-10-23 22:07:33 +00:00
; cuirass
(service cuirass-service-type
(cuirass-configuration
(specifications %cuirass-specs)))
; guix publish
(service guix-publish-service-type
(guix-publish-configuration
(cache "/var/cache/publish")
(compression '(("zstd" 19)))
(port 8080)))
; guix publish index.html
(extra-special-file "/srv/http/index.html"
(local-file "../files/index.html"))
2024-12-09 14:16:12 +00:00
; postgresql
(service postgresql-service-type
(postgresql-configuration
(postgresql postgresql-14)))
2024-10-23 22:07:33 +00:00
; cron
(simple-service 'cron
mcron-service-type
(list garbage-collector-job
restart-worker-job))
; iptables
(service iptables-service-type
(iptables-configuration
(ipv4-rules (plain-file "iptables.rules" "*filter
-A INPUT -p tcp --dport 5522 ! -s 127.0.0.1 -j REJECT
-A INPUT -p tcp --dport 5555:5558 ! -s 127.0.0.1 -j REJECT
-A INPUT -p tcp --dport 8080:8081 ! -s 127.0.0.1 -j REJECT
COMMIT
"))))
2024-12-09 16:21:09 +00:00
; certbot
(service certbot-service-type
(certbot-configuration
(certificates
2024-10-23 22:07:33 +00:00
(list
2024-12-09 16:21:09 +00:00
(certificate-configuration
(deploy-hook %nginx-deploy-hook)
(domains '("cuirass.in.freya.cat"
"substitutes.in.freya.cat")))))
(server "https://ca.in.freya.cat/acme/acme/directory")
(email "freya@freyacat.org")
(webroot "/srv/http")))
; nginx
(let* ((certificate "/etc/letsencrypt/live/cuirass.in.freya.cat/fullchain.pem")
(certificate-key "/etc/letsencrypt/live/cuirass.in.freya.cat/privkey.pem")
(bootstrapping (not (access? certificate F_OK))))
(service nginx-service-type
(nginx-configuration
(upstream-blocks
(list
(nginx-upstream-configuration
(name "cuirass")
(servers (list "localhost:8081")))
(nginx-upstream-configuration
(name "publish")
(servers (list "localhost:8080")))))
(server-blocks
(list
(nginx-server-configuration
(server-name '("cuirass.in.freya.cat"))
(listen (if bootstrapping
'("9090") ; allow default 80 server to handle .well-known
'("443 ssl")))
(ssl-certificate (if bootstrapping #f certificate))
(ssl-certificate-key (if bootstrapping #f certificate-key))
(locations
(list
(nginx-location-configuration
(uri "~ ^/admin")
(body
(list "if ($ssl_client_verify != SUCCESS) { return 403; } proxy_pass http://cuirass;")))
(nginx-location-configuration
(uri "/")
(body
(list "proxy_pass http://cuirass;"))))))
(nginx-server-configuration
(server-name '("substitutes.in.freya.cat"))
(listen (if bootstrapping
'("9090") ; allow default 80 server to handle .well-known
'("443 ssl")))
(ssl-certificate (if bootstrapping #f certificate))
(ssl-certificate-key (if bootstrapping #f certificate-key))
(raw-content '("rewrite ^//(.*)$ /$1 redirect;"))
(index (list "index.html"))
(locations
(list
(nginx-location-configuration
(uri "/signing-key.pub")
(body '("proxy_pass http://publish;")))
(nginx-location-configuration
(uri "/file/")
(body '("proxy_pass http://publish;")))
(nginx-location-configuration
(uri "/log/")
(body '("proxy_pass http://publish;")))
(nginx-location-configuration
(uri "/nix-cache-info")
(body (list
"proxy_pass http://publish;"
"proxy_hide_header Set-Cookie;")))
(nginx-location-configuration
(uri "/nar/")
(body (list
"proxy_pass http://publish;"
"client_body_buffer_size 256k;"
;; Nars are already compressed. -> no perf change
"gzip off;"
"proxy_pass_header Cache-Control;")))
(nginx-location-configuration
(uri "~ \\.narinfo$")
(body
(list
"proxy_pass http://publish;"
"client_body_buffer_size 128k;"
"proxy_connect_timeout 2s;"
"proxy_read_timeout 2s;"
"proxy_send_timeout 2s;"
"proxy_pass_header Cache-Control;"
"proxy_ignore_client_abort on;")))))))))))
2024-10-23 22:07:33 +00:00
%base-freya-services))
2024-10-23 01:15:56 +00:00
(swap-devices (list (swap-space
2024-10-23 22:07:33 +00:00
(target (uuid
"8ffa6d73-06e9-4dc5-9b15-569b3b176dbc")))))
2024-10-23 01:02:08 +00:00
(file-systems (cons* (file-system
(mount-point "/")
2024-10-23 02:53:48 +00:00
(device (uuid "fae7deed-d630-40a1-adac-87f49b431ad4"))
2024-10-23 01:02:08 +00:00
(type "btrfs"))
(file-system
(mount-point "/boot")
2024-10-23 02:53:48 +00:00
(device (uuid "027A-4AA1"
2024-10-23 01:02:08 +00:00
'fat32))
(type "vfat"))
2024-10-23 22:07:33 +00:00
%base-freya-file-systems))
2024-10-23 01:02:08 +00:00
(bootloader (bootloader-configuration
(bootloader grub-bootloader)
2024-10-23 01:15:56 +00:00
(targets '("/dev/sda")))))