(use-modules (freya system)
             (ice-9 match)
             (gnu packages ci)
             (gnu packages databases)
             (gnu services)
             (gnu services cuirass)
             (gnu services avahi)
             (gnu services mcron)
             (gnu services web)
             (gnu services certbot)
             (gnu services databases)
             (gnu services networking)
             (guix modules)
             (guix gexp)
             (gnu))

;; Cuirass specification
(define %cuirass-specs
  #~(list
      (specification
        (name "sakura")
        (build '(channels sakura))
        (channels
          (list %default-guix-channel
                (channel
                  (name 'sakura)
                  (url "https://g.freya.cat/freya/sakura")
                  (branch "main")
                  (introduction
                    (make-channel-introduction
                      "8fb2f9c2fa414754c41c1c73665e3e73e12693ab"
                      (openpgp-fingerprint
                        "3CD3 65F0 373C EB13 853A  F568 9FBC 6FFD 6D2D BF17"))))))
        (priority 0)
        (systems '("x86_64-linux")))))

;; Run the garbe collector every day at 3:00 AM
(define garbage-collector-job
  #~(job "0 3 * * *"
         "guix gc -F 50G"))

;; Restart the cuiras worker every night
(define restart-worker-job
  #~(job "0 2 * * *"
         "herd restart cuirass-remote-worker"))

;; Nginx deploy hook for certbot
(define %nginx-deploy-hook
  (program-file
    "nginx-deploy-hook"
    #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
        (kill pid SIGHUP))))

;; Curiass module filter
(define default-module-filter
  (match-lambda
    (('guix 'config) #f)
    (('guix _ ...) #t)
    (('gnu _ ...) #t)
    (('nongnu _ ...) #f)
    (('nonguix _ ...) #f)
    (('sakura _ ...) #t)
    (_ #f)))

;; Curiass operating system
(operating-system
  (inherit %virt-freya-operating-system)
  (host-name "cuirass")
  (packages (cons* ; ci
                   cuirass
                   %virt-freya-packages))
  (services (cons* ; avahi
                   (service avahi-service-type)
                   ; cuirass
                   (service cuirass-service-type
                     (cuirass-configuration
                       (specifications %cuirass-specs)))
                   ; guix publish
                   (service guix-publish-service-type
                     (guix-publish-configuration
                       (cache "/var/cache/publish")
                       (compression '(("zstd" 19)))
                       (port 8080)))
                   ; guix publish index.html
                   (extra-special-file "/srv/http/index.html"
                                       (local-file "../files/index.html"))
                   ; postgresql
                   (service postgresql-service-type
                            (postgresql-configuration
                              (postgresql postgresql-14)))
                   ; cron
                   (simple-service 'cron
                                   mcron-service-type
                                   (list garbage-collector-job
                                         restart-worker-job))
                   ; iptables
                   (service iptables-service-type
                     (iptables-configuration
                       (ipv4-rules (plain-file "iptables.rules" "*filter
-A INPUT -p tcp --dport 5522 ! -s 127.0.0.1 -j REJECT
-A INPUT -p tcp --dport 5555:5558 ! -s 127.0.0.1 -j REJECT
-A INPUT -p tcp --dport 8080:8081 ! -s 127.0.0.1 -j REJECT
COMMIT
"))))
                   ; certbot
                   (service certbot-service-type
                     (certbot-configuration
                       (certificates
                         (list
                           (certificate-configuration
                             (deploy-hook %nginx-deploy-hook)
                             (domains '("cuirass.in.freya.cat"
                                        "substitutes.in.freya.cat")))))
                       (server "https://ca.in.freya.cat/acme/acme/directory")
                       (email "freya@freyacat.org")
                       (webroot "/srv/http")))
                   ; nginx
                   (let* ((certificate "/etc/letsencrypt/live/cuirass.in.freya.cat/fullchain.pem")
                          (certificate-key "/etc/letsencrypt/live/cuirass.in.freya.cat/privkey.pem")
                          (bootstrapping (not (access? certificate F_OK))))
                     (service nginx-service-type
                       (nginx-configuration
                         (upstream-blocks
                           (list
                             (nginx-upstream-configuration
                               (name "cuirass")
                               (servers (list "localhost:8081")))
                             (nginx-upstream-configuration
                               (name "publish")
                               (servers (list "localhost:8080")))))
                         (server-blocks
                           (list
                             (nginx-server-configuration
                               (server-name '("cuirass.in.freya.cat"))
                               (listen (if bootstrapping
                                         '("9090") ; allow default 80 server to handle .well-known
                                         '("443 ssl")))
                               (ssl-certificate (if bootstrapping #f certificate))
                               (ssl-certificate-key (if bootstrapping #f certificate-key))
                               (locations
                                 (list
                                   (nginx-location-configuration
                                     (uri "~ ^/admin")
                                     (body
                                       (list "if ($ssl_client_verify != SUCCESS) { return 403; } proxy_pass http://cuirass;")))
                                   (nginx-location-configuration
                                     (uri "/")
                                     (body
                                       (list "proxy_pass http://cuirass;"))))))
                             (nginx-server-configuration
                               (server-name '("substitutes.in.freya.cat"))
                               (listen (if bootstrapping
                                         '("9090") ; allow default 80 server to handle .well-known
                                         '("443 ssl")))
                               (ssl-certificate (if bootstrapping #f certificate))
                               (ssl-certificate-key (if bootstrapping #f certificate-key))
                               (raw-content '("rewrite ^//(.*)$ /$1 redirect;"))
                               (index (list "index.html"))
                               (locations
                                 (list
                                   (nginx-location-configuration
                                     (uri "/signing-key.pub")
                                     (body '("proxy_pass http://publish;")))
                                   (nginx-location-configuration
                                     (uri "/file/")
                                     (body '("proxy_pass http://publish;")))
                                   (nginx-location-configuration
                                     (uri "/log/")
                                     (body '("proxy_pass http://publish;")))
                                   (nginx-location-configuration
                                     (uri "/nix-cache-info")
                                     (body (list
                                       "proxy_pass http://publish;"
                                       "proxy_hide_header Set-Cookie;")))
                                   (nginx-location-configuration
                                     (uri "/nar/")
                                     (body (list
                                       "proxy_pass http://publish;"
                                       "client_body_buffer_size 256k;"
                                       ;; Nars are already compressed. -> no perf change
                                       "gzip off;"
                                       "proxy_pass_header Cache-Control;")))
                                   (nginx-location-configuration
                                     (uri "~ \\.narinfo$")
                                     (body
                                      (list
                                        "proxy_pass http://publish;"
                                        "client_body_buffer_size 128k;"
                                        "proxy_connect_timeout 2s;"
                                        "proxy_read_timeout 2s;"
                                        "proxy_send_timeout 2s;"
                                        "proxy_pass_header Cache-Control;"
                                        "proxy_ignore_client_abort on;")))))))))))
                   %base-freya-services))
  (swap-devices (list (swap-space
                        (target (uuid
                                  "8ffa6d73-06e9-4dc5-9b15-569b3b176dbc")))))
  (file-systems (cons* (file-system
                         (mount-point "/")
                         (device (uuid "fae7deed-d630-40a1-adac-87f49b431ad4"))
                         (type "btrfs"))
                       (file-system
                         (mount-point "/boot")
                         (device (uuid "027A-4AA1"
                                       'fat32))
                         (type "vfat"))
                       %base-freya-file-systems))
  (bootloader (bootloader-configuration
                (bootloader grub-bootloader)
                (targets '("/dev/sda")))))