[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
01/02: hydra: Factorize front-end config in (sysadmin services).
From: |
Ludovic Courtès |
Subject: |
01/02: hydra: Factorize front-end config in (sysadmin services). |
Date: |
Fri, 19 Jan 2018 05:01:37 -0500 (EST) |
civodul pushed a commit to branch master
in repository maintenance.
commit d3de8c34b4b6e173d3e8164bb55e7a2aa2270095
Author: Ludovic Courtès <address@hidden>
Date: Fri Jan 19 10:56:00 2018 +0100
hydra: Factorize front-end config in (sysadmin services).
* hydra/modules/sysadmin/services.scm: New file.
* hydra/bayfront.scm: Use it.
(%gc-jobs, %certbot-job, %guix-daemon-config, start-firewall)
(firewall-service, %nginx-mime-types, %nginx-cache-activation)
(%cuirass-specs): Remove.
<top level>: Trim 'services' list and use 'frontend-services'.
* hydra/berlin.scm: Likewise.
* hydra/berlin-new.scm: Likewise.
---
hydra/bayfront.scm | 162 ++-------------------------
hydra/berlin-new.scm | 152 ++-----------------------
hydra/berlin.scm | 148 +-----------------------
hydra/modules/sysadmin/services.scm | 217 ++++++++++++++++++++++++++++++++++++
4 files changed, 240 insertions(+), 439 deletions(-)
diff --git a/hydra/bayfront.scm b/hydra/bayfront.scm
index 49280a4..461334f 100644
--- a/hydra/bayfront.scm
+++ b/hydra/bayfront.scm
@@ -1,8 +1,8 @@
;; OS configuration for bayfront, the frontend of the compile farm.
-(use-modules (gnu) (guix) (sysadmin people))
-(use-service-modules base networking admin mcron shepherd ssh web cuirass)
-(use-package-modules admin linux ssh tls vim package-management web wget ci)
+(use-modules (gnu) (guix) (sysadmin people) (sysadmin services))
+(use-service-modules base networking admin shepherd)
+(use-package-modules admin linux ssh tls vim package-management web wget)
(define %sysadmins
;; The sysadmins.
@@ -16,70 +16,6 @@
(full-name "Ricardo Wurmus")
(ssh-public-key (local-file "keys/ssh/rekado.pub")))))
-
-(define %gc-job
- ;; The garbage collection mcron job, once per day.
- #~(job '(next-hour '(4))
- (string-append #$guix "/bin/guix gc -F80G")))
-
-(define %certbot-job
- ;; Attempt to renew the Let's Encrypt certificate twice a week.
- #~(job (lambda (now)
- (next-day-from (next-hour-from now '(3))
- '(2 5)))
- (string-append #$certbot "/bin/certbot renew")))
-
-(define %guix-daemon-config
- (guix-configuration
- ;; Disable substitutes altogether.
- (use-substitutes? #f)
- (substitute-urls '())
- (authorized-keys '())
- (max-silent-time 7200)
- (timeout (* 4 max-silent-time))
- (log-compression 'gzip) ;be friendly to 'guix publish' users
-
- (extra-options '("--max-jobs=5" "--cores=8" ;we have 32 cores
- "--cache-failures"
- "--gc-keep-outputs" "--gc-keep-derivations"))))
-
-(define start-firewall
- ;; Rules to throttle malicious SSH connection attempts. This will allow at
- ;; most 3 connections per minute from any host, and will block the host for
- ;; another minute if this rate is exceeded. Taken from
- ;; <http://www.la-samhna.de/library/brutessh.html#3>.
- #~(let ((iptables
- (lambda (str)
- (zero? (apply system*
- #$(file-append iptables
- "/sbin/iptables")
- (string-tokenize str))))))
- (format #t "Installing iptables SSH rules...~%")
- (and (iptables "-A INPUT -p tcp --dport 22 -m state \
- --state NEW -m recent --set --name SSH -j ACCEPT")
- (iptables "-A INPUT -p tcp --dport 22 -m recent \
- --update --seconds 60 --hitcount 4 --rttl \
- --name SSH -j LOG --log-prefix SSH_brute_force")
- (iptables "-A INPUT -p tcp --dport 22 -m recent \
- --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP"))))
-
-(define firewall-service
- ;; The "firewall". Make it a Shepherd service because as an activation
- ;; script it might run too early, before the Netfilter modules can be
- ;; loaded for some reason.
- (simple-service 'firewall shepherd-root-service-type
- (list (shepherd-service
- (provision '(firewall))
- (requirement '())
- (start #~(lambda ()
- #$start-firewall))
- (respawn? #f)))))
-
-
-;;;
-;;; NGINX.
-;;;
-
(define %nginx-config
;; Our nginx configuration directory. It expects 'guix publish' to be
;; running on port 3000.
@@ -98,49 +34,6 @@
(substitute* "bayfront-locations.conf"
(("@WWWROOT@")
#$(local-file "nginx/html" #:recursive? #t)))))))
-
-(define %nginx-mime-types
- ;; Provide /etc/nginx/mime.types (and a bunch of other files.)
- (simple-service 'nginx-mime.types
- etc-service-type
- `(("nginx" ,(file-append nginx "/share/nginx/conf")))))
-
-(define %nginx-cache-activation
- ;; Make sure /var/cache/nginx exists on the first run.
- (simple-service 'nginx-/var/cache/nginx
- activation-service-type
- (with-imported-modules '((guix build utils))
- #~(begin
- (use-modules (guix build utils))
- (mkdir-p "/var/cache/nginx")))))
-
-
-;;;
-;;; Cuirass.
-;;;
-
-(define %cuirass-specs
- ;; Cuirass specifications to build Guix.
- #~(list `((#:name . "guix")
- (#:url . "git://git.savannah.gnu.org/guix.git")
- (#:load-path . ".")
-
- ;; FIXME: Currently this must be an absolute file name because
- ;; the 'evaluate' command of Cuirass loads it with
- ;; 'primitive-load'.
- ;; Use our own variant of Cuirass' 'examples/gnu-system.scm'.
- (#:file . #$(local-file "cuirass-jobs.scm"))
- (#:no-compile? #t) ;don't try to run ./bootstrap etc.
-
- (#:proc . hydra-jobs)
- (#:arguments (subset . "all"))
- (#:branch . "master"))))
-
-
-;;;
-;;; Operating system.
-;;;
-
(define %motd
;; Message of the day! Libcaca's img2txt gives something that's not so
;; great.
@@ -197,9 +90,7 @@ Happy hacking!\n"))
mdadm vim lm-sensors openssh
%base-packages))
- (services (cons* (service sysadmin-service-type %sysadmins)
-
- ;; TODO: create a bonding interface over ens9 + ens10
+ (services (cons* ;; TODO: create a bonding interface over ens9 + ens10
;; TODO: configure ens10 as with:
;; ip a add dev ens10 2a01:474:0::56/48
;; ip -6 route add default via 2a01:474:0::126
@@ -216,31 +107,6 @@ Happy hacking!\n"))
;; Don't repeat #:gateway and #:name-servers.
)
- (service openssh-service-type)
-
- ;; The Web service.
- (service guix-publish-service-type
- (guix-publish-configuration
- (port 3000)
- (cache "/var/cache/guix/publish")
- (ttl (* 45 24 3600))
- (compression-level 9)
- (workers 8)))
-
- (service nginx-service-type
- (nginx-configuration
- (file
- (file-append %nginx-config "/bayfront.conf"))))
-
- %nginx-mime-types
- %nginx-cache-activation
-
- (service cuirass-service-type
- (cuirass-configuration
- (interval (* 5 60))
- (specifications %cuirass-specs)))
-
-
;; Make SSH and HTTP/HTTPS available over Tor.
(tor-hidden-service "http"
'((22 "127.0.0.1:22")
@@ -248,18 +114,8 @@ Happy hacking!\n"))
(443 "127.0.0.1:443")))
(tor-service)
- ;; Cron and log rotation.
- (service rottlog-service-type (rottlog-configuration))
- (service mcron-service-type
- (mcron-configuration
- (jobs (list %gc-job %certbot-job))))
-
- firewall-service
-
- (modify-services %base-services
- ;; Disable substitutes altogether.
- (guix-service-type config => %guix-daemon-config)
- (login-service-type
- config => (login-configuration
- (inherit config)
- (motd %motd)))))))
+ (frontend-services %sysadmins
+ #:motd %motd
+ #:nginx-config-file
+ (file-append %nginx-config
+ "/bayfront.conf")))))
diff --git a/hydra/berlin-new.scm b/hydra/berlin-new.scm
index cddc94a..fe6c60f 100644
--- a/hydra/berlin-new.scm
+++ b/hydra/berlin-new.scm
@@ -1,10 +1,10 @@
;; OS configuration for "berlin", the frontend of the compile farm
;; hosted at the MDC.
-(use-modules (gnu) (guix) (sysadmin people))
-(use-service-modules base networking admin mcron shepherd ssh web cuirass)
-(use-package-modules admin certs emacs linux ssh tls vim
- package-management web wget ci rsync)
+(use-modules (gnu) (guix) (sysadmin services) (sysadmin people))
+(use-service-modules base networking admin shepherd)
+(use-package-modules admin certs emacs linux ssh tls vim package-management
+ web wget ci rsync)
(define %sysadmins
;; The sysadmins.
@@ -18,69 +18,6 @@
(full-name "Andreas Enge")
(ssh-public-key (local-file "keys/ssh/andreas.pub")))))
-
-(define %gc-job
- ;; The garbage collection mcron job, once per day.
- #~(job '(next-hour '(4))
- (string-append #$guix "/bin/guix gc -F80G")))
-
-(define %certbot-job
- ;; Attempt to renew the Let's Encrypt certificate twice a week.
- #~(job (lambda (now)
- (next-day-from (next-hour-from now '(3))
- '(2 5)))
- (string-append #$certbot "/bin/certbot renew")))
-
-(define %guix-daemon-config
- (guix-configuration
- ;; Disable substitutes altogether.
- (use-substitutes? #f)
- (substitute-urls '())
- (authorized-keys '())
- (max-silent-time 7200)
- (timeout (* 4 max-silent-time))
-
- (extra-options '("--max-jobs=5" "--cores=4" ;we have 8 cores
- "--cache-failures"
- "--gc-keep-outputs" "--gc-keep-derivations"))))
-
-(define start-firewall
- ;; Rules to throttle malicious SSH connection attempts. This will allow at
- ;; most 3 connections per minute from any host, and will block the host for
- ;; another minute if this rate is exceeded. Taken from
- ;; <http://www.la-samhna.de/library/brutessh.html#3>.
- #~(let ((iptables
- (lambda (str)
- (zero? (apply system*
- #$(file-append iptables
- "/sbin/iptables")
- (string-tokenize str))))))
- (format #t "Installing iptables SSH rules...~%")
- (and (iptables "-A INPUT -p tcp --dport 22 -m state \
- --state NEW -m recent --set --name SSH -j ACCEPT")
- (iptables "-A INPUT -p tcp --dport 22 -m recent \
- --update --seconds 60 --hitcount 4 --rttl \
- --name SSH -j LOG --log-prefix SSH_brute_force")
- (iptables "-A INPUT -p tcp --dport 22 -m recent \
- --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP"))))
-
-(define firewall-service
- ;; The "firewall". Make it a Shepherd service because as an activation
- ;; script it might run too early, before the Netfilter modules can be
- ;; loaded for some reason.
- (simple-service 'firewall shepherd-root-service-type
- (list (shepherd-service
- (provision '(firewall))
- (requirement '())
- (start #~(lambda ()
- #$start-firewall))
- (respawn? #f)))))
-
-
-;;;
-;;; NGINX.
-;;;
-
(define %nginx-config
;; Our nginx configuration directory. It expects 'guix publish' to be
;; running on port 3000.
@@ -100,43 +37,6 @@
(("@WWWROOT@")
#$(local-file "nginx/html/berlin" #:recursive?
#t)))))))
-(define %nginx-mime-types
- ;; Provide /etc/nginx/mime.types (and a bunch of other files.)
- (simple-service 'nginx-mime.types
- etc-service-type
- `(("nginx" ,(file-append nginx "/share/nginx/conf")))))
-
-(define %nginx-cache-activation
- ;; Make sure /var/cache/nginx exists on the first run.
- (simple-service 'nginx-/var/cache/nginx
- activation-service-type
- (with-imported-modules '((guix build utils))
- #~(begin
- (use-modules (guix build utils))
- (mkdir-p "/var/cache/nginx")))))
-
-
-;;;
-;;; Cuirass.
-;;;
-
-(define %cuirass-specs
- ;; Cuirass specifications to build Guix.
- #~(list `((#:name . "guix")
- ;; FIXME: The campus firewall blocks access to git://
- (#:url . "https://git.savannah.gnu.org/git/guix.git")
- (#:load-path . ".")
-
- ;; FIXME: Currently this must be an absolute file name because
- ;; the 'evaluate' command of Cuirass loads it with
- ;; 'primitive-load'.
- ;; Use our own variant of Cuirass' 'examples/gnu-system.scm'.
- (#:file . #$(local-file "cuirass-jobs.scm"))
- (#:no-compile? #t) ;don't try to run ./bootstrap etc.
-
- (#:proc . hydra-jobs)
- (#:arguments (subset . "all"))
- (#:branch . "master"))))
;;;
@@ -224,8 +124,6 @@ Happy hacking!\n"))
%base-packages))
(services (cons*
- (service sysadmin-service-type %sysadmins)
-
;; Connection to the DMZ for public access
(static-networking-service "eno1"
"141.80.181.40"
@@ -241,35 +139,12 @@ Happy hacking!\n"))
(static-networking-service "enp4s0f1"
"192.168.168.2"
#:netmask "255.255.255.0")
- (service openssh-service-type)
;; Allow login over serial console.
(agetty-service (agetty-configuration
(tty "ttyS0")
(baud-rate "115200")))
- ;; The Web service.
- (service guix-publish-service-type
- (guix-publish-configuration
- (port 3000)
- (cache "/var/cache/guix/publish")
- (ttl (* 45 24 3600))
- (compression-level 9)
- (workers 6)))
-
- (service nginx-service-type
- (nginx-configuration
- (file
- (file-append %nginx-config "/berlin.conf"))))
-
- %nginx-mime-types
- %nginx-cache-activation
-
- (service cuirass-service-type
- (cuirass-configuration
- (interval (* 5 60))
- (specifications %cuirass-specs)))
-
;; Make SSH and HTTP/HTTPS available over Tor.
(tor-hidden-service "http"
'((22 "127.0.0.1:22")
@@ -277,18 +152,7 @@ Happy hacking!\n"))
(443 "127.0.0.1:443")))
(tor-service)
- ;; Cron and log rotation.
- (service rottlog-service-type (rottlog-configuration))
- (service mcron-service-type
- (mcron-configuration
- (jobs (list %gc-job %certbot-job))))
-
- firewall-service
-
- (modify-services %base-services
- ;; Disable substitutes altogether.
- (guix-service-type config => %guix-daemon-config)
- (login-service-type
- config => (login-configuration
- (inherit config)
- (motd %motd)))))))
+ (frontend-services %sysadmins
+ #:motd %motd
+ #:nginx-config-file
+ (file-append %nginx-config "/berlin.conf")))))
diff --git a/hydra/berlin.scm b/hydra/berlin.scm
index 3c49c8c..ce3fa9d 100644
--- a/hydra/berlin.scm
+++ b/hydra/berlin.scm
@@ -1,8 +1,8 @@
;; OS configuration for "berlin", the frontend of the compile farm
;; hosted at the MDC.
-(use-modules (gnu) (guix) (sysadmin people))
-(use-service-modules base networking admin mcron shepherd ssh web cuirass)
+(use-modules (gnu) (guix) (sysadmin services) (sysadmin people))
+(use-service-modules base networking admin shepherd)
(use-package-modules admin certs emacs linux ssh tls vim package-management
web wget ci rsync)
@@ -19,69 +19,6 @@
(ssh-public-key (local-file "keys/ssh/andreas.pub")))))
-(define %gc-job
- ;; The garbage collection mcron job, once per day.
- #~(job '(next-hour '(4))
- (string-append #$guix "/bin/guix gc -F80G")))
-
-(define %certbot-job
- ;; Attempt to renew the Let's Encrypt certificate twice a week.
- #~(job (lambda (now)
- (next-day-from (next-hour-from now '(3))
- '(2 5)))
- (string-append #$certbot "/bin/certbot renew")))
-
-(define %guix-daemon-config
- (guix-configuration
- ;; Disable substitutes altogether.
- (use-substitutes? #f)
- (substitute-urls '())
- (authorized-keys '())
- (max-silent-time 7200)
- (timeout (* 4 max-silent-time))
- (log-compression 'gzip) ;be friendly to 'guix publish' users
-
- (extra-options '("--max-jobs=5" "--cores=4" ;we have 8 cores
- "--cache-failures"
- "--gc-keep-outputs" "--gc-keep-derivations"))))
-
-(define start-firewall
- ;; Rules to throttle malicious SSH connection attempts. This will allow at
- ;; most 3 connections per minute from any host, and will block the host for
- ;; another minute if this rate is exceeded. Taken from
- ;; <http://www.la-samhna.de/library/brutessh.html#3>.
- #~(let ((iptables
- (lambda (str)
- (zero? (apply system*
- #$(file-append iptables
- "/sbin/iptables")
- (string-tokenize str))))))
- (format #t "Installing iptables SSH rules...~%")
- (and (iptables "-A INPUT -p tcp --dport 22 -m state \
- --state NEW -m recent --set --name SSH -j ACCEPT")
- (iptables "-A INPUT -p tcp --dport 22 -m recent \
- --update --seconds 60 --hitcount 4 --rttl \
- --name SSH -j LOG --log-prefix SSH_brute_force")
- (iptables "-A INPUT -p tcp --dport 22 -m recent \
- --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP"))))
-
-(define firewall-service
- ;; The "firewall". Make it a Shepherd service because as an activation
- ;; script it might run too early, before the Netfilter modules can be
- ;; loaded for some reason.
- (simple-service 'firewall shepherd-root-service-type
- (list (shepherd-service
- (provision '(firewall))
- (requirement '())
- (start #~(lambda ()
- #$start-firewall))
- (respawn? #f)))))
-
-
-;;;
-;;; NGINX.
-;;;
-
(define %nginx-config
;; Our nginx configuration directory. It expects 'guix publish' to be
;; running on port 3000.
@@ -101,43 +38,6 @@
(("@WWWROOT@")
#$(local-file "nginx/html/berlin" #:recursive?
#t)))))))
-(define %nginx-mime-types
- ;; Provide /etc/nginx/mime.types (and a bunch of other files.)
- (simple-service 'nginx-mime.types
- etc-service-type
- `(("nginx" ,(file-append nginx "/share/nginx/conf")))))
-
-(define %nginx-cache-activation
- ;; Make sure /var/cache/nginx exists on the first run.
- (simple-service 'nginx-/var/cache/nginx
- activation-service-type
- (with-imported-modules '((guix build utils))
- #~(begin
- (use-modules (guix build utils))
- (mkdir-p "/var/cache/nginx")))))
-
-
-;;;
-;;; Cuirass.
-;;;
-
-(define %cuirass-specs
- ;; Cuirass specifications to build Guix.
- #~(list `((#:name . "guix")
- ;; FIXME: The campus firewall blocks access to git://
- (#:url . "https://git.savannah.gnu.org/git/guix.git")
- (#:load-path . ".")
-
- ;; FIXME: Currently this must be an absolute file name because
- ;; the 'evaluate' command of Cuirass loads it with
- ;; 'primitive-load'.
- ;; Use our own variant of Cuirass' 'examples/gnu-system.scm'.
- (#:file . #$(local-file "cuirass-jobs.scm"))
- (#:no-compile? #t) ;don't try to run ./bootstrap etc.
-
- (#:proc . hydra-jobs)
- (#:arguments (subset . "all"))
- (#:branch . "master"))))
;;;
@@ -224,8 +124,6 @@ Happy hacking!\n"))
%base-packages))
(services (cons*
- (service sysadmin-service-type %sysadmins)
-
;; TODO: configure the second network interface once it's
;; hooked up to the switch.
(static-networking-service "enp6s4f0"
@@ -235,35 +133,12 @@ Happy hacking!\n"))
(static-networking-service "enp0s8"
"192.168.0.1"
#:netmask "255.255.255.0")
- (service openssh-service-type)
;; Allow login over serial console.
(agetty-service (agetty-configuration
(tty "ttyS1")
(baud-rate "9600")))
- ;; The Web service.
- (service guix-publish-service-type
- (guix-publish-configuration
- (port 3000)
- (cache "/var/cache/guix/publish")
- (ttl (* 45 24 3600))
- (compression-level 9)
- (workers 6)))
-
- (service nginx-service-type
- (nginx-configuration
- (file
- (file-append %nginx-config "/berlin.conf"))))
-
- %nginx-mime-types
- %nginx-cache-activation
-
- (service cuirass-service-type
- (cuirass-configuration
- (interval (* 5 60))
- (specifications %cuirass-specs)))
-
;; Make SSH and HTTP/HTTPS available over Tor.
(tor-hidden-service "http"
'((22 "127.0.0.1:22")
@@ -271,18 +146,7 @@ Happy hacking!\n"))
(443 "127.0.0.1:443")))
(tor-service)
- ;; Cron and log rotation.
- (service rottlog-service-type (rottlog-configuration))
- (service mcron-service-type
- (mcron-configuration
- (jobs (list %gc-job %certbot-job))))
-
- firewall-service
-
- (modify-services %base-services
- ;; Disable substitutes altogether.
- (guix-service-type config => %guix-daemon-config)
- (login-service-type
- config => (login-configuration
- (inherit config)
- (motd %motd)))))))
+ (frontend-services %sysadmins
+ #:motd %motd
+ #:nginx-config-file
+ (file-append %nginx-config "/berlin.conf")))))
diff --git a/hydra/modules/sysadmin/services.scm
b/hydra/modules/sysadmin/services.scm
new file mode 100644
index 0000000..fe242eb
--- /dev/null
+++ b/hydra/modules/sysadmin/services.scm
@@ -0,0 +1,217 @@
+;;; GNU Guix system administration tools.
+;;;
+;;; Copyright © 2016, 2017, 2018 Ludovic Courtès <address@hidden>
+;;; Copyright © 2017, 2018 Ricardo Wurmus <address@hidden>
+;;;
+;;; This program is free software: you can redistribute it and/or modify
+;;; it under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation, either version 3 of the License, or
+;;; (at your option) any later version.
+;;;
+;;; This program is distributed in the hope that it will be useful,
+;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (sysadmin services)
+ #:use-module (guix gexp)
+ #:use-module (gnu services)
+ #:use-module (gnu services admin)
+ #:use-module (gnu services base)
+ #:use-module (gnu services cuirass)
+ #:use-module (gnu services mcron)
+ #:use-module (gnu services shepherd)
+ #:use-module (gnu services ssh)
+ #:use-module (gnu services web)
+ #:use-module (gnu packages linux)
+ #:use-module (gnu packages package-management)
+ #:use-module (gnu packages tls)
+ #:use-module (gnu packages web)
+ #:use-module (sysadmin people)
+ #:use-module (srfi srfi-1)
+ #:export (firewall-service
+ frontend-services))
+
+(define %gc-job
+ ;; The garbage collection mcron job, once per day.
+ #~(job '(next-hour '(4))
+ (string-append #$guix "/bin/guix gc -F80G")))
+
+(define* (guix-daemon-config #:key (max-jobs 5) (cores 4))
+ (guix-configuration
+ ;; Disable substitutes altogether.
+ (use-substitutes? #f)
+ (substitute-urls '())
+ (authorized-keys '())
+ (max-silent-time 7200)
+ (timeout (* 4 max-silent-time))
+ (log-compression 'gzip) ;be friendly to 'guix publish' users
+
+ (extra-options (list "--max-jobs" (number->string max-jobs)
+ "--cores" (number->string cores)
+ "--cache-failures"
+ "--gc-keep-outputs" "--gc-keep-derivations"))))
+
+
+;;;
+;;; Cuirass.
+;;;
+
+(define %cuirass-specs
+ ;; Cuirass specifications to build Guix.
+ #~(list `((#:name . "guix")
+ ;; FIXME: The campus firewall blocks access to git://
+ (#:url . "https://git.savannah.gnu.org/git/guix.git")
+ (#:load-path . ".")
+
+ ;; FIXME: Currently this must be an absolute file name because
+ ;; the 'evaluate' command of Cuirass loads it with
+ ;; 'primitive-load'.
+ ;; Use our own variant of Cuirass' 'examples/gnu-system.scm'.
+ (#:file . #$(local-file "../../cuirass-jobs.scm"))
+ (#:no-compile? #t) ;don't try to run ./bootstrap etc.
+
+ (#:proc . hydra-jobs)
+ (#:arguments (subset . "all"))
+ (#:branch . "master"))))
+
+
+;;;
+;;; Firewall.
+;;;
+
+(define start-firewall
+ ;; Rules to throttle malicious SSH connection attempts. This will allow at
+ ;; most 3 connections per minute from any host, and will block the host for
+ ;; another minute if this rate is exceeded. Taken from
+ ;; <http://www.la-samhna.de/library/brutessh.html#3>.
+ #~(let ((iptables
+ (lambda (str)
+ (zero? (apply system*
+ #$(file-append iptables
+ "/sbin/iptables")
+ (string-tokenize str))))))
+ (format #t "Installing iptables SSH rules...~%")
+ (and (iptables "-A INPUT -p tcp --dport 22 -m state \
+ --state NEW -m recent --set --name SSH -j ACCEPT")
+ (iptables "-A INPUT -p tcp --dport 22 -m recent \
+ --update --seconds 60 --hitcount 4 --rttl \
+ --name SSH -j LOG --log-prefix SSH_brute_force")
+ (iptables "-A INPUT -p tcp --dport 22 -m recent \
+ --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP"))))
+
+(define firewall-service
+ ;; The "firewall". Make it a Shepherd service because as an activation
+ ;; script it might run too early, before the Netfilter modules can be
+ ;; loaded for some reason.
+ (simple-service 'firewall shepherd-root-service-type
+ (list (shepherd-service
+ (provision '(firewall))
+ (requirement '())
+ (start #~(lambda ()
+ #$start-firewall))
+ (respawn? #f)))))
+
+
+;;;
+;;; NGINX.
+;;;
+
+(define %nginx-config
+ ;; Our nginx configuration directory. It expects 'guix publish' to be
+ ;; running on port 3000.
+ (computed-file "nginx-config"
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+
+ (mkdir #$output)
+ (chdir #$output)
+ (symlink #$(local-file "nginx/berlin.conf")
+ "berlin.conf")
+ (copy-file #$(local-file
+ "nginx/bayfront-locations.conf")
+ "berlin-locations.conf")
+ (substitute* "berlin-locations.conf"
+ (("@WWWROOT@")
+ #$(local-file "nginx/html/berlin" #:recursive?
#t)))))))
+
+(define %nginx-cache-activation
+ ;; Make sure /var/cache/nginx exists on the first run.
+ (simple-service 'nginx-/var/cache/nginx
+ activation-service-type
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+ (mkdir-p "/var/cache/nginx")))))
+
+(define %nginx-mime-types
+ ;; Provide /etc/nginx/mime.types (and a bunch of other files.)
+ (simple-service 'nginx-mime.types
+ etc-service-type
+ `(("nginx" ,(file-append nginx "/share/nginx/conf")))))
+
+
+(define %certbot-job
+ ;; Attempt to renew the Let's Encrypt certificate twice a week.
+ #~(job (lambda (now)
+ (next-day-from (next-hour-from now '(3))
+ '(2 5)))
+ (string-append #$certbot "/bin/certbot renew")))
+
+
+
+(define %default-motd
+ (plain-file "motd"
+ "Welcome to the Guix build frontend!\n\n"))
+
+(define* (frontend-services sysadmins #:key
+ nginx-config-file
+ (max-jobs 5)
+ (cores 4)
+ (motd %default-motd)
+ (nar-ttl (* 45 24 3600))
+ (publish-workers 6))
+ "Return the list of services for the build farm frontend."
+ (cons* (service rottlog-service-type (rottlog-configuration))
+ (service mcron-service-type
+ (mcron-configuration
+ (jobs (list %gc-job %certbot-job))))
+
+ firewall-service
+
+ ;; The Web service.
+ (service guix-publish-service-type
+ (guix-publish-configuration
+ (port 3000)
+ (cache "/var/cache/guix/publish")
+ (ttl nar-ttl)
+ (compression-level 9)
+ (workers publish-workers)))
+
+ (service nginx-service-type
+ (nginx-configuration
+ (file nginx-config-file)))
+
+ %nginx-mime-types
+ %nginx-cache-activation
+
+ (service cuirass-service-type
+ (cuirass-configuration
+ (interval (* 5 60))
+ (specifications %cuirass-specs)))
+
+ (service openssh-service-type)
+ (service sysadmin-service-type sysadmins)
+
+ (modify-services %base-services
+ (guix-service-type config =>
+ (guix-daemon-config #:max-jobs max-jobs
+ #:cores cores))
+ (login-service-type
+ config => (login-configuration
+ (inherit config)
+ (motd motd))))))