[GNUnet-SVN] [taler-deployment] 02/02: initial commit of guix directory


From: gnunet
Subject: [GNUnet-SVN] [taler-deployment] 02/02: initial commit of guix directory
Date: Sat, 31 Mar 2018 15:04:44 +0200

This is an automated email from the git hooks/post-receive script.

ng0 pushed a commit to branch master
in repository deployment.

commit f7a6ab6cb6efe3af1a01d9c5054c0e2b75d7523e
Author: Nils Gillmann <address@hidden>
AuthorDate: Sat Mar 31 13:04:55 2018 +0000

    initial commit of guix directory
    
    Signed-off-by: Nils Gillmann <address@hidden>
---
 guix/config.scm                  | 195 +++++++++++++++++++++++++++++++++++++++
 guix/keys/ssh/grothoff.pub       |   1 +
 guix/keys/ssh/ng0.pub            |   1 +
 guix/modules/sysadmin/people.scm |  73 +++++++++++++++
 4 files changed, 270 insertions(+)

diff --git a/guix/config.scm b/guix/config.scm
new file mode 100644
index 0000000..dd16bf2
--- /dev/null
+++ b/guix/config.scm
@@ -0,0 +1,195 @@
+;; OS configuration for the taler.net server
+
+(use-modules (gnu)
+             (guix)
+             (sysadmin people))
+(use-service-modules base networking mcron ssh mail
+                     version-control databases admin
+                     web certbot)
+(use-package-modules admin linux ssh tls vim zile wget
+                     ntp version-control)
+
+;;; Cron jobs
+;; FIXME: Create jobs.
+
+(define %sysadmins
+  ;; The sys-admins
+  (list (sysadmin (name "gillmann")
+                  (full-name "Nils Gillmann")
+                  (ssh-public-key (local-file "keys/ssh/ng0.pub")))
+        (sysadmin (name "grothoff")
+                  (full-name "Christian Grothoff")
+                  (ssh-public-key (local-file "keys/ssh/grothoff.pub")))))
+
+;;;
+;;; The OS definition
+;;;
+
+(operating-system
+  (host-name "taler.net")
+  (timezone "Europe/Berlin")
+  (locale "en_US.UTF-8")
+
+  ;; bootloader
+  (bootloader (grub-configuration (target "/dev/sda")
+                                  (terminal-outputs '(console))))
+  
+  ;; file-systems
+  ;; single-disk configuration.
+  (file-systems (cons* (file-system
+                         (device "my-root")
+                         (title 'label)
+                         (mount-point "/")
+                         (type "ext4"))
+                       (file-system
+                         (device "my-home")
+                         (title 'label)
+                         (mount-point "/home")
+                         (type "ext4"))
+                       %base-file-systems))
+  ;; FIXME: RAID? -> mapped-devices
+  ;; FIXME: RAID? -> Add kernel module!
+  ;; FIXME: /home should be on luks encrypted device
+
+  ;; Local admin account
+  ;; FIXME: Do we really need this?
+  (users (cons (user-account
+                (name "local-admin")
+                (comment "Local admin")
+                (group "users")
+                (supplementary-groups '("wheel"))
+                (home-directory "/home/local-admin"))
+               %base-user-accounts))
+
+  (packages (append (map specification->package '("nvi"
+                                                  "mg"
+                                                  "openssh"
+                                                  "gitolite"
+                                                  "nss-certs"
+                                                  "wget"
+                                                  "mysql"
+                                                  "certbot"))
+                    %base-packages))
+
+  (services (cons*
+             (service sysadmin-service-type %sysadmins)
+
+             ;; Log rotation
+             (service rottlog-service-type (rottlog-configuration))
+
+             ;; CERTIFICATES
+             (service certbot-service-type
+                      (certbot-configuration
+                       (hosts '(("taler.net")))))
+
+             ;; MAIL
+             ;; FIXME: Policy is to just receive mail.
+             ;; Produce the /etc/alias file:
+             (service mail-aliases-service-type
+                      '(("mailer-daemon" "postmaster")
+                        ("postmaster" "root")
+                        ("nobody" "root")
+                        ("hostmaster" "root")
+                        ("usenet" "root")
+                        ("news" "root")
+                        ("webmaster" "root")
+                        ("www" "root")
+                        ("ftp" "root")
+                        ("abuse" "root")
+                        ("noc" "root")
+                        ("security" "root")
+                        ("root" "grothoff")
+                        ("gnunet" "grothoff")
+                        ("durner" "ndurner")
+                        ("torsten" "grothoff" "krista")
+                        ("cor" "grothoff")
+                        ("ng0" "ng0")
+                        ("translations" "grothoff")
+                        ("translators" "grothoff")
+                        ("website" "grothoff")
+                        ("gns-data" "grothoff" "address@hidden" 
"address@hidden")))
+             ;; Depending on the final server policies, adjust to
+             ;; not send email or send email:
+             ;; Dovecot
+             (dovecot-service #:config
+                              (dovecot-configuration
+                               (mail-location "maildir:~/Maildir")))
+             ;; OpenSMTPD:
+             (service opensmtpd-service-type
+                      (opensmtpd-configuration
+                       (config-file (local-file 
"./opensmtpd/opensmtpd.conf"))))
+             ;; Extend the /etc-service. This creates the files OpenSMTPD
+             ;; wants and adds them to the /etc/ folder.
+             ;; (service etc-service-type
+             ;;          (list `("vdoms.conf"
+             ;;                  ,(plain-file "vdoms.conf"
+             ;;                               "gnunet.org\n"))
+             ;;                `("vusers.conf"
+             ;;                  ,(plain-file "vusers.conf"
+             ;;                               "address@hidden grothoff"))))
+
+             ;; SSH
+             (service openssh-service-type
+                      (openssh-configuration
+                       (port-number 22)
+                       (password-authentication? #f)))
+
+             ;; Databases
+             (mysql-service
+              #:config
+              (mysql-configuration
+               ;; Defaults to mariadb,
+               ;; read `info guix services`, section databases.
+               ;;(mysql "mysql")
+               ;; Default portnumber, must be a NUMBER not a string.
+               (port 3306)))
+
+             ;; WEBSERVER
+             ;;(service nginx-service-type)
+             ;;(service fcgiwrap-service-type)
+             ;; FIXME: Check cgit-service-type + gitolite options.
+             ;; FIXME: Extend cgit service.
+             ;;(service cgit-service-type)
+
+             ;; CGIT:
+             ;;(service nginx-service-type)
+             ;; (service fcgiwrap-service-type)
+             ;; (service cgit-service-type)
+
+             ;; GIT
+             ;; Defaults to base-folder "/srv/git/"
+             (git-daemon-service
+              #:config (git-daemon-configuration
+                        (user-path "git")))
+
+             ;; SERVE GIT OVER HTTP:
+             ;; FIXME: FAILING BUILD, USE WORKAROUND.
+             ;; (service nginx-service-type
+             ;;          (nginx-configuration
+             ;;           (server-blocks
+             ;;            (list
+             ;;             (nginx-server-configuration
+             ;;              (http-port #f)
+             ;;              (server-name "git.gnunet.org")
+             ;;              (ssl-certificate
+             ;;               
"/etc/letsencrypt/live/git.gnunet.org/fullchain.pem")
+             ;;              (ssl-certificate-key
+             ;;               
"/etc/letsencrypt/live/git.gnunet.org/privkey.pem")
+             ;;              (locations
+             ;;               (list
+             ;;                (git-http-nginx-location-configuration
+             ;;                 (git-http-configuration (uri-path "/"))))))))))
+
+             ;; Networking
+             ;; FIXME: Complete this
+             (static-networking-service
+              "eth0" "2001:4ca0:2001:42:225:90ff:fe6b:d60"
+              #:netmask ""
+              #:gateway "2001:4ca0:2001:42::1"
+              #:name-servers '("" "" ""))
+             (static-networking-service
+              "eth1" "131.159.74.67"
+              #:netmask "255.255.255.240"
+              #:gateway "131.159.74.78"
+              #:name-servers '("" "" ""))
+            %base-services)))
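Review bot: The OpenSMTPD service's `config-file` line reads `(local-file "./opensmtpd/opensmtpd.conf")`, but no such file is part of this commit (the diffstat lists only config.scm, the two key files and people.scm), so building this system configuration will fail until it is added — and since the FIXME above says the policy is to only receive mail, that file is also where relaying has to be restricted, so it should be reviewed alongside this one. Separately, the `local-admin` account is put in `wheel` (which the default sudoers presumably grants sudo) with neither a password nor an SSH key declared here; how Guix initialises an account whose password field is left at its default should be confirmed, and if the account is not needed, as its own FIXME asks, dropping it keeps the sudoer set to the two key-backed sysadmins. A one-line comment on the openssh block, e.g. `;; Key-only logins; the sysadmin service supplies the authorized keys.`, would make the intended access model explicit.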
diff --git a/guix/keys/ssh/grothoff.pub b/guix/keys/ssh/grothoff.pub
new file mode 100644
index 0000000..6af38a5
--- /dev/null
+++ b/guix/keys/ssh/grothoff.pub
@@ -0,0 +1 @@
+ssh-dss 
AAAAB3NzaC1kc3MAAAIBAPmoUwxO5VkAR2j7AJh1/UfySsvtqPJWlzZ4i33LoNis6KpaHn7JO9dEL/psg10ZAqqqFahcTvqFDeXjS5DBzOHWA/u0TgXj58i1rOO2TgmxKF3UatYfD51omlPvw3IcnTPIX+Dsiq/cDkJAHxBdAYo9KjFGu9hM090UN7rY/ykBP/VwKbA/9fg0ASPgGrRF7JRylpMu424c8CbvM/iMZCew2BeE21g1u6WgewJjLgWcdGH2r4GO2FPvHSUlVJJ/wXdCDweboPsB+CuiEmBVruKcbG+DJddRWe4L7aUnIHTL6/i85bNwyjQ/toS2PFBx0jp04OcMyF7PxcIeEYI1+cimH//XIo3eOESGjRWpOKJR+yWlxcg2rKTFuHDO1tTTgqC+e2Kcvp7XrQPf4RuBWtD2YRGUMtEhQhvt2+Qd7KDQuuYR8TPXhHEh/sh7pQkCR/I9ijkxiPTCINjw
 [...]
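Review bot: This key is `ssh-dss`; OpenSSH 7.0 and later disable ssh-dss by default on both server and client, so the openssh service in config.scm will reject logins with it unless `PubkeyAcceptedKeyTypes` is widened to re-enable a SHA-1-signed algorithm, which is the wrong fix. The blob's first length field (`AAAIB`, i.e. 513 bytes) also suggests a non-standard 4096-bit DSA modulus, which stock ssh-keygen does not generate, so it is worth checking what produced it. Replace it with an ed25519 key as ng0.pub already does.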
diff --git a/guix/keys/ssh/ng0.pub b/guix/keys/ssh/ng0.pub
new file mode 100644
index 0000000..6d4c6e1
--- /dev/null
+++ b/guix/keys/ssh/ng0.pub
@@ -0,0 +1 @@
+ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIOBsKO/O2K6Q2sQ1a6EVzQkcnI1QbWeQ14uuxn+MplGG 
address@hidden
diff --git a/guix/modules/sysadmin/people.scm b/guix/modules/sysadmin/people.scm
new file mode 100644
index 0000000..121c268
--- /dev/null
+++ b/guix/modules/sysadmin/people.scm
@@ -0,0 +1,73 @@
+;;; GNU Guix system administration tools.
+;;;
+;;; Copyright © 2016, 2017 Ludovic Courtès <address@hidden>
+;;;
+;;; This program is free software: you can redistribute it and/or modify
+;;; it under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation, either version 3 of the License, or
+;;; (at your option) any later version.
+;;;
+;;; This program is distributed in the hope that it will be useful,
+;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (sysadmin people)
+  #:use-module (guix gexp)
+  #:use-module (guix records)
+  #:use-module (gnu services)
+  #:use-module (gnu system shadow)
+  #:use-module (gnu services ssh)
+  #:use-module (gnu packages base)
+  #:use-module (ice-9 match)
+  #:export (sysadmin?
+            sysadmin
+            sysadmin-service-type))
+
+;;; Commentary:
+;;;
+;;; Declaration of system administrator user accounts.
+;;;
+;;; Code:
+
+(define-record-type* <sysadmin> sysadmin make-sysadmin
+  sysadmin?
+  (name            sysadmin-name)
+  (full-name       sysadmin-full-name)
+  (ssh-public-key  sysadmin-ssh-public-key)
+  (restricted?     sysadmin-restricted? (default #f)))
+
+(define (sysadmin->account sysadmin)
+  "Return the user account for SYSADMIN."
+  (match sysadmin
+    (($ <sysadmin> name comment _ restricted?)
+     (user-account
+      (name name)
+      (comment comment)
+      (group "users")
+      (supplementary-groups (if restricted?
+                                '()
+                                '("wheel" "kvm"))) ;sudoer
+      (home-directory (string-append "/home/" name))))))
+
+(define (sysadmin->authorized-key sysadmin)
+  "Return an authorized key tuple for SYSADMIN."
+  (list (sysadmin-name sysadmin)
+        (sysadmin-ssh-public-key sysadmin)))
+
+(define sysadmin-service-type
+  ;; The service that initializes sysadmin accounts.
+  (service-type
+   (name 'sysadmin)
+   (extensions (list (service-extension account-service-type
+                                        (lambda (lst)
+                                          (map sysadmin->account lst)))
+                     (service-extension openssh-service-type
+                                        (lambda (lst)
+                                          (map sysadmin->authorized-key
+                                               lst)))))))
+
+;;; people.scm ends here
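Review bot: `sysadmin->account` puts every administrator in `wheel` and `kvm` whenever `restricted?` is left at its `#f` default, so both entries in config.scm become sudoers and also gain `/dev/kvm` access on a host whose configuration defines no VM service; a least-privilege default would be `'("wheel")` with `kvm` added only where a sysadmin actually needs it, or `restricted?` defaulting to `#t` so privilege is opted into at the definition site. The `restricted?` field is undocumented; a comment on the record such as `;; #t: plain user account — no wheel (sudo) and no kvm group.` would make the privilege consequence visible where the record is declared. The `;sudoer` remark on the supplementary-groups line should likewise say that `wheel` is what confers sudo, since `kvm` is unrelated to it.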
