angine


commit 2ff71abbdb27f9353ac55f5f8c0572f8938b8e28
Author: Adriel Dumas--Jondeau <leirda@disroot.org>
Date:   Sun, 26 May 2024 17:37:29 +0200

Ajoute la config initiale d’un système préinstallé

Cette configuration n’est pas reproductible en l’état en raison de
l’absence des fichiers `angine' et `angine.pub' qui sont la paire de
clefs utilisées pour déployer le serveur.

Diffstat:
Aangine/system.scm | 110+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Adeploy.scm | 18++++++++++++++++++
2 files changed, 128 insertions(+), 0 deletions(-)

diff --git a/angine/system.scm b/angine/system.scm 
@@ -0,0 +1,110 @@
+(define-module (angine system)
+ #:use-module (gnu)
+ #:use-module (gnu services certbot)
+ #:use-module (gnu services networking)
+ #:use-module (gnu services ssh)
+ #:use-module (gnu services web)
+ #:use-module (gnu packages base)
+ #:use-module (gnu packages certs)
+ #:use-module (gnu packages ssh)
+ #:use-module (gnu packages rsync)
+ #:use-module (gnu packages version-control))
+
+(define %domain "duché-perché.fr")
+(define %puny-domain "xn--duch-perch-e7ag.fr")
+
+(define %forge-prefix "git")
+(define %forge (string-append %forge-prefix "." %domain))
+(define %puny-forge (string-append %forge-prefix "." %puny-domain))
+
+(define %ssl-dir "/etc/letsencrypt/live/")
+(define (ssl-cert domain)
+ (string-append %ssl-dir domain "/fullchain.pem"))
+(define (ssl-privkey domain)
+ (string-append %ssl-dir domain "/privkey.pem"))
+
+(define %certbot-nginx-deploy-hook
+ (program-file
+ "nginx-deploy-hook"
+ #~(let ((fid (call-with-input-file "/var/run/nginx/pid" read)))
+ (kill pid SIGHUP))))
+
+(define-public %angine-operating-system
+ (operating-system
+ (host-name "angine")
+ (timezone "Europe/Paris")
+ (locale "fr_FR.utf8")
+
+ (kernel-arguments
+ (list "console=tty0" "console=ttyS0,115200"))
+
+ (bootloader (bootloader-configuration
+ (bootloader grub-bootloader)
+ (targets (list "/dev/sda"))
+ (terminal-outputs '(gfxterm serial))
+ (terminal-inputs '(console serial))
+ (serial-unit 0)
+ (serial-speed 115200)))
+
+ (file-systems
+ (cons* (file-system
+ (device (file-system-label "ROOT"))
+ (mount-point "/")
+ (type "btrfs")
+ (options "compress-force=zstd,space_cache=v2"))
+ %base-file-systems))
+
+ (packages
+ (cons* (make-glibc-utf8-locales glibc
+ #:locales (list "fr_FR")
+ #:name "glibc-french-utf8-locale")
+ %base-packages))
+
+ (services
+ (cons* (service dhcp-client-service-type)
+ (service ntp-service-type)
+ (service openssh-service-type
+ (openssh-configuration
+ (openssh openssh-sans-x)
+ (x11-forwarding? #f)
+ (permit-root-login 'prohibit-password)
+ (authorized-keys
+ `(("root" ,(local-file "./angine.pub"))))))
+ (extra-special-file "/usr/bin/rsync"
+ (file-append rsync "/bin/rsync"))
+
+ (service nginx-service-type
+ (nginx-configuration
+ (server-blocks
+ (list
+ (nginx-server-configuration
+ (server-name (list %puny-domain))
+ (listen (list "443 ssl"))
+ (ssl-certificate (ssl-cert %puny-domain))
+ (ssl-certificate-key
+ (ssl-privkey %puny-domain))
+ (raw-content
+ `(("access_log /dev/null;")))
+ (root (string-append "/srv/" %domain)))))))
+
+ (service certbot-service-type
+ (certbot-configuration
+ (email "leirda@disroot.org")
+ (webroot "/srv/letsencrypt")
+ (certificates
+ (list
+ (certificate-configuration
+ (name %puny-domain)
+ (domains (list %puny-domain %puny-forge))
+ (deploy-hook %certbot-nginx-deploy-hook))))))
+
+ (modify-services %base-services
+ (guix-service-type
+ config =>
+ (guix-configuration
+ (inherit config)
+ (authorized-keys
+ (cons* (local-file "/etc/guix/signing-key.pub")
+ %default-authorized-guix-keys)))))))))
+
+%angine-operating-system
diff --git a/deploy.scm b/deploy.scm
@@ -0,0 +1,18 @@
+(define-module (deploy)
+ #:use-module (angine system)
+
+ #:use-module (guix gexp)
+ #:use-module (gnu machine)
+ #:use-module (gnu machine ssh))
+
+(list (machine
+ (operating-system %angine-operating-system)
+ (environment managed-host-environment-type)
+ (configuration (machine-ssh-configuration
+ (host-name "angine")
+ (host-key "ssh-ed25519
+AAAAC3NzaC1lZDI1NTE5AAAAIPBuM9aMwCbek1vpJaDnsnToeq0lKqRa5rQoTppqOEIB")
+ (authorize? #t)
+ (system "x86_64-linux")
+ (user "root")
+ (identity "./angine/angine")))))
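Review bot: The certbot deploy hook `%certbot-nginx-deploy-hook` near the top of the angine/system.scm hunk binds the value read from /var/run/nginx/pid to `fid` but then calls `(kill pid SIGHUP)`, so `pid` is an unbound variable inside the generated script. Since the hook only runs when certbot has renewed the certificate, the error surfaces at renewal time rather than at build or deploy time, and nginx would keep serving the previous certificate until it is restarted for some other reason. Renaming the binding fixes it: `#~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))`. It may also be worth having the hook handle a missing or empty pid file (nginx stopped) explicitly rather than raising, so a renewal is not reported as failed for that reason alone.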
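Review bot: The `host-key` string in the deploy.scm hunk runs over two lines, so the key type and the base64 blob are separated by a newline instead of the usual space. As far as I can tell the SSH machine backend tokenizes the host key on whitespace, so it presumably still matches the server, but it reads like an accidental wrap and would not survive a reader that expects the single-line OpenSSH form. Put it on one line: `(host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBuM9aMwCbek1vpJaDnsnToeq0lKqRa5rQoTppqOEIB")`.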