commit c870e27a489b3d69a4943cbad1ba651ec2b2e855
parent d74cd5bbdfb0b19b05730d0f136ae9a18bd5196f
Author: Adriel Dumas--Jondeau <leirda@disroot.org>
Date: Wed, 13 Nov 2024 16:52:59 +0100
Ajoute un serveur SFTP avec des autorisations
Diffstat:
7 files changed, 141 insertions(+), 101 deletions(-)
diff --git a/angine/adriel.pub b/angine/adriel.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIkkzykp7YB60zStEmhrWZAYELNcjS7iv47N5ilflS2Z adriel@tel
diff --git a/angine/kat.pub b/angine/kat.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFEgxglNPpsEqVKi9AoenKYvdQkpEB2IRRdwu0TQgfeC kat@tel
diff --git a/angine/louane.pub b/angine/louane.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEEvSDYhK5nbz7GUdIDuWPk/SUGLRvmtGlrj4T5uyMNs louane@tel
diff --git a/angine/quentin.pub b/angine/quentin.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDv5oGuC5Co/H/vYI10A6rWk99hpoSfLbDpUiDKtA+mW quentin@tel
diff --git a/angine/remy.pub b/angine/remy.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKZ4b8ZNS1Ougf668T4GYj9rM7o9ujUR1pT/XhVYLzN rémy@tel
diff --git a/angine/system.scm b/angine/system.scm
@@ -5,8 +5,10 @@
#:use-module (gnu services ssh)
#:use-module (gnu services version-control)
#:use-module (gnu services web)
+ #:use-module (gnu packages admin)
#:use-module (gnu packages base)
#:use-module (gnu packages certs)
+ #:use-module (gnu packages file-systems)
#:use-module (gnu packages ssh)
#:use-module (gnu packages rsync)
#:use-module (gnu packages version-control))
@@ -32,106 +34,138 @@
(define-public %angine-operating-system
(operating-system
- (host-name "angine")
- (timezone "Europe/Paris")
- (locale "fr_FR.utf8")
-
- (kernel-arguments
- (list "console=tty0" "console=ttyS0,115200"))
-
- (bootloader (bootloader-configuration
- (bootloader grub-bootloader)
- (targets (list "/dev/sda"))
- (terminal-outputs '(gfxterm serial))
- (terminal-inputs '(console serial))
- (serial-unit 0)
- (serial-speed 115200)))
-
- (file-systems
- (cons* (file-system
- (device (file-system-label "ROOT"))
- (mount-point "/")
- (type "btrfs")
- (options "compress-force=zstd,space_cache=v2"))
- %base-file-systems))
-
- (packages
- (cons* (make-glibc-utf8-locales glibc
- #:locales (list "fr_FR")
- #:name "glibc-french-utf8-locale")
- %base-packages))
-
- (services
- (cons* (service dhcp-client-service-type)
- (service ntp-service-type)
- (service openssh-service-type
- (openssh-configuration
- (openssh openssh-sans-x)
- (x11-forwarding? #f)
- (password-authentication? #f)
- (permit-root-login 'prohibit-password)
- (authorized-keys
- `(("root" ,(local-file "./angine.pub"))))))
- (extra-special-file "/usr/bin/rsync"
- (file-append rsync "/bin/rsync"))
-
- (service fcgiwrap-service-type
- (fcgiwrap-configuration
- (user "git")
- (group "git")))
-
- (service nginx-service-type
- (nginx-configuration
- (server-blocks
- (list
- (nginx-server-configuration
- (server-name (list %puny-domain))
- (listen (list "443 ssl"))
- (ssl-certificate (ssl-cert %puny-domain))
- (ssl-certificate-key
- (ssl-privkey %puny-domain))
- (raw-content
- `(("access_log /dev/null;")))
- (root (string-append "/srv/" %domain)))
- (nginx-server-configuration
- (server-name (list %puny-forge))
- (listen (list "443 ssl"))
- (ssl-certificate (ssl-cert %puny-domain))
- (ssl-certificate-key
- (ssl-privkey %puny-domain))
- (raw-content
- `(("access_log /root/nginx-git.log;")))
- (root (string-append "/srv/" %forge))
- (locations
- (list
- (git-http-nginx-location-configuration
- (git-http-configuration
- (uri-path "git")
- (export-all? #t)
- (git-root "/var/lib/gitolite/repositories"))))))))))
-
- (service gitolite-service-type
- (gitolite-configuration
- (admin-pubkey (local-file "./angine.pub"))))
-
- (service certbot-service-type
- (certbot-configuration
- (email "leirda@disroot.org")
- (webroot "/srv/letsencrypt")
- (certificates
- (list
- (certificate-configuration
- (name %puny-domain)
- (domains (list %puny-domain %puny-forge))
- (deploy-hook %certbot-nginx-deploy-hook))))))
-
- (modify-services %base-services
- (guix-service-type
- config =>
- (guix-configuration
- (inherit config)
- (authorized-keys
- (cons* (local-file "/etc/guix/signing-key.pub")
- %default-authorized-guix-keys)))))))))
+ (host-name "angine")
+ (timezone "Europe/Paris")
+ (locale "fr_FR.utf8")
+
+ (kernel-arguments
+ (list "console=tty0" "console=ttyS0,115200"))
+
+ (bootloader (bootloader-configuration
+ (bootloader grub-bootloader)
+ (targets (list "/dev/sda"))
+ (terminal-outputs '(gfxterm serial))
+ (terminal-inputs '(console serial))
+ (serial-unit 0)
+ (serial-speed 115200)))
+
+ (file-systems
+ (cons* (file-system
+ (device (file-system-label "ROOT"))
+ (mount-point "/")
+ (type "btrfs")
+ (options "compress-force=zstd,space_cache=v2"))
+ (file-system
+ (device "/dev/disk/by-partlabel/data")
+ (mount-point "/home")
+ (type "bcachefs"))
+ %base-file-systems))
+
+ (packages
+ (cons* (make-glibc-utf8-locales glibc
+ #:locales (list "fr_FR")
+ #:name "glibc-french-utf8-locale")
+ bcachefs-tools
+ %base-packages))
+
+ (users
+ (cons* (user-account
+ (name "membre")
+ (group "users")
+ (home-directory "/home/membre")
+ (shell (file-append shadow "/sbin/nologin"))
+ (comment "Les membres du bureau du duché perché.")
+ (supplementary-groups (list "sftp")))
+ %base-user-accounts))
+
+ (groups
+ (cons* (user-group (name "sftp"))
+ %base-groups))
+
+ (services
+ (cons* (service dhcp-client-service-type)
+ (service ntp-service-type)
+
+ (service openssh-service-type
+ (openssh-configuration
+ (openssh openssh-sans-x)
+ (x11-forwarding? #f)
+ (password-authentication? #f)
+ (permit-root-login 'prohibit-password)
+ (authorized-keys
+ `(("root" ,(local-file "./angine.pub"))
+ ("membre" ,(local-file "./adriel.pub"))
+ ("membre" ,(local-file "./kat.pub"))
+ ("membre" ,(local-file "./louane.pub"))
+ ("membre" ,(local-file "./quentin.pub"))
+ ("membre" ,(local-file "./remy.pub"))
+ ("membre" ,(local-file "./tristan.pub"))))
+ (extra-content "\
+Match Group sftp
+ ChrootDirectory /home
+ ForceCommand internal-sftp
+ AllowTcpForwarding no")))
+
+ (extra-special-file "/usr/bin/rsync"
+ (file-append rsync "/bin/rsync"))
+
+ (service fcgiwrap-service-type
+ (fcgiwrap-configuration
+ (user "git")
+ (group "git")))
+
+ (service nginx-service-type
+ (nginx-configuration
+ (server-blocks
+ (list
+ (nginx-server-configuration
+ (server-name (list %puny-domain))
+ (listen (list "443 ssl"))
+ (ssl-certificate (ssl-cert %puny-domain))
+ (ssl-certificate-key
+ (ssl-privkey %puny-domain))
+ (raw-content
+ `(("access_log /dev/null;")))
+ (root (string-append "/srv/" %domain)))
+ (nginx-server-configuration
+ (server-name (list %puny-forge))
+ (listen (list "443 ssl"))
+ (ssl-certificate (ssl-cert %puny-domain))
+ (ssl-certificate-key
+ (ssl-privkey %puny-domain))
+ (raw-content
+ `(("access_log /root/nginx-git.log;")))
+ (root (string-append "/srv/" %forge))
+ (locations
+ (list
+ (git-http-nginx-location-configuration
+ (git-http-configuration
+ (uri-path "git")
+ (export-all? #t)
+ (git-root "/var/lib/gitolite/repositories"))))))))))
+
+ (service gitolite-service-type
+ (gitolite-configuration
+ (admin-pubkey (local-file "./angine.pub"))))
+
+ (service certbot-service-type
+ (certbot-configuration
+ (email "leirda@disroot.org")
+ (webroot "/srv/letsencrypt")
+ (certificates
+ (list
+ (certificate-configuration
+ (name %puny-domain)
+ (domains (list %puny-domain %puny-forge))
+ (deploy-hook %certbot-nginx-deploy-hook))))))
+
+ (modify-services %base-services
+ (guix-service-type
+ config =>
+ (guix-configuration
+ (inherit config)
+ (authorized-keys
+ (cons* (local-file "/etc/guix/signing-key.pub")
+ %default-authorized-guix-keys)))))))))
%angine-operating-system
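Review bot: The new `Match Group sftp` block disables TCP forwarding but leaves agent forwarding and tunnel devices at sshd's defaults, which an SFTP-only chrooted account has no use for; add `AllowAgentForwarding no` and `PermitTunnel no` alongside `AllowTcpForwarding no` so the `ForceCommand internal-sftp` session cannot open those channels. With `ChrootDirectory /home` and `(home-directory "/home/membre")`, the home path is resolved inside the chroot where it does not exist, so sessions presumably start at the chroot root (the real `/home`) rather than in the member's directory — `ChrootDirectory %h` with a root-owned `/home/membre` and a member-writable subdirectory is the usual shape; confirm on the host. sshd also refuses the chroot unless `/home` (here the bcachefs mount added to `file-systems`) and all its parents are root-owned and not group- or world-writable, which is worth checking after the first mount of that partition. Since six keys share the single `membre` account, per-person accountability rests on the key fingerprint sshd logs at authentication; a comment above the `authorized-keys` list such as `;; shared account: audit via the key fingerprint in sshd's "Accepted publickey" log line` would make that explicit.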
diff --git a/angine/tristan.pub b/angine/tristan.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKBjtIRgyBSW9vkPzbssq2dQC1F1t574BK2OWp3gWyuQ tristan@duché-perché.fr