
110f0bc428029a20ba546e8e298e8798c2a3e9de — Andrew Tropin 1 year, 7 months ago 8e172b5
Replicate pinky config in separate module.
2 files changed, 282 insertions(+), 0 deletions(-)

A files/ssh.key
A src/tropin/machines.scm
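--- a/files/ssh.key
+++ b/files/ssh.key
@@ -0,0 +1,1 @@
+ssh-rsa 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 cardno:10 496 392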

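--- a/src/tropin/machines.scm
+++ b/src/tropin/machines.scm
@@ -0,0 +1,281 @@
+(define-module (tropin machines))
+
+(use-modules (gnu) (guix) (gnu machine) (gnu machine ssh)
+             (gnu services) (gnu system) (gnu system pam))
+(use-service-modules networking ssh web shepherd)
+(use-package-modules bootloaders ssh web)
+
+(define nginx-service
+  (service
+   nginx-service-type
+   (nginx-configuration
+    (modules
+     (list
+      (file-append nginx-rtmp-module "\
+/etc/nginx/modules/ngx_rtmp_module.so")))
+    (extra-content
+     (format #f "\
+server {
+    listen 80;
+    listen [::]:80;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    ssl_certificate /srv/nginx/ssl/hundredrps.pem;
+    ssl_certificate_key /srv/nginx/ssl/hundredrps.key;
+    ssl_protocols TLSv1.2;
+
+    server_name guix.trop.in guix.ygg.trop.in;
+
+    location / {
+        proxy_pass https://guix.gnu.org;
+        proxy_set_header HOST guix.gnu.org;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    ssl_certificate /srv/nginx/ssl/hundredrps.pem;
+    ssl_certificate_key /srv/nginx/ssl/hundredrps.key;
+    ssl_protocols TLSv1.2;
+
+    server_name issues.guix.trop.in issues.guix.ygg.trop.in;
+
+    location / {
+        proxy_pass https://issues.guix.gnu.org;
+        proxy_set_header HOST issues.guix.gnu.org;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    ssl_certificate /srv/nginx/ssl/hundredrps.pem;
+    ssl_certificate_key /srv/nginx/ssl/hundredrps.key;
+    ssl_protocols TLSv1.2;
+
+    server_name ci.guix.trop.in ci.guix.ygg.trop.in;
+
+    location / {
+        proxy_pass https://ci.guix.gnu.org;
+        proxy_set_header HOST ci.guix.gnu.org;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    ssl_certificate     /etc/letsencrypt/live/trop.in/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/trop.in/privkey.pem;
+    ssl_protocols TLSv1.2;
+
+    server_name trop.in *.trop.in;
+
+    location / {
+        root /srv/nginx/trop.in;
+        if ($request_uri ~~ ^/(.*)\\.html(\\?|$)) {
+            return 302 /$1;
+        }
+        try_files $uri $uri.html $uri/ =404;
+    }
+
+    # rtmp stat
+    location /stat {
+        rtmp_stat all;
+        rtmp_stat_stylesheet stat.xsl;
+    }
+
+    location /stat.xsl {
+        root /var/www/html/rtmp;
+    }
+
+    # rtmp control
+    location /control {
+        rtmp_control all;
+    }
+
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name files.trop.in files.ygg.trop.in;
+    root /srv/nginx/public;
+    autoindex on;
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name hundredrps.project.trop.in;
+    root /srv/nginx/public;
+    autoindex on;
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name hundredrps.project.trop.in;
+    ssl_certificate /srv/nginx/ssl/hundredrps.pem;
+    ssl_certificate_key /srv/nginx/ssl/hundredrps.key;
+    ssl_protocols TLSv1.2;
+
+    location / {
+        proxy_pass http://localhost:50080;
+    }
+}
+
+}
+rtmp {
+        server {
+                listen 1935;
+                chunk_size 4096;
+
+                application live {
+                        live on;
+                        record off;
+                        push rtmp://a.rtmp.youtube.com/live2/~a;
+                        push rtmp://diode.zone:1935/live/~a;
+                }
+        }
+"
+             (getenv "YOUTUBE_RTMP_KEY")
+             (getenv "PEERTUBE_RTMP_KEY"))))))
+
+;; Operating system description
+(define* (get-os #:key (user "bob"))
+  (operating-system
+   (host-name "pinky")
+   (timezone "Europe/Amsterdam")
+   ;; (timezone "Etc/UTC")
+   (bootloader
+    (bootloader-configuration
+     (bootloader grub-bootloader)
+     (targets '("/dev/vda"))))
+   (mapped-devices
+    (list (mapped-device
+           (source
+            (uuid "e4f3107f-110b-44ee-a93e-c5127296948c"))
+           (target "cryptroot")
+           (type luks-device-mapping))))
+   (file-systems
+    (cons* (file-system
+            (mount-point "/")
+            (device "/dev/mapper/cryptroot")
+            (type "ext4")
+            (dependencies mapped-devices))
+           %base-file-systems))
+  (users (cons* (user-account
+                  (name user)
+                  (comment "Bob")
+                  (group "users")
+                  (home-directory "/home/bob")
+                  (supplementary-groups
+                    '("wheel" "netdev" "audio" "video")))
+                %base-user-accounts))
+  (sudoers-file
+   (plain-file "sudoers"
+               (string-append (plain-file-content %sudoers-specification)
+                              (format #f "~a ALL = NOPASSWD: ALL~%" user))))
+  (packages
+    (append
+      (map specification->package '("nss-certs" "htop"))
+      %base-packages))
+
+   (services
+    (append (list
+             (service
+              static-networking-service-type
+              (list
+               (static-networking
+                (addresses (list (network-address
+                                  (device "eth0")
+                                  (value "23.137.249.202/24"))
+                                 (network-address
+                                  (device "eth0")
+                                  (value "2602:fc24:11:541b:0:0:0:13/64"))))
+                (routes (list (network-route
+                               (destination "default")
+                               (gateway "23.137.249.1"))
+                              (network-route
+                               (destination "2602:fc24:11::1/128")
+                               (device "eth0"))
+                              (network-route
+                               (destination "default")
+                               (gateway "2602:fc24:11::1"))))
+                (name-servers '("2620:fe::fe"
+                                "2620:fe::9"
+                                ;; "9.9.9.9"
+                                ;; "149.112.112.112"
+                                )))))
+             ;; nameserver 9.9.9.9
+             ;; nameserver 149.112.112.112
+             (service tor-service-type)
+             (service yggdrasil-service-type
+                      (yggdrasil-configuration
+                       (json-config
+                        '((IfName . "ygg0")
+                          (NodeInfoPrivacy . #t)
+                          (Peers . #("tls://ygg-nl.incognet.io:8884"
+                                     "tls://ygg2.ezdomain.ru:11130"
+                                     "tls://188.225.9.167:18227"))))))
+
+             (service openssh-service-type
+                      (openssh-configuration
+                       (openssh openssh-sans-x)
+                       (permit-root-login #f)
+                       (password-authentication? #f)
+                       (port-number 50621)
+                       (authorized-keys
+                        `((,user ,(local-file "../../files/ssh.key"))))))
+
+             nginx-service)
+
+            (modify-services %base-services
+              (guix-service-type
+               config =>
+               (guix-configuration
+                (inherit config)
+                (authorized-keys
+                 (append (list (local-file "/etc/guix/signing-key.pub"))
+                         %default-authorized-guix-keys)))))))))
+
+;;; my nginx config
+;; TODO: Add gzip for big static files
+;; TODO: Cache big files?
+;; TODO: Image filter module for resizing images
+;; TODO: Add expire directives to cache files on client side
+;; TODO: Add monitoring https://github.com/vozlt/nginx-module-vts
+;; https://www.nginx.com/resources/wiki/modules/
+
+(define host "pinky")
+(define user "bob")
+(define os
+  (get-os #:user user))
+
+(define-public machines
+  (list (machine
+         (operating-system os)
+         (environment managed-host-environment-type)
+         (configuration (machine-ssh-configuration
+                         (host-name host)
+                         (allow-downgrades? #t)
+                         (system "x86_64-linux")
+                         (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9vEutTS539N4LbxwxqOGepQRP3mkfnarQ1PBVj5O+v")
+                         (user user))))))
+
+machines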
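Review bot: The two `(getenv ...)` calls that feed the `~a` directives at the end of `nginx-service`'s `format` string are never checked, so when `YOUTUBE_RTMP_KEY` or `PEERTUBE_RTMP_KEY` is unset at build time `~a` silently renders `#f` and the `push rtmp://...` lines are emitted with a bogus key; wrapping each as `(or (getenv "YOUTUBE_RTMP_KEY") (error "YOUTUBE_RTMP_KEY is not set"))` would fail the build instead. Note also that `extra-content` is rendered into the nginx configuration file, which presumably ends up in the world-readable store, so both stream keys become readable by every local user on the host — worth a comment stating that trade-off, or loading the `push` targets from a file kept outside the store. In `get-os` the `user` parameter drives the account `name`, the sudoers line and the SSH `authorized-keys`, but `home-directory` is fixed to `"/home/bob"` and `comment` to `"Bob"`; `(home-directory (string-append "/home/" user))` keeps the account consistent with the parameter. `allow-downgrades? #t` in `machines` turns off the deploy-time downgrade check, and a one-line comment saying why it is wanted would help the next reader. The `;;; my nginx config` TODO block sits after `get-os` rather than next to `nginx-service`, where a reader would look for it.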