A files/ssh.key => files/ssh.key +1 -0
@@ 0,0 1,1 @@
+ssh-rsa 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 cardno:10 496 392
A src/tropin/machines.scm => src/tropin/machines.scm +281 -0
@@ 0,0 1,281 @@
+(define-module (tropin machines))
+
+(use-modules (gnu) (guix) (gnu machine) (gnu machine ssh)
+ (gnu services) (gnu system) (gnu system pam))
+(use-service-modules networking ssh web shepherd)
+(use-package-modules bootloaders ssh web)
+
+(define nginx-service
+ (service
+ nginx-service-type
+ (nginx-configuration
+ (modules
+ (list
+ (file-append nginx-rtmp-module "\
+/etc/nginx/modules/ngx_rtmp_module.so")))
+ (extra-content
+ (format #f "\
+server {
+ listen 80;
+ listen [::]:80;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ ssl_certificate /srv/nginx/ssl/hundredrps.pem;
+ ssl_certificate_key /srv/nginx/ssl/hundredrps.key;
+ ssl_protocols TLSv1.2;
+
+ server_name guix.trop.in guix.ygg.trop.in;
+
+ location / {
+ proxy_pass https://guix.gnu.org;
+ proxy_set_header HOST guix.gnu.org;
+ }
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ ssl_certificate /srv/nginx/ssl/hundredrps.pem;
+ ssl_certificate_key /srv/nginx/ssl/hundredrps.key;
+ ssl_protocols TLSv1.2;
+
+ server_name issues.guix.trop.in issues.guix.ygg.trop.in;
+
+ location / {
+ proxy_pass https://issues.guix.gnu.org;
+ proxy_set_header HOST issues.guix.gnu.org;
+ }
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ ssl_certificate /srv/nginx/ssl/hundredrps.pem;
+ ssl_certificate_key /srv/nginx/ssl/hundredrps.key;
+ ssl_protocols TLSv1.2;
+
+ server_name ci.guix.trop.in ci.guix.ygg.trop.in;
+
+ location / {
+ proxy_pass https://ci.guix.gnu.org;
+ proxy_set_header HOST ci.guix.gnu.org;
+ }
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/trop.in/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/trop.in/privkey.pem;
+ ssl_protocols TLSv1.2;
+
+ server_name trop.in *.trop.in;
+
+ location / {
+ root /srv/nginx/trop.in;
+ if ($request_uri ~~ ^/(.*)\\.html(\\?|$)) {
+ return 302 /$1;
+ }
+ try_files $uri $uri.html $uri/ =404;
+ }
+
+ # rtmp stat
+ location /stat {
+ rtmp_stat all;
+ rtmp_stat_stylesheet stat.xsl;
+ }
+
+ location /stat.xsl {
+ root /var/www/html/rtmp;
+ }
+
+ # rtmp control
+ location /control {
+ rtmp_control all;
+ }
+
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name files.trop.in files.ygg.trop.in;
+ root /srv/nginx/public;
+ autoindex on;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name hundredrps.project.trop.in;
+ root /srv/nginx/public;
+ autoindex on;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name hundredrps.project.trop.in;
+ ssl_certificate /srv/nginx/ssl/hundredrps.pem;
+ ssl_certificate_key /srv/nginx/ssl/hundredrps.key;
+ ssl_protocols TLSv1.2;
+
+ location / {
+ proxy_pass http://localhost:50080;
+ }
+}
+
+}
+rtmp {
+ server {
+ listen 1935;
+ chunk_size 4096;
+
+ application live {
+ live on;
+ record off;
+ push rtmp://a.rtmp.youtube.com/live2/~a;
+ push rtmp://diode.zone:1935/live/~a;
+ }
+ }
+"
+ (getenv "YOUTUBE_RTMP_KEY")
+ (getenv "PEERTUBE_RTMP_KEY"))))))
+
+;; Operating system description
+(define* (get-os #:key (user "bob"))
+ (operating-system
+ (host-name "pinky")
+ (timezone "Europe/Amsterdam")
+ ;; (timezone "Etc/UTC")
+ (bootloader
+ (bootloader-configuration
+ (bootloader grub-bootloader)
+ (targets '("/dev/vda"))))
+ (mapped-devices
+ (list (mapped-device
+ (source
+ (uuid "e4f3107f-110b-44ee-a93e-c5127296948c"))
+ (target "cryptroot")
+ (type luks-device-mapping))))
+ (file-systems
+ (cons* (file-system
+ (mount-point "/")
+ (device "/dev/mapper/cryptroot")
+ (type "ext4")
+ (dependencies mapped-devices))
+ %base-file-systems))
+ (users (cons* (user-account
+ (name user)
+ (comment "Bob")
+ (group "users")
+ (home-directory "/home/bob")
+ (supplementary-groups
+ '("wheel" "netdev" "audio" "video")))
+ %base-user-accounts))
+ (sudoers-file
+ (plain-file "sudoers"
+ (string-append (plain-file-content %sudoers-specification)
+ (format #f "~a ALL = NOPASSWD: ALL~%" user))))
+ (packages
+ (append
+ (map specification->package '("nss-certs" "htop"))
+ %base-packages))
+
+ (services
+ (append (list
+ (service
+ static-networking-service-type
+ (list
+ (static-networking
+ (addresses (list (network-address
+ (device "eth0")
+ (value "23.137.249.202/24"))
+ (network-address
+ (device "eth0")
+ (value "2602:fc24:11:541b:0:0:0:13/64"))))
+ (routes (list (network-route
+ (destination "default")
+ (gateway "23.137.249.1"))
+ (network-route
+ (destination "2602:fc24:11::1/128")
+ (device "eth0"))
+ (network-route
+ (destination "default")
+ (gateway "2602:fc24:11::1"))))
+ (name-servers '("2620:fe::fe"
+ "2620:fe::9"
+ ;; "9.9.9.9"
+ ;; "149.112.112.112"
+ )))))
+ ;; nameserver 9.9.9.9
+ ;; nameserver 149.112.112.112
+ (service tor-service-type)
+ (service yggdrasil-service-type
+ (yggdrasil-configuration
+ (json-config
+ '((IfName . "ygg0")
+ (NodeInfoPrivacy . #t)
+ (Peers . #("tls://ygg-nl.incognet.io:8884"
+ "tls://ygg2.ezdomain.ru:11130"
+ "tls://188.225.9.167:18227"))))))
+
+ (service openssh-service-type
+ (openssh-configuration
+ (openssh openssh-sans-x)
+ (permit-root-login #f)
+ (password-authentication? #f)
+ (port-number 50621)
+ (authorized-keys
+ `((,user ,(local-file "../../files/ssh.key"))))))
+
+ nginx-service)
+
+ (modify-services %base-services
+ (guix-service-type
+ config =>
+ (guix-configuration
+ (inherit config)
+ (authorized-keys
+ (append (list (local-file "/etc/guix/signing-key.pub"))
+ %default-authorized-guix-keys)))))))))
+
+;;; my nginx config
+;; TODO: Add gzip for big static files
+;; TODO: Cache big files?
+;; TODO: Image filter module for resizing images
+;; TODO: Add expire directives to cache files on client side
+;; TODO: Add monitoring https://github.com/vozlt/nginx-module-vts
+;; https://www.nginx.com/resources/wiki/modules/
+
+(define host "pinky")
+(define user "bob")
+(define os
+ (get-os #:user user))
+
+(define-public machines
+ (list (machine
+ (operating-system os)
+ (environment managed-host-environment-type)
+ (configuration (machine-ssh-configuration
+ (host-name host)
+ (allow-downgrades? #t)
+ (system "x86_64-linux")
+ (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9vEutTS539N4LbxwxqOGepQRP3mkfnarQ1PBVj5O+v")
+ (user user))))))
+
+machines
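Review bot: The two `~a` placeholders in the rtmp `push` lines of the nginx `extra-content` string are filled from `(getenv "YOUTUBE_RTMP_KEY")` and `(getenv "PEERTUBE_RTMP_KEY")` at the end of the `format` call with no check, so if either variable is unset when the deployment is evaluated, `getenv` returns `#f` and the generated config silently contains `push rtmp://.../live2/#f;`. Guarding each lookup, e.g. `(or (getenv "YOUTUBE_RTMP_KEY") (error "YOUTUBE_RTMP_KEY is not set"))`, makes the deploy fail early instead of producing a broken stream target. Note also that the rendered nginx configuration becomes a store item and the store is world-readable, so as I understand it these stream keys end up readable by any local account on the host; the usual mitigation is an nginx `include` of a root-readable file kept outside the store rather than interpolating the secret into the service definition. Separately, each `ssl_protocols TLSv1.2;` line restricts the server to TLS 1.2 only, since nginx enables 1.3 only when it is listed; `ssl_protocols TLSv1.2 TLSv1.3;` would keep the same minimum while allowing the newer version.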