~tieong/bootstrap-guix

8cd596caad14a7b95c9b7ec8ad95b706e388d614 — Thomas Ieong 11 months ago 8077178
Updated deploy.scm
1 files changed, 120 insertions(+), 64 deletions(-)

M deploy.scm
M deploy.scm => deploy.scm +120 -64
@@ 1,6 1,23 @@
(use-modules (gnu) (guix))
(use-service-modules networking ssh vpn virtualization sysctl admin mcron)
(use-package-modules ssh certs tls tmux vpn virtualization)
(use-service-modules
 networking
 ssh
 vpn
 virtualization
 sysctl
 admin
 mcron
 web
 certbot)
(use-package-modules
 ssh
 certs
 tls
 tmux
 vpn
 virtualization
 curl
 linux)

(define garbage-collector-job
  ;; Collect garbage 5 minutes after midnight every day.


@@ 8,6 25,12 @@
  #~(job "5 0 * * *"            ;Vixie cron syntax
	 "guix gc -F 1G"))

(define %nginx-deploy-hook
  (program-file
   "nginx-deploy-hook"
   (gexp (let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
	   (kill pid SIGHUP)))))

(define %system
  (operating-system
   (host-name "kimsufi")


@@ 47,13 70,18 @@ This is the GNU system at Kimsufi.  Welcome.\n")
			 (dependencies mapped-devices))
			%base-file-systems))

   (users (cons (user-account
		 (name "guix")
		 (comment "guix")
		 (group "users")
		 (supplementary-groups '("wheel" "libvirt" "kvm"))
		 (home-directory "/home/guix"))
		%base-user-accounts))
   (users (cons* (user-account
		  (name "guix")
		  (comment "guix")
		  (group "users")
		  (supplementary-groups '("wheel" "libvirt" "kvm"))
		  (home-directory "/home/guix"))
		 (user-account
		  (name "quentin")
		  (comment "quentin")
		  (group "users")
		  (home-directory "/home/quentin"))
		 %base-user-accounts))

   (sudoers-file
    (plain-file "sudoers" "\


@@ 63,7 91,7 @@ guix ALL=(ALL) NOPASSWD:ALL\n"))


   ;; Globally-installed packages.
   (packages (cons* tmux nss-certs gnutls wireguard-tools %base-packages))
   (packages (cons* tmux nss-certs gnutls wireguard-tools curl net-tools %base-packages))
   (services
    (cons*
     (service static-networking-service-type


@@ 78,63 106,87 @@ guix ALL=(ALL) NOPASSWD:ALL\n"))

     (service unattended-upgrade-service-type)

     ;; (service certbot-service-type
     ;;		      (certbot-configuration
     ;;		       (email "th.ieong@free.fr")
     ;;		       (certificates
     ;;			(list
     ;;			 (certificate-configuration
     ;;			  (domains '("kuril.xyz" "www.kuril.xyz"))
     ;;			  (deploy-hook %nginx-deploy-hook))))))

     (service nginx-service-type
	      (nginx-configuration
	       (server-blocks
		(list (nginx-server-configuration
		       (listen '("80 default_server"))
		       (server-name '("_"))
		       (raw-content (list "return 301 https://kuril.xyz$request_uri;")))

		      (nginx-server-configuration
		       (listen '("443 ssl http2"))
		       (server-name '("kuril.xyz"))
		       (ssl-certificate "/etc/letsencrypt/live/kuril.xyz/fullchain.pem")
		       (ssl-certificate-key "/etc/letsencrypt/live/kuril.xyz/privkey.pem")
		       (root "/srv/http/kuril.xyz"))))))

     (simple-service 'my-cron-jobs
		     mcron-service-type
		     (list garbage-collector-job))

     ;;    (service nftables-service-type
     ;;	    (nftables-configuration
     ;;	     (ruleset
     ;;	      (plain-file "nftables.nft"
     ;;			  "\
     ;; table ip nat {
     ;;	chain prerouting {
     ;;		type nat hook prerouting priority -100;
     ;;		tcp dport { http, https } dnat to 192.168.1.10:http
     ;;	}

     ;;	chain postrouting {
     ;;		type nat hook postrouting priority 100;
     ;;		masquerade
     ;;	}
     ;; }

     ;; table inet filter {
     ;; chain input {
     ;;   type filter hook input priority 0; policy drop;

     ;;   # early drop of invalid connections
     ;;   ct state invalid drop

     ;;   # allow established/related connections
     ;;   ct state { established, related } accept

     ;;   # allow icmp
     ;;   ip protocol icmp accept
     ;;   ip6 nexthdr icmpv6 accept

     ;;   # allow from loopback
     ;;   iifname lo accept

     ;;   # added: make NAT from libvirt work
     ;;   iifname virbr0 accept

     ;;   # allow ssh,http
     ;;   tcp dport {http,https,53,67,2222} accept
     ;;   udp dport {53,67} accept

     ;;   # reject everything else
     ;;   reject with icmpx type port-unreachable
     ;; }
     ;; chain forward {
     ;;   type filter hook forward priority 0; policy drop;
     ;;   iifname virbr0 oifname enp3s0 accept
     ;;   iifname enp3s0 oifname virbr0 accept
     ;; }
     ;; chain output {
     ;;   type filter hook output priority 0; policy accept;
     ;; }
     ;; }"))))
     (service nftables-service-type
	      (nftables-configuration
	       (ruleset
		(plain-file "nftables.nft"
			    "\
table ip nat {
#chain prerouting {
#	type nat hook prerouting priority -100;
#	tcp dport { http, https } dnat to 192.168.1.10:http
#}

chain postrouting {
	type nat hook postrouting priority 100;
	masquerade
}
}

table inet filter {
chain input {
  type filter hook input priority 0; policy drop;

  # early drop of invalid connections
  ct state invalid drop

  # allow established/related connections
  ct state { established, related } accept

  # allow icmp
  ip protocol icmp accept
  ip6 nexthdr icmpv6 accept

  # allow from loopback
  iifname lo accept

  # added: make NAT from libvirt work
  iifname virbr0 accept

  # allow ssh,http
  tcp dport {http,https,53,67,2222} accept
  udp dport {53,67} accept

  # reject everything else
  reject with icmpx type port-unreachable
}
chain forward {
  type filter hook forward priority 0; policy drop;
  iifname virbr0 oifname enp3s0 accept
  iifname enp3s0 oifname virbr0 accept
}
chain output {
  type filter hook output priority 0; policy accept;
}
}"))))

     (service libvirt-service-type
	      (libvirt-configuration


@@ 152,7 204,8 @@ guix ALL=(ALL) NOPASSWD:ALL\n"))
	       (port-number 2222)
	       (authorized-keys
		(quasiquote
		 (("guix" (unquote (plain-file "kimsufi-infra.pub" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJYGq2Ryy8hnMkvK+3/ADzhH9WPmO8lvTKiC3Q8NHwqw user@linux"))))))))
		 (("guix" (unquote (plain-file "kimsufi-infra.pub" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJYGq2Ryy8hnMkvK+3/ADzhH9WPmO8lvTKiC3Q8NHwqw user@linux")))
		  ("quentin" (unquote (plain-file "quentin.pub" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEaKKmk7KqU7ZYZIGDLlvUxWhm1dOPR5jAO8HEq4EwwO"))))))))
     (modify-services %base-services
		      ;; See https://stumbles.id.au/getting-started-with-guix-deploy.html
		      (guix-service-type config =>


@@ 180,3 233,6 @@ guix ALL=(ALL) NOPASSWD:ALL\n"))
		       (port 2222)))))

;; Also see guix deploy -x -- <arbitrary-command>
;; Extend etc-service for deploying channels automatically?
;; Or simply specify channels in unattended-services
;; It seems like it takes the channels from the machine you guix deploy
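Review bot: The input chain of the new nftables ruleset accepts TCP/UDP 53 and 67 from every interface (`tcp dport {http,https,53,67,2222} accept` and `udp dport {53,67} accept`), yet the `iifname virbr0 accept` rule a few lines earlier already admits everything the libvirt guests send, so the only effect of listing 53/67 in the global allow is to expose DNS/DHCP on the public interface. Restricting them to the bridge, e.g. `iifname virbr0 tcp dport {53,67} accept` and `iifname virbr0 udp dport {53,67} accept` (or simply removing 53 and 67 from the interface-agnostic rules, since the virbr0 rule covers them), keeps guest NAT working while leaving only the intended service ports reachable from outside. Relatedly, the new nginx-server-configuration points ssl-certificate at /etc/letsencrypt/live/kuril.xyz/ while the certbot-service-type that would populate that directory is commented out; presumably nginx fails to start on a fresh deploy until the certificate exists, which deserves a comment next to the commented-out certbot block explaining the intended bootstrap order. The enclosing `(services (cons* ...))` form begins and ends in other hunks.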