Paste number 344057: guix-potluck guix os definition


Pasted by: wingo
When:3 years, 1 month ago
(use-modules (gnu))
(use-service-modules networking mcron ssh web)
(use-package-modules admin package-management tls web)

(define %gc-job
  ;; Daily store garbage collection: at 04:00, collect until at least
  ;; 80 GiB are free on the store's file system ('guix gc -F80G').
  ;; Written in the same procedure form as %certbot-job so both job
  ;; schedules read alike.
  #~(job (lambda (now)
           (next-hour-from now '(4)))
         (string-append #$guix "/bin/guix gc -F80G")))

(define %certbot-job
  ;; Run 'certbot renew' at 03:00 on days 2 and 5.  Renewal is a no-op
  ;; while the certificate is still far from expiry.
  ;;
  ;; NOTE(review): mcron's next-day-from selects days of the *month*, so
  ;; presumably this fires on the 2nd and 5th of each month rather than
  ;; "twice a week" -- verify, though a ~27-day gap still fits inside
  ;; the 30-day Let's Encrypt renewal window.
  ;; NOTE(review): nothing here reloads nginx after a successful renewal,
  ;; so the renewed certificate is not served until nginx is restarted;
  ;; consider a certbot renewal hook that restarts the nginx service.
  #~(job (lambda (now)
           (let ((three-am (next-hour-from now '(3))))
             (next-day-from three-am '(2 5))))
         (string-append #$certbot "/bin/certbot renew")))

;;;
;;; NGINX.
;;;

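(define %nginx-config
  ;; Our nginx configuration file.  Port 80 serves only Certbot's ACME
  ;; challenge directory and redirects everything else to HTTPS; the
  ;; HTTPS server proxies everything to a backend on 127.0.0.1:8080
  ;; (presumably the potluck host service flagged FIXME in the service
  ;; list; the earlier comment about 'guix publish' on port 3000 did not
  ;; match the proxy_pass target and has been dropped).
  ;;
  ;; Review changes: 'server_tokens off' is enabled instead of left
  ;; commented out, the deprecated 'ssl on' directive is removed since
  ;; 'listen 443 ssl' already enables TLS, and an HSTS header is sent so
  ;; browsers that have seen the site stop using plain HTTP.
  (plain-file
   "nginx-config"
   "# This is the nginx config file for guix-potluck.org.

user nginx;
worker_processes 2;
pid /var/run/nginx.pid;
error_log  /var/log/nginx/error.log error;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # Do not advertise the nginx version in headers and error pages.
    server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    gzip off;

    # We need to specify all these or nginx picks its own directory to
    # store them, which doesn't work because the store is read-only.
    client_body_temp_path /var/run/nginx/body;
    proxy_temp_path       /var/run/nginx/proxy;
    fastcgi_temp_path     /var/run/nginx/fastcgi;
    uwsgi_temp_path       /var/run/nginx/uwsgi;
    scgi_temp_path        /var/run/nginx/scgi;

    # Use HTTP 1.1 to talk to the backend so we benefit from
    # keep-alive connections and chunked transfer encoding.  The
    # latter allows us to make sure we do not cache partial downloads.
    proxy_http_version 1.1;

    server {
        listen 80;
        server_name guix-potluck.org;

        # For use by Certbot: HTTP-01 challenge files are read from
        # /var/www/.well-known.
        location /.well-known { root /var/www; }

        # Otherwise redirect to HTTPS.
        location / { return 301 https://$host$request_uri; }
    }

    server {
        listen 443 ssl;
        server_name guix-potluck.org;

        ssl_certificate     /etc/letsencrypt/live/guix-potluck.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/guix-potluck.org/privkey.pem;

        ssl_session_timeout 5m;

        ssl_protocols TLSv1.2;
        ssl_ciphers \"HIGH:!DSS:!aNULL@STRENGTH\";
        ssl_prefer_server_ciphers on;

        # Tell browsers to use HTTPS for this host for a year.
        add_header Strict-Transport-Security \"max-age=31536000\" always;

        location / { proxy_pass http://127.0.0.1:8080/; }
    }
}
"))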

(define %nginx-mime-types
  ;; Expose nginx's stock configuration directory as /etc/nginx so that
  ;; the 'include /etc/nginx/mime.types' line in %nginx-config resolves
  ;; (the other files shipped in share/nginx/conf come along too).
  (let ((conf-dir (file-append nginx "/share/nginx/conf")))
    (simple-service 'nginx-mime.types etc-service-type
                    (list (list "nginx" conf-dir)))))

(define %nginx-cache-activation
  ;; Create /var/cache/nginx at system activation time; mkdir-p is a
  ;; no-op once the directory exists, so this is safe to run on every
  ;; boot and reconfigure.
  (let ((activation-gexp
         (with-imported-modules '((guix build utils))
           #~(begin
               (use-modules (guix build utils))
               (mkdir-p "/var/cache/nginx")))))
    (simple-service 'nginx-/var/cache/nginx
                    activation-service-type
                    activation-gexp)))

(operating-system
 (host-name "guix-potluck")
 (timezone "Europe/Berlin")
 (locale "en_US.UTF-8")

 ;; Single-disk VM layout: GRUB on /dev/vda, ext4 root on /dev/vda1.
 (bootloader (grub-configuration (device "/dev/vda")))
 (file-systems (append (list (file-system
                               (device "/dev/vda1")
                               (mount-point "/")
                               (type "ext4")))
                       %base-file-systems))

 ;; User accounts.  The "root" account is implicit and initially has an
 ;; empty password; the openssh configuration below is meant to let root
 ;; in over SSH only with a public key, but set a real root password
 ;; after the first boot anyway.  "wheel" membership makes wingo a sudoer.
 (users (append (list (user-account
                       (name "wingo")
                       (group "users")
                       (supplementary-groups '("wheel"))
                       (home-directory "/home/wingo")))
                %base-user-accounts))

 ;; Globally-installed packages; certbot is needed by %certbot-job.
 (packages (cons certbot %base-packages))

 (services
  (append
   (list
    ;; The VM's public address; Google's public resolvers.
    (static-networking-service "eth0" "46.101.231.54"
                               #:netmask "255.255.192.0"
                               #:gateway "46.101.192.1"
                               #:name-servers '("8.8.8.8" "8.8.4.4"))
    ;; FIXME: potluck host service (the backend nginx proxies to on
    ;; 127.0.0.1:8080).
    (nginx-service #:config-file %nginx-config)
    %nginx-mime-types
    %nginx-cache-activation
    ;; 'without-password: root may log in only with a public key, never
    ;; with a password.  NOTE(review): password authentication for the
    ;; other accounts is left at the openssh-configuration default;
    ;; consider turning it off once wingo's key is installed, since
    ;; this host is on a public address.
    (service openssh-service-type
             (openssh-configuration
              (permit-root-login 'without-password)))
    (service mcron-service-type
             (mcron-configuration
              (jobs (list %gc-job %certbot-job)))))
   %base-services)))

Annotations for this paste:

Annotation number 1: updated with fcgiwrap service
Pasted by: wingo
When:3 years, 1 month ago
(use-modules (ice-9 match) (gnu) (guix records))
(use-service-modules networking mcron shepherd ssh web)
(use-package-modules admin package-management tls version-control web)

(define-record-type* <fcgiwrap-configuration> fcgiwrap-configuration
  make-fcgiwrap-configuration
  fcgiwrap-configuration?
  ;; Package providing sbin/fcgiwrap.  Field order matters: the
  ;; match-lambda in fcgiwrap-shepherd-service destructures positionally.
  (package       fcgiwrap-configuration-package ;<package>
                 (default fcgiwrap))
  ;; Socket fcgiwrap listens on, passed verbatim as its "-s" argument.
  ;; The default is a loopback TCP port, reachable by any local process;
  ;; a "unix:" socket with restricted permissions would be tighter.
  (socket        fcgiwrap-configuration-socket
                 (default "tcp:127.0.0.1:9000")))

(define %fcgiwrap-accounts
  ;; Dedicated unprivileged system user and group for the fcgiwrap
  ;; daemon: an empty home directory and a nologin shell, so the
  ;; git-http-backend processes it spawns run with minimal privileges.
  (let ((daemon-group (user-group
                       (name "fcgiwrap")
                       (system? #t)))
        (daemon-user  (user-account
                       (name "fcgiwrap")
                       (group "fcgiwrap")
                       (system? #t)
                       (comment "Fcgiwrap Daemon")
                       (home-directory "/var/empty")
                       (shell (file-append shadow "/sbin/nologin")))))
    (list daemon-group daemon-user)))

(define (fcgiwrap-shepherd-service config)
  ;; Return the shepherd service list for CONFIG, an
  ;; <fcgiwrap-configuration>: run fcgiwrap from CONFIG's package,
  ;; listening on CONFIG's socket, as the unprivileged fcgiwrap
  ;; user/group created by %fcgiwrap-accounts.
  (let ((fcgiwrap (fcgiwrap-configuration-package config))
        (socket   (fcgiwrap-configuration-socket config)))
    (list (shepherd-service
           (provision '(fcgiwrap))
           (documentation "Run the fcgiwrap daemon.")
           (requirement '(networking))
           (start #~(make-forkexec-constructor
                     (list #$(file-append fcgiwrap "/sbin/fcgiwrap")
                           "-s" #$socket)
                     #:user "fcgiwrap" #:group "fcgiwrap"))
           (stop #~(make-kill-destructor))))))

(define fcgiwrap-service-type
  ;; Service type wiring the fcgiwrap shepherd service and its dedicated
  ;; accounts into the system.  Instantiate with
  ;; (service fcgiwrap-service-type (fcgiwrap-configuration ...)).
  (let ((accounts-extension
         (service-extension account-service-type
                            (const %fcgiwrap-accounts)))
        (shepherd-extension
         (service-extension shepherd-root-service-type
                            fcgiwrap-shepherd-service)))
    (service-type (name 'fcgiwrap)
                  (extensions (list accounts-extension
                                    shepherd-extension)))))

(define %gc-job
  ;; Daily store garbage collection: at 04:00, collect until at least
  ;; 80 GiB are free on the store's file system ('guix gc -F80G').
  ;; Written in the same procedure form as %certbot-job so both job
  ;; schedules read alike.
  #~(job (lambda (now)
           (next-hour-from now '(4)))
         (string-append #$guix "/bin/guix gc -F80G")))

(define %certbot-job
  ;; Run 'certbot renew' at 03:00 on days 2 and 5.  Renewal is a no-op
  ;; while the certificate is still far from expiry.
  ;;
  ;; NOTE(review): mcron's next-day-from selects days of the *month*, so
  ;; presumably this fires on the 2nd and 5th of each month rather than
  ;; "twice a week" -- verify, though a ~27-day gap still fits inside
  ;; the 30-day Let's Encrypt renewal window.
  ;; NOTE(review): nothing here reloads nginx after a successful renewal,
  ;; so the renewed certificate is not served until nginx is restarted;
  ;; consider a certbot renewal hook that restarts the nginx service.
  #~(job (lambda (now)
           (let ((three-am (next-hour-from now '(3))))
             (next-day-from three-am '(2 5))))
         (string-append #$certbot "/bin/certbot renew")))

;;;
;;; NGINX.
;;;

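(define %nginx-config
  ;; Our nginx configuration file, produced with 'format' so that the
  ;; git package's store path can be spliced in with ~a (hence '~~' for
  ;; a literal tilde in the regex location below).  Port 80 serves only
  ;; Certbot's ACME challenge directory and redirects everything else to
  ;; HTTPS; the HTTPS server hands /git/... to git-http-backend via
  ;; fcgiwrap and proxies everything else to a backend on 127.0.0.1:8080
  ;; (presumably the potluck host service flagged FIXME in the service
  ;; list; the earlier comment about 'guix publish' on port 3000 did not
  ;; match the proxy_pass target and has been dropped).
  ;;
  ;; Review changes: 'server_tokens off' is enabled instead of left
  ;; commented out, the deprecated 'ssl on' directive is removed since
  ;; 'listen 443 ssl' already enables TLS, an HSTS header is sent, and
  ;; the git location regex is anchored at the start of the URI so that
  ;; only /git/... (not /anything/git/...) reaches git-http-backend.
  (computed-file
   "nginx-config"
   #~(call-with-output-file #$output
       (lambda (port)
	 (format port "
# This is the nginx config file for guix-potluck.org.

user nginx;
worker_processes 2;
pid /var/run/nginx.pid;
error_log  /var/log/nginx/error.log error;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # Do not advertise the nginx version in headers and error pages.
    server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    gzip off;

    # We need to specify all these or nginx picks its own directory to
    # store them, which doesn't work because the store is read-only.
    client_body_temp_path /var/run/nginx/body;
    proxy_temp_path       /var/run/nginx/proxy;
    fastcgi_temp_path     /var/run/nginx/fastcgi;
    uwsgi_temp_path       /var/run/nginx/uwsgi;
    scgi_temp_path        /var/run/nginx/scgi;

    # Use HTTP 1.1 to talk to the backend so we benefit from
    # keep-alive connections and chunked transfer encoding.  The
    # latter allows us to make sure we do not cache partial downloads.
    proxy_http_version 1.1;

    server {
        listen 80;
        server_name guix-potluck.org;

        # For use by Certbot: HTTP-01 challenge files are read from
        # /var/www/.well-known.
        location /.well-known { root /var/www; }

        # Otherwise redirect to HTTPS.
        location / { return 301 https://$host$request_uri; }
    }

    server {
        listen 443 ssl;
        server_name guix-potluck.org;

        ssl_certificate     /etc/letsencrypt/live/guix-potluck.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/guix-potluck.org/privkey.pem;

        ssl_session_timeout 5m;

        ssl_protocols TLSv1.2;
        ssl_ciphers \"HIGH:!DSS:!aNULL@STRENGTH\";
        ssl_prefer_server_ciphers on;

        # Tell browsers to use HTTPS for this host for a year.
        add_header Strict-Transport-Security \"max-age=31536000\" always;

        location / { proxy_pass http://127.0.0.1:8080/; }

        # git over HTTP: fcgiwrap (see fcgiwrap-service-type) runs
        # git-http-backend as the unprivileged fcgiwrap user.
        # GIT_HTTP_EXPORT_ALL exports every repository under /srv/git
        # regardless of git-daemon-export-ok; git-http-backend still
        # refuses pushes unless http.receivepack is enabled per repo.
        location ~~ ^/git(/.*) {
	    fastcgi_pass  127.0.0.1:9000;

	    fastcgi_param SCRIPT_FILENAME ~a/libexec/git-core/git-http-backend;
	    fastcgi_param QUERY_STRING    $query_string;
	    fastcgi_param REQUEST_METHOD  $request_method;
	    fastcgi_param CONTENT_TYPE    $content_type;
	    fastcgi_param CONTENT_LENGTH  $content_length;
            fastcgi_param GIT_HTTP_EXPORT_ALL \"\";
            fastcgi_param GIT_PROJECT_ROOT    /srv/git;
            fastcgi_param PATH_INFO           $1;
        }
    }
}
" #$git)))))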

(define %nginx-mime-types
  ;; Expose nginx's stock configuration directory as /etc/nginx so that
  ;; the 'include /etc/nginx/mime.types' line in %nginx-config resolves
  ;; (the other files shipped in share/nginx/conf come along too).
  (let ((conf-dir (file-append nginx "/share/nginx/conf")))
    (simple-service 'nginx-mime.types etc-service-type
                    (list (list "nginx" conf-dir)))))

(define %nginx-cache-activation
  ;; Create /var/cache/nginx at system activation time; mkdir-p is a
  ;; no-op once the directory exists, so this is safe to run on every
  ;; boot and reconfigure.
  (let ((activation-gexp
         (with-imported-modules '((guix build utils))
           #~(begin
               (use-modules (guix build utils))
               (mkdir-p "/var/cache/nginx")))))
    (simple-service 'nginx-/var/cache/nginx
                    activation-service-type
                    activation-gexp)))

(operating-system
 (host-name "guix-potluck")
 (timezone "Europe/Berlin")
 (locale "en_US.UTF-8")

 ;; Single-disk VM layout: GRUB on /dev/vda, ext4 root on /dev/vda1.
 (bootloader (grub-configuration (device "/dev/vda")))
 (file-systems (append (list (file-system
                               (device "/dev/vda1")
                               (mount-point "/")
                               (type "ext4")))
                       %base-file-systems))

 ;; User accounts.  The "root" account is implicit and initially has an
 ;; empty password; the openssh configuration below is meant to let root
 ;; in over SSH only with a public key, but set a real root password
 ;; after the first boot anyway.  "wheel" membership makes wingo a sudoer.
 (users (append (list (user-account
                       (name "wingo")
                       (group "users")
                       (supplementary-groups '("wheel"))
                       (home-directory "/home/wingo")))
                %base-user-accounts))

 ;; Globally-installed packages; certbot is needed by %certbot-job.
 (packages (cons certbot %base-packages))

 (services
  (append
   (list
    ;; The VM's public address; Google's public resolvers.
    (static-networking-service "eth0" "46.101.231.54"
                               #:netmask "255.255.192.0"
                               #:gateway "46.101.192.1"
                               #:name-servers '("8.8.8.8" "8.8.4.4"))
    ;; FIXME: potluck host service (the backend nginx proxies to on
    ;; 127.0.0.1:8080).
    (nginx-service #:config-file %nginx-config)
    %nginx-mime-types
    %nginx-cache-activation
    ;; fcgiwrap on its default loopback socket (tcp:127.0.0.1:9000),
    ;; matching the fastcgi_pass in %nginx-config; it runs
    ;; git-http-backend for the /git location as the fcgiwrap user.
    (service fcgiwrap-service-type
             (fcgiwrap-configuration))
    ;; 'without-password: root may log in only with a public key, never
    ;; with a password.  NOTE(review): password authentication for the
    ;; other accounts is left at the openssh-configuration default;
    ;; consider turning it off once wingo's key is installed, since
    ;; this host is on a public address.
    (service openssh-service-type
             (openssh-configuration
              (permit-root-login 'without-password)))
    (service mcron-service-type
             (mcron-configuration
              (jobs (list %gc-job %certbot-job)))))
   %base-services)))

Annotation number 2: update to use certbot service etc; potluck disabled
Pasted by: wingo
When:3 years, 1 month ago
(use-modules (gnu))
(use-service-modules certbot
                     mcron
                     networking
                     #;potluck
                     shepherd
                     ssh
                     version-control
                     web)
(use-package-modules certs
                     commencement ;; for canonical-package
                     guile
                     package-management
                     ssh
                     tls
                     version-control)

;; Disabled while we are still in development phase.
;;
;; (define %gc-job
;;   ;; The garbage collection mcron job, once per day.
;;   #~(job '(next-hour '(4))
;;          (string-append #$guix "/bin/guix gc -F80G")))

(operating-system
 (host-name "guix-potluck")
 (timezone "Europe/Berlin")
 (locale "en_US.UTF-8")

 ;; Single-disk VM layout: GRUB on /dev/vda, ext4 root on /dev/vda1.
 (bootloader (grub-configuration (device "/dev/vda")))
 (file-systems (append (list (file-system
                               (device "/dev/vda1")
                               (mount-point "/")
                               (type "ext4")))
                       %base-file-systems))

 ;; The "root" account is implicit.  "wheel" membership makes wingo a
 ;; sudoer.
 (users (append (list (user-account
                       (name "wingo")
                       (group "users")
                       (supplementary-groups '("wheel"))
                       (home-directory "/home/wingo")))
                %base-user-accounts))

 ;; Globally-installed packages, minus the base Guile so that users do
 ;; not inherit load-path flags from whatever Guile happens to be
 ;; installed.  nss-certs supplies the CA bundle used to verify TLS peers.
 (packages (let ((base (delq (canonical-package guile-2.0) %base-packages)))
             (append (list git openssh gnutls certbot nss-certs) base)))

 (services
  (let ((potluck-frontend
         ;; HTTPS-only virtual host: Let's Encrypt certificate, the
         ;; git-over-HTTP location (served via fcgiwrap), and everything
         ;; else proxied to a backend on 127.0.0.1:8080.  With http-port
         ;; #f there is no port-80 server here; the ACME challenge
         ;; endpoint is expected to come from certbot-service-type, which
         ;; extends nginx with its own port-80 server block.
         (nginx-server-configuration
          (http-port #f)
          (server-name '("guix-potluck.org"))
          (ssl-certificate
           "/etc/letsencrypt/live/guix-potluck.org/fullchain.pem")
          (ssl-certificate-key
           "/etc/letsencrypt/live/guix-potluck.org/privkey.pem")
          (locations
           (list (git-http-nginx-location-configuration)
                 (nginx-location-configuration
                  (uri "/")
                  (body '("proxy_pass http://127.0.0.1:8080/;"))))))))
    (append
     (list
      ;; The VM's public address; Google's public resolvers.
      (static-networking-service "eth0" "46.101.231.54"
                                 #:netmask "255.255.192.0"
                                 #:gateway "46.101.192.1"
                                 #:name-servers '("8.8.8.8" "8.8.4.4"))
      (service nginx-service-type
               (nginx-configuration
                (server-blocks (list potluck-frontend))))
      ;; Default fcgiwrap configuration, as required by the git location.
      (service fcgiwrap-service-type)
      ;; Obtains and renews the certificate for the host above.
      (service certbot-service-type
               (certbot-configuration
                (hosts '("guix-potluck.org"))))
      ;; (service potluck-service-type) -- disabled during development.
      ;; 'without-password: root may log in over SSH only with a public
      ;; key, never with a password.  NOTE(review): password
      ;; authentication for the other accounts is left at the
      ;; openssh-configuration default; consider turning it off once
      ;; wingo's key is installed, since this host is on a public address.
      (service openssh-service-type
               (openssh-configuration
                (permit-root-login 'without-password)))
      ;; No jobs yet: the GC job is disabled during development.
      (service mcron-service-type))
     %base-services))))
