
[GNUnet-SVN] [taler-deployment] branch master updated (f2fe2b6 -> f7a6ab


From: gnunet
Subject: [GNUnet-SVN] [taler-deployment] branch master updated (f2fe2b6 -> f7a6ab6)
Date: Sat, 31 Mar 2018 15:04:42 +0200

This is an automated email from the git hooks/post-receive script.

ng0 pushed a change to branch master
in repository deployment.

    from f2fe2b6  fix watched projects list.
     new 55ac1b8  ignore *~
     new f7a6ab6  initial commit of guix directory

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .gitignore                       |   1 +
 guix/config.scm                  | 195 +++++++++++++++++++++++++++++++++++++++
 guix/keys/ssh/grothoff.pub       |   1 +
 guix/keys/ssh/ng0.pub            |   1 +
 guix/modules/sysadmin/people.scm |  73 +++++++++++++++
 5 files changed, 271 insertions(+)
 create mode 100644 guix/config.scm
 create mode 100644 guix/keys/ssh/grothoff.pub
 create mode 100644 guix/keys/ssh/ng0.pub
 create mode 100644 guix/modules/sysadmin/people.scm

diff --git a/.gitignore b/.gitignore
index cb2e452..2630939 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 doc/*
 !doc/*.texi
 !doc/*.txt
+*~
diff --git a/guix/config.scm b/guix/config.scm
new file mode 100644
index 0000000..dd16bf2
--- /dev/null
+++ b/guix/config.scm
@@ -0,0 +1,195 @@
+;; OS configuration for the taler.net server
+
+(use-modules (gnu)
+             (guix)
+             (sysadmin people))
+(use-service-modules base networking mcron ssh mail
+                     version-control databases admin
+                     web certbot)
+(use-package-modules admin linux ssh tls vim zile wget
+                     ntp version-control)
+
+;;; Cron jobs
+;; FIXME: Create jobs.
+
+(define %sysadmins
+  ;; The sys-admins
+  (list (sysadmin (name "gillmann")
+                  (full-name "Nils Gillmann")
+                  (ssh-public-key (local-file "keys/ssh/ng0.pub")))
+        (sysadmin (name "grothoff")
+                  (full-name "Christian Grothoff")
+                  (ssh-public-key (local-file "keys/ssh/grothoff.pub")))))
+
+;;;
+;;; The OS definition
+;;;
+
+(operating-system
+  (host-name "taler.net")
+  (timezone "Europe/Berlin")
+  (locale "en_US.UTF-8")
+
+  ;; bootloader
+  (bootloader (grub-configuration (target "/dev/sda")
+                                  (terminal-outputs '(console))))
+  
+  ;; file-systems
+  ;; single-disk configuration.
+  (file-systems (cons* (file-system
+                         (device "my-root")
+                         (title 'label)
+                         (mount-point "/")
+                         (type "ext4"))
+                       (file-system
+                         (device "my-home")
+                         (title 'label)
+                         (mount-point "/home")
+                         (type "ext4"))
+                       %base-file-systems))
+  ;; FIXME: RAID? -> mapped-devices
+  ;; FIXME: RAID? -> Add kernel module!
+  ;; FIXME: /home should be on luks encrypted device
+
+  ;; Local admin account
+  ;; FIXME: Do we really need this?
+  (users (cons (user-account
+                (name "local-admin")
+                (comment "Local admin")
+                (group "users")
+                (supplementary-groups '("wheel"))
+                (home-directory "/home/local-admin"))
+               %base-user-accounts))
+
+  (packages (append (map specification->package '("nvi"
+                                                  "mg"
+                                                  "openssh"
+                                                  "gitolite"
+                                                  "nss-certs"
+                                                  "wget"
+                                                  "mysql"
+                                                  "certbot"))
+                    %base-packages))
+
+  (services (cons*
+             (service sysadmin-service-type %sysadmins)
+
+             ;; Log rotation
+             (service rottlog-service-type (rottlog-configuration))
+
+             ;; CERTIFICATES
+             (service certbot-service-type
+                      (certbot-configuration
+                       (hosts '(("taler.net")))))
+
+             ;; MAIL
+             ;; FIXME: Policy is to just receive mail.
+             ;; Produce the /etc/alias file:
+             (service mail-aliases-service-type
+                      '(("mailer-daemon" "postmaster")
+                        ("postmaster" "root")
+                        ("nobody" "root")
+                        ("hostmaster" "root")
+                        ("usenet" "root")
+                        ("news" "root")
+                        ("webmaster" "root")
+                        ("www" "root")
+                        ("ftp" "root")
+                        ("abuse" "root")
+                        ("noc" "root")
+                        ("security" "root")
+                        ("root" "grothoff")
+                        ("gnunet" "grothoff")
+                        ("durner" "ndurner")
+                        ("torsten" "grothoff" "krista")
+                        ("cor" "grothoff")
+                        ("ng0" "ng0")
+                        ("translations" "grothoff")
+                        ("translators" "grothoff")
+                        ("website" "grothoff")
+                        ("gns-data" "grothoff" "address@hidden" 
"address@hidden")))
+             ;; Depending on the final server policies, adjust to
+             ;; not send email or send email:
+             ;; Dovecot
+             (dovecot-service #:config
+                              (dovecot-configuration
+                               (mail-location "maildir:~/Maildir")))
+             ;; OpenSMTPD:
+             (service opensmtpd-service-type
+                      (opensmtpd-configuration
+                       (config-file (local-file 
"./opensmtpd/opensmtpd.conf"))))
+             ;; Extend the /etc-service. This creates the files OpenSMTPD
+             ;; wants and adds them to the /etc/ folder.
+             ;; (service etc-service-type
+             ;;          (list `("vdoms.conf"
+             ;;                  ,(plain-file "vdoms.conf"
+             ;;                               "gnunet.org\n"))
+             ;;                `("vusers.conf"
+             ;;                  ,(plain-file "vusers.conf"
+             ;;                               "address@hidden grothoff"))))
+
+             ;; SSH
+             (service openssh-service-type
+                      (openssh-configuration
+                       (port-number 22)
+                       (password-authentication? #f)))
+
+             ;; Databases
+             (mysql-service
+              #:config
+              (mysql-configuration
+               ;; Defaults to mariadb,
+               ;; read `info guix services`, section databases.
+               ;;(mysql "mysql")
+               ;; Default portnumber, must be a NUMBER not a string.
+               (port 3306)))
+
+             ;; WEBSERVER
+             ;;(service nginx-service-type)
+             ;;(service fcgiwrap-service-type)
+             ;; FIXME: Check cgit-service-type + gitolite options.
+             ;; FIXME: Extend cgit service.
+             ;;(service cgit-service-type)
+
+             ;; CGIT:
+             ;;(service nginx-service-type)
+             ;; (service fcgiwrap-service-type)
+             ;; (service cgit-service-type)
+
+             ;; GIT
+             ;; Defaults to base-folder "/srv/git/"
+             (git-daemon-service
+              #:config (git-daemon-configuration
+                        (user-path "git")))
+
+             ;; SERVE GIT OVER HTTP:
+             ;; FIXME: FAILING BUILD, USE WORKAROUND.
+             ;; (service nginx-service-type
+             ;;          (nginx-configuration
+             ;;           (server-blocks
+             ;;            (list
+             ;;             (nginx-server-configuration
+             ;;              (http-port #f)
+             ;;              (server-name "git.gnunet.org")
+             ;;              (ssl-certificate
+             ;;               
"/etc/letsencrypt/live/git.gnunet.org/fullchain.pem")
+             ;;              (ssl-certificate-key
+             ;;               
"/etc/letsencrypt/live/git.gnunet.org/privkey.pem")
+             ;;              (locations
+             ;;               (list
+             ;;                (git-http-nginx-location-configuration
+             ;;                 (git-http-configuration (uri-path "/"))))))))))
+
+             ;; Networking
+             ;; FIXME: Complete this
+             (static-networking-service
+              "eth0" "2001:4ca0:2001:42:225:90ff:fe6b:d60"
+              #:netmask ""
+              #:gateway "2001:4ca0:2001:42::1"
+              #:name-servers '("" "" ""))
+             (static-networking-service
+              "eth1" "131.159.74.67"
+              #:netmask "255.255.255.240"
+              #:gateway "131.159.74.78"
+              #:name-servers '("" "" ""))
+            %base-services)))
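Review bot: The OpenSMTPD service at `(config-file (local-file "./opensmtpd/opensmtpd.conf"))` points at a file this commit does not add — the summary of changes lists only the five files above and nothing under guix/opensmtpd/ — so evaluating this configuration will fail on that `local-file` unless the file happens to exist untracked in the working tree. Either add the file to the repository or comment the service out alongside the other not-yet-enabled services (nginx, cgit, fcgiwrap) until the mail policy behind the FIXME above it is settled. The `local-admin` account is also placed in `wheel` with no `password` field and only the `;; FIXME: Do we really need this?` note; since `sysadmin-service-type` already provides accounts with wheel membership and SSH keys, dropping it is the least-privilege answer to that FIXME, and if it stays the intent should be recorded, e.g. `;; Password intentionally unset; to be initialised by root with passwd.` The static-networking entries with `#:netmask ""` and `#:name-servers '("" "" "")` are already marked FIXME, so they are not raised here.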
diff --git a/guix/keys/ssh/grothoff.pub b/guix/keys/ssh/grothoff.pub
new file mode 100644
index 0000000..6af38a5
--- /dev/null
+++ b/guix/keys/ssh/grothoff.pub
@@ -0,0 +1 @@
+ssh-dss 
AAAAB3NzaC1kc3MAAAIBAPmoUwxO5VkAR2j7AJh1/UfySsvtqPJWlzZ4i33LoNis6KpaHn7JO9dEL/psg10ZAqqqFahcTvqFDeXjS5DBzOHWA/u0TgXj58i1rOO2TgmxKF3UatYfD51omlPvw3IcnTPIX+Dsiq/cDkJAHxBdAYo9KjFGu9hM090UN7rY/ykBP/VwKbA/9fg0ASPgGrRF7JRylpMu424c8CbvM/iMZCew2BeE21g1u6WgewJjLgWcdGH2r4GO2FPvHSUlVJJ/wXdCDweboPsB+CuiEmBVruKcbG+DJddRWe4L7aUnIHTL6/i85bNwyjQ/toS2PFBx0jp04OcMyF7PxcIeEYI1+cimH//XIo3eOESGjRWpOKJR+yWlxcg2rKTFuHDO1tTTgqC+e2Kcvp7XrQPf4RuBWtD2YRGUMtEhQhvt2+Qd7KDQuuYR8TPXhHEh/sh7pQkCR/I9ijkxiPTCINjw
 [...]
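Review bot: The key committed here is `ssh-dss` (DSA), which OpenSSH stopped accepting for user authentication by default in 7.0 (2015); with the stock `openssh-service-type` in guix/config.scm, sshd will skip this authorized_keys entry, and because that configuration sets `(password-authentication? #f)` the `grothoff` sysadmin account would be left with no working login. Since the key is only consumed through `sysadmin-service-type`, replacing it with an Ed25519 key (as ng0.pub already is) or an RSA key of at least 3072 bits avoids both the lockout and the deprecated algorithm, rather than re-enabling DSA in the sshd configuration as a workaround.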
diff --git a/guix/keys/ssh/ng0.pub b/guix/keys/ssh/ng0.pub
new file mode 100644
index 0000000..6d4c6e1
--- /dev/null
+++ b/guix/keys/ssh/ng0.pub
@@ -0,0 +1 @@
+ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIOBsKO/O2K6Q2sQ1a6EVzQkcnI1QbWeQ14uuxn+MplGG 
address@hidden
diff --git a/guix/modules/sysadmin/people.scm b/guix/modules/sysadmin/people.scm
new file mode 100644
index 0000000..121c268
--- /dev/null
+++ b/guix/modules/sysadmin/people.scm
@@ -0,0 +1,73 @@
+;;; GNU Guix system administration tools.
+;;;
+;;; Copyright © 2016, 2017 Ludovic Courtès <address@hidden>
+;;;
+;;; This program is free software: you can redistribute it and/or modify
+;;; it under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation, either version 3 of the License, or
+;;; (at your option) any later version.
+;;;
+;;; This program is distributed in the hope that it will be useful,
+;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (sysadmin people)
+  #:use-module (guix gexp)
+  #:use-module (guix records)
+  #:use-module (gnu services)
+  #:use-module (gnu system shadow)
+  #:use-module (gnu services ssh)
+  #:use-module (gnu packages base)
+  #:use-module (ice-9 match)
+  #:export (sysadmin?
+            sysadmin
+            sysadmin-service-type))
+
+;;; Commentary:
+;;;
+;;; Declaration of system administrator user accounts.
+;;;
+;;; Code:
+
+(define-record-type* <sysadmin> sysadmin make-sysadmin
+  sysadmin?
+  (name            sysadmin-name)
+  (full-name       sysadmin-full-name)
+  (ssh-public-key  sysadmin-ssh-public-key)
+  (restricted?     sysadmin-restricted? (default #f)))
+
+(define (sysadmin->account sysadmin)
+  "Return the user account for SYSADMIN."
+  (match sysadmin
+    (($ <sysadmin> name comment _ restricted?)
+     (user-account
+      (name name)
+      (comment comment)
+      (group "users")
+      (supplementary-groups (if restricted?
+                                '()
+                                '("wheel" "kvm"))) ;sudoer
+      (home-directory (string-append "/home/" name))))))
+
+(define (sysadmin->authorized-key sysadmin)
+  "Return an authorized key tuple for SYSADMIN."
+  (list (sysadmin-name sysadmin)
+        (sysadmin-ssh-public-key sysadmin)))
+
+(define sysadmin-service-type
+  ;; The service that initializes sysadmin accounts.
+  (service-type
+   (name 'sysadmin)
+   (extensions (list (service-extension account-service-type
+                                        (lambda (lst)
+                                          (map sysadmin->account lst)))
+                     (service-extension openssh-service-type
+                                        (lambda (lst)
+                                          (map sysadmin->authorized-key
+                                               lst)))))))
+
+;;; people.scm ends here
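Review bot: `sysadmin->account` grants every non-restricted sysadmin `kvm` alongside `wheel`, but the `;sudoer` comment only explains wheel, and guix/config.scm defines no virtualization service that would need /dev/kvm access, so this looks inherited from the module's origin rather than a deliberate grant; dropping it, `'("wheel")`, or stating why it is needed keeps the account grants minimal. The `restricted?` field is the only knob in the record's public interface and is undocumented; a comment on it such as `;; #t: no supplementary groups, i.e. no wheel (sudo) and no kvm.` would make the intent clear to whoever edits `%sysadmins` in guix/config.scm. Accounts are created without a `password` field, so whether wheel members can actually use sudo depends on how passwords are initialised out of band — worth a sentence in the Commentary section.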

-- 
To stop receiving notification emails like this one, please contact
address@hidden


