01/01: hydra: Add configuration file for new Berlin coordination server.
From: |
Ricardo Wurmus |
Subject: |
01/01: hydra: Add configuration file for new Berlin coordination server. |
Date: |
Thu, 7 Dec 2017 11:00:08 -0500 (EST) |
rekado pushed a commit to branch master
in repository maintenance.
commit 0956328d3ec8e7a75e11585e7b69e7253898448b
Author: Ricardo Wurmus <address@hidden>
Date: Thu Dec 7 16:59:41 2017 +0100
hydra: Add configuration file for new Berlin coordination server.
* hydra/berlin-new.scm: New file.
---
hydra/berlin-new.scm | 288 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 288 insertions(+)
diff --git a/hydra/berlin-new.scm b/hydra/berlin-new.scm
new file mode 100644
index 0000000..7a33709
--- /dev/null
+++ b/hydra/berlin-new.scm
@@ -0,0 +1,288 @@
+;; OS configuration for a new Dell server that will silently replace
+;; "berlin", the frontend of the compile farm hosted at the MDC.
+
+(use-modules (gnu) (guix) (sysadmin people))
+(use-service-modules base networking admin mcron shepherd ssh web cuirass)
+(use-package-modules admin certs emacs linux ssh tls vim
+ package-management web wget ci rsync)
+
+(define %sysadmins
+ ;; The sysadmins.
+ (list (sysadmin (name "ludo")
+ (full-name "Ludovic Courtès")
+ (ssh-public-key (local-file "keys/ssh/ludo.pub")))
+ (sysadmin (name "rekado")
+ (full-name "Ricardo Wurmus")
+ (ssh-public-key (local-file "keys/ssh/rekado.pub")))
+ (sysadmin (name "andreas")
+ (full-name "Andreas Enge")
+ (ssh-public-key (local-file "keys/ssh/andreas.pub")))))
+
+
+(define %gc-job
+ ;; The garbage collection mcron job, once per day.
+ #~(job '(next-hour '(4))
+ (string-append #$guix "/bin/guix gc -F80G")))
+
+(define %certbot-job
+ ;; Attempt to renew the Let's Encrypt certificate twice a week.
+ #~(job (lambda (now)
+ (next-day-from (next-hour-from now '(3))
+ '(2 5)))
+ (string-append #$certbot "/bin/certbot renew")))
+
+(define %guix-daemon-config
+ (guix-configuration
+ ;; Disable substitutes altogether.
+ (use-substitutes? #f)
+ (substitute-urls '())
+ (authorized-keys '())
+ (max-silent-time 7200)
+ (timeout (* 4 max-silent-time))
+
+ (extra-options '("--max-jobs=5" "--cores=4" ;we have 8 cores
+ "--cache-failures"
+ "--gc-keep-outputs" "--gc-keep-derivations"))))
+
+(define start-firewall
+ ;; Rules to throttle malicious SSH connection attempts. This will allow at
+ ;; most 3 connections per minute from any host, and will block the host for
+ ;; another minute if this rate is exceeded. Taken from
+ ;; <http://www.la-samhna.de/library/brutessh.html#3>.
+ #~(let ((iptables
+ (lambda (str)
+ (zero? (apply system*
+ #$(file-append iptables
+ "/sbin/iptables")
+ (string-tokenize str))))))
+ (format #t "Installing iptables SSH rules...~%")
+ (and (iptables "-A INPUT -p tcp --dport 22 -m state \
+ --state NEW -m recent --set --name SSH -j ACCEPT")
+ (iptables "-A INPUT -p tcp --dport 22 -m recent \
+ --update --seconds 60 --hitcount 4 --rttl \
+ --name SSH -j LOG --log-prefix SSH_brute_force")
+ (iptables "-A INPUT -p tcp --dport 22 -m recent \
+ --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP"))))
+
+(define firewall-service
+ ;; The "firewall". Make it a Shepherd service because as an activation
+ ;; script it might run too early, before the Netfilter modules can be
+ ;; loaded for some reason.
+ (simple-service 'firewall shepherd-root-service-type
+ (list (shepherd-service
+ (provision '(firewall))
+ (requirement '())
+ (start #~(lambda ()
+ #$start-firewall))
+ (respawn? #f)))))
+
+
+;;;
+;;; NGINX.
+;;;
+
+(define %nginx-config
+ ;; Our nginx configuration directory. It expects 'guix publish' to be
+ ;; running on port 3000.
+ (computed-file "nginx-config"
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+
+ (mkdir #$output)
+ (chdir #$output)
+ (symlink #$(local-file "nginx/berlin.conf")
+ "berlin.conf")
+ (copy-file #$(local-file
+ "nginx/berlin-locations.conf")
+ "berlin-locations.conf")
+ (substitute* "berlin-locations.conf"
+ (("@WWWROOT@")
+ #$(local-file "nginx/html/berlin" #:recursive?
#t)))))))
+
+(define %nginx-mime-types
+ ;; Provide /etc/nginx/mime.types (and a bunch of other files.)
+ (simple-service 'nginx-mime.types
+ etc-service-type
+ `(("nginx" ,(file-append nginx "/share/nginx/conf")))))
+
+(define %nginx-cache-activation
+ ;; Make sure /var/cache/nginx exists on the first run.
+ (simple-service 'nginx-/var/cache/nginx
+ activation-service-type
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+ (mkdir-p "/var/cache/nginx")))))
+
+
+;;;
+;;; Cuirass.
+;;;
+
+(define %cuirass-specs
+ ;; Cuirass specifications to build Guix.
+ #~(list `((#:name . "guix")
+ ;; FIXME: The campus firewall blocks access to git://
+ (#:url . "https://git.savannah.gnu.org/git/guix.git")
+ (#:load-path . ".")
+
+ ;; FIXME: Currently this must be an absolute file name because
+ ;; the 'evaluate' command of Cuirass loads it with
+ ;; 'primitive-load'.
+ ;; Use our own variant of Cuirass' 'examples/gnu-system.scm'.
+ (#:file . #$(local-file "cuirass-jobs.scm"))
+ (#:no-compile? #t) ;don't try to run ./bootstrap etc.
+
+ (#:proc . hydra-jobs)
+ (#:arguments (subset . "all"))
+ (#:branch . "master"))))
+
+
+;;;
+;;; Operating system.
+;;;
+
+(define %motd
+ ;; Message of the day!
+ (plain-file "motd"
+ "\
+ ░░░ ░░░
+ ░░▒▒░░░░░░░░░ ░░░░░░░░░▒▒░░
+ ░░▒▒▒▒▒░░░░░░░ ░░░░░░░▒▒▒▒▒░
+ ░▒▒▒░░▒▒▒▒▒ ░░░░░░░▒▒░
+ ░▒▒▒▒░ ░░░░░░
+ ▒▒▒▒▒ ░░░░░░
+ ▒▒▒▒▒ ░░░░░
+ ░▒▒▒▒▒ ░░░░░ Welcome to berlin!
+ ▒▒▒▒▒ ░░░░░
+ ▒▒▒▒▒ ░░░░░
+ ░▒▒▒▒▒░░░░░
+ ▒▒▒▒▒▒░░░
+ ▒▒▒▒▒▒░
+
+Best practices:
+
+ 1. Store everything in guix-maintenance.git.
+ 2. Use the Git checkouts of Guix and guix-maintenance in ~root.
+ 3. Notify address@hidden when reconfiguring.
+ 4. Notify address@hidden when something goes wrong.
+
+ 5. Notify address@hidden or address@hidden when the
+ machine doesn't respond. Only Ricardo has access to the serial console
+ to reset the machine.
+
+Happy hacking!\n"))
+
+
+(operating-system
+ (host-name "berlin.guixsd.org")
+ (timezone "Europe/Berlin")
+ (locale "en_US.utf8")
+
+ ;; Allow access through the serial console at 141.80.113.141; the
+ ;; management interface can only be accessed through selected
+ ;; servers within the MDC campus network.
+ (kernel-arguments '("console=tty0"
+ "console=ttyS1,115200n8"))
+
+ ;; The Dell server need these kernel modules for the
+ ;; RAID controller.
+ (initrd (lambda (fs . args)
+ (apply base-initrd fs
+ #:extra-modules
+ (list "megaraid_sas" "libsas" "scsi_transport_sas")
+ args)))
+
+ ;; Show the GRUB menu on the serial interface.
+ (bootloader (grub-configuration (device "/dev/sda")
+ (terminal-inputs '(serial))
+ (terminal-outputs '(serial))))
+
+ ;; Just a single disk, no RAID :-/
+ (file-systems (cons (file-system
+ (device "my-root")
+ (title 'label)
+ (mount-point "/")
+ (type "ext4"))
+ %base-file-systems))
+
+ ;; Local admin account for MDC maintenance.
+ (users (cons (user-account
+ (name "bi-admin")
+ (comment "Local admin")
+ (group "users")
+ (supplementary-groups '("wheel"))
+ (home-directory "/home/bi-admin"))
+ %base-user-accounts))
+
+ (packages (cons* certbot emacs wget iptables
+ jnettop openssh rsync
+ ;; This is needed to set GIT_SSL_CAINFO allowing
+ ;; Cuirass to fetch sources via HTTPS.
+ nss-certs
+ %base-packages))
+
+ (services (cons*
+ (service sysadmin-service-type %sysadmins)
+
+ ;; TODO: configure the second network interface once it's
+ ;; hooked up to the switch.
+ (static-networking-service "eno1"
+ "141.80.181.41"
+ #:netmask "255.255.255.0"
+ #:gateway "141.80.181.1")
+ (static-networking-service "eno3"
+ "141.80.167.131"
+ #:netmask "255.255.255.192")
+ (service openssh-service-type)
+
+ ;; Allow login over serial console.
+ (agetty-service (agetty-configuration
+ (tty "ttyS1")
+ (baud-rate "115200")))
+
+ ;; The Web service.
+ (service guix-publish-service-type
+ (guix-publish-configuration
+ (port 3000)
+ (cache "/var/cache/guix/publish")
+ (ttl (* 45 24 3600))
+ (compression-level 9)
+ (workers 6)))
+
+ (service nginx-service-type
+ (nginx-configuration
+ (file
+ (file-append %nginx-config "/berlin.conf"))))
+
+ %nginx-mime-types
+ %nginx-cache-activation
+
+ (service cuirass-service-type
+ (cuirass-configuration
+ (interval (* 5 60))
+ (specifications %cuirass-specs)))
+
+ ;; Make SSH and HTTP/HTTPS available over Tor.
+ (tor-hidden-service "http"
+ '((22 "127.0.0.1:22")
+ (80 "127.0.0.1:80")
+ (443 "127.0.0.1:443")))
+ (tor-service)
+
+ ;; Cron and log rotation.
+ (service rottlog-service-type (rottlog-configuration))
+ (service mcron-service-type
+ (mcron-configuration
+ (jobs (list %gc-job %certbot-job))))
+
+ firewall-service
+
+ (modify-services %base-services
+ ;; Disable substitutes altogether.
+ (guix-service-type config => %guix-daemon-config)
+ (login-service-type
+ config => (login-configuration
+ (inherit config)
+ (motd %motd)))))))
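Review bot: The SSH throttle in `start-firewall` cannot actually drop a new connection as written: its first rule is appended first and ends in `-j ACCEPT` for every `--state NEW` packet on port 22, so chain traversal stops there and the `--update … -j LOG` / `-j DROP` rules below it are only ever reached by packets of sessions that were already accepted, which is the opposite of what the comment ("block the host for another minute") describes. For the stated behaviour the `--set` rule has to fall through and the two `--update` rules have to be limited to new connections, e.g. `-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH` with no target, and `-m state --state NEW` added to both the LOG and the DROP rule. Two smaller points on the same block: `-m recent` keys on the source address, so every connection relayed by the `tor-hidden-service` on port 22 arrives from 127.0.0.1 and shares one counter, and the rules are appended unconditionally on each start of the Shepherd service, so a restart leaves duplicate entries in INPUT. I see no earlier ESTABLISHED accept in this file; if one is set up elsewhere the ordering problem with the first rule still stands.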