
[GNUnet-SVN] [taler-deployment] branch master updated (98b47ba -> 15c9c6


From: gnunet
Subject: [GNUnet-SVN] [taler-deployment] branch master updated (98b47ba -> 15c9c66)
Date: Sat, 04 Aug 2018 10:10:36 +0200

This is an automated email from the git hooks/post-receive script.

ng0 pushed a change to branch master
in repository deployment.

    from 98b47ba  guix: Add a service for /etc/aliases
     new d7d326a  Add dold to guix/keys/ssh/
     new b0b5e7e  guix
     new 15c9c66  guix: initial services module draft, partly from guix' own 
maintenance repo

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 guix/config.scm                    | 110 ++++++++++++----------------
 guix/keys/ssh/dold.pub             |   1 +
 guix/modules/sysadmin/services.scm | 143 +++++++++++++++++++++++++++++++++++++
 3 files changed, 188 insertions(+), 66 deletions(-)
 create mode 100644 guix/keys/ssh/dold.pub
 create mode 100644 guix/modules/sysadmin/services.scm

diff --git a/guix/config.scm b/guix/config.scm
index baef731..eb3eafa 100644
--- a/guix/config.scm
+++ b/guix/config.scm
@@ -2,10 +2,11 @@
 
 (use-modules (gnu)
              (guix)
-             (sysadmin people))
+             (sysadmin people)
+             (sysadmin services))
 (use-service-modules base networking mcron ssh mail
                      version-control databases admin
-                     web certbot)
+                     web certbot cgit)
 (use-package-modules admin linux ssh tls vim zile wget
                      ntp version-control)
 
@@ -13,39 +14,55 @@
 ;; FIXME: Create jobs.
 
 (define %sysadmins
-  ;; The sys-admins. TODO: More.
   (list (sysadmin (name "gillmann")
                   (full-name "Nils Gillmann")
                   (ssh-public-key (local-file "keys/ssh/ng0.pub")))
+        (sysadmin (name "dold")
+                  (ssh-public-key (local-file "keys/ssh/dold.pub")))
+        (sysadmin (name "stanisci")
+                  (ssh-public-key (local-file "keys/ssh/stanisci.pub")))
         (sysadmin (name "grothoff")
                   (full-name "Christian Grothoff")
                   (ssh-public-key (local-file "keys/ssh/grothoff.pub")))))
 
 ;;; /etc/aliases
-;; this takes the local (repository!) aliases file and copies it to 
/etc/aliases
-;; in the resulting OS.
+;; Takes the local aliases file contained in this repository (../etc/aliases)
+;; and copy it to "/etc/aliases" in the OS resulting from this config.
 (define %aliases-etc-service
   (simple-service 'etc-/etc/aliases-init
+                  activation-service-type
                   (with-imported-modules '((guix build utils))
                     #~(begin
                         (use-modules (guix build utils))
                         (copy-file #$(local-file "../etc/aliases")
                                    "/etc/aliases")))))
 
+;; TODO: Do we need more than this hook?
+(define %nginx-deploy-hook
+  (program-file "nginx-deploy-hook"
+                #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
+                    (kill pid SIGHUP))))
+
 ;;;
 ;;; The OS definition
 ;;;
 
 (operating-system
-  (host-name "bfh.taler.net")
+  ;; TODO: Hostname should be loaded from external file and be substituted,
+  ;; same for some other basic values.
+  (host-name "bfh.taler.net")  
   (timezone "Europe/Berlin")
   (locale "en_US.UTF-8")
 
   ;; bootloader
-  (bootloader (grub-configuration (target "/dev/sda")
-                                  (terminal-outputs '(console))))
+  (bootloader (bootloader-configuration
+               (bootloader grub-bootloader)
+               (target "/dev/sda")
+               (terminal-outputs '(console))))
   
   ;; file-systems
+  ;; TODO: Write functions for Hardware RAID
+  ;; TODO: /home should be on luks encrypted device
   ;; single-disk configuration.
   (file-systems (cons* (file-system
                          (device "my-root")
@@ -58,51 +75,41 @@
                          (mount-point "/home")
                          (type "ext4"))
                        %base-file-systems))
-  ;; FIXME: RAID? -> mapped-devices
-  ;; FIXME: RAID? -> Add kernel module!
-  ;; FIXME: /home should be on luks encrypted device
-
-  ;; Local admin account
-  ;; FIXME: Do we really need this?
-  ;; (users (cons (user-account
-  ;;               (name "local-admin")
-  ;;               (comment "Local admin")
-  ;;               (group "users")
-  ;;               (supplementary-groups '("wheel"))
-  ;;               (home-directory "/home/local-admin"))
-  ;;              %base-user-accounts))
-
-  (packages (append (map specification->package '("nvi" "mg" ;editors
+
+  (packages (append (map specification->package '("nvi" "mg" "emacs-no-x"
                                                   "openssh"
-                                                  ;; GNUnet core dependencies
-                                                  ;; FIXME: better would be to 
read gnunet-inputs and -native-inputs.
-                                                  "curl" "libmicrohttpd" 
"gnutls/dane"
+                                                  "curl" "libmicrohttpd" 
"gnutls-dane"
                                                   "sqlite" "jansson" "nss" 
"gmp"
                                                   "bluez" "glib" "libogg" 
"python2"
-                                                  "perl" "doxygen" ; FIXME: is 
perl necessary?
-                                                  "opus" "pulseaudio" ;PA on 
server, for building?
+                                                  "perl" "doxygen"
+                                                  "opus" "pulseaudio"
                                                   "libunistring" "libltdl" 
"zlib" "libgcrypt" "libextractor"
                                                   "gstreamer" 
"gst-plugins-base" "libidn" "glpk"
-                                                  ;; -- end GNUnet core 
dependencies.
                                                   "gitolite"
                                                   "nss-certs"
                                                   "wget" "openssl"
-                                                  "postgres"
+                                                  "postgresql"
                                                   "certbot"))
                     %base-packages))
 
   (services (cons*
+             (ntp-service)
              (service sysadmin-service-type %sysadmins)
 
              ;; Log rotation
              (service rottlog-service-type (rottlog-configuration))
 
-             ;; CERTIFICATES
+             ;; certificates
              (service certbot-service-type
                       (certbot-configuration
-                       ;; TODO: Any other (sub)domains?
-                       (hosts '(("taler.net")
-                                ("git.taler.net")))))
+                       (email "address@hidden")
+                       (certificates
+                        (list
+                         (certificate-configuration
+                          (domains '("taler.net" "git.taler.net"))
+                          (deploy-hook %nginx-deploy-hook))
+                         (certificate-configuration
+                          (domains '("2.taler.net")))))))
 
              ;; MAIL
              ;; FIXME: Policy is to just RECEIVE mail.
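Review bot: Only the first `certificate-configuration` (taler.net / git.taler.net) gets `(deploy-hook %nginx-deploy-hook)`; the second one for `2.taler.net` has no hook, so after that certificate is renewed nginx keeps serving the old one until something else reloads it. Add `(deploy-hook %nginx-deploy-hook)` to the `2.taler.net` block as well, or put all domains into one configuration if they are served by the same vhost. The `services` list continues past the end of this hunk.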
@@ -144,25 +151,14 @@
              ;;   ;; Default portnumber, must be a NUMBER not a string.
              ;;   (port 3306)))
              ;;  TODO: PostgreSQL -> exact config: ???
-             (swervice postgresql-service-type)
+             (service postgresql-service-type)
 
              ;; WEBSERVER
              ;;(service nginx-service-type)
              (service nginx-service-type
                       (nginx-configuration
-                       (server-blocks
-                        (list
-                         (nginx-server-configuration
-                          (listen '("443 ssl"))
-                          (server-name "git.taler.net")
-                          (ssl-certificate
-                           "/etc/letsencrypt/live/git.taler.net/fullchain.pem")
-                          (ssl-certificate-key
-                           "/etc/letsencrypt/live/git.taler.net/privkey.pem")
-                          (locations
-                           (list
-                            (git-http-nginx-location-configuration
-                             (git-http-configuration (uri-path "/"))))))))))
+                       (file
+                        (file-append %nginx-config "/bhf.conf"))))
              ;;(service fcgiwrap-service-type)
              ;; FIXME: Check cgit-service-type + gitolite options.
              ;; FIXME: Extend cgit service.
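Review bot: `(file-append %nginx-config "/bhf.conf")` looks inconsistent with the rest of this commit: the host is named `bfh.taler.net`, so "bhf" reads like a transposition, and `%nginx-config` as defined in the new `guix/modules/sysadmin/services.scm` only produces `berlin.conf` and `berlin-locations.conf`, so no `bhf.conf` would exist in that directory. Also, that module's `#:export` list contains only `firewall-service` and `default-services`, so `%nginx-config` is not visible from `config.scm` at all and evaluation stops with an unbound variable. Either export it (`#:export (firewall-service default-services %nginx-config)`) and generate the file it references, or pass the configuration file through `default-services`' `#:nginx-config-file` keyword instead. The `services` list continues past the end of this hunk.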
@@ -182,24 +178,6 @@
               #:config (git-daemon-configuration
                         (user-path "git")))
 
-             ;; SERVE GIT OVER HTTP:
-             ;; FIXME: FAILING BUILD, USE WORKAROUND.
-             ;; (service nginx-service-type
-             ;;          (nginx-configuration
-             ;;           (server-blocks
-             ;;            (list
-             ;;             (nginx-server-configuration
-             ;;              (http-port #f)
-             ;;              (server-name "git.gnunet.org")
-             ;;              (ssl-certificate
-             ;;               
"/etc/letsencrypt/live/git.gnunet.org/fullchain.pem")
-             ;;              (ssl-certificate-key
-             ;;               
"/etc/letsencrypt/live/git.gnunet.org/privkey.pem")
-             ;;              (locations
-             ;;               (list
-             ;;                (git-http-nginx-location-configuration
-             ;;                 (git-http-configuration (uri-path "/"))))))))))
-
              ;; Networking
              ;; FIXME: Complete this
              (static-networking-service
diff --git a/guix/keys/ssh/dold.pub b/guix/keys/ssh/dold.pub
new file mode 100644
index 0000000..2414541
--- /dev/null
+++ b/guix/keys/ssh/dold.pub
@@ -0,0 +1 @@
+ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDCwY5XSDyXVqobwR+UfQ0+lPJTVj8MchnOYAJWNC9xvks4s7ZapBkzbpxcnCi27hb31NBtXECgMCfbDI4HuaaphgbGZjOoIWQeMLn8yHCgo7WJT0KDm4o7nODl/6drgab9XmQKhobTtrzmM+MY+MPCSXNDGRk53rM8knT+8cuPsdafEUa67mTC0p/VQJOgX0JVUF45MfVUtl1914Uot22AMHChGGg+7EMPge9QV3z5ZlP9tzXLUkw28+dkeqkXhGgAtBu2alaAy+sxiRbVHVgedOQzYCmhfQZBly8wMBvlnnTNLK023jT9FAp6j2h9/mnfGaXncElzZqkqMTXTkLe1
 dold
diff --git a/guix/modules/sysadmin/services.scm 
b/guix/modules/sysadmin/services.scm
new file mode 100644
index 0000000..df2380d
--- /dev/null
+++ b/guix/modules/sysadmin/services.scm
@@ -0,0 +1,143 @@
+;;; GNU Guix system administration tools.
+;;;
+;;; Copyright (C) Nils Gillmann <address@hidden>
+;;; Parts and pieces initially taken from Guix' maintenance repository:
+;;; Copyright © 2016, 2017, 2018 Ludovic Courtès <address@hidden>
+;;; Copyright © 2017, 2018 Ricardo Wurmus <address@hidden>
+;;;
+;;; This program is free software: you can redistribute it and/or modify
+;;; it under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation, either version 3 of the License, or
+;;; (at your option) any later version.
+;;;
+;;; This program is distributed in the hope that it will be useful,
+;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (sysadmin services)
+  #:use-module (guix gexp)
+  #:use-module (gnu services)
+  #:use-module (gnu services admin)
+  #:use-module (gnu services base)
+  #:use-module (gnu services cuirass)
+  #:use-module (gnu services mcron)
+  #:use-module (gnu services shepherd)
+  #:use-module (gnu services ssh)
+  #:use-module (gnu services web)
+  #:use-module (gnu packages linux)
+  #:use-module (gnu packages package-management)
+  #:use-module (gnu packages tls)
+  #:use-module (gnu packages web)
+  #:use-module (sysadmin people)
+  #:use-module (srfi srfi-1)
+  #:export (firewall-service
+            default-services))
+
+(define start-firewall
+  ;; Rules to throttle malicious SSH connection attempts.  This will allow at
+  ;; most 3 connections per minute from any host, and will block the host for
+  ;; another minute if this rate is exceeded.  Taken from
+  ;; <http://www.la-samhna.de/library/brutessh.html#3>.
+  #~(let ((iptables
+           (lambda (str)
+             (zero? (apply system*
+                           #$(file-append iptables
+                                          "/sbin/iptables")
+                           (string-tokenize str))))))
+      (format #t "Installing iptables SSH rules...~%")
+      (and (iptables "-A INPUT -p tcp --dport 22 -m state \
+  --state NEW -m recent --set --name SSH -j ACCEPT")
+           (iptables "-A INPUT -p tcp --dport 22 -m recent \
+  --update --seconds 60 --hitcount 4 --rttl \
+  --name SSH -j LOG --log-prefix SSH_brute_force")
+           (iptables "-A INPUT -p tcp --dport 22 -m recent \
+  --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP"))))
+
+(define firewall-service
+  ;; The "firewall".  Make it a Shepherd service because as an activation
+  ;; script it might run too early, before the Netfilter modules can be
+  ;; loaded for some reason.
+  (simple-service 'firewall shepherd-root-service-type
+                  (list (shepherd-service
+                         (provision '(firewall))
+                         (requirement '())
+                         (start #~(lambda ()
+                                    #$start-firewall))
+                         (respawn? #f)))))
+
+(define %nginx-config
+  ;; Our nginx configuration directory.  It expects 'guix publish' to be
+  ;; running on port 3000.
+  (computed-file "nginx-config"
+                 (with-imported-modules '((guix build utils))
+                   #~(begin
+                       (use-modules (guix build utils))
+
+                       (mkdir #$output)
+                       (chdir #$output)
+                       (symlink #$(local-file "nginx/berlin.conf")
+                                "berlin.conf")
+                       (copy-file #$(local-file
+                                     "nginx/bayfront-locations.conf")
+                                  "berlin-locations.conf")
+                       (substitute* "berlin-locations.conf"
+                         (("@WWWROOT@")
+                          #$(local-file "nginx/html/berlin" #:recursive? 
#t)))))))
+
+(define %nginx-cache-activation
+  ;; Make sure /var/cache/nginx exists on the first run.
+  (simple-service 'nginx-/var/cache/nginx
+                  activation-service-type
+                  (with-imported-modules '((guix build utils))
+                    #~(begin
+                        (use-modules (guix build utils))
+                        (mkdir-p "/var/cache/nginx")))))
+
+(define %nginx-mime-types
+  ;; Provide /etc/nginx/mime.types (and a bunch of other files.)
+  (simple-service 'nginx-mime.types
+                  etc-service-type
+                  `(("nginx" ,(file-append nginx "/share/nginx/conf")))))
+
+
+;; FIXME: Use certbot-service.
+;; Initial list of domains:
+;; taler.net www.taler.net api.taler.net lcov.taler.net git.taler.net
+;; gauger.taler.net buildbot.taler.net test.taler.net playground.test.taler.net
+;; auditor.test.taler.net auditor.demo.taler.net demo.taler.net 
shop.test.taler.net
+;; shop.demo.taler.net survey.test.taler.net survey.demo.taler.net
+;; donations.demo.taler.net backend.test.taler.net backend.demo.taler.net
+;; bank.test.taler.net bank.demo.taler.net www.git.taler.net
+;; exchange.demo.taler.net exchange.test.taler.net env.taler.net
+;; envs.taler.net blog.demo.taler.net blog.test.taler.net
+;; donations.test.taler.net docs.taler.net intranet.taler.net
+;; stage.taler.net
+
+(define %certbot-job
+;; Attempt to renew the Let's Encrypt certificate twice a week.
+  #~(job (lambda (now
+                  (next-day-from (next-hour-from now '(3))
+                                 '(2 5)))
+           (string-append #$certbot "/bin/certbot renew"))))
+
+(define* (default-services sysadmins #:key nginx-config-file)
+  "Return the list of default services."
+  (cons* (service rottlog-service-type (rottlog-configuration))
+         (service mcron-service-type
+                  (mcron-configuration
+                   (jobs (list %certbot-job))))
+         firewall-service
+
+         (service nginx-service-type
+                  (nginx-configuration
+                   (file nginx-config-file)))
+
+         %nginx-mime-type
+         %nginx-cache-activation
+
+         (service openssh-service-type)
+         (service sysadmin-service-type sysadmins)))
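Review bot: `default-services` refers to `%nginx-mime-type`, but the binding defined above is `%nginx-mime-types`, so calling the function raises an unbound-variable error; change the line to `%nginx-mime-types`. In `%certbot-job` the lambda's parameter list is closed too late — `(lambda (now (next-day-from ...)) (string-append ...))` puts the whole `next-day-from` call inside the formals, which Guile rejects; the schedule should be `(lambda (now) (next-day-from (next-hour-from now '(3)) '(2 5)))` followed by `(string-append #$certbot "/bin/certbot renew")` as the job's action. `start-firewall` appends its three rules with `-A` unconditionally, so every (re)start of the `firewall` Shepherd service duplicates them; checking with `iptables -C` before adding, or keeping the rules in a dedicated chain that is flushed first, would make it idempotent. `%nginx-config` symlinks `nginx/berlin.conf` and `nginx/bayfront-locations.conf`, which appear to be paths from the Guix maintenance repository this file was taken from and are not part of this commit, and `(gnu services cuirass)` is imported but unused.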

-- 
To stop receiving notification emails like this one, please contact
address@hidden


