
Ma configuration

par Julien Lepiller — sam. 02 septembre 2017

(use-modules (gnu) (gnu services))
(use-service-modules dns mail networking ssh shepherd web)
(use-package-modules admin certs linux ssh tls tmux vim)

;; Definition of our DNS zone
;; Forward zone for lepiller.eu, handed to Knot via `knot-service-type'
;; further down.  Every IPv4 "A" record below carries "" as data: these
;; look like addresses redacted from the published listing rather than
;; something the macro accepts, so they must be filled in before this
;; zone is served.
;;
;; NOTE(review): the SPF policy ends in "~all" (softfail), so receivers
;; only mark mail from unlisted hosts; "-all" is the strict form.
;; NOTE(review): the record of type "SPF" duplicating the TXT one is the
;; DNS RR type deprecated by RFC 7208 (section 3.1); only the TXT record
;; is authoritative.  Publishing both is harmless as long as the two
;; strings stay identical.
;; NOTE(review): no _dmarc TXT record and no DKIM selector record appear
;; in this zone -- confirm whether they are published elsewhere.
;; NOTE(review): "courriel" (MX 10) has only an A record, while
;; "b.courriel" (MX 50) has the same AAAA as "@" and "ns"; the backup MX
;; therefore appears to live on the same host as everything else.
(define-zone-entries lepiller.eu.zone
;; Name       TTL Class Type Data
  ("@"        ""  "IN"  "A"     "")
  ("@"        ""  "IN"  "AAAA"  "2a00:5884:8208::1")
  ("rennes"   ""  "IN"  "A"     "")
  ("www"      ""  "IN"  "CNAME" "lepiller.eu.")
  ("push"     ""  "IN"  "CNAME" "lepiller.eu.")
  ("avatar"   ""  "IN"  "CNAME" "rennes")
  ("books"    ""  "IN"  "CNAME" "rennes")
  ("sg"       ""  "IN"  "CNAME" "rennes")
  ("webmail"  ""  "IN"  "CNAME" "rennes")
  ;; Both name servers are delegated here; "ns" shares the host's AAAA,
  ;; "ns2" has only the (blanked) IPv4 glue.
  ("@"        ""  "IN"  "NS"    "ns")
  ("@"        ""  "IN"  "NS"    "ns2")
  ("@"        ""  "IN"  "MX"    "10 courriel")
  ("@"        ""  "IN"  "MX"    "50 b.courriel")
  ("ns"       ""  "IN"  "A"     "")
  ("ns"       ""  "IN"  "AAAA"  "2a00:5884:8208::1")
  ("ns2"      ""  "IN"  "A"     "")
  ("courriel" ""  "IN"  "A"     "")
  ("b.courriel" "" "IN" "A"     "")
  ("b.courriel" "" "IN" "AAAA"  "2a00:5884:8208::1")
  ("lfs"      ""  "IN"  "CNAME" "lepiller.eu.")
  ("smtp"     ""  "IN"  "CNAME" "lepiller.eu.")
  ("imap"     ""  "IN"  "CNAME" "courriel")
  ;; "mx a": the MX hosts and the apex address may send; "~all": softfail
  ;; for everything else.
  ("@"        ""  "IN"  "TXT"   "v=spf1 mx a ~all")
  ;; Deprecated SPF RR type; must stay byte-identical to the TXT above.
  ("@"        ""  "IN"  "SPF"   "v=spf1 mx a ~all"))

;; Reverse (PTR) entry for the host's IPv4 address.  The zone origin is
;; supplied by `ipv4-reverse-zone' below, where it is blanked in this
;; listing (presumably a redacted in-addr.arpa name).
(define-zone-entries ipv4-reverse.zone
  ("@" "" "IN" "PTR" "lepiller.eu."))

;; Reverse (PTR) entry for the host's IPv6 address.  The record name is
;; "" here, unlike the "@" used for IPv4 -- presumably the nibble label
;; was redacted from the listing; verify it against the served zone.
(define-zone-entries ipv6-reverse.zone
  ("" "" "IN" "PTR" "lepiller.eu."))

;; Knot zone object for the forward zone, referenced from the
;; `knot-service-type' instance below.
;;
;; NOTE(review): this form has one more closing paren than opening ones
;; and `domain'/`zone' are not valid at top level of a `define'; the record
;; constructor wrapping these fields (the zone type `knot-service-type'
;; expects) appears to have been lost from the listing.
;; NOTE(review): unlike the reverse zones, no `ns'/`mail' fields are
;; given, so the SOA relies on whatever defaults the zone-file record
;; provides -- confirm they resolve inside this zone.
(define lepiller-zone
    (domain "lepiller.eu")
    (zone (zone-file
            (origin "lepiller.eu")
            (entries lepiller.eu.zone)
            ;; Date-based serial (YYYYMMDDnn); bump it on every zone change
            ;; or secondaries will not transfer the update.
            (serial 2017121201)))))

;; Knot zone object for the IPv6 reverse zone.  `domain' and `origin' are
;; "" in this listing -- presumably the ip6.arpa name was redacted, as
;; they cannot be empty for a served zone.
;;
;; NOTE(review): as with `lepiller-zone', one closing paren too many; the
;; wrapping record constructor appears to be missing from the listing.
(define ipv6-reverse-zone
    (domain "")
    (zone (zone-file
            (origin "")
            (entries ipv6-reverse.zone)
            ;; SOA primary and hostmaster, given as absolute names.
            (ns "ns.lepiller.eu.")
            (mail "hostmaster.lepiller.eu.")
            ;; Serial 1, unlike the date-based serial of the forward zone;
            ;; it must still increase on every change.
            (serial 1)))))

;; Knot zone object for the IPv4 reverse zone.  `domain' and `origin' are
;; "" in this listing -- presumably the in-addr.arpa name was redacted,
;; as they cannot be empty for a served zone.
;;
;; NOTE(review): as with `lepiller-zone', one closing paren too many; the
;; wrapping record constructor appears to be missing from the listing.
(define ipv4-reverse-zone
    (domain "")
    (zone (zone-file
            (origin "")
            (entries ipv4-reverse.zone)
            ;; SOA primary and hostmaster, given as absolute names.
            (ns "ns.lepiller.eu.")
            (mail "hostmaster.lepiller.eu.")
            ;; Serial 1, unlike the date-based serial of the forward zone;
            ;; it must still increase on every change.
            (serial 1)))))

;; A weird hack to get static networking for IPv4 and IPv6.
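;; Shepherd service that brings up ens18 with static IPv4 and IPv6
;; addressing by shelling out to iproute2's ip(8).
;;
;; CONFIG is the value passed to the service type; it is not consulted.
;; Returns a one-element list holding the `shepherd-service' providing
;; 'networking.
;;
;; The "" arguments below are the IPv4 address, on-link route and default
;; gateway, which were blanked in the published listing and must be
;; filled in before this configuration is usable.
;; NOTE(review): the IPv6 address is added with a /48 prefix, which puts
;; the whole /48 on-link on ens18 -- presumably the provider routes that
;; prefix to this host; confirm, a /64 or /128 is more usual.
(define (iproute2-shepherd-service config)
  (list (shepherd-service
          (documentation "Run the iproute2 network service")
          (provision '(networking))
          (requirement '())
          (start #~(lambda _
                     (let ((ip (string-append #$iproute "/sbin/ip")))
                       ;; Run one ip(8) invocation.  A non-zero exit status
                       ;; is logged instead of silently discarded (the
                       ;; original ignored every return value); e.g. "File
                       ;; exists" on a re-run becomes visible but not fatal.
                       (define (run . args)
                         (let ((status (apply system* ip args)))
                           (unless (zero? status)
                             (format (current-error-port)
                                     "iproute2: ip ~s exited with status ~a~%"
                                     args (status:exit-val status)))))
                       (run "a" "add" "" "dev" "ens18")
                       (run "l" "set" "ens18" "up")
                       (run "-6" "a" "add" "2a00:5884:8208::1/48" "dev" "ens18")
                       (run "r" "add" "" "dev" "ens18")
                       (run "r" "add" "default" "via" "" "dev" "ens18")
                       (run "-6" "r" "add" "default" "via" "fe80::204:92:100:1" "dev" "ens18")
                       ;; Shepherd only needs a truthy running value; report
                       ;; success even if an address already existed, so a
                       ;; re-run never leaves the host without networking.
                       #t)))
          (stop #~(lambda _
                    (display "Cannot stop iproute2 service.\n")
                    ;; A non-#f result tells shepherd the service is still
                    ;; running, which is the truth: nothing is torn down.
                    #t)))))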

;; Service type wiring `iproute2-shepherd-service' into shepherd, used as
;; (service iproute2-service-type #t) in the operating-system below.
;;
;; NOTE(review): this form is garbled in the listing: the
;; `service-extension' is not wrapped in an `extensions' list, the
;; extension procedure (`iproute2-shepherd-service') is absent, and the
;; `define' is never closed.  It cannot be evaluated as printed.
(define iproute2-service-type
  (service-type (name 'static-networking)
                    (service-extension shepherd-root-service-type
                (description "")))

;; OpenSMTPD configuration, installed through `opensmtpd-service-type'
;; below.  Everything inside the string is the runtime smtpd.conf, so the
;; review remarks live here rather than in the file itself.
;;
;; NOTE(review): neither the string literal nor the `plain-file' call is
;; closed in this listing; the trailing `"))' appears to have been lost.
;;
;; Listeners.  Port 25 on ens18 uses opportunistic TLS (`tls'), which is
;; right for an MX since remote senders may not offer STARTTLS.  Port 587
;; on ens18 is `tls-require', so submission credentials never travel in
;; clear.  The two loopback listeners accept `auth <passwd>' with plain
;; `tls' only, so a local process may authenticate over plaintext --
;; tolerable on lo, but an asymmetry with the 587 listener on ens18.
;; The PKI entries read the Let's Encrypt private key directly; that file
;; is shared with nginx and dovecot below, so its permissions matter.
;;
;; Rules, evaluated in order (presumably first match wins in this
;; OpenSMTPD generation -- confirm against smtpd.conf(5) as deployed):
;;   1. relay anywhere only for authenticated sessions: not an open relay.
;;      No `from' is given, so it defaults to `from local'; presumably
;;      authenticated sessions arriving on ens18 still match -- verify.
;;   2. reject envelope senders at @lepiller.eu unless the source is in
;;      <other-relays>.  This checks MAIL FROM only; a forged header
;;      From: is not inspected here (DMARC, absent from the zone, would).
;;   3. reject any envelope sender listed in <blacklist>.
;;   4./5. deliver mail for lepiller.eu and for local users to maildir
;;      after alias expansion.
;; The table files (/etc/mail/passwd, other-relays, blacklist,
;; /etc/aliases) are outside this listing; /etc/mail/passwd holds
;; credentials and should be readable by root only -- not verifiable here.
(define opensmtpd-conf
  (plain-file "smtpd.conf" "
# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

pki lepiller.eu certificate \"/etc/letsencrypt/live/lepiller.eu/fullchain.pem\"
pki lepiller.eu key \"/etc/letsencrypt/live/lepiller.eu/privkey.pem\"

table passwd file:/etc/mail/passwd

# To accept external mail, replace with: listen on all
listen on ens18 port 25 tls pki lepiller.eu
listen on ens18 port 587 tls-require pki lepiller.eu auth <passwd>
listen on lo port 25 tls pki lepiller.eu auth <passwd>
listen on lo port 587 tls pki lepiller.eu auth <passwd>

# If you edit the file, you have to run \"smtpctl update table aliases\"
table aliases file:/etc/aliases

table other-relays file:/etc/mail/other-relays
table blacklist file:/etc/mail/blacklist

accept for any authenticated relay #tagged authent relay
reject from ! source <other-relays> sender \"@lepiller.eu\" for any 
reject from any sender <blacklist> for any 
accept from any for domain \"lepiller.eu\" alias <aliases> deliver to maildir
accept for local alias <aliases> deliver to maildir


  ;; Fields of the operating-system declaration.  NOTE(review): the
  ;; enclosing `(operating-system' header and several closing parens are
  ;; missing from this listing (bootloader, file-systems, users, hosts-file
  ;; and most `service' forms are cut); the fields are kept as published.
  (host-name "golobus")
  (timezone "Europe/Paris")
  (locale "fr_FR.UTF-8")
  ;; Bootloader: only the tail of the form survives here (GRUB on /dev/sda).
      (target "/dev/sda")
      (bootloader grub-bootloader)))
  ;; Root file system by UUID; the closing parens of the form are missing.
  (file-systems (cons (file-system
                        (mount-point "/")
                        (device (uuid "27798665-5606-4fde-8da8-cc371e603892"))
                        (type "ext4"))
  ;; Single unprivileged account; no supplementary groups are visible in
  ;; this fragment, so sudo/wheel membership cannot be judged from here.
  (users (cons (user-account
                 (name "tyreunom")
                 (group "users")
                 (home-directory "/home/tyreunom"))
  ;; Again a weird hack to define our fully qualified domain: the hosts
  ;; file maps lepiller.eu to the host's own addresses (the IPv4 address
  ;; is blanked in this listing).  Only a fragment of the form is shown.
    (plain-file "hosts"
      (string-append " lepiller.eu localhost " host-name "\n"
                     "::1       lepiller.eu localhost " host-name "\n"
  ;; nss-certs provides the CA bundle that TLS clients on the host use.
  (packages (cons* openssh tmux neovim nss-certs %base-packages))
      ;; The #t is the CONFIG argument that `iproute2-shepherd-service'
      ;; ignores.
      (service iproute2-service-type #t)
      ;; NOTE(review): the OpenSSH configuration is cut off here, so
      ;; password authentication and root login settings cannot be
      ;; reviewed from this listing -- check them in the full file.
      (service openssh-service-type
      (service nginx-service-type
      (service knot-service-type
                 (zones (list lepiller-zone ipv4-reverse-zone ipv6-reverse-zone))))
      ;; Dovecot reads the same Let's Encrypt certificate and key as smtpd
      ;; and nginx; the leading "<" makes dovecot read the file contents.
      (service dovecot-service-type
                 (mail-location "maildir:~/Maildir")
                 (ssl-cert "</etc/letsencrypt/live/lepiller.eu/fullchain.pem")
                 (ssl-key "</etc/letsencrypt/live/lepiller.eu/privkey.pem")))
      (service opensmtpd-service-type
		 (config-file opensmtpd-conf)))
                 ;(local-file "/etc/smtpd.conf"))))
      ;; NOTE(review): each vhost below listens on port 80 as well as 443
      ;; and serves the same document root on both; no redirect to HTTPS
      ;; and no HSTS header appear in this listing, so the sites remain
      ;; reachable in clear.
      (simple-service 'lepiller-http-server nginx-service-type
        (list (nginx-server-configuration
		(ssl-certificate "/etc/letsencrypt/live/lepiller.eu/fullchain.pem")
		(ssl-certificate-key "/etc/letsencrypt/live/lepiller.eu/privkey.pem")
                (listen '("80" "443 ssl http2" "[::]:80" "[::]:443 ssl http2"))
		(server-name '("lepiller.eu"))
		(root "/srv/http/lepiller/site"))))
      ;; NOTE(review): this vhost answers for i18n.lepiller.eu, a name that
      ;; has no record in the zone above (only "push" is defined); one of
      ;; the two is presumably stale.
      (simple-service 'push-http-server nginx-service-type
        (list (nginx-server-configuration
		(ssl-certificate "/etc/letsencrypt/live/lepiller.eu/fullchain.pem")
		(ssl-certificate-key "/etc/letsencrypt/live/lepiller.eu/privkey.pem")
                (listen '("80" "443 ssl http2" "[::]:80" "[::]:443 ssl http2"))
		(server-name '("i18n.lepiller.eu"))
		(root "/srv/http/i18n/site"))))
      ;; Catch-all vhost: any unmatched Host (or a bare IP) is served from
      ;; /srv/http/default with the lepiller.eu certificate, so such
      ;; requests over TLS get a name-mismatch rather than a refusal.
      (simple-service 'default-http-server nginx-service-type
        (list (nginx-server-configuration
		(ssl-certificate "/etc/letsencrypt/live/lepiller.eu/fullchain.pem")
		(ssl-certificate-key "/etc/letsencrypt/live/lepiller.eu/privkey.pem")
                (listen '("80" "443 ssl http2" "[::]:80" "[::]:443 ssl http2"))
		(server-name '(default))
		(root "/srv/http/default"))))
      ;; Substitutes are fetched over HTTPS only.  Transport security is
      ;; not what authenticates substitutes, though: the servers' signing
      ;; keys must be authorized separately, which is not shown here.
      (modify-services %base-services
        (guix-service-type config =>
            (inherit config)
            (substitute-urls '("https://berlin.guixsd.org" "https://mirror.hydra.gnu.org"))))))))