indexblog

Ma configuration

par Julien Lepiller — sam. 02 septembre 2017

(use-modules (gnu) (gnu services))
(use-service-modules certbot dns mail networking ssh shepherd web)
(use-package-modules admin certs linux ssh tls tmux vim)

;; Import some secrets from /etc/config/secrets.scm (only readable by root)
;; Well, they will be readable from the generated configs in the store, so not
;; so secret :p
(add-to-load-path "/etc/config")
(use-modules (secrets))

;; Definition of our DNS zone
(define-zone-entries lepiller.eu.zone
;; Name       TTL Class Type Data
  ("@"        ""  "IN"  "A"     "89.234.186.109")
  ("@"        ""  "IN"  "AAAA"  "2a00:5884:8208::1")
  ("rennes"   ""  "IN"  "A"     "176.182.42.79")
  ("telos"    ""  "IN"  "A"     "195.154.136.89")
  ("www"      ""  "IN"  "CNAME" "lepiller.eu.")
  ("push"     ""  "IN"  "CNAME" "lepiller.eu.")
  ("avatar"   ""  "IN"  "CNAME" "rennes")
  ("books"    ""  "IN"  "CNAME" "rennes")
  ("sg"       ""  "IN"  "CNAME" "rennes")
  ("webmail"  ""  "IN"  "CNAME" "rennes")
  ("@"        ""  "IN"  "NS"    "ns")
  ("@"        ""  "IN"  "NS"    "ns2")
  ("@"        ""  "IN"  "MX"    "10 courriel")
  ("@"        ""  "IN"  "MX"    "50 b.courriel")
  ("ns"       ""  "IN"  "A"     "89.234.186.109")
  ("ns"       ""  "IN"  "AAAA"  "2a00:5884:8208::1")
  ("ns2"      ""  "IN"  "A"     "176.182.42.79")
  ("courriel" ""  "IN"  "A"     "176.182.42.79")
  ("b.courriel" "" "IN" "A"     "89.234.186.109")
  ("b.courriel" "" "IN" "AAAA"  "2a00:5884:8208::1")
  ("lfs"      ""  "IN"  "CNAME" "lepiller.eu.")
  ("smtp"     ""  "IN"  "CNAME" "lepiller.eu.")
  ("imap"     ""  "IN"  "CNAME" "courriel")
  ("@"        ""  "IN"  "TXT"   "v=spf1 mx a ~all")
  ("@"        ""  "IN"  "SPF"   "v=spf1 mx a ~all"))

(define-zone-entries ipv4-reverse.zone
  ("@" "" "IN" "PTR" "lepiller.eu."))

(define-zone-entries ipv6-reverse.zone
  ("1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0" "" "IN" "PTR" "lepiller.eu."))

(define lepiller-zone
  (knot-zone-configuration
    (domain "lepiller.eu")
    (zone (zone-file
            (origin "lepiller.eu")
            (entries lepiller.eu.zone)
            (serial 2017121201)))))

(define ipv6-reverse-zone
  (knot-zone-configuration
    (domain "8.0.2.8.4.8.8.5.0.0.a.2.ip6.arpa")
    (zone (zone-file
            (origin "8.0.2.8.4.8.8.5.0.0.a.2.ip6.arpa")
            (entries ipv6-reverse.zone)
            (ns "ns.lepiller.eu.")
            (mail "hostmaster.lepiller.eu.")
            (serial 1)))))

(define ipv4-reverse-zone
  (knot-zone-configuration
    (domain "109.186.234.89.in-addr.arpa")
    (zone (zone-file
            (origin "109.186.234.89.in-addr.arpa")
            (entries ipv4-reverse.zone)
            (ns "ns.lepiller.eu.")
            (mail "hostmaster.lepiller.eu.")
            (serial 1)))))

;; A weird hack to get static networking for IPv4 and IPv6.
(define (iproute2-shepherd-service config)
  (list (shepherd-service
          (documentation "Run the iproute2 network service")
          (provision '(networking))
          (requirement '())
          (start #~(lambda _
                     (let ((ip (string-append #$iproute "/sbin/ip")))
                       (system* ip "a" "add" "89.234.186.109/32" "dev" "ens18")
                       (system* ip "l" "set" "ens18" "up")
                       (system* ip "-6" "a" "add" "2a00:5884:8208::1/48" "dev" "ens18")
                       (system* ip "r" "add" "89.234.186.1" "dev" "ens18")
                       (system* ip "r" "add" "default" "via" "89.234.186.1" "dev" "ens18")
                       (system* ip "-6" "r" "add" "default" "via" "fe80::204:92:100:1" "dev" "ens18"))))
          (stop #~(lambda _
                    (display "Cannot stop iproute2 service.\n"))))))

(define iproute2-service-type
  (service-type (name 'static-networking)
                (extensions
                  (list
                    (service-extension shepherd-root-service-type
                                       iproute2-shepherd-service)))
                (description "")))

(define opensmtpd-conf
  (plain-file "smtpd.conf" "
# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

pki lepiller.eu certificate \"/etc/letsencrypt/live/lepiller.eu/fullchain.pem\"
pki lepiller.eu key \"/etc/letsencrypt/live/lepiller.eu/privkey.pem\"

table passwd file:/etc/mail/passwd

# To accept external mail, replace with: listen on all
listen on ens18 port 25 tls pki lepiller.eu
listen on ens18 port 587 tls-require pki lepiller.eu auth <passwd>
listen on lo port 25 tls pki lepiller.eu auth <passwd>
listen on lo port 587 tls pki lepiller.eu auth <passwd>

# If you edit the file, you have to run \"smtpctl update table aliases\"
table aliases file:/etc/aliases

table other-relays file:/etc/mail/other-relays
table blacklist file:/etc/mail/blacklist

accept for any authenticated relay #tagged authent relay
reject from ! source <other-relays> sender \"@lepiller.eu\" for any 
reject from any sender <blacklist> for any 
accept from any for domain \"lepiller.eu\" virtual <aliases> deliver to maildir
accept for local alias <aliases> deliver to maildir
"))

;; Find running nginx and reload its configuration (for certificates)
(define %nginx-deploy-hook
  (program-file
   "nginx-deploy-hook"
   #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
       (kill pid SIGHUP))))

(operating-system
  (host-name "golobus")
  (timezone "Europe/Paris")
  (locale "fr_FR.UTF-8")
  (bootloader
    (bootloader-configuration
      (target "/dev/sda")
      (bootloader grub-bootloader)))
  (file-systems (cons (file-system
                        (mount-point "/")
                        (device (uuid "27798665-5606-4fde-8da8-cc371e603892"))
                        (type "ext4"))
                      %base-file-systems))
  (users (cons (user-account
                 (name "tyreunom")
                 (group "users")
                 (home-directory "/home/tyreunom"))
               %base-user-accounts))
  ;; Again a weird hack to define our fully qualified domain
  (hosts-file
    (plain-file "hosts"
      (string-append "127.0.0.1 lepiller.eu localhost " host-name "\n"
                     "::1       lepiller.eu localhost " host-name "\n"
                     %facebook-host-aliases)))
  (packages (cons* openssh tmux neovim nss-certs %base-packages))
  (services
    (cons*
      (service iproute2-service-type #t)
      (service openssh-service-type
               (openssh-configuration))
      (service nginx-service-type
               (nginx-configuration))
      (service knot-service-type
               (knot-configuration
                 (zones (list lepiller-zone ipv4-reverse-zone ipv6-reverse-zone))))
      (service dovecot-service-type
               (dovecot-configuration
                 (mail-location "maildir:~/Maildir")
                 (ssl-cert "</etc/letsencrypt/live/lepiller.eu/fullchain.pem")
                 (ssl-key "</etc/letsencrypt/live/lepiller.eu/privkey.pem")))
      (service opensmtpd-service-type
               (opensmtpd-configuration
		 (config-file opensmtpd-conf)))
      (service certbot-service-type
         (certbot-configuration
	  ;; This is why I need a secret file
          (email certbot-email)
	  (webroot "/srv/http/certbot")
	  (rsa-key-size 4096)
          (certificates
           (list
            (certificate-configuration
             (domains '("lepiller.eu" "www.lepiller.eu" "smtp.lepiller.eu"))
             (deploy-hook %nginx-deploy-hook))))))
      (simple-service 'lepiller-http-server nginx-service-type
        (list (nginx-server-configuration
		(ssl-certificate "/etc/letsencrypt/live/lepiller.eu/fullchain.pem")
		(ssl-certificate-key "/etc/letsencrypt/live/lepiller.eu/privkey.pem")
                (listen '("443 ssl http2" "[::]:443 ssl http2"))
		(server-name '("lepiller.eu"))
		(root "/srv/http/lepiller/site"))))
      (simple-service 'default-http-server nginx-service-type
        (list (nginx-server-configuration
		(ssl-certificate "/etc/letsencrypt/live/lepiller.eu/fullchain.pem")
		(ssl-certificate-key "/etc/letsencrypt/live/lepiller.eu/privkey.pem")
                (listen '("443 ssl http2" "[::]:443 ssl http2"))
		(server-name '(default))
		(root "/srv/http/default"))))
      (modify-services %base-services
        (guix-service-type config =>
          (guix-configuration
            (inherit config)
            (substitute-urls '("https://berlin.guixsd.org" "https://mirror.hydra.gnu.org"))))))))