Ma configuration

par Julien Lepiller — sam. 02 septembre 2017

(use-modules (gnu) (gnu services) (gnu system locale))
(use-service-modules certbot dns mail networking ssh shepherd web)
(use-package-modules admin certs linux ssh tls tmux vim)

;; Import some secrets from /etc/config/secrets.scm (only readable by root).
;; Well, they end up in the generated configs in the store, where anyone can
;; read them, so not so secret :p
(add-to-load-path "/etc/config")
(use-modules (secrets))

;; Definition of our DNS zone
;; Name       TTL Class Type Data
  ("@"        ""  "IN"  "A"     "")
  ("@"        ""  "IN"  "AAAA"  "2a00:5884:8208::1")
  ("rennes"   ""  "IN"  "A"     "")
  ("telos"    ""  "IN"  "A"     "")
  ("www"      ""  "IN"  "CNAME" "")
  ("push"     ""  "IN"  "CNAME" "")
  ("avatar"   ""  "IN"  "CNAME" "rennes")
  ("books"    ""  "IN"  "CNAME" "rennes")
  ("sg"       ""  "IN"  "CNAME" "rennes")
  ("webmail"  ""  "IN"  "CNAME" "rennes")
  ("@"        ""  "IN"  "NS"    "ns")
  ("@"        ""  "IN"  "NS"    "ns2")
  ("@"        ""  "IN"  "MX"    "10 courriel")
  ("@"        ""  "IN"  "MX"    "50 b.courriel")
  ("ns"       ""  "IN"  "A"     "")
  ("ns"       ""  "IN"  "AAAA"  "2a00:5884:8208::1")
  ("ns2"      ""  "IN"  "A"     "")
  ("courriel" ""  "IN"  "A"     "")
  ("b.courriel" "" "IN" "A"     "")
  ("b.courriel" "" "IN" "AAAA"  "2a00:5884:8208::1")
  ("lfs"      ""  "IN"  "CNAME" "")
  ("smtp"     ""  "IN"  "CNAME" "")
  ("imap"     ""  "IN"  "CNAME" "courriel")
  ("@"        ""  "IN"  "TXT"   "v=spf1 mx a ~all")
  ("@"        ""  "IN"  "SPF"   "v=spf1 mx a ~all"))

  ("@" "" "IN" "PTR" ""))

  ("" "" "IN" "PTR" ""))

(define lepiller-zone
  ;; NOTE(review): the record constructor line (presumably a
  ;; `knot-zone-configuration' form, judging by the fields below and the
  ;; knot-service-type use further down) is missing from this listing; as
  ;; printed, the form has one more closing paren than opening ones.
    (domain "")
    ;; Knot is asked to sign the zone with its "default" DNSSEC policy.
    (dnssec-policy "default")
    (zone (zone-file
            (origin "")
            ;; Serial in YYYYMMDDnn form; it has to be bumped on every zone
            ;; change so the secondary (ns2 in the records above) picks the
            ;; new zone up.
            (serial 2017121201)))))

(define ipv6-reverse-zone
    (domain "")
    (zone (zone-file
            (origin "")
            (ns "")
            (mail "")
            (serial 1)))))

(define ipv4-reverse-zone
    (domain "")
    (zone (zone-file
            (origin "")
            (ns "")
            (mail "")
            (serial 1)))))

;; A weird hack to get static networking for IPv4 and IPv6.
(define (iproute2-shepherd-service config)
  "Return a one-element list holding the Shepherd service that provides
'networking by giving the ens18 interface fixed addresses and default routes
through iproute2's ip(8).  CONFIG is accepted but not used."
  (list (shepherd-service
          (documentation "Run the iproute2 network service")
          (provision '(networking))
          (requirement '())
          (start #~(lambda _
                     (let* ((ip  (string-append #$iproute "/sbin/ip"))
                            (dev "ens18")
                            (run (lambda args (apply system* ip args))))
                       ;; The IPv4 address and gateway were redacted from this
                       ;; listing.  Exit statuses are not checked; the result of
                       ;; the last invocation is what Shepherd records as the
                       ;; service's running value.
                       (run "a" "add" "" "dev" dev)
                       (run "l" "set" dev "up")
                       (run "-6" "a" "add" "2a00:5884:8208::1/48" "dev" dev)
                       (run "r" "add" "default" "via" "" "dev" dev)
                       (run "-6" "r" "add" "default" "via" "fe80::204:92:100:1" "dev" dev))))
          (stop #~(lambda _
                    ;; Addresses and routes are deliberately left in place.
                    ;; The value returned by display is not #f, so Shepherd
                    ;; presumably keeps treating the service as running.
                    (display "Cannot stop iproute2 service.\n"))))))

(define iproute2-service-type
  (service-type (name 'static-networking)
                    (service-extension shepherd-root-service-type
                (description "")))

;; OpenSMTPD configuration, stored as a plain file in the store.  What this
;; listing shows: port 25 on ens18 offers TLS without authentication (tls),
;; submission on 587 on ens18 requires TLS before AUTH (tls-require ... auth
;; <passwd>), credentials come from /etc/mail/passwd, mail for the sender
;; pattern on the first reject line (value redacted here) is refused unless
;; it comes from a host in <other-relays>, and senders in <blacklist> are
;; refused outright.  The closing quote of the string and the end of the
;; define are not visible in this listing.
(define opensmtpd-conf
  (plain-file "smtpd.conf" "
# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

pki certificate \"/etc/letsencrypt/live/\"
pki key \"/etc/letsencrypt/live/\"

table passwd file:/etc/mail/passwd

# To accept external mail, replace with: listen on all
listen on ens18 port 25 tls pki
listen on ens18 port 587 tls-require pki auth <passwd>
listen on lo port 25 tls pki auth <passwd>
listen on lo port 587 tls pki auth <passwd>

# If you edit the file, you have to run \"smtpctl update table aliases\"
table aliases file:/etc/aliases

table other-relays file:/etc/mail/other-relays
table blacklist file:/etc/mail/blacklist

accept for any authenticated relay #tagged authent relay
reject from ! source <other-relays> sender \"\" for any 
reject from any sender <blacklist> for any 
accept from any for domain \"\" virtual <aliases> deliver to maildir
accept for local alias <aliases> deliver to maildir

;; Find running nginx and reload its configuration (for certificates)
;; Certbot deploy hook: reads nginx's pid from its pid file and sends it
;; SIGHUP so the renewed certificate is picked up.  RENEWED_LINEAGE is the
;; variable certbot sets to the directory of the certificate just renewed.
;; The pid file is read unguarded: if it is missing or empty,
;; call-with-input-file or the later kill fail and the hook aborts.
;; NOTE(review): as printed, this form has one more closing paren than
;; opening ones, so a wrapping line (presumably a `program-file' form, which
;; is what certbot's deploy-hook field takes) seems to be missing from this
;; listing.
(define %nginx-deploy-hook
   #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read))
           (cert-dir (getenv "RENEWED_LINEAGE")))
       (let ((privkey (string-append cert-dir "/privkey.pem")))
         ;; certbot private keys are world-readable by default, and smtpd complains
         ;; about that, refusing to start :/
         (chmod privkey #o600))
       ;; Only nginx is signalled here; dovecot and smtpd, which read the
       ;; same /etc/letsencrypt/live files in this configuration, may keep
       ;; serving the old certificate until they are restarted.
       (kill pid SIGHUP))))

  (host-name "golobus")
  (timezone "Europe/Paris")
  (locale "fr_FR.UTF-8")
      (target "/dev/sda")
      (bootloader grub-bootloader)))
  (file-systems (cons (file-system
                        (mount-point "/")
                        (device (uuid "27798665-5606-4fde-8da8-cc371e603892"))
                        (type "ext4"))
  (users (cons (user-account
                 (name "tyreunom")
                 (group "users")
                 (home-directory "/home/tyreunom"))
    (cons (locale-definition
          (name "eo.utf8") (source "eo"))
  ;; Again a weird hack to define our fully qualified domain
    (plain-file "hosts"
      (string-append " localhost " host-name "\n"
                     "::1 localhost " host-name "\n"
  (packages (cons* openssh tmux neovim nss-certs %base-packages))
      (service ntp-service-type)
      (service iproute2-service-type #t)
      (service openssh-service-type
      (service nginx-service-type
      (service knot-service-type
                 (zones (list lepiller-zone ipv4-reverse-zone ipv6-reverse-zone))))
      (service dovecot-service-type
                 (mail-location "maildir:~/Maildir")
                 (ssl-cert "</etc/letsencrypt/live/")
                 (ssl-key "</etc/letsencrypt/live/")))
      (service opensmtpd-service-type
		 (config-file opensmtpd-conf)))
      (service certbot-service-type
	  ;; This is why I need a secret file
          (email certbot-email)
	  (webroot "/srv/http/certbot")
	  (rsa-key-size 4096)
             (domains '("" "" ""))
             (deploy-hook %nginx-deploy-hook))))))
      (simple-service 'lepiller-http-server nginx-service-type
        (list (nginx-server-configuration
		(ssl-certificate "/etc/letsencrypt/live/")
		(ssl-certificate-key "/etc/letsencrypt/live/")
                (listen '("443 ssl http2" "[::]:443 ssl http2"))
		(server-name '(""))
		(root "/srv/http/lepiller/site")
                (index '("index.$language_suffix.html" "index.html"))
                (try-files '("$uri.$language_suffix.html" "$uri" "$uri/" "=404"))
                 '("# accept-language: en,en-US;q=0.8,ja;q=0.6"
                   "set $first_language $http_accept_language;"
                   "if ($http_accept_language ~* '(en|eo|fr)') {"
                   "    set $first_language $1;"
                   "set $language_suffix $first_language;"
                   "if ($cookie_language) {"
                   "    set $language_suffix $cookie_language;"
                   "if ($uri ~ \\.en.html$) {"
                   "    set $language_suffix 'en';"
                   "if ($uri ~ \\.eo.html$) {"
                   "    set $language_suffix 'eo';"
                   "if ($uri ~ \\.fr.html$) {"
                   "    set $language_suffix 'fr';"
                   "if ($uri ~ (.*).html) {"
                   "    set $my_uri $1.$language_suffix.html;"
                   "location ~ \\.html$ {"
                   "    add_header Set-Cookie language=$language_suffix;"
                   "    expires off;"
                   "    add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';"
                   "    try_files $my_uri $uri $uri/ =404;"
                   "error_page 404 /404;")))))
      (simple-service 'default-http-server nginx-service-type
        (list (nginx-server-configuration
		(ssl-certificate "/etc/letsencrypt/live/")
		(ssl-certificate-key "/etc/letsencrypt/live/")
                (listen '("443 ssl http2" "[::]:443 ssl http2"))
		(server-name '(default))
		(root "/srv/http/default"))))
      (modify-services %base-services
        (guix-service-type config =>
            (inherit config)
            (substitute-urls '("" ""))))))))