author | jdlugosz963 <jdlugosz963@gmail.com> | 2023-12-19 23:12:40 +0100 |
---|---|---|
committer | jdlugosz963 <jdlugosz963@gmail.com> | 2023-12-19 23:13:54 +0100 |
commit | 2dc8e8ff5adcc6432e7a2ff2883f2d94a4f4412a (patch) | |
tree | 9c46b58740522a2707173e58ccacb988a00a96c3 | |
parent | 5fb8e261507cde427ab7c59400823991ba9b2ef0 (diff) | |
Add fail2ban service and remove custom unsafe pattern for gitolite service.
-rwxr-xr-x | hipis/hipis.scm | 242 |
1 files changed, 125 insertions, 117 deletions
diff --git a/hipis/hipis.scm b/hipis/hipis.scm index 217eadb..3660782 100755 --- a/hipis/hipis.scm +++ b/hipis/hipis.scm | |||
@@ -4,12 +4,15 @@ | |||
4 | #:use-module (gnu system) | 4 | #:use-module (gnu system) |
5 | #:use-module (gnu packages version-control) | 5 | #:use-module (gnu packages version-control) |
6 | #:use-module (gnu services) | 6 | #:use-module (gnu services) |
7 | #:use-module (gnu services security) | ||
7 | #:use-module (gnu services networking) | 8 | #:use-module (gnu services networking) |
8 | #:use-module (gnu services ssh) | 9 | #:use-module (gnu services ssh) |
9 | #:use-module (gnu services cgit) | 10 | #:use-module (gnu services cgit) |
10 | #:use-module (gnu services version-control) | 11 | #:use-module (gnu services version-control) |
11 | #:use-module (gnu services certbot) | 12 | #:use-module (gnu services certbot) |
12 | #:use-module (gnu services web)) | 13 | #:use-module (gnu services web) |
14 | |||
15 | #:use-module (hipis services web)) | ||
13 | 16 | ||
14 | (define jdlugosz-ssh-pub | 17 | (define jdlugosz-ssh-pub |
15 | (local-file "./jdlugosz.pub")) | 18 | (local-file "./jdlugosz.pub")) |
@@ -28,23 +31,23 @@ | |||
28 | 31 | ||
29 | (define hipis | 32 | (define hipis |
30 | (operating-system | 33 | (operating-system |
31 | (locale "en_US.utf8") | 34 | (locale "en_US.utf8") |
32 | (timezone "Europe/Warsaw") | 35 | (timezone "Europe/Warsaw") |
33 | (keyboard-layout (keyboard-layout "pl")) | 36 | (keyboard-layout (keyboard-layout "pl")) |
34 | (host-name "hipis") | 37 | (host-name "hipis") |
35 | 38 | ||
36 | (users (cons* | 39 | (users (cons* |
37 | (user-account | 40 | (user-account |
38 | (name "jakub") | 41 | (name "jakub") |
39 | (comment "Jakub Dlugosz") | 42 | (comment "Jakub Dlugosz") |
40 | (group "users") | 43 | (group "users") |
41 | (home-directory "/home/jakub") | 44 | (home-directory "/home/jakub") |
42 | (password (crypt "Init14ll-p455w0rd#$" "$6$abc")) | 45 | (password (crypt "Init14ll-p455w0rd#$" "$6$abc")) |
43 | (supplementary-groups '("wheel" ;; sudo | 46 | (supplementary-groups '("wheel" ;; sudo |
44 | "netdev" ;; network devices | 47 | "netdev" ;; network devices |
45 | "tty" | 48 | "tty" |
46 | "input"))) | 49 | "input"))) |
47 | %base-user-accounts)) | 50 | %base-user-accounts)) |
48 | 51 | ||
49 | (packages (append | 52 | (packages (append |
50 | (specifications->packages '("emacs-no-x-toolkit" | 53 | (specifications->packages '("emacs-no-x-toolkit" |
@@ -55,40 +58,45 @@ | |||
55 | "curl")) | 58 | "curl")) |
56 | %base-packages)) | 59 | %base-packages)) |
57 | 60 | ||
58 | (services (cons* | 61 | (services (cons* |
59 | (service openssh-service-type | 62 | (service fail2ban-service-type |
60 | (openssh-configuration | 63 | (fail2ban-configuration |
61 | (permit-root-login 'prohibit-password) | 64 | (extra-jails |
62 | (allow-empty-passwords? #f) | 65 | (list |
63 | (password-authentication? #f) | 66 | (fail2ban-jail-configuration |
64 | (authorized-keys | 67 | (name "sshd") |
65 | `(("jakub" ,jdlugosz-ssh-pub))))) | 68 | (enabled? #t)))))) |
66 | 69 | ||
67 | (service static-networking-service-type | 70 | (service openssh-service-type |
68 | (list (static-networking | 71 | (openssh-configuration |
69 | (addresses | 72 | (permit-root-login 'prohibit-password) |
70 | (list (network-address | 73 | (allow-empty-passwords? #f) |
71 | (device "eth0") | 74 | (password-authentication? #f) |
72 | (value "193.200.51.92/27")))) | 75 | (authorized-keys |
73 | (routes | 76 | `(("jakub" ,jdlugosz-ssh-pub))))) |
74 | (list (network-route | 77 | |
75 | (destination "default") | 78 | (service static-networking-service-type |
76 | (gateway "193.200.51.89")))) | 79 | (list (static-networking |
77 | (name-servers '("195.74.91.4 " "193.200.50.51"))) | 80 | (addresses |
78 | 81 | (list (network-address | |
79 | %loopback-static-networking)) | 82 | (device "eth0") |
80 | 83 | (value "193.200.51.92/27")))) | |
81 | (service gitolite-service-type | 84 | (routes |
82 | (gitolite-configuration | 85 | (list (network-route |
83 | (admin-pubkey jdlugosz-ssh-pub) | 86 | (destination "default") |
84 | (group "fcgiwrap") | 87 | (gateway "193.200.51.89")))) |
85 | (rc-file | 88 | (name-servers '("195.74.91.4 " "193.200.50.51"))) |
86 | (gitolite-rc-file (umask #o0027) | 89 | |
87 | ;; Allow to set any configuration key | 90 | %loopback-static-networking)) |
88 | (git-config-keys ".*") | 91 | |
89 | ;; Allow any text as a valid configuration value | 92 | (service gitolite-service-type |
90 | (unsafe-pattern "^$") | 93 | (gitolite-configuration |
91 | )))) | 94 | (admin-pubkey jdlugosz-ssh-pub) |
95 | (group "fcgiwrap") | ||
96 | (rc-file | ||
97 | (gitolite-rc-file (umask #o0027) | ||
98 | ;; Allow to set any configuration key | ||
99 | (git-config-keys ".*"))))) | ||
92 | 100 | ||
93 | ;;; Note to myself: | 101 | ;;; Note to myself: |
94 | ;;; | 102 | ;;; |
@@ -101,74 +109,74 @@ | |||
101 | ;;; /etc/letsencrypt/live/{domain} directory | 109 | ;;; /etc/letsencrypt/live/{domain} directory |
102 | ;;; now you can uncomment cgit and nginx service type | 110 | ;;; now you can uncomment cgit and nginx service type |
103 | ;;; and after system reconfigure everything should be up and running. | 111 | ;;; and after system reconfigure everything should be up and running. |
104 | (service certbot-service-type | 112 | (service certbot-service-type |
105 | (certbot-configuration | 113 | (certbot-configuration |
106 | (email "me@jdlugosz.com") | 114 | (email "me@jdlugosz.com") |
107 | (certificates | 115 | (certificates |
108 | (list | 116 | (list |
109 | (certificate-configuration | 117 | (certificate-configuration |
110 | (domains '("jdlugosz.com" "git.jdlugosz.com")) | 118 | (domains '("jdlugosz.com" "git.jdlugosz.com")) |
111 | (deploy-hook %nginx-deploy-hook)))))) | 119 | (deploy-hook %nginx-deploy-hook)))))) |
112 | 120 | ||
113 | (service cgit-service-type | 121 | (service cgit-service-type |
114 | (cgit-configuration | 122 | (cgit-configuration |
115 | (enable-commit-graph? #t) | 123 | (enable-commit-graph? #t) |
116 | (enable-html-serving? #t) | 124 | (enable-html-serving? #t) |
117 | (remove-suffix? #t) | 125 | (remove-suffix? #t) |
118 | (nocache? #t) | 126 | (nocache? #t) |
119 | (enable-log-filecount? #t) | 127 | (enable-log-filecount? #t) |
120 | (enable-log-linecount? #t) | 128 | (enable-log-linecount? #t) |
121 | (side-by-side-diffs? #t) | 129 | (side-by-side-diffs? #t) |
122 | (enable-git-config? #t) | 130 | (enable-git-config? #t) |
123 | (section-from-path 1) | 131 | (section-from-path 1) |
124 | (repository-directory "/var/lib/gitolite/repositories/public/") | 132 | (repository-directory "/var/lib/gitolite/repositories/public/") |
125 | (source-filter (file-append cgit "/lib/cgit/filters/syntax-highlighting.py")) | 133 | (source-filter (file-append cgit "/lib/cgit/filters/syntax-highlighting.py")) |
126 | (about-filter (file-append cgit "/lib/cgit/filters/about-formatting.sh")) | 134 | (about-filter (file-append cgit "/lib/cgit/filters/about-formatting.sh")) |
127 | (max-stats "year") | 135 | (max-stats "year") |
128 | (snapshots '("tar.gz" "zip")) | 136 | (snapshots '("tar.gz" "zip")) |
129 | (readme "CGIT README") | 137 | (readme "CGIT README") |
130 | 138 | ||
131 | (nginx | 139 | (nginx |
132 | (list | 140 | (list |
133 | (nginx-server-configuration | 141 | (nginx-server-configuration |
134 | (inherit %cgit-configuration-nginx) | 142 | (inherit %cgit-configuration-nginx) |
135 | (server-name '("git.jdlugosz.com")) | 143 | (server-name '("git.jdlugosz.com")) |
136 | (listen '("443 ssl")) | 144 | (listen '("443 ssl")) |
137 | (ssl-certificate (letsencrypt-certificate "jdlugosz.com")) | 145 | (ssl-certificate (letsencrypt-certificate "jdlugosz.com")) |
138 | (ssl-certificate-key (letsencrypt-key "jdlugosz.com"))))))) | 146 | (ssl-certificate-key (letsencrypt-key "jdlugosz.com"))))))) |
139 | 147 | ||
140 | (service nginx-service-type | 148 | (service nginx-service-type |
141 | (nginx-configuration | 149 | (nginx-configuration |
142 | (server-blocks | 150 | (server-blocks |
143 | (list | 151 | (list |
144 | (nginx-server-configuration | 152 | (nginx-server-configuration |
145 | (server-name '("jdlugosz.com")) | 153 | (server-name '("jdlugosz.com")) |
146 | (listen '("443 ssl")) | 154 | (listen '("443 ssl")) |
147 | (ssl-certificate (letsencrypt-certificate "jdlugosz.com")) | 155 | (ssl-certificate (letsencrypt-certificate "jdlugosz.com")) |
148 | (ssl-certificate-key (letsencrypt-key "jdlugosz.com")) | 156 | (ssl-certificate-key (letsencrypt-key "jdlugosz.com")) |
149 | (root "/srv/http/jdlugosz.com")))))) | 157 | (root "/srv/http/jdlugosz.com")))))) |
150 | 158 | ||
151 | (modify-services %base-services | 159 | (modify-services %base-services |
152 | (delete static-networking-service-type)))) | 160 | (delete static-networking-service-type)))) |
153 | 161 | ||
154 | (bootloader (bootloader-configuration | 162 | (bootloader (bootloader-configuration |
155 | (bootloader grub-bootloader) | 163 | (bootloader grub-bootloader) |
156 | (targets (list "/dev/sda")) | 164 | (targets (list "/dev/sda")) |
157 | (keyboard-layout keyboard-layout))) | 165 | (keyboard-layout keyboard-layout))) |
158 | (initrd-modules (append '("virtio_scsi") %base-initrd-modules)) | 166 | (initrd-modules (append '("virtio_scsi") %base-initrd-modules)) |
159 | (swap-devices (list (swap-space | 167 | (swap-devices (list (swap-space |
160 | (target (uuid | 168 | (target (uuid |
161 | "1510f063-9936-494a-97ee-488fda7ff0fe"))))) | 169 | "1510f063-9936-494a-97ee-488fda7ff0fe"))))) |
162 | 170 | ||
163 | ;; The list of file systems that get "mounted". The unique | 171 | ;; The list of file systems that get "mounted". The unique |
164 | ;; file system identifiers there ("UUIDs") can be obtained | 172 | ;; file system identifiers there ("UUIDs") can be obtained |
165 | ;; by running 'blkid' in a terminal. | 173 | ;; by running 'blkid' in a terminal. |
166 | (file-systems (cons* (file-system | 174 | (file-systems (cons* (file-system |
167 | (mount-point "/") | 175 | (mount-point "/") |
168 | (device (uuid | 176 | (device (uuid |
169 | "21ea8fcd-d031-4f00-9e57-0bd4ed5b0230" | 177 | "21ea8fcd-d031-4f00-9e57-0bd4ed5b0230" |
170 | 'ext4)) | 178 | 'ext4)) |
171 | (type "ext4")) %base-file-systems)))) | 179 | (type "ext4")) %base-file-systems)))) |
172 | 180 | ||
173 | hipis | 181 | hipis |
174 | 182 | ||
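Review bot: The gitolite rc at new lines 97–99 still carries `(git-config-keys ".*")` after the `unsafe-pattern` override is dropped; restoring gitolite's default UNSAFE_PATT filters risky characters in values, but `.*` still lets anyone with push access to gitolite-admin set keys that point git at external programs, which gitolite's own documentation warns is equivalent to running commands as the gitolite user. Since `(enable-git-config? #t)` on new line 130 suggests the only keys the repos need are cgit's, narrow this to an allowlist such as `(git-config-keys "cgit\\..*")` (extend it for any other keys the repos actually use). Separately, new line 45 keeps a literal initial password and a fixed salt in `(password (crypt "Init14ll-p455w0rd#$" "$6$abc"))` inside the tracked system file; a hash produced out-of-band, or `(password #f)` relying on the key-only login the openssh block already enforces, would keep that secret out of the repository. New line 88 also has a trailing space inside `"195.74.91.4 "`, which will be written verbatim into the generated resolver configuration.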