authorjdlugosz963 <jdlugosz963@gmail.com>2023-12-19 23:12:40 +0100
committerjdlugosz963 <jdlugosz963@gmail.com>2023-12-19 23:13:54 +0100
commit2dc8e8ff5adcc6432e7a2ff2883f2d94a4f4412a (patch)
tree9c46b58740522a2707173e58ccacb988a00a96c3
parent5fb8e261507cde427ab7c59400823991ba9b2ef0 (diff)
downloadhipis-system-2dc8e8ff5adcc6432e7a2ff2883f2d94a4f4412a.tar.gz
hipis-system-2dc8e8ff5adcc6432e7a2ff2883f2d94a4f4412a.zip
Add fail2ban service and remove custom unsafe pattern for gitolite service.
-rwxr-xr-xhipis/hipis.scm242
1 files changed, 125 insertions, 117 deletions
diff --git a/hipis/hipis.scm b/hipis/hipis.scm
index 217eadb..3660782 100755
--- a/hipis/hipis.scm
+++ b/hipis/hipis.scm
@@ -4,12 +4,15 @@
4 #:use-module (gnu system) 4 #:use-module (gnu system)
5 #:use-module (gnu packages version-control) 5 #:use-module (gnu packages version-control)
6 #:use-module (gnu services) 6 #:use-module (gnu services)
7 #:use-module (gnu services security)
7 #:use-module (gnu services networking) 8 #:use-module (gnu services networking)
8 #:use-module (gnu services ssh) 9 #:use-module (gnu services ssh)
9 #:use-module (gnu services cgit) 10 #:use-module (gnu services cgit)
10 #:use-module (gnu services version-control) 11 #:use-module (gnu services version-control)
11 #:use-module (gnu services certbot) 12 #:use-module (gnu services certbot)
12 #:use-module (gnu services web)) 13 #:use-module (gnu services web)
14
15 #:use-module (hipis services web))
13 16
14(define jdlugosz-ssh-pub 17(define jdlugosz-ssh-pub
15 (local-file "./jdlugosz.pub")) 18 (local-file "./jdlugosz.pub"))
@@ -28,23 +31,23 @@
28 31
29(define hipis 32(define hipis
30 (operating-system 33 (operating-system
31 (locale "en_US.utf8") 34 (locale "en_US.utf8")
32 (timezone "Europe/Warsaw") 35 (timezone "Europe/Warsaw")
33 (keyboard-layout (keyboard-layout "pl")) 36 (keyboard-layout (keyboard-layout "pl"))
34 (host-name "hipis") 37 (host-name "hipis")
35 38
36 (users (cons* 39 (users (cons*
37 (user-account 40 (user-account
38 (name "jakub") 41 (name "jakub")
39 (comment "Jakub Dlugosz") 42 (comment "Jakub Dlugosz")
40 (group "users") 43 (group "users")
41 (home-directory "/home/jakub") 44 (home-directory "/home/jakub")
42 (password (crypt "Init14ll-p455w0rd#$" "$6$abc")) 45 (password (crypt "Init14ll-p455w0rd#$" "$6$abc"))
43 (supplementary-groups '("wheel" ;; sudo 46 (supplementary-groups '("wheel" ;; sudo
44 "netdev" ;; network devices 47 "netdev" ;; network devices
45 "tty" 48 "tty"
46 "input"))) 49 "input")))
47 %base-user-accounts)) 50 %base-user-accounts))
48 51
49 (packages (append 52 (packages (append
50 (specifications->packages '("emacs-no-x-toolkit" 53 (specifications->packages '("emacs-no-x-toolkit"
@@ -55,40 +58,45 @@
55 "curl")) 58 "curl"))
56 %base-packages)) 59 %base-packages))
57 60
58 (services (cons* 61 (services (cons*
59 (service openssh-service-type 62 (service fail2ban-service-type
60 (openssh-configuration 63 (fail2ban-configuration
61 (permit-root-login 'prohibit-password) 64 (extra-jails
62 (allow-empty-passwords? #f) 65 (list
63 (password-authentication? #f) 66 (fail2ban-jail-configuration
64 (authorized-keys 67 (name "sshd")
65 `(("jakub" ,jdlugosz-ssh-pub))))) 68 (enabled? #t))))))
66 69
67 (service static-networking-service-type 70 (service openssh-service-type
68 (list (static-networking 71 (openssh-configuration
69 (addresses 72 (permit-root-login 'prohibit-password)
70 (list (network-address 73 (allow-empty-passwords? #f)
71 (device "eth0") 74 (password-authentication? #f)
72 (value "193.200.51.92/27")))) 75 (authorized-keys
73 (routes 76 `(("jakub" ,jdlugosz-ssh-pub)))))
74 (list (network-route 77
75 (destination "default") 78 (service static-networking-service-type
76 (gateway "193.200.51.89")))) 79 (list (static-networking
77 (name-servers '("195.74.91.4 " "193.200.50.51"))) 80 (addresses
78 81 (list (network-address
79 %loopback-static-networking)) 82 (device "eth0")
80 83 (value "193.200.51.92/27"))))
81 (service gitolite-service-type 84 (routes
82 (gitolite-configuration 85 (list (network-route
83 (admin-pubkey jdlugosz-ssh-pub) 86 (destination "default")
84 (group "fcgiwrap") 87 (gateway "193.200.51.89"))))
85 (rc-file 88 (name-servers '("195.74.91.4 " "193.200.50.51")))
86 (gitolite-rc-file (umask #o0027) 89
87 ;; Allow to set any configuration key 90 %loopback-static-networking))
88 (git-config-keys ".*") 91
89 ;; Allow any text as a valid configuration value 92 (service gitolite-service-type
90 (unsafe-pattern "^$") 93 (gitolite-configuration
91 )))) 94 (admin-pubkey jdlugosz-ssh-pub)
95 (group "fcgiwrap")
96 (rc-file
97 (gitolite-rc-file (umask #o0027)
98 ;; Allow to set any configuration key
99 (git-config-keys ".*")))))
92 100
93 ;;; Note to myself: 101 ;;; Note to myself:
94 ;;; 102 ;;;
@@ -101,74 +109,74 @@
101 ;;; /etc/letsencrypt/live/{domain} directory 109 ;;; /etc/letsencrypt/live/{domain} directory
102 ;;; now you can uncomment cgit and nginx service type 110 ;;; now you can uncomment cgit and nginx service type
103 ;;; and after system reconfigure everything should be up and running. 111 ;;; and after system reconfigure everything should be up and running.
104 (service certbot-service-type 112 (service certbot-service-type
105 (certbot-configuration 113 (certbot-configuration
106 (email "me@jdlugosz.com") 114 (email "me@jdlugosz.com")
107 (certificates 115 (certificates
108 (list 116 (list
109 (certificate-configuration 117 (certificate-configuration
110 (domains '("jdlugosz.com" "git.jdlugosz.com")) 118 (domains '("jdlugosz.com" "git.jdlugosz.com"))
111 (deploy-hook %nginx-deploy-hook)))))) 119 (deploy-hook %nginx-deploy-hook))))))
112 120
113 (service cgit-service-type 121 (service cgit-service-type
114 (cgit-configuration 122 (cgit-configuration
115 (enable-commit-graph? #t) 123 (enable-commit-graph? #t)
116 (enable-html-serving? #t) 124 (enable-html-serving? #t)
117 (remove-suffix? #t) 125 (remove-suffix? #t)
118 (nocache? #t) 126 (nocache? #t)
119 (enable-log-filecount? #t) 127 (enable-log-filecount? #t)
120 (enable-log-linecount? #t) 128 (enable-log-linecount? #t)
121 (side-by-side-diffs? #t) 129 (side-by-side-diffs? #t)
122 (enable-git-config? #t) 130 (enable-git-config? #t)
123 (section-from-path 1) 131 (section-from-path 1)
124 (repository-directory "/var/lib/gitolite/repositories/public/") 132 (repository-directory "/var/lib/gitolite/repositories/public/")
125 (source-filter (file-append cgit "/lib/cgit/filters/syntax-highlighting.py")) 133 (source-filter (file-append cgit "/lib/cgit/filters/syntax-highlighting.py"))
126 (about-filter (file-append cgit "/lib/cgit/filters/about-formatting.sh")) 134 (about-filter (file-append cgit "/lib/cgit/filters/about-formatting.sh"))
127 (max-stats "year") 135 (max-stats "year")
128 (snapshots '("tar.gz" "zip")) 136 (snapshots '("tar.gz" "zip"))
129 (readme "CGIT README") 137 (readme "CGIT README")
130 138
131 (nginx 139 (nginx
132 (list 140 (list
133 (nginx-server-configuration 141 (nginx-server-configuration
134 (inherit %cgit-configuration-nginx) 142 (inherit %cgit-configuration-nginx)
135 (server-name '("git.jdlugosz.com")) 143 (server-name '("git.jdlugosz.com"))
136 (listen '("443 ssl")) 144 (listen '("443 ssl"))
137 (ssl-certificate (letsencrypt-certificate "jdlugosz.com")) 145 (ssl-certificate (letsencrypt-certificate "jdlugosz.com"))
138 (ssl-certificate-key (letsencrypt-key "jdlugosz.com"))))))) 146 (ssl-certificate-key (letsencrypt-key "jdlugosz.com")))))))
139 147
140 (service nginx-service-type 148 (service nginx-service-type
141 (nginx-configuration 149 (nginx-configuration
142 (server-blocks 150 (server-blocks
143 (list 151 (list
144 (nginx-server-configuration 152 (nginx-server-configuration
145 (server-name '("jdlugosz.com")) 153 (server-name '("jdlugosz.com"))
146 (listen '("443 ssl")) 154 (listen '("443 ssl"))
147 (ssl-certificate (letsencrypt-certificate "jdlugosz.com")) 155 (ssl-certificate (letsencrypt-certificate "jdlugosz.com"))
148 (ssl-certificate-key (letsencrypt-key "jdlugosz.com")) 156 (ssl-certificate-key (letsencrypt-key "jdlugosz.com"))
149 (root "/srv/http/jdlugosz.com")))))) 157 (root "/srv/http/jdlugosz.com"))))))
150 158
151 (modify-services %base-services 159 (modify-services %base-services
152 (delete static-networking-service-type)))) 160 (delete static-networking-service-type))))
153 161
154 (bootloader (bootloader-configuration 162 (bootloader (bootloader-configuration
155 (bootloader grub-bootloader) 163 (bootloader grub-bootloader)
156 (targets (list "/dev/sda")) 164 (targets (list "/dev/sda"))
157 (keyboard-layout keyboard-layout))) 165 (keyboard-layout keyboard-layout)))
158 (initrd-modules (append '("virtio_scsi") %base-initrd-modules)) 166 (initrd-modules (append '("virtio_scsi") %base-initrd-modules))
159 (swap-devices (list (swap-space 167 (swap-devices (list (swap-space
160 (target (uuid 168 (target (uuid
161 "1510f063-9936-494a-97ee-488fda7ff0fe"))))) 169 "1510f063-9936-494a-97ee-488fda7ff0fe")))))
162 170
163 ;; The list of file systems that get "mounted". The unique 171 ;; The list of file systems that get "mounted". The unique
164 ;; file system identifiers there ("UUIDs") can be obtained 172 ;; file system identifiers there ("UUIDs") can be obtained
165 ;; by running 'blkid' in a terminal. 173 ;; by running 'blkid' in a terminal.
166 (file-systems (cons* (file-system 174 (file-systems (cons* (file-system
167 (mount-point "/") 175 (mount-point "/")
168 (device (uuid 176 (device (uuid
169 "21ea8fcd-d031-4f00-9e57-0bd4ed5b0230" 177 "21ea8fcd-d031-4f00-9e57-0bd4ed5b0230"
170 'ext4)) 178 'ext4))
171 (type "ext4")) %base-file-systems)))) 179 (type "ext4")) %base-file-systems))))
172 180
173hipis 181hipis
174 182
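Review bot: At new line 99 `(git-config-keys ".*")` still lets anything in gitolite.conf set any git config key on the served repositories, so only half of the permissive pair is removed; gitolite's own rc documentation discourages `.*` for GIT_CONFIG_KEYS, and since the only consumer visible here is cgit's `enable-git-config? #t`, narrowing it to the keys cgit reads, e.g. `(git-config-keys "gitweb\\..* cgit\\..*")`, would keep least privilege. Dropping `(unsafe-pattern "^$")` presumably restores gitolite's default UNSAFE_PATT filter on values, which is the right direction, but the key allowlist is the stronger control. On the fail2ban side (new lines 62–68) the sshd jail takes every default and has no `ignore-ip`; on a host that is reachable only over SSH, a few mistyped logins from the admin's own address would ban the admin, so consider `(ignore-ip '("127.0.0.1/8" "<ADMIN-CIDR>"))` with the management prefix filled in. Key-only authentication is already enforced by `password-authentication? #f`, so the jail mainly limits log noise and connection churn; the enclosing `(define hipis (operating-system ...))` form starts in the previous hunk and ends in the next.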