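;;; Guix system declaration for the "hipis" host: a small public server
;;; running gitolite + cgit behind nginx, with TLS certificates from
;;; Let's Encrypt (certbot) and SSH hardened to key-only logins.
;;;
;;; The file is a Guile module whose last expression evaluates to the
;;; <operating-system> record, so it can be passed straight to
;;; `guix system reconfigure`.

(define-module (hipis)
  #:use-module (guix)
  #:use-module (gnu)
  #:use-module (gnu system)
  #:use-module (gnu packages version-control)   ; cgit (for its filter scripts)
  #:use-module (gnu services)
  #:use-module (gnu services security)          ; fail2ban
  #:use-module (gnu services networking)        ; static-networking
  #:use-module (gnu services ssh)
  #:use-module (gnu services cgit)
  #:use-module (gnu services version-control)   ; gitolite
  #:use-module (gnu services certbot)
  #:use-module (gnu services web)               ; nginx
  #:use-module (hipis services web))            ; hwp-service-type (local module)

;; SSH public key of the administrator.  It is used both as the only
;; authorized key for the "jakub" account and as the gitolite admin key.
;; The path is resolved relative to this file when the system is built.
(define jdlugosz-ssh-pub
  (local-file "./jdlugosz.pub"))

;; Certbot deploy hook: after a certificate is (re)issued, send SIGHUP to
;; the running nginx so it reloads and picks up the new files.  The PID is
;; read from nginx's pid file; if that file is missing or empty the hook
;; raises, which certbot then reports as a failed deploy (no silent skip).
(define %nginx-deploy-hook
  (program-file "nginx-deploy-hook"
                #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
                    (kill pid SIGHUP))))

;; Return the path of the full certificate chain certbot writes for DOMAIN.
;; Certbot names the lineage directory after the *first* domain listed in
;; the certificate configuration, so one lineage can cover several hosts
;; (see the certbot service below).
(define (letsencrypt-certificate domain)
  (string-append "/etc/letsencrypt/live/" domain "/fullchain.pem"))

;; Return the path of the private key belonging to the lineage for DOMAIN.
(define (letsencrypt-key domain)
  (string-append "/etc/letsencrypt/live/" domain "/privkey.pem"))

(define hipis
  (operating-system
    (locale "en_US.utf8")
    (timezone "Europe/Warsaw")
    (keyboard-layout (keyboard-layout "pl"))
    (host-name "hipis")

    (users (cons* (user-account
                   (name "jakub")
                   (comment "Jakub Dlugosz")
                   (group "users")
                   (home-directory "/home/jakub")
                   ;; The initial password is hashed at build time from a
                   ;; literal, so the plaintext lives in this file (and in
                   ;; every copy or commit of it).  Prefer pasting only the
                   ;; precomputed hash here and rotating after first login.
                   (password (crypt "Init14ll-p455w0rd#$" "$6$abc"))
                   (supplementary-groups '("wheel"   ;; sudo
                                           "netdev"  ;; network devices
                                           "tty"
                                           "input")))
                  %base-user-accounts))

    (packages (append (specifications->packages
                       '("emacs-no-x-toolkit" "exfat-utils" "git"
                         "nss-certs" "nmap" "curl"))
                      %base-packages))

    (services
     (cons*
      ;; Ban addresses that repeatedly fail SSH authentication.
      (service fail2ban-service-type
               (fail2ban-configuration
                (extra-jails
                 (list (fail2ban-jail-configuration
                        (name "sshd")
                        (enabled? #t))))))

      ;; Key-only SSH: password authentication is off for everyone and root
      ;; may only log in with a key.  Only the admin key is authorized.
      (service openssh-service-type
               (openssh-configuration
                (permit-root-login 'prohibit-password)
                (allow-empty-passwords? #f)
                (password-authentication? #f)
                (authorized-keys
                 `(("jakub" ,jdlugosz-ssh-pub)))))

      ;; Static addressing for the public interface plus the loopback
      ;; definition that %base-services would otherwise have provided.
      (service static-networking-service-type
               (list (static-networking
                      (addresses (list (network-address
                                        (device "eth0")
                                        (value "193.200.51.92/27"))))
                      (routes (list (network-route
                                     (destination "default")
                                     (gateway "193.200.51.89"))))
                      ;; Addresses are copied verbatim into the resolver
                      ;; configuration, so they must not carry whitespace.
                      (name-servers '("195.74.91.4" "193.200.50.51")))
                     %loopback-static-networking))

      ;; Gitolite owns the repositories.  Files are created with umask 0027
      ;; and group "fcgiwrap" so that cgit (served through fcgiwrap) can
      ;; read them without being able to write.
      (service gitolite-service-type
               (gitolite-configuration
                (admin-pubkey jdlugosz-ssh-pub)
                (group "fcgiwrap")
                (rc-file (gitolite-rc-file
                          (umask #o0027)
                          ;; Allow to set any configuration key
                          (git-config-keys ".*")))))

      ;;; Note to myself:
      ;;;
      ;;; After a fresh installation, nginx won't be working,
      ;;; because the ssl certificates aren't generated yet;
      ;;; you have to comment out the cgit and nginx service types
      ;;; and after system reconfigure, run this script:
      ;;; /var/lib/certbot/renew-certificates
      ;;; after it, new certificates should appear in the
      ;;; /etc/letsencrypt/live/{domain} directory;
      ;;; now you can uncomment the cgit and nginx service types
      ;;; and after system reconfigure everything should be up and running.
      (service certbot-service-type
               (certbot-configuration
                (email "me@jdlugosz.com")
                (certificates
                 (list (certificate-configuration
                        ;; One lineage, named after the first domain, is
                        ;; shared by both nginx server blocks below.
                        (domains '("jdlugosz.com" "git.jdlugosz.com"))
                        (deploy-hook %nginx-deploy-hook))))))

      ;; cgit serves only the "public/" subtree of gitolite's repositories,
      ;; so anything outside that directory is not exposed over HTTPS.
      (service cgit-service-type
               (cgit-configuration
                (enable-commit-graph? #t)
                (enable-html-serving? #t)
                (remove-suffix? #t)
                (nocache? #t)
                (enable-log-filecount? #t)
                (enable-log-linecount? #t)
                (side-by-side-diffs? #t)
                (enable-git-config? #t)
                (section-from-path 1)
                (repository-directory "/var/lib/gitolite/repositories/public/")
                (source-filter (file-append cgit "/lib/cgit/filters/syntax-highlighting.py"))
                (about-filter (file-append cgit "/lib/cgit/filters/about-formatting.sh"))
                (max-stats "year")
                (snapshots '("tar.gz" "zip"))
                (readme "CGIT README")
                (nginx (list (nginx-server-configuration
                              (inherit %cgit-configuration-nginx)
                              (server-name '("git.jdlugosz.com"))
                              (listen '("443 ssl"))
                              (ssl-certificate (letsencrypt-certificate "jdlugosz.com"))
                              (ssl-certificate-key (letsencrypt-key "jdlugosz.com")))))))

      ;; Static site for the apex domain, TLS only.
      (service nginx-service-type
               (nginx-configuration
                (server-blocks
                 (list (nginx-server-configuration
                        (server-name '("jdlugosz.com"))
                        (listen '("443 ssl"))
                        (ssl-certificate (letsencrypt-certificate "jdlugosz.com"))
                        (ssl-certificate-key (letsencrypt-key "jdlugosz.com"))
                        (root "/srv/http/jdlugosz.com"))))))

      (service hwp-service-type
               (hwp-site-configuration (name "hwp-base")))

      ;; The explicit static-networking service above replaces the one in
      ;; %base-services, so drop the default to avoid a duplicate.
      (modify-services %base-services
        (delete static-networking-service-type))))

    (bootloader (bootloader-configuration
                 (bootloader grub-bootloader)
                 (targets (list "/dev/sda"))
                 (keyboard-layout keyboard-layout)))

    ;; virtio_scsi is added to the initrd; presumably the VM's disk sits
    ;; behind a virtio SCSI controller — confirm against the hypervisor.
    (initrd-modules (append '("virtio_scsi") %base-initrd-modules))

    (swap-devices (list (swap-space
                         (target (uuid "1510f063-9936-494a-97ee-488fda7ff0fe")))))

    ;; The list of file systems that get "mounted".  The unique
    ;; file system identifiers there ("UUIDs") can be obtained
    ;; by running 'blkid' in a terminal.
    (file-systems (cons* (file-system
                          (mount-point "/")
                          (device (uuid "21ea8fcd-d031-4f00-9e57-0bd4ed5b0230" 'ext4))
                          (type "ext4"))
                         %base-file-systems))))

;; The module's value: the <operating-system> record consumed by
;; `guix system reconfigure`.
hipis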