;;; Guix System declaration for the host "andrew".  Only host-specific
;;; settings live in this file; storage, base packages and the shared
;;; service list come from the site-wide %MT-* values imported from the
;;; (mt ...) modules below.

(define-module (mt system andrew)
  #:use-module (mt system andrew ci)
  #:use-module (guix gexp)
  #:use-module (guix packages)
  #:use-module (guix modules)
  #:use-module (guix git)
  #:use-module (gnu bootloader)
  #:use-module (gnu bootloader grub)
  #:use-module (gnu services)
  #:use-module (gnu services certbot)
  #:use-module (gnu services networking)
  #:use-module (gnu services version-control)
  #:use-module (gnu services shepherd)
  #:use-module (gnu services web)
  #:use-module (gnu system)
  #:use-module (gnu system keyboard)
  #:use-module (gnu system shadow)
  #:use-module (gnu packages rsync)
  #:use-module (gnu packages version-control)
  #:use-module (gnu packages wget)
  ;; Non-free kernel, firmware and microcode come from the nonguix modules.
  #:use-module (nongnu packages linux)
  #:use-module (nongnu system linux-initrd)
  #:use-module (mt services)
  #:use-module (mt services games)
  #:use-module (mt services version-control)
  #:use-module (mt system)
  #:use-module (mt artwork)
  #:use-module (mt utils)
  #:export (andrew-os))

;;;
;;; OS Configuration
;;;

;; Banner printed on the console before the login prompt (wired in through
;; the ISSUE field of the operating-system below).
(define %issue "
Welcome to \"andrew\" the, first MonasTech server.
")

;; Ruleset installed by NFTABLES-SERVICE-TYPE below.  Inbound policy is
;; DROP: established/related flows, loopback and ICMP are accepted, then
;; SSH, the git daemon (9418), HTTP/HTTPS and the game/voice-chat ports
;; 25565/24454 ("th" matches the transport header, i.e. TCP and UDP alike).
;; Anything else is rejected with port-unreachable.  Forwarding is dropped
;; outright; outbound traffic is unrestricted.
;; NOTE(review): every listed service, SSH included, is reachable from any
;; source address and there is no rate limiting in this ruleset; add
;; source restrictions or limits here if that is wanted.
(define %nftables-ruleset
  (plain-file "nftables.conf" "\
# A simple and safe firewall
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # early drop of invalid connections
    ct state invalid drop

    # allow established/related connections
    ct state { established, related } accept

    # allow from loopback
    iif lo accept
    # drop connections to lo not coming from lo
    iif != lo ip daddr 127.0.0.1/8 drop
    iif != lo ip6 daddr ::1/128 drop

    # allow icmp
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept

    # allow ssh
    tcp dport ssh accept

    # allow git
    tcp dport 9418 accept

    # allow ngninx
    tcp dport { 80, 443 } accept

    # allow minecraft / voice chat
    th dport { 25565, 24454 } accept

    # reject everything else
    reject with icmpx type port-unreachable
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
"))

;; Mods handed to the game server below; none at present.
(define %mod-list
  '())

;; The exported operating system.
(define andrew-os
  (operating-system
    (host-name "andrew")
    (timezone "America/New_York") ;; Located in vinthill
    (locale "en_US.utf8")

    (issue %issue)

    (keyboard-layout (keyboard-layout "us"))

    ;; Non-free LTS kernel, CPU microcode initrd and firmware blobs from the
    ;; nonguix modules imported above.
    (kernel linux-lts)
    (initrd microcode-initrd)
    (firmware (list linux-firmware))

    ;; UEFI boot through GRUB, ESP mounted at /boot/efi.
    (bootloader (bootloader-configuration
                 (bootloader grub-efi-bootloader)
                 (targets '("/boot/efi"))
                 (keyboard-layout keyboard-layout)))

    ;; Storage layout is shared with the other MT hosts.
    (swap-devices %mt-swap-devices)

    (file-systems %mt-file-systems)

    ;; One interactive account on top of the stock system accounts; "wheel"
    ;; is the administrative group.
    (users
     (cons*
      (user-account
       (name "lukejw")
       (comment "Luke Willis")
       (group "users")
       (home-directory "/home/lukejw")
       (supplementary-groups '("wheel")))
      %base-user-accounts))

    (packages
     (cons*
      rsync
      %mt-base-packages))

    (services
     (append
      (list
       ;; Host firewall, ruleset defined above.
       (service nftables-service-type
                (nftables-configuration
                 (ruleset %nftables-ruleset)))
       ;; Game server (the firewall above labels its ports 25565/24454 as
       ;; Minecraft / voice chat); PROPERTIES use server.properties-style
       ;; keys.
       ;; NOTE(review): if these keys keep their Minecraft meaning,
       ;; "online-mode" "false" disables account authentication, so the
       ;; name a client connects with is self-asserted and both
       ;; "white-list" and the OPS entry rest on unverified identity.
       ;; Confirm this is intended.
       (service bta-service-type
                (bta-configuration
                 (properties `(("motd" . "MonasTech Private Server")
                               ("difficulty" . "3")
                               ("allow-flight" . "true")
                               ("white-list" . "true")
                               ("online-mode" . "false")))
                 (ops '("1a68c56c-0bbc-413d-8fe1-10a2e4e04ad2"))
                 (mods %mod-list)))
       ;; Site-local service type; configured with the empty list here.
       (service update-channels-locked-service-type '())
       ;; Web server.  Every TLS host reads its certificate from the
       ;; dehydrated tree under /etc/dehydrated/certs; nothing in this file
       ;; issues or renews those files -- (gnu services certbot) is imported
       ;; but not used in this declaration.
       ;; NOTE(review): a bare "443 ssl" listen binds the IPv4 wildcard
       ;; only, while the firewall above also admits IPv6 to 80/443; add a
       ;; "[::]:443 ssl" listen if IPv6 service is wanted.
       (service nginx-service-type
                (nginx-configuration
                 (server-blocks
                  (list
                   (nginx-server-configuration
                    (server-name '("monastech.xyz" "www.monastech.xyz"))
                    (listen '("443 ssl"))
                    (root "/var/www/monastech.xyz")
                    (ssl-certificate "/etc/dehydrated/certs/monastech.xyz/fullchain.pem")
                    (ssl-certificate-key "/etc/dehydrated/certs/monastech.xyz/privkey.pem"))
                   ;; NOTE(review): served with the monastech.xyz
                   ;; certificate, which must carry git.monastech.xyz (and
                   ;; the www. variant) as SANs or clients see a name
                   ;; mismatch -- confirm against the issued certificate.
                   (nginx-server-configuration
                    (server-name '("git.monastech.xyz" "www.git.monastech.xyz"))
                    (listen '("443 ssl"))
                    (root "/var/www/git.monastech.xyz")
                    (ssl-certificate "/etc/dehydrated/certs/monastech.xyz/fullchain.pem")
                    (ssl-certificate-key "/etc/dehydrated/certs/monastech.xyz/privkey.pem"))
                   (nginx-server-configuration
                    (server-name '("loquat.dev" "www.loquat.dev"))
                    (listen '("443 ssl"))
                    (root "/var/www/loquat.dev")
                    (ssl-certificate "/etc/dehydrated/certs/loquat.dev/fullchain.pem")
                    (ssl-certificate-key "/etc/dehydrated/certs/loquat.dev/privkey.pem"))
                   (nginx-server-configuration
                    (server-name '("orthodox.kitchen" "www.orthodox.kitchen"))
                    (listen '("443 ssl"))
                    (root "/var/www/orthodox.kitchen")
                    (ssl-certificate "/etc/dehydrated/certs/orthodox.kitchen/fullchain.pem")
                    (ssl-certificate-key "/etc/dehydrated/certs/orthodox.kitchen/privkey.pem"))
                   ;; Substitute server: TLS termination in front of a local
                   ;; listener on 127.0.0.1:8080 (presumably `guix publish`;
                   ;; it is not started anywhere in this file -- confirm).
                   (nginx-server-configuration
                    (server-name '("substitutes.monastech.xyz"))
                    (listen '("443 ssl"))
                    (ssl-certificate "/etc/dehydrated/certs/monastech.xyz/fullchain.pem")
                    (ssl-certificate-key "/etc/dehydrated/certs/monastech.xyz/privkey.pem")
                    (locations
                     (list
                      (nginx-location-configuration
                       (uri "/")
                       (body (list "proxy_pass http://127.0.0.1:8080;"))))))
                   ;; Default HTTP server: plain-HTTP catch-all.  ACME
                   ;; challenges are served from /var/www/dehydrated; every
                   ;; other request gets a permanent redirect to HTTPS, so
                   ;; the ROOT here is only a fallback.
                   (nginx-server-configuration
                    (server-name '("_"))
                    (listen '("80 default_server"))
                    (root "/var/www/monastech.xyz")
                    (locations
                     (list ;; Serve ACME challenges
                      (nginx-location-configuration
                       (uri "^~ /.well-known/acme-challenge")
                       (body (list "alias /var/www/dehydrated;")))
                      ;; Redirect to HTTPS
                      (nginx-location-configuration
                       (uri "/")
                       (body (list "return 301 https://$host$request_uri;"))))))))))
      ;; Static git web front-end for git.monastech.xyz.  ADMIN-PUBKEY is
      ;; the public half of an SSH key, so embedding it here is fine.
      ;; Clone URLs are built from CLONE-DOMAIN; the git daemon port 9418
      ;; opened in the firewall above is presumably what serves them --
      ;; confirm against (mt services version-control).
      (stagit-services
       (stagit-configuration
        (admin-pubkey (plain-file
                       "lukejw.pub"
                       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZ2qcwpwPdMmrXNrrqjqtuBw8lG9gxlAE+vwcZAHM3L lukejw@moses"))
        (www-home "/var/www/git.monastech.xyz")
        (clone-domain "monastech.xyz")
        (logo (file-append %mt-artwork "/logo-dynamic.svg"))
        ;; Light/dark palette chosen via prefers-color-scheme.  Note the
        ;; two "#content td" rules: the later 0.3rem padding wins.
        (stylesheet (plain-file "stylesheet.css" "\
:root {
  --bg: #FFFCF0;
  --bg-2: #F2F0E5;
  --ui: #E6E4D9;
  --ui-2: #DAD8CE;
  --ui-3: #CECDC3;
  --tx: #100F0F;
  --tx-2: #6F6E69;
  --ye: #AD8301;
  --ye-2: #D0A215;
  --cy: #24837B;
  --cy-2: #3AA99F;
}

@media (prefers-color-scheme: dark) {
  :root {
    --bg: #100F0F;
    --bg-2: #1C1B1A;
    --ui: #282726;
    --ui-2: #343331;
    --ui-3: #403E3C;
    --tx: #CECDC3;
    --tx-2: #878580;
    --ye: #D0A215;
    --ye-2: #AD8301;
    --cy: #3AA99F;
    --cy-2: #24837B;
  }
}

html {
  background-color: var(--bg);
  color: var(--tx);
  font-family: serif;
}

body {
  width: 100%;
  max-width: 72rem;
  margin-inline: auto;
}

#header {
  margin-inline: 1rem;
}

hr {
  border: 0.1rem solid var(--ui);
  margin-inline: 1rem;
}

#content {
  margin-inline: 1rem;
}

a {
  color: var(--cy);
  text-decoration: none;
}

a:hover {
  color: var(--cy-2);
  text-decoration: underline;
}

#header img {
  width: 6.75rem;
  height: 4.5rem;
}

#header h1 {
  margin: 0 0 0.5rem 0;
  font-size: 2rem;
  font-weight: normal;
  border-bottom: 2px solid var(--ui);
}

#header .desc {
  color: var(--tx-2);
}

#header tbody tr:last-child td {
  padding-top: 0.4rem;
}

#header .url > td:nth-child(2) {
  font-family: monospace;
  padding: 0.2rem 0.6rem;
  border-radius: 0.5rem;
  background-color: var(--bg-2);
}

#files tbody {
  font-family: monospace;
}

#files tbody > tr td:first-child {
  width: 0;
  white-space: nowrap;
  padding-right: 1rem;
}

#content table {
  width: 100%;
  border-collapse: collapse;
}

#content td {
  padding: 1rem;
}

#content tbody tr:hover {
  background: var(--bg-2);
}

#content td {
  padding: 0.3rem;
}
"))))
      ;; Services common to every MT host.
      %mt-bishop-services))))

;; The file evaluates to the system so `guix system` can consume it directly.
andrew-os