Diffstat (limited to 'mugam.scm')
| -rw-r--r-- | mugam.scm | 211 |
1 files changed, 211 insertions, 0 deletions
diff --git a/mugam.scm b/mugam.scm
new file mode 100644
index 0000000..441f7cb
--- /dev/null
+++ b/mugam.scm
@@ -0,0 +1,211 @@
+(use-modules (arunisaac powerdns)
+ (gnu)
+ ((gnu packages admin) #:select (nmap))
+ ((gnu packages curl) #:select (curl))
+ ((gnu packages dns) #:select (knot))
+ ((gnu packages linux) #:select (nftables))
+ ((gnu packages ssh) #:select (openssh-sans-x))
+ (gnu services networking)
+ (gnu services ssh)
+ (gnu services sysctl)
+ (gnu services vpn)
+ (gnu services web)
+ (guix records))
+
+(load "mugam-private.scm")
+
+(define %hrrol-wg-ip
+ "192.168.2.12")
+
+(define %ragulkanth-wg-ip
+ "192.168.2.4")
+
+(define %wireguard-peers
+ (cons* (wireguard-peer
+ (name 'ragulkanth)
+ (public-key "2FSShF/tVYoPYmIjZQk3Uqv53QFKoXb78kD4vyLVVmM=")
+ (allowed-ips (list (string-append %ragulkanth-wg-ip "/32"))))
+ (wireguard-peer
+ (name 'hrrol)
+ (public-key "QfPQwNHMr6o6iqt/EzPm1JZOrZRik6LGRpdJOyIiK3g=")
+ (allowed-ips (list (string-append %hrrol-wg-ip "/32"))))
+ %wireguard-private-peers))
+
+
+;;;
+;;; DNS Server
+;;;
+
+(define-record-type* <zone>
+ zone make-zone
+ zone?
+ (name zone-name)
+ (file zone-file))
+
+;; TODO: Backup zone files.
+(define %zones
+ (list (zone
+ (name "arohonline.in")
+ (file "/etc/powerdns/zones/arohonline.in"))
+ (zone
+ (name "arohonline.org")
+ (file "/etc/powerdns/zones/arohonline.org"))
+ (zone
+ (name "cosmobird.me")
+ (file "/etc/powerdns/zones/cosmobird.me"))
+ (zone
+ (name "issuesofconcern.in")
+ (file "/etc/powerdns/zones/issuesofconcern.in"))
+ (zone
+ (name "ragulkanth.dev")
+ (file "/etc/powerdns/zones/ragulkanth.dev"))
+ (zone
+ (name "solariiknight.org")
+ (file "/etc/powerdns/zones/solariiknight.org"))
+ (zone
+ (name "systemreboot.net")
+ (file "/etc/powerdns/zones/systemreboot.net"))))
+
+(define (named.conf-gexp zones)
+ "Return a G-expression that computes a named.conf with ZONES, a list
+of <zone> records."
+ #~(begin
+ (call-with-output-file #$output
+ (lambda (port)
+ (for-each (lambda (name file)
+ (format port "zone ~s {
+ file ~s;
+};
+"
+ name file))
+ '#$(map zone-name zones)
+ '#$(map zone-file zones))))))
+
+
+;;;
+;;; operating-system definition
+;;;
+
+(operating-system
+ (host-name "mugam")
+ (timezone "Europe/London")
+ (locale "ta_IN.utf8")
+ (bootloader (bootloader-configuration
+ (bootloader grub-bootloader)))
+ (file-systems (cons (file-system
+ (mount-point "/")
+ (device "/dev/vda1")
+ (type "ext4"))
+ %base-file-systems))
+ (users (cons* (user-account
+ (name "arunisaac")
+ (comment "Arun Isaac")
+ (group "users"))
+ (user-account
+ (name "cosmovpndns")
+ (comment "Ganesh")
+ (group "users"))
+ (user-account
+ (name "ragulkanth")
+ (comment "Ragulkanth")
+ (group "users"))
+ %base-user-accounts))
+ (packages
+ (cons* curl
+ (list knot "tools")
+ nftables
+ nmap
+ %base-packages))
+ (services
+ (cons* (service dhcpcd-service-type)
+ (service nftables-service-type
+ (nftables-configuration
+ (ruleset (mixed-text-file "mugam-nftables.conf"
+ "define hrrol = " %hrrol-wg-ip "\n"
+ "define ragulkanth = " %ragulkanth-wg-ip "\n" "\n"
+ "include \"" (local-file "mugam-nftables-rules.conf") "\"\n"))))
+ (service wireguard-service-type
+ (wireguard-configuration
+ (addresses (list "192.168.2.1/24"))
+ (peers %wireguard-peers)))
+ (service openssh-service-type
+ (openssh-configuration
+ (openssh openssh-sans-x)
+ (password-authentication? #f)
+ (permit-root-login #t)
+ (allow-agent-forwarding?
#f)
+ (authorized-keys
+ `(("root" ,(local-file "ssh-keys/arunisaac.pub"))
+ ("arunisaac" ,(local-file "ssh-keys/arunisaac.pub"))
+ ("cosmovpndns" ,(local-file "ssh-keys/cosmovpndns.pub"))
+ ("ragulkanth" ,(local-file "ssh-keys/ragulkanth.pub"))))))
+ (service powerdns-service-type
+ (powerdns-configuration
+ (backends (list "bind"))
+ (bind-config
+ (computed-file "named.conf"
+ (named.conf-gexp %zones)))
+ (bind-check-interval 60)))
+ (service nginx-service-type
+ (nginx-configuration
+ (server-blocks
+ (list (nginx-server-configuration
+ (listen (list "80"))
+ (server-name (list ".arohonline.in"
+ ".arohonline.org"
+ ".issuesofconcern.in"
+ ".solariiknight.org"
+ ".systemreboot.net"))
+ (locations
+ (list (nginx-location-configuration
+ (uri "/")
+ (body (list (string-append "proxy_pass http://"
+ %hrrol-wg-ip
+ ":8081;")
+ "proxy_set_header Host $http_host;"))))))
+ (nginx-server-configuration
+ (listen (list "80"))
+ (server-name (list ".dev-il.xyz"
+ ".ragulkanth.dev"))
+ (locations
+ (list (nginx-location-configuration
+ (uri "/")
+ (body (list (string-append "proxy_pass http://"
+ %ragulkanth-wg-ip
+ ";")
+ "proxy_set_header Host $http_host;"))))))))
+ (stream
+ (nginx-stream-configuration
+ (upstream-blocks
+ (list (nginx-upstream-configuration
+ (name "hrrol_https")
+ (servers (list (string-append %hrrol-wg-ip ":8080"))))
+ (nginx-upstream-configuration
+ (name "ragulkanth_https")
+ (servers (list (string-append %ragulkanth-wg-ip ":443"))))))
+ (server-blocks
+ (list (nginx-server-configuration
+ (listen (list "443"))
+ (raw-content (list "ssl_preread on;"
+ "proxy_pass $upstream;")))))
+ (extra-content
+ (list "map $ssl_preread_server_name $upstream {
+ hostnames;
+ .arohonline.in hrrol_https;
+ .arohonline.org hrrol_https;
+ .issuesofconcern.in hrrol_https;
+ .solariiknight.org hrrol_https;
+ .systemreboot.net hrrol_https;
+ .dev-il.xyz ragulkanth_https;
+ .ragulkanth.dev ragulkanth_https;
+}
+"))))))
+ (modify-services %base-services
+
(guix-service-type
+ config => (guix-configuration
+ (inherit config)
+ (authorized-keys (cons (local-file "/etc/guix/signing-key.pub")
+ %default-authorized-guix-keys))))
+ (sysctl-service-type
+ config => (sysctl-configuration
+ (settings '(("net.ipv4.ip_forward" . "1"))))))))) |
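Review bot: The openssh-configuration enables direct root login with `(permit-root-login #t)` while relying on the separate `(password-authentication? #f)` line to keep it key-only; if that second field is ever flipped, root becomes password-reachable on an internet-facing DNS/reverse-proxy host. Prefer `(permit-root-login 'prohibit-password)`, which encodes the key-only intent in the root setting itself, and consider whether the "root" entry in authorized-keys is needed at all given "arunisaac" already carries the same key. Separately, `net.ipv4.ip_forward` is turned on unconditionally in the sysctl block, so everything that constrains forwarding between the WireGuard subnet and the public interface lives in `mugam-nftables-rules.conf`, which (like `mugam-private.scm`) is referenced here but not part of this diff; a one-line comment next to the sysctl entry pointing at that ruleset as the forwarding policy would help the next reader.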
