;;; Guix system configuration for "mugam": a public host that runs an
;;; authoritative DNS server (Knot) and fronts two WireGuard peers, "hrrol"
;;; and "ragulkanth", with nginx -- proxying plain HTTP over the tunnel and
;;; passing TLS connections through untouched, selected by SNI.

(use-modules (gnu)
             ((gnu packages admin) #:select (htop nmap))
             ((gnu packages curl) #:select (curl))
             ((gnu packages dns) #:select (knot))
             ((gnu packages linux) #:select (nftables))
             ((gnu packages ssh) #:select (openssh-sans-x))
             (gnu services dns)
             (gnu services networking)
             (gnu services ssh)
             (gnu services sysctl)
             (gnu services vpn)
             (gnu services web)
             (guix records))

;; Definitions kept out of the public tree.  This file is expected to
;; provide %wireguard-private-peers, which is used below.
(load "mugam-private.scm")

;;;
;;; WireGuard
;;;

;; Tunnel addresses of the two backends that nginx proxies to.
(define %hrrol-wg-ip "192.168.2.12")
(define %ragulkanth-wg-ip "192.168.2.4")

;; Build a peer whose allowed-ips is exactly its own tunnel address.  The
;; /32 means traffic from this peer's key is only accepted (and routed)
;; for that single address, so one peer cannot speak for another.
(define (single-address-peer peer-name key address)
  (wireguard-peer
   (name peer-name)
   (public-key key)
   (allowed-ips (list (string-append address "/32")))))

(define %wireguard-peers
  (cons* (single-address-peer 'ragulkanth
                              "2FSShF/tVYoPYmIjZQk3Uqv53QFKoXb78kD4vyLVVmM="
                              %ragulkanth-wg-ip)
         (single-address-peer 'hrrol
                              "QfPQwNHMr6o6iqt/EzPm1JZOrZRik6LGRpdJOyIiK3g="
                              %hrrol-wg-ip)
         %wireguard-private-peers))

;;;
;;; DNS Server
;;;

;; Public IPv4 address of this host.
(define %mugam-ip "188.166.169.68")

;; A record for NAME pointing at this host.  The short TTL lets address
;; changes propagate quickly.
(define (mugam-a-zone-entry name)
  (zone-entry (name name) (ttl "60") (data %mugam-ip)))

;; CNAME for NAME onto the hrrol backend's public name.
(define (hrrol-cname-zone-entry name)
  (zone-entry (name name) (ttl "60") (type "CNAME")
              (data "hrrol.systemreboot.net.")))

;; CAA record: only letsencrypt.org may issue certificates for NAME.
;; The flag value 128 marks the property as critical.
(define (caa-zone-entry name)
  (zone-entry (name name) (ttl "3600") (type "CAA")
              (data "128 issue \"letsencrypt.org\"")))

;; TXT, SRV and MX records all share a one-hour TTL.
(define (txt-zone-entry name data)
  (zone-entry (name name) (ttl "3600") (type "TXT") (data data)))

(define (srv-zone-entry name data)
  (zone-entry (name name) (ttl "3600") (type "SRV") (data data)))

(define (mx-zone-entry data)
  (zone-entry (name "@") (ttl "3600") (type "MX") (data data)))

;; Monitoring-only DMARC policy: receivers are asked to take no action on
;; failing mail, and no rua= address is given, so no reports arrive either.
(define %dmarc-none-zone-entry
  (txt-zone-entry "_dmarc" "\"v=DMARC1; p=none\""))

;; TODO: Export from (gnu services dns).
;; Both of these reach into the module's private bindings, which a Guix
;; update may rename or remove without warning.
(define knot-zone-configuration-zone
  (@@ (gnu services dns) knot-zone-configuration-zone))

;; TODO: Export from (gnu services dns).
(define zone-file-entries
  (@@ (gnu services dns) zone-file-entries))

;; Return CONFIG with apex NS records for ns1/ns2.systemreboot.net
;; prepended to its zone-file entries.
(define (add-ns-zone-entries config)
  (let* ((original-zone (knot-zone-configuration-zone config))
         (ns-entries
          (map (lambda (nameserver)
                 (zone-entry (name "@") (ttl "3600") (type "NS")
                             (data nameserver)))
               (list "ns1.systemreboot.net." "ns2.systemreboot.net."))))
    (knot-zone-configuration
     (inherit config)
     (zone (zone-file
            (inherit original-zone)
            (entries (append ns-entries
                             (zone-file-entries original-zone))))))))

;; A zone that resolves the apex to this host, restricts certificate
;; issuance to Let's Encrypt, and aliases "www" onto hrrol.
(define (hrrol-web-zone domain-name)
  (knot-zone-configuration
   (domain domain-name)
   (zone (zone-file
          (origin domain)
          (entries (list (mugam-a-zone-entry "@")
                         (caa-zone-entry "@")
                         (hrrol-cname-zone-entry "www")))))))

(define arohonline.in-zone (hrrol-web-zone "arohonline.in"))
(define issuesofconcern.in-zone (hrrol-web-zone "issuesofconcern.in"))
(define solariiknight.org-zone (hrrol-web-zone "solariiknight.org"))

;; arohonline.org: web as above, plus Google-hosted mail (SPF, DMARC, DKIM
;; and MX).  NOTE(review): the DKIM TXT string here and the one in
;; systemreboot.net are well over 255 octets; confirm the serialized zone is
;; accepted by knot (kzonecheck) or split them into quoted chunks.
(define arohonline.org-zone
  (knot-zone-configuration
   (domain "arohonline.org")
   (zone (zone-file
          (origin domain)
          (entries
           (cons* (mugam-a-zone-entry "@")
                  (caa-zone-entry "@")
                  (hrrol-cname-zone-entry "www")
                  ;; ~all: senders other than Google only soft-fail.
                  (txt-zone-entry "@" "\"v=spf1 include:_spf.google.com ~all\"")
                  %dmarc-none-zone-entry
                  (txt-zone-entry "google._domainkey"
                                  "\"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiJTz4BskFyqQYUHn/3xXqasYtPZtlcY9e8t0LiFDT28YoYinUB4YWA4Q7iHwH8L5Dd5EG401vDJBXz7/TK6zO1ZJMs6pStCmzs9AbRpA2hX4WRACB6aNk6DKSYNT/I7G839RxX1xx9SYrXFGM71c6C7iR1vuKJdROlAd+ZfKj6nBA69fiWbFr68krLnEHlq14k8NimT6XuCxjVLNO3yp36diKmej32BU9bi9ThIcv3QwufpQtt7ejPBhBDRzBKdcrS09FYC4HzSLbOiZDB4upEfnrWwAGOI/+L3qTlCzNe/7jZyNTYSB5g74E6t1O3TOdjzdN26AqEZN35k4KokRYQIDAQAB\"")
                  (map mx-zone-entry
                       (list "1 aspmx.l.google.com."
                             "5 alt1.aspmx.l.google.com."
                             "5 alt2.aspmx.l.google.com."
                             "10 alt3.aspmx.l.google.com."
                             "10 alt4.aspmx.l.google.com."
                             "15 demr5wwt4lgi2mqctgimwbw4vmal3vdkhdbhp5577xgivbvl3xxa.mx-verification.google.com."))))))))

;; ragulkanth.dev: the apex and "server" resolve to this host, two names
;; alias "server", and the remaining names point at an address elsewhere.
;; Unlike the other zones, no CAA record is published here.
(define ragulkanth.dev-zone
  (knot-zone-configuration
   (domain "ragulkanth.dev")
   (zone (zone-file
          (origin domain)
          (entries
           (cons* (mugam-a-zone-entry "@")
                  (mugam-a-zone-entry "server")
                  (append
                   (map (lambda (host)
                          (zone-entry (name host) (ttl "60") (type "CNAME")
                                      (data "server")))
                        (list "collabora" "files"))
                   (map (lambda (host)
                          (zone-entry (name host) (ttl "60")
                                      (data "103.109.44.157")))
                        (list "bazarr" "jellyfin" "lidarr" "portainer"
                              "prowlarr" "qbittorrent" "radarr" "readarr"
                              "sabnzbd" "sonarr")))))))))

;; systemreboot.net: the main zone.  Self-hosted mail (MX at mail., SPF
;; restricted to the MX hosts and mugam with a hard fail), XMPP and avatar
;; SRV records, the two name servers, and a long list of hrrol aliases.
(define systemreboot.net-zone
  (knot-zone-configuration
   (domain "systemreboot.net")
   (zone (zone-file
          (origin domain)
          (entries
           (cons* (caa-zone-entry "@")
                  (mugam-a-zone-entry "@")
                  (srv-zone-entry "_avatars-sec"
                                  (string-append "0 0 443 avatars." origin "."))
                  %dmarc-none-zone-entry
                  (srv-zone-entry "_xmpp-client._tcp"
                                  (string-append "0 5 5222 xmpp." origin "."))
                  (srv-zone-entry "_xmpp-server._tcp.conference"
                                  (string-append "0 5 5269 xmpp." origin "."))
                  (srv-zone-entry "_xmpp-server._tcp"
                                  (string-append "0 5 5269 xmpp." origin "."))
                  (txt-zone-entry "default._domainkey"
                                  "\"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAquVdlx+0jHyN/lle1Mte41uOJ8fkmsCnPhxhBKq9axS2e45ZLJxCqZFWTIZddo+xbA4A95VW9utvX0ssbvfFFT34p0oZsF060Z/OvB/bnwPTalChVkntbuTx5i2HfH6c3uVMjUswPZU6EP2Rf32iNzd0S2DJKd1YFlXOewQniaC/CZeRekVkvDXLCEHDqM8QDvFsOGjoBlAn9d4isC8nEvvUaK3OTQo6tdGLTpcJWhsHm6q28fVmzc6Ba6cXbZ1vDGAntDbRT/xFeHeOTRRNBdjoQEeTYybyBCrhZidRJFuywz/i3Ht5E2Nq5M6fk9GxrzPgGud8HcvCyuKXDdY4SQIDAQAB\"")
                  (mx-zone-entry (string-append "10 mail." origin "."))
                  ;; -all: anything not from the MX hosts or mugam hard-fails.
                  (txt-zone-entry "@"
                                  (string-append "\"v=spf1 mx a:mugam." origin " -all\""))
                  (append
                   (map mugam-a-zone-entry
                        (list "hrrol" "ns1" "ns2"))
                   (map hrrol-cname-zone-entry
                        (list "aruni" "avatars" "bridge" "ccwl" "ci" "ci.demo"
                              "files" "forge" "git" "git.demo" "guile-email"
                              "guile-xapian" "guix-forge" "klaus" "kolam"
                              "lists" "mail" "mathjax" "meetfree" "mugam"
                              "nardhini" "run64" "sale" "selfhost" "skribilo"
                              "ta" "tamil" "tissue" "www" "xmpp")))))))))

;;;
;;; operating-system definition
;;;

(operating-system
  (host-name "mugam")
  (timezone "Europe/London")
  (locale "ta_IN.utf8")
  (bootloader (bootloader-configuration (bootloader grub-bootloader)))
  (file-systems (cons (file-system
                        (mount-point "/")
                        (device "/dev/vda1")
                        (type "ext4"))
                      %base-file-systems))
  ;; Three interactive accounts in the plain "users" group; each one is
  ;; given a single SSH public key in the openssh service below.
  (users (cons* (user-account
                 (name "arunisaac")
                 (comment "Arun Isaac")
                 (group "users"))
                (user-account
                 (name "cosmovpndns")
                 (comment "Ganesh")
                 (group "users"))
                (user-account
                 (name "ragulkanth")
                 (comment "Ragulkanth")
                 (group "users"))
                %base-user-accounts))
  (packages (cons* curl htop (list knot "tools") nftables nmap %base-packages))
  (services
   (cons* (service dhcpcd-service-type)
          ;; Firewall.  The rule set lives in mugam-nftables-rules.conf; only
          ;; the two backend tunnel addresses are defined here so the rules
          ;; file can refer to them by name.
          (service nftables-service-type
                   (nftables-configuration
                    (ruleset
                     (mixed-text-file "mugam-nftables.conf"
                                      "define hrrol = " %hrrol-wg-ip "\n"
                                      "define ragulkanth = " %ragulkanth-wg-ip "\n"
                                      "\n"
                                      "include \"" (local-file "mugam-nftables-rules.conf") "\"\n"))))
          ;; This host is the tunnel hub at 192.168.2.1/24.
          (service wireguard-service-type
                   (wireguard-configuration
                    (addresses (list "192.168.2.1/24"))
                    (peers %wireguard-peers)))
          ;; Key-only SSH: password authentication is off for everyone, so
          ;; the root login permitted here is by key as well ('prohibit-password
          ;; would state that intent explicitly).  Agent forwarding is refused
          ;; so a compromised session cannot borrow the connecting user's agent.
          ;; Root and arunisaac share the same key.
          (service openssh-service-type
                   (openssh-configuration
                    (openssh openssh-sans-x)
                    (password-authentication? #f)
                    (permit-root-login #t)
                    (allow-agent-forwarding? #f)
                    (authorized-keys
                     `(("root" ,(local-file "ssh-keys/arunisaac.pub"))
                       ("arunisaac" ,(local-file "ssh-keys/arunisaac.pub"))
                       ("cosmovpndns" ,(local-file "ssh-keys/cosmovpndns.pub"))
                       ("ragulkanth" ,(local-file "ssh-keys/ragulkanth.pub"))))))
          ;; Authoritative DNS; every zone gets the apex NS records added.
          (service knot-service-type
                   (knot-configuration
                    (zones (map add-ns-zone-entries
                                (list arohonline.in-zone
                                      arohonline.org-zone
                                      issuesofconcern.in-zone
                                      ragulkanth.dev-zone
                                      solariiknight.org-zone
                                      systemreboot.net-zone)))))
          (service nginx-service-type
                   (nginx-configuration
                    ;; Plain-HTTP front end on port 80: each backend's domains
                    ;; are proxied to it over the tunnel.  Only the Host header
                    ;; is forwarded (no X-Forwarded-For/Proto), so the backends
                    ;; presumably see this hub as the client unless they learn
                    ;; the real address some other way.
                    (server-blocks
                     (list (nginx-server-configuration
                            (listen (list "80"))
                            (server-name (list ".arohonline.in"
                                               ".arohonline.org"
                                               ".issuesofconcern.in"
                                               ".solariiknight.org"
                                               ".systemreboot.net"))
                            (locations
                             (list (nginx-location-configuration
                                    (uri "/")
                                    (body (list (string-append "proxy_pass http://" %hrrol-wg-ip ";")
                                                "proxy_set_header Host $http_host;"))))))
                           (nginx-server-configuration
                            (listen (list "80"))
                            (server-name (list ".dev-il.xyz" ".ragulkanth.dev"))
                            (locations
                             (list (nginx-location-configuration
                                    (uri "/")
                                    (body (list (string-append "proxy_pass http://" %ragulkanth-wg-ip ";")
                                                "proxy_set_header Host $http_host;"))))))))
                    ;; TLS is not terminated here.  The stream block reads the
                    ;; SNI from the ClientHello (ssl_preread) and forwards the
                    ;; raw TCP connection to the backend chosen by the map; the
                    ;; backends hold the certificates.  A name with no map entry
                    ;; leaves $upstream empty, so such connections appear to be
                    ;; dropped rather than routed to a default.
                    (stream
                     (nginx-stream-configuration
                      (upstream-blocks
                       (list (nginx-upstream-configuration
                              (name "hrrol_https")
                              (servers (list (string-append %hrrol-wg-ip ":443"))))
                             (nginx-upstream-configuration
                              (name "ragulkanth_https")
                              (servers (list (string-append %ragulkanth-wg-ip ":443"))))))
                      (server-blocks
                       (list (nginx-server-configuration
                              (listen (list "443"))
                              (raw-content (list "ssl_preread on;"
                                                 "proxy_pass $upstream;")))))
                      (extra-content
                       (list "map $ssl_preread_server_name $upstream { hostnames; .arohonline.in
hrrol_https; .arohonline.org hrrol_https; .issuesofconcern.in hrrol_https; .solariiknight.org hrrol_https; .systemreboot.net hrrol_https; .dev-il.xyz ragulkanth_https; .ragulkanth.dev ragulkanth_https; } "))))))
          (modify-services %base-services
            ;; Trust substitutes signed with this host's own signing key in
            ;; addition to the default ones.
            (guix-service-type
             config => (guix-configuration
                        (inherit config)
                        (authorized-keys
                         (cons (local-file "/etc/guix/signing-key.pub")
                               %default-authorized-guix-keys))))
            ;; IPv4 forwarding on, presumably so tunnel peers can reach each
            ;; other through the hub -- confirm.  NOTE(review): this replaces
            ;; the base service's whole settings list rather than adding to
            ;; it; if this Guix version ships %default-sysctl-settings,
            ;; consider consing onto it so the base hardening is kept.
            (sysctl-service-type
             config => (sysctl-configuration
                        (settings '(("net.ipv4.ip_forward" . "1")))))))))