;;; GNU Guix system administration tools.
;;;
;;; Copyright © 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2017, 2018 Ricardo Wurmus <rekado@elephly.net>
;;;
;;; This program is free software: you can redistribute it and/or modify
;;; it under the terms of the GNU General Public License as published by
;;; the Free Software Foundation, either version 3 of the License, or
;;; (at your option) any later version.
;;;
;;; This program is distributed in the hope that it will be useful,
;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with this program. If not, see <http://www.gnu.org/licenses/>.
(define-module (sysadmin services)
  #:use-module (guix gexp)
  #:use-module (gnu services)
  #:use-module (gnu services admin)
  #:use-module (gnu services base)
  #:use-module (gnu services cuirass)
  #:use-module (gnu services mcron)
  #:use-module (gnu services shepherd)
  #:use-module (gnu services ssh)
  #:use-module (gnu services web)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages package-management)
  #:use-module (gnu packages tls)
  #:use-module (gnu packages web)
  #:use-module (sysadmin people)
  #:use-module (srfi srfi-1)
  ;; Only two entry points are public: the SSH-throttling firewall service
  ;; and the constructor for the whole build-farm frontend service list.
  ;; Everything else in this file is a private building block.
  #:export (firewall-service
            frontend-services))
(define %gc-job
  ;; The garbage collection mcron job, once per day.  Runs at 04:00 and
  ;; asks 'guix gc' to collect until 80G of free space are available
  ;; ('-F' names a target amount of free space, not an amount to delete).
  #~(job '(next-hour '(4))
         (string-append #$guix "/bin/guix gc -F80G")))
(define* (guix-daemon-config #:key (max-jobs 5) (cores 4))
  "Return a 'guix-configuration' for the build farm's guix-daemon.
MAX-JOBS is the number of derivations built in parallel and CORES the number
of cores each build may use; both are passed through as daemon options."
  (guix-configuration
   ;; Disable substitutes altogether: the farm builds everything itself, and
   ;; with an empty authorized-keys list no substitute server is trusted.
   (use-substitutes? #f)
   (substitute-urls '())
   (authorized-keys '())
   ;; Abort builds that stay silent for two hours, and cap the total build
   ;; time at four times that.
   (max-silent-time 7200)
   (timeout (* 4 max-silent-time))
   (log-compression 'gzip)              ;be friendly to 'guix publish' users
   ;; Two build users per concurrent job.  NOTE(review): the reason for the
   ;; 2x factor is not recorded here — confirm with the maintainers.
   (build-accounts (* 2 max-jobs))
   (extra-options (list "--max-jobs" (number->string max-jobs)
                        "--cores" (number->string cores)
                        ;; Remember failed builds instead of retrying them.
                        "--cache-failures"
                        ;; Keep derivations of live outputs and outputs of
                        ;; live derivations when collecting garbage.
                        "--gc-keep-outputs" "--gc-keep-derivations"))))
;;;
;;; Cuirass.
;;;
(define (cuirass-specs systems)
  "Return the Cuirass specifications to build Guix for the given SYSTEMS.
SYSTEMS is a list of system strings such as \"x86_64-linux\".  The result is
a G-expression that evaluates to a single specification tracking the
'master' branch of the Guix repository."
  #~(list `((#:name . "guix")
            ;; FIXME: The campus firewall blocks access to git://
            ;; (https also authenticates the server, which git:// does not,
            ;; so there is a reason to keep it even if git:// opens up.)
            (#:url . "https://git.savannah.gnu.org/git/guix.git")
            (#:load-path . ".")
            ;; This file is loaded relative to the checkout.
            (#:file . "build-aux/cuirass/gnu-system.scm")
            (#:no-compile? #t)          ;don't try to run ./bootstrap etc.
            (#:proc . cuirass-jobs)
            ;; #$@ splices the SYSTEMS list into the staged alist.
            (#:arguments (subset . "all") (systems #$@systems))
            (#:branch . "master"))))
;;;
;;; Firewall.
;;;
(define start-firewall
  ;; Rules to throttle malicious SSH connection attempts.  This will allow at
  ;; most 3 connections per minute from any host, and will block the host for
  ;; another minute if this rate is exceeded.  Taken from
  ;; <http://www.la-samhna.de/library/brutessh.html#3>.
  ;;
  ;; NOTE(review): the first rule ends in '-j ACCEPT', so every NEW
  ;; connection is accepted there and never reaches the two '--update'
  ;; rules below; those rules carry no '--state NEW' and therefore act on
  ;; the follow-up packets of a host that exceeded the rate.  Confirm this
  ;; matches the intended "block new attempts" semantics of the recipe.
  ;; NOTE(review): rules are appended ('-A') unconditionally each time the
  ;; service starts, so a restart duplicates them, and only the IPv4 table
  ;; is configured (no ip6tables counterpart is visible here).
  #~(let ((iptables
           ;; Run iptables with STR split on whitespace; #t on exit status 0.
           (lambda (str)
             (zero? (apply system*
                           #$(file-append iptables
                                          "/sbin/iptables")
                           (string-tokenize str))))))
      (format #t "Installing iptables SSH rules...~%")
      ;; Stop at the first rule that fails to install; the value of this
      ;; 'and' is what the Shepherd 'start' procedure returns.
      (and (iptables "-A INPUT -p tcp --dport 22 -m state \
--state NEW -m recent --set --name SSH -j ACCEPT")
           (iptables "-A INPUT -p tcp --dport 22 -m recent \
--update --seconds 60 --hitcount 4 --rttl \
--name SSH -j LOG --log-prefix SSH_brute_force")
           (iptables "-A INPUT -p tcp --dport 22 -m recent \
--update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP"))))
(define firewall-service
  ;; The "firewall".  Make it a Shepherd service because as an activation
  ;; script it might run too early, before the Netfilter modules can be
  ;; loaded for some reason.
  ;;
  ;; The service requires nothing and is not respawned: 'start-firewall'
  ;; runs once and whatever it returns is the start status.
  ;; NOTE(review): nothing visible in this file orders 'firewall before the
  ;; OpenSSH service, so sshd may briefly listen at boot without the
  ;; throttling rules in place — confirm whether that window matters.
  (simple-service 'firewall shepherd-root-service-type
                  (list (shepherd-service
                         (provision '(firewall))
                         (requirement '())
                         ;; The staged firewall script becomes the body of
                         ;; the start procedure.
                         (start #~(lambda ()
                                    #$start-firewall))
                         (respawn? #f)))))
;;;
;;; NGINX.
;;;
(define %nginx-config
  ;; Our nginx configuration directory.  It expects 'guix publish' to be
  ;; running on port 3000.
  ;;
  ;; The directory holds 'berlin.conf' (a symlink to the checked-in file)
  ;; and 'berlin-locations.conf', a copy of the bayfront locations file with
  ;; @WWWROOT@ replaced by the store item holding the static HTML tree.
  ;; NOTE(review): this variable is neither exported nor referenced
  ;; elsewhere in this file ('frontend-services' takes #:nginx-config-file
  ;; from its caller instead) — possibly dead, or used by another module.
  (computed-file "nginx-config"
                 (with-imported-modules '((guix build utils))
                   #~(begin
                       (use-modules (guix build utils))

                       (mkdir #$output)
                       (chdir #$output)
                       (symlink #$(local-file "nginx/berlin.conf")
                                "berlin.conf")
                       ;; Copied rather than symlinked because it is
                       ;; edited in place just below.
                       (copy-file #$(local-file
                                     "nginx/bayfront-locations.conf")
                                  "berlin-locations.conf")
                       (substitute* "berlin-locations.conf"
                         (("@WWWROOT@")
                          #$(local-file "nginx/html/berlin" #:recursive? #t)))))))
(define %nginx-cache-activation
  ;; Make sure /var/cache/nginx exists on the first run.
  ;; Done as an activation snippet so the directory is there before nginx
  ;; is started.
  ;; NOTE(review): only the directory is created; no ownership or mode is
  ;; set here for the user nginx runs as — confirm the nginx service's own
  ;; activation takes care of that.
  (simple-service 'nginx-/var/cache/nginx
                  activation-service-type
                  (with-imported-modules '((guix build utils))
                    #~(begin
                        (use-modules (guix build utils))
                        ;; mkdir-p does nothing if the directory exists.
                        (mkdir-p "/var/cache/nginx")))))
(define %nginx-mime-types
  ;; Provide /etc/nginx/mime.types (and a bunch of other files.)
  ;; /etc/nginx points at the 'conf' directory shipped by the nginx package,
  ;; so stock configuration files resolve at their usual paths.
  (simple-service 'nginx-mime.types
                  etc-service-type
                  `(("nginx" ,(file-append nginx "/share/nginx/conf")))))
(define %certbot-job
  ;; Attempt to renew the Let's Encrypt certificate twice a week.
  ;; The schedule is a procedure of the current time: 03:00 on days 2 and 5.
  ;; NOTE(review): mcron's 'next-day-from' appears to take days of the
  ;; month (1-31) rather than weekdays, which would make this run on the
  ;; 2nd and 5th of each month, not twice a week — confirm against the
  ;; mcron manual.  Presumably harmless either way, since 'certbot renew'
  ;; only replaces certificates that are close to expiry.
  #~(job (lambda (now)
           (next-day-from (next-hour-from now '(3))
                          '(2 5)))
         (string-append #$certbot "/bin/certbot renew")))
(define %default-motd
  ;; Message of the day shown at login; 'frontend-services' uses it as the
  ;; default value of its #:motd argument.
  (plain-file "motd"
              "Welcome to the Guix build frontend!\n\n"))
(define* (frontend-services sysadmins #:key
                            nginx-config-file
                            (max-jobs 5)
                            (cores 4)
                            (systems '("x86_64-linux" "i686-linux"))
                            (motd %default-motd)
                            (nar-ttl (* 45 24 3600))
                            (publish-workers 6))
  "Return the list of services for the build farm frontend.
SYSADMINS is handed to 'sysadmin-service-type'.  NGINX-CONFIG-FILE is the
nginx configuration file to serve (defaults to #f).  MAX-JOBS and CORES
configure the guix-daemon; SYSTEMS are the systems Cuirass builds for; MOTD
is the login message; NAR-TTL is the 'guix publish' cache TTL in seconds
(45 days by default) and PUBLISH-WORKERS its number of worker processes."
  (cons* (service rottlog-service-type (rottlog-configuration))
         ;; Daily garbage collection and periodic certificate renewal.
         (service mcron-service-type
                  (mcron-configuration
                   (jobs (list %gc-job %certbot-job))))

         firewall-service

         ;; The Web service.  'guix publish' listens on port 3000; the nginx
         ;; configuration is expected to front it.
         (service guix-publish-service-type
                  (guix-publish-configuration
                   (port 3000)
                   (cache "/var/cache/guix/publish")
                   (ttl nar-ttl)
                   (compression-level 9)
                   (workers publish-workers)))

         (service nginx-service-type
                  (nginx-configuration
                   (file nginx-config-file)))

         %nginx-mime-types
         %nginx-cache-activation

         ;; Cuirass polls the repository for new commits every 5 minutes.
         (service cuirass-service-type
                  (cuirass-configuration
                   (interval (* 5 60))
                   (specifications (cuirass-specs systems))))

         ;; NOTE(review): OpenSSH runs with its default configuration;
         ;; nothing here restricts it to key-based authentication, so the
         ;; iptables throttle in 'firewall-service' is the only visible
         ;; brute-force mitigation — confirm that is intended.
         (service openssh-service-type)
         (service sysadmin-service-type sysadmins)

         ;; Swap the substitute-free daemon configuration and our MOTD into
         ;; the base services.
         (modify-services %base-services
           (guix-service-type config =>
                              (guix-daemon-config #:max-jobs max-jobs
                                                  #:cores cores))
           (login-service-type
            config => (login-configuration
                       (inherit config)
                       (motd motd))))))