;; OS configuration for bayfront (use-modules (gnu) (guix) (guix packages) (guix git) (sysadmin people) (sysadmin services) (sysadmin dns) (sysadmin web)) (use-service-modules admin avahi base certbot databases dns monitoring networking shepherd ssh web mcron guix) (use-package-modules admin certs ci databases linux ssh tls vim package-management web wget) (define %sysadmins ;; The sysadmins. (list (sysadmin (name "andreas") (full-name "Andreas Enge") (ssh-public-key (local-file "keys/ssh/andreas.pub"))) (sysadmin (name "marusich") (full-name "Chris Marusich") (ssh-public-key (local-file "keys/ssh/marusich.pub")) (restricted? #t)) (sysadmin (name "cbaines") (full-name "Christopher Baines") (ssh-public-key (local-file "keys/ssh/cbaines.pub"))) (sysadmin (name "dannym") (full-name "Danny Milosavljevic") (ssh-public-key (local-file "keys/ssh/dannym.pub")) (restricted? #t)) (sysadmin (name "efraim") (full-name "Efraim Flashner") (ssh-public-key (local-file "keys/ssh/efraim.pub")) (restricted? #t)) (sysadmin (name "kuba") (full-name "Jakub Kądziołka") (ssh-public-key (local-file "keys/ssh/kuba.pub")) (restricted? #t)) (sysadmin (name "roptat") (full-name "Julien Lepiller") (ssh-public-key (local-file "keys/ssh/roptat.pub")) (restricted? #t)) (sysadmin (name "ludo") (full-name "Ludovic Courtès") (ssh-public-key (local-file "keys/ssh/ludo.pub"))) (sysadmin (name "rekado") (full-name "Ricardo Wurmus") (ssh-public-key (local-file "keys/ssh/rekado.pub"))) (sysadmin (name "mathieu") (full-name "Mathieu Othacehe") (ssh-public-key (local-file "keys/ssh/mathieu.pub"))) ;; Not a sysadmin in any sense, but has access for the length of their ;; Outreachy internship to speed up their work. nckx will help them. (sysadmin (name "raghavgururajan") (full-name "Raghav Gururajan") (ssh-public-key (local-file "keys/ssh/raghavgururajan.pub")) (restricted? #t)) (sysadmin (name "nckx") (full-name "Tobias Geerinckx-Rice") (ssh-public-key (local-file "keys/ssh/nckx.pub"))))) (define %nginx-deploy-hook ;; Hook that restarts nginx when a new certificate is deployed. (program-file "nginx-deploy-hook" #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read))) (kill pid SIGHUP)))) (define %certbot-configuration (certbot-configuration (webroot "/var/www") (email "ludovic.courtes@inria.fr") (certificates (list (certificate-configuration (domains '("bayfront.guix.gnu.org" "logs.guix.gnu.org" "bayfront.guix.info" "hpc.guix.info" "guix-hpc.bordeaux.inria.fr" "coordinator.bayfront.guix.gnu.org")) (deploy-hook %nginx-deploy-hook)))))) (define guix-hpc-web-site (static-web-site-configuration (git-url "https://gitlab.inria.fr/guix-hpc/website.git") (directory "/srv/guix-hpc-web"))) (define %motd (plain-file "motd" "\ ░░░ ░░░ ░░▒▒░░░░░░░░░ ░░░░░░░░░▒▒░░ ░░▒▒▒▒▒░░░░░░░ ░░░░░░░▒▒▒▒▒░ ░▒▒▒░░▒▒▒▒▒ ░░░░░░░▒▒░ ░▒▒▒▒░ ░░░░░░ ▒▒▒▒▒ ░░░░░░ ▒▒▒▒▒ ░░░░░ ░▒▒▒▒▒ ░░░░░ Welcome to bayfront! ▒▒▒▒▒ ░░░░░ ▒▒▒▒▒ ░░░░░ ░▒▒▒▒▒░░░░░ ▒▒▒▒▒▒░░░ ▒▒▒▒▒▒░ Best practices: 1. Store everything in guix-maintenance.git. 2. Use the Git checkouts of Guix and guix-maintenance in ~root. 3. Notify guix-sysadmin@gnu.org when reconfiguring. 4. Notify guix-sysadmin@gnu.org when something goes wrong. Happy hacking!\n")) (define gnu-ns1-ip4 ;; IPv4 address of "ns1.gnu.org". "209.51.188.164") (define %build-node-keys ;; Signing keys of the build nodes. (list (local-file "keys/guix/harbourfront.guix.info-export.pub") (local-file "keys/guix/milano-guix-1.di.unimi.it-export.pub"))) (define %hpcguix-web-channels ;; Channels picked up and displayed by hpcguix-web. #~(append %default-channels (list (channel (name 'guix-hpc) (url "https://gitlab.inria.fr/guix-hpc/guix-hpc.git")) (channel (name 'guix-past) (url "https://gitlab.inria.fr/guix-hpc/guix-past") (introduction (make-channel-introduction "0c119db2ea86a389769f4d2b9c6f5c41c027e336" (openpgp-fingerprint "3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5")))) (channel (name 'guix-science) (url "https://github.com/guix-science/guix-science.git") (introduction (make-channel-introduction "b1fe5aaff3ab48e798a4cce02f0212bc91f423dc" (openpgp-fingerprint "CA4F 8CF4 37D7 478F DA05 5FD4 4213 7701 1A37 8446"))))))) (define %bayfront-nginx-service-extra-config " sendfile on; # Maximum chunk size to send. Partly this is a workaround # for , but also the nginx docs # mention that \"Without the limit, one fast connection may # seize the worker process entirely.\" # sendfile_max_chunk 1m; keepalive_timeout 65; # Use HTTP 1.1 to talk to the backend so we benefit from # keep-alive connections and chunked transfer encoding. The # latter allows us to make sure we do not cache partial downloads. proxy_http_version 1.1; # The 'inactive' parameter for caching is not very useful in our # case: all that matters is that LRU sweeping happens when # 'max_size' is hit. # cache for nar files proxy_cache_path /var/cache/nginx/nar levels=2 inactive=8d # inactive keys removed after 8d keys_zone=nar:4m # nar cache meta data: ~32K keys max_size=10g; # total cache data size max # cache for content-addressed files proxy_cache_path /var/cache/nginx/cas levels=2 inactive=180d # inactive keys removed after 180d keys_zone=cas:8m # nar cache meta data: ~64K keys max_size=50g; # total cache data size max # cache for build logs proxy_cache_path /var/cache/nginx/logs levels=2 inactive=60d # inactive keys removed after 60d keys_zone=logs:8m # narinfo meta data: ~64K keys max_size=4g; # total cache data size max # cache for static data proxy_cache_path /var/cache/nginx/static levels=1 inactive=10d # inactive keys removed after 10d keys_zone=static:1m # nar cache meta data: ~8K keys max_size=200m; # total cache data size max # If Hydra cannot honor these delays, then something is wrong and # we'd better drop the connection and return 504. proxy_connect_timeout 7s; proxy_read_timeout 10s; proxy_send_timeout 10s; # Cache timeouts for a little while to avoid increasing pressure. proxy_cache_valid 504 30s;") (define %hpc.guix.info-nginx-servers (let ((common-locations (list (nginx-location-configuration (uri "/") (body '("root /srv/guix-hpc-web;"))) ;; For the package browsing interface (nginx-named-location-configuration (name "gnupackages") (body '( "return 307 https://www.gnu.org/software/guix/packages/;"))) (nginx-location-configuration (uri "/browse") (body '("proxy_pass http://localhost:5000; rewrite .* / break; proxy_connect_timeout 3s; proxy_read_timeout 2s; error_page 500 502 503 504 = @gnupackages;"))) (nginx-location-configuration (uri "/package") (body '("proxy_pass http://localhost:5000; proxy_connect_timeout 3s; proxy_read_timeout 2s; error_page 500 502 503 504 = @gnupackages;"))) ;; JS for hpcguix-web (nginx-location-configuration (uri "~ /static/.*\\.js") (body '("proxy_pass http://localhost:5000;"))) ;; Licensing info for hpcguix-web JS code (nginx-location-configuration (uri "/javascript") (body '("proxy_pass http://localhost:5000;"))) (nginx-location-configuration (uri "~ /static/images/sort_.*\\.png") (body '("proxy_pass http://localhost:5000;"))) (nginx-location-configuration ; Videos (uri "/static/videos") (body '("root /srv/guix-hpc-videos;")))))) (list (nginx-server-configuration (server-name '("hpc.guix.info")) (listen '("80")) (raw-content '(" access_log /var/log/nginx/guix-hpc.access.log;")) (locations (append common-locations (list (nginx-location-configuration ; For use by Certbot (uri "/.well-known") (body '("root /var/www;"))))))) (nginx-server-configuration (server-name '("hpc.guix.info")) (listen '("443 ssl")) (ssl-certificate "/etc/letsencrypt/live/hpc.guix.info/fullchain.pem") (ssl-certificate-key "/etc/letsencrypt/live/hpc.guix.info/privkey.pem") (root "/srv/guix-hpc-web") (raw-content '(" # Make sure SSL is disabled. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Disable weak cipher suites. ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; # Use our own DH parameters created with: # openssl dhparam -out dhparams.pem 2048 # as suggested at . ssl_dhparam /etc/dhparams.pem; access_log /var/log/nginx/guix-hpc.access.log;")) (locations common-locations))))) (define %guix-hpc.bordeaux.inria.fr-nginx-servers (let ((common-locations (list (nginx-location-configuration (uri "~ ^/nix-cache-info$") (body '("return 301 $scheme://guix.bordeaux.inria.fr/nix-cache-info;"))) (nginx-location-configuration (uri "~ /(.*\\.narinfo)") (body '("return 301 $scheme://guix.bordeaux.inria.fr/$1;"))) (nginx-location-configuration (uri "~ /nar/(.*)") (body '("return 301 $scheme://guix.bordeaux.inria.fr/nar/$1;"))) (nginx-location-configuration (uri "~ /(.*)") (body '("return 301 $scheme://hpc.guix.info/$1;")))))) (list (nginx-server-configuration (server-name '("guix-hpc.bordeaux.inria.fr")) (listen '("80")) (raw-content '(" access_log /var/log/nginx/guix-hpc.access.log;")) (locations (append common-locations (list (nginx-location-configuration ; For use by Certbot (uri "/.well-known") (body '("root /var/www;"))))))) (nginx-server-configuration (server-name '("guix-hpc.bordeaux.inria.fr")) (listen '("443 ssl")) (ssl-certificate "/etc/letsencrypt/live/guix-hpc.bordeaux.inria.fr/fullchain.pem") (ssl-certificate-key "/etc/letsencrypt/live/guix-hpc.bordeaux.inria.fr/privkey.pem") (raw-content '(" # Make sure SSL is disabled. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Disable weak cipher suites. ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; # Use our own DH parameters created with: # openssl dhparam -out dhparams.pem 2048 # as suggested at . ssl_dhparam /etc/dhparams.pem; access_log /var/log/nginx/guix-hpc.access.log;")) (locations common-locations))))) (define %logs.guix.gnu.org-nginx-servers (let ((common-locations (list (nginx-location-configuration (uri "/") (body '("proxy_pass http://localhost:3333/;")))))) (list (nginx-server-configuration (server-name '("logs.guix.gnu.org")) (listen '("80")) (raw-content '(" access_log /var/log/nginx/logs.access.log;")) (locations (append common-locations (list (nginx-location-configuration ; For use by Certbot (uri "/.well-known") (body '("root /var/www;"))))))) (nginx-server-configuration (server-name '("logs.guix.gnu.org")) (listen '("443 ssl")) (ssl-certificate "/etc/letsencrypt/live/logs.guix.gnu.org/fullchain.pem") (ssl-certificate-key "/etc/letsencrypt/live/logs.guix.gnu.org/privkey.pem") (raw-content '(" # Make sure SSL is disabled. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Disable weak cipher suites. ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; # Use our own DH parameters created with: # openssl dhparam -out dhparams.pem 2048 # as suggested at . ssl_dhparam /etc/dhparams.pem; access_log /var/log/nginx/logs.access.log;")) (locations common-locations))))) (define %coordinator.bayfront.guix.gnu.org-nginx-servers (list (nginx-server-configuration (server-name '("coordinator.bayfront.guix.gnu.org")) (listen '("80")) (locations (list (nginx-location-configuration ; For use by Certbot (uri "/.well-known") (body '(("root /var/www;"))))))) (nginx-server-configuration (server-name '("coordinator.bayfront.guix.gnu.org")) (listen '("443 ssl")) (ssl-certificate "/etc/letsencrypt/live/bayfront.guix.gnu.org/fullchain.pem") (ssl-certificate-key "/etc/letsencrypt/live/bayfront.guix.gnu.org/privkey.pem") (raw-content '(" # Make sure SSL is disabled. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Disable weak cipher suites. ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; # Use our own DH parameters created with: # openssl dhparam -out dhparams.pem 2048 # as suggested at . ssl_dhparam /etc/dhparams.pem; client_max_body_size 0; client_body_buffer_size 128K; access_log /var/log/nginx/coordinator.access.log; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;")) (locations (list (nginx-location-configuration (uri "/") (body '("try_files $uri $uri/ @guix-build-coordinator;"))) (nginx-named-location-configuration (name "guix-build-coordinator") (body '("proxy_pass http://guix-build-coordinator-proxy;" "proxy_http_version 1.1;" "proxy_set_header Host $host;" "proxy_set_header X-Forwarded-For $remote_addr;" "proxy_request_buffering off;" "gzip on;" "gzip_types text/html application/json;" "gzip_proxied any;")))))))) (define %bayfront.guix.gnu.org-nginx-servers (let ((common-locations (list (nginx-location-configuration (uri "= /nix-cache-info") (body '(" return 200 'StoreDir: /gnu/store\nWantMassQuery: 0\nPriority: 100\n'; add_header Content-Type text/plain;"))) (nginx-location-configuration (uri "= /404") (body '(" return 404 '404'; add_header Content-Type text/plain;"))) (nginx-location-configuration (uri "~ \\.narinfo$") (body '(" root /var/lib/nars; error_page 404 /404; # For HTTP pipelining. This has a dramatic impact on performance. client_body_buffer_size 128k; # Narinfos requests are short, serve many of them on a connection. keepalive_requests 20000; add_header Content-Type text/plain; "))) (nginx-location-configuration (uri "/nar/") (body '(" root /var/lib/nars; error_page 404 /404; client_body_buffer_size 256k; # Nars are already compressed. gzip off; ")))))) (list (nginx-server-configuration (server-name '("bayfront.guix.gnu.org")) (listen '("80")) (raw-content '(" access_log /var/log/nginx/http.access.log; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;")) (locations (append common-locations (list (nginx-location-configuration ; For use by Certbot (uri "/.well-known") (body '(("root /var/www;")))))))) (nginx-server-configuration (server-name '("bayfront.guix.gnu.org")) (listen '("443 ssl")) (ssl-certificate "/etc/letsencrypt/live/bayfront.guix.gnu.org/fullchain.pem") (ssl-certificate-key "/etc/letsencrypt/live/bayfront.guix.gnu.org/privkey.pem") (raw-content '(" # Make sure SSL is disabled. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Disable weak cipher suites. ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; # Use our own DH parameters created with: # openssl dhparam -out dhparams.pem 2048 # as suggested at . ssl_dhparam /etc/dhparams.pem; access_log /var/log/nginx/https.access.log; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;")) (locations common-locations))))) (define %guix-build-coordinator-configuration (let* ((data.guix.gnu.org-build-event-destination #~(string-append "https://data.guix.gnu.org" "/build-server/2/build-events?token=" (string-trim-right (call-with-input-file "/etc/guix-build-coordinator/data.guix.gnu.org-token" get-string-all)))) (data.guix-patches.cbaines.net-build-event-destination #~(string-append "https://data.guix-patches.cbaines.net" "/build-server/2/build-events?token=" (string-trim-right (call-with-input-file "/etc/guix-build-coordinator/data.guix-patches.cbaines.net-token" get-string-all)))) (publish-directory "/var/lib/nars") (recompress-log-file-hook #~(apply ((@ (guix-build-coordinator hooks) build-recompress-log-file-hook) #:recompress-to 'gzip) args))) (define (send-guix-data-service-event event-hook) #~(begin (use-modules (ice-9 textual-ports)) (apply ((@ (guix-build-coordinator hooks) #$event-hook) #$data.guix.gnu.org-build-event-destination) args) (apply ((@ (guix-build-coordinator hooks) #$event-hook) #$data.guix-patches.cbaines.net-build-event-destination) args))) (guix-build-coordinator-configuration (agent-communication-uri-string "http://127.0.0.1:8745") ; only listen locally (allocation-strategy #~derivation-ordered-build-allocation-strategy) (hooks `((build-submitted . ,#~(lambda args #$(send-guix-data-service-event 'build-submitted-send-event-to-guix-data-service-hook))) (build-started . ,#~(lambda args #$(send-guix-data-service-event 'build-started-send-event-to-guix-data-service-hook))) (build-success . ,#~(lambda args (use-modules (gcrypt pk-crypto)) ; for read-file-sexp #$recompress-log-file-hook (apply ((@ (guix-build-coordinator hooks) build-success-publish-hook) #$publish-directory ;; These should be the same as ;; /etc/guix/... but are copied here so that ;; they can be read by the Guix Build ;; Coordinantor #:public-key (read-file-sexp "/etc/guix-build-coordinator/signing-key.pub") #:private-key (read-file-sexp "/etc/guix-build-coordinator/signing-key.sec")) args) #$(send-guix-data-service-event 'build-success-send-event-to-guix-data-service-hook) (apply (@ (guix-build-coordinator hooks) default-build-success-hook) args))) (build-failure . ,#~(lambda args #$recompress-log-file-hook (apply ((@ (guix-build-coordinator hooks) build-failure-retry-hook)) args) #$(send-guix-data-service-event 'build-failure-send-event-to-guix-data-service-hook) (apply (@ (guix-build-coordinator hooks) default-build-failure-hook) args))) (build-canceled . ,#~(lambda args #$(send-guix-data-service-event 'build-canceled-send-event-to-guix-data-service-hook) (apply (@ (guix-build-coordinator hooks) default-build-canceled-hook) args)))))))) (operating-system (host-name "bayfront") (timezone "Europe/Paris") (locale "en_US.UTF-8") (bootloader (bootloader-configuration (bootloader grub-bootloader) (target "/dev/sda") (terminal-outputs '(console)))) (mapped-devices (list (mapped-device (source (list "/dev/sda2" "/dev/sdb2")) (target "/dev/md0") (type raid-device-mapping)))) (file-systems (cons (file-system (device "/dev/md0") (mount-point "/") (type "ext4") (dependencies mapped-devices)) %base-file-systems)) (swap-devices '("/swap")) ;; Add a kernel module for RAID-10. (initrd-modules (cons "raid10" %base-initrd-modules)) (packages (cons* certbot wget iptables jnettop mdadm vim lm-sensors openssh nss-certs guix-build-coordinator %base-packages)) (services (cons* ;; TODO: create a bonding interface over ens9 + ens10 ;; TODO: configure ens10 as with: ;; ip a add dev ens10 2a01:474:0::56/48 ;; ip -6 route add default via 2a01:474:0::126 (static-networking-service "ens10" "185.233.100.56" #:netmask "255.255.255.128" #:gateway "185.233.100.126" #:name-servers '("185.233.100.100" "185.233.100.101")) ;; Alternate interface. (static-networking-service "ens9" "185.233.100.57" #:netmask "255.255.255.128" ;; Don't repeat #:gateway and #:name-servers. ) ;; Make SSH and HTTP/HTTPS available over Tor. (tor-hidden-service "http" '((22 "127.0.0.1:22") (80 "127.0.0.1:80") (443 "127.0.0.1:443"))) (service tor-service-type) (service prometheus-node-exporter-service-type) (service ntp-service-type) ;; DNS (service knot-service-type (knot-configuration (zones (list (knot-zone-configuration (inherit guix.gnu.org-zone) (zonefile-load 'difference-no-serial) ;; (dnssec-policy "default") (acl '("transfer-allow" "gnu-transfer")) (notify '("gnu-master"))))) (acls (list (knot-acl-configuration (id "transfer-allow") (address (list berlin-ip4)) (action '(transfer))) (knot-acl-configuration (id "gnu-transfer") (address (list gnu-ns1-ip4)) (action '(transfer))))) (remotes (list (knot-remote-configuration (id "gnu-master") (address (list gnu-ns1-ip4))))))) ;; Runnning hpc.guix.info. (service static-web-site-service-type guix-hpc-web-site) ;; hpcguix-web as it can be seen at ;; . (service hpcguix-web-service-type (hpcguix-web-configuration (specs #~(begin (use-modules (guix channels)) (define site-config (hpcweb-configuration (title-prefix "Guix-HPC — ") (package-filter-proc (const #t)) (package-page-extension-proc (lambda (path) (let ((url (string-append "http://data.guix.gnu.org" "/repository/1/branch/master/package/" (basename path)))) `(div (a (@ (href ,url)) "View package version history."))))) (menu '(("/about" "ABOUT") ("/browse" "BROWSE") ("/blog" "BLOG"))) (channels #$%hpcguix-web-channels))))))) (service certbot-service-type %certbot-configuration) (service goggles-service-type) (service mcron-service-type (mcron-configuration (jobs (let ((threshold (* 800 GiB))) (list #~(job '(next-hour '(4)) (string-append #$guix "/bin/guix gc -F" #$(number->string threshold))) ;; Half a day later, make sure ;; half of our quota is available. #~(job '(next-hour '(16)) (string-append #$guix "/bin/guix gc -F" #$(number->string (quotient threshold 2))))))))) firewall-service (service openssh-service-type) (service sysadmin-service-type %sysadmins) (service nginx-service-type (nginx-configuration (extra-content %bayfront-nginx-service-extra-config) (upstream-blocks (list (nginx-upstream-configuration (name "guix-build-coordinator-proxy") (servers '("localhost:8745"))))) (server-blocks (append %hpc.guix.info-nginx-servers %guix-hpc.bordeaux.inria.fr-nginx-servers %logs.guix.gnu.org-nginx-servers %bayfront.guix.gnu.org-nginx-servers %coordinator.bayfront.guix.gnu.org-nginx-servers)))) (service guix-build-coordinator-service-type %guix-build-coordinator-configuration) (service guix-build-coordinator-queue-builds-service-type (guix-build-coordinator-queue-builds-configuration (systems '("x86_64-linux")))) (service guix-build-coordinator-agent-service-type (guix-build-coordinator-agent-configuration (coordinator "https://coordinator.bayfront.guix.gnu.org") (authentication (guix-build-coordinator-agent-password-file-auth (uuid "0c973ac8-4e62-4889-87b4-31c9536641db") (password-file "/etc/guix-build-coordinator-agent-password"))) (max-parallel-builds 8) (max-1min-load-average 16) (systems '("x86_64-linux" "i686-linux")) (derivation-substitute-urls (list "https://data.guix.gnu.org")) (non-derivation-substitute-urls (list "https://bayfront.guix.gnu.org")))) (modify-services %base-services (guix-service-type config => (guix-configuration (substitute-urls '("https://bayfront.guix.gnu.org")) (authorized-keys (cons* (local-file "keys/guix/bayfront.guix.info-export.pub") ;; for substituting derivations (plain-file "data.guix.gnu.org.pub" " (public-key (ecc (curve Ed25519) (q #1EEE5340C3AAD6E062A1395A88A86FC75982E8BC7DCBAE171858EEAAB14AAB77#) ) )") %build-node-keys)) (max-silent-time 3600) (timeout (* 12 3600)) ;; be friendly to 'guix publish' users (log-compression 'gzip) (build-accounts 64) (extra-options (list "--max-jobs" "4")))) (login-service-type config => (login-configuration (inherit config) (motd %motd))) (openssh-service-type config => (openssh-configuration (inherit config) (password-authentication? #f))))))) ;; Local Variables: ;; eval: (put 'modify-services 'scheme-indent-function 1) ;; End: