author | 2025-04-27 18:54:34 +0200 | |
---|---|---|
committer | 2025-04-27 20:27:01 +0200 | |
commit | e27f7b772646ee1acdd21e9dc3d095323fa2dc88 (patch) | |
tree | ef1ee126ff5c908c03cbea4b744f24fc785eacb5 | |
parent | Allow agents in the field to safely SSH to turing (diff) |
Deploy certbot and nginx to turing
-rw-r--r-- | guix/turing.scm | 36 |
1 files changed, 35 insertions, 1 deletions
diff --git a/guix/turing.scm b/guix/turing.scm
index 6bf36cb..af81c1c 100644
--- a/guix/turing.scm
+++ b/guix/turing.scm
@@ -6,7 +6,9 @@
 (gnu packages tmux)
 (gnu packages vim)
 (gnu services admin)
- (gnu services databases))
+ (gnu services certbot)
+ (gnu services databases)
+ (gnu services web))
 
 (use-service-modules networking ssh)
 (use-package-modules bootloaders)
@@ -46,6 +48,12 @@
 (name "turing")
 (mapping '((22 "127.0.0.1:22")))))))
 
+(define %certbot-deploy-hook
+ (program-file
+ "nginx-deploy-hook"
+ #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
+ (kill pid SIGHUP))))
+
 (define %services
 (append (list (service openssh-service-type
 (openssh-configuration
@@ -61,6 +69,32 @@
 (postgresql postgresql-16)))
 (service tor-service-type)
 %hidden-service-turing
+ (service nginx-service-type
+ (nginx-configuration
+ (server-blocks '())))
 ; The below is added by the certbot role
 ; (listen '("80" "[::]:80"))
 ; (server-name '("turing.box.pydis.wtf"))
 ; (root "/var/www/owlcorp.uk")
 ; (locations
 ; (list
 ; (nginx-location-configuration
 ; ; Certbot webroot serving
 ; (uri "/.well-known")
 ; (body (list "root /var/www; "))))))))))
 ;
+ (service certbot-service-type
+ (certbot-configuration
+ (email "[email protected]")
+ ; Do not add certbot configuration to nginx automatically
+ ; XXX: seems broken, report upstream?
+ ; (default-location #f)
+ (webroot "/var/www")
+ (certificates
+ (list
+ (certificate-configuration
+ (domains '("turing.box.pydis.wtf"))
+ (deploy-hook %certbot-deploy-hook))))))
 (service unattended-upgrade-service-type)
 (simple-service 'resolv-conf etc-service-type
 (list `("resolv.conf" ,(plain-file |
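Review bot: The deploy hook added in the second hunk (`%certbot-deploy-hook`) passes whatever `read` returns straight to `kill`, so if /var/run/nginx/pid is missing or empty — nginx not running, or not yet started the first time certbot obtains the certificate — `read` yields the EOF object, `kill` raises, and certbot reports the deploy as failed even though the certificate was issued. Guarding the call, `(when (integer? pid) (kill pid SIGHUP))`, lets the renewal complete and leaves the reload for the next nginx start. It is also worth a one-line comment on the `let` stating that the hook trusts /var/run/nginx/pid to be written only by nginx's master process, since a stale or tampered PID would send SIGHUP to an unrelated process; whether anything other than the master can write that file is not visible from this hunk.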
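Review bot: The twelve commented-out lines between the nginx and certbot services in the third hunk (`; The below is added by the certbot role` through the lone `;`) are stale documentation rather than a record of the configuration that ships: they name `/var/www/owlcorp.uk` as the root while the live webroot on the same hunk is `/var/www`, and their closing parens no longer correspond to any active form, so a maintainer cannot tell whether this describes what certbot-service-type generates or an abandoned attempt. Either delete the block or collapse it to a single line that states the decision, e.g. `; the port-80 challenge location for turing.box.pydis.wtf is added by certbot-service-type, not declared here`. The `; XXX: seems broken, report upstream?` note next to `(default-location #f)` would likewise help if it recorded the symptom observed when the override was enabled. The enclosing `%services` list begins in the previous hunk and continues past the end of this one.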