Deploy certbot and nginx to turing

author: Johannes Christ <[email protected]> 2025-04-27 18:54:34 +0200
committer: jchristgit <[email protected]> 2025-04-27 20:27:01 +0200
commit: e27f7b772646ee1acdd21e9dc3d095323fa2dc88 (patch)
tree: ef1ee126ff5c908c03cbea4b744f24fc785eacb5
parent: Allow agents in the field to safely SSH to turing (diff)
1 files changed, 35 insertions, 1 deletions
diff --git a/guix/turing.scm b/guix/turing.scm
index 6bf36cb..af81c1c 100644
--- a/guix/turing.scm
+++ b/guix/turing.scm
@@ -6,7 +6,9 @@
              (gnu packages tmux)
              (gnu packages vim)
              (gnu services admin)
-             (gnu services databases))
+             (gnu services certbot)
+             (gnu services databases)
+             (gnu services web))
 (use-service-modules networking ssh)
 (use-package-modules bootloaders)
 
@@ -46,6 +48,12 @@
                             (name "turing")
                             (mapping '((22 "127.0.0.1:22")))))))
 
+(define %certbot-deploy-hook
+  (program-file
+   "nginx-deploy-hook"
+   #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
+       (kill pid SIGHUP))))
+
 (define %services
   (append (list (service openssh-service-type
                    (openssh-configuration
@@ -61,6 +69,32 @@
                            (postgresql postgresql-16)))
                 (service tor-service-type)
                 %hidden-service-turing
+                (service nginx-service-type
+                         (nginx-configuration
+                           (server-blocks '())))
+; The below is added by the certbot role
+;                                     (listen '("80" "[::]:80"))
+;                                     (server-name '("turing.box.pydis.wtf"))
+;                                     (root "/var/www/owlcorp.uk")
+;                                     (locations
+;                                       (list
+;                                         (nginx-location-configuration
+;                                           ; Certbot webroot serving
+;                                           (uri "/.well-known")
+;                                           (body (list "root /var/www; "))))))))))
+;
+                (service certbot-service-type
+                         (certbot-configuration
+                          (email "[email protected]")
+                          ; Do not add certbot configuration to nginx automatically
+                          ; XXX: seems broken, report upstream?
+                          ; (default-location #f)
+                          (webroot "/var/www")
+                          (certificates
+                           (list
+                            (certificate-configuration
+                             (domains '("turing.box.pydis.wtf"))
+                             (deploy-hook %certbot-deploy-hook))))))
                 (service unattended-upgrade-service-type)
                 (simple-service 'resolv-conf etc-service-type
                                 (list `("resolv.conf" ,(plain-file
author	Johannes Christ <[email protected]>	2025-04-27 18:54:34 +0200
committer	jchristgit <[email protected]>	2025-04-27 20:27:01 +0200
commit	e27f7b772646ee1acdd21e9dc3d095323fa2dc88 (patch)
tree	ef1ee126ff5c908c03cbea4b744f24fc785eacb5
parent	Allow agents in the field to safely SSH to turing (diff)