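;; Based on gnu/system/examples/beaglebone-black.scm in Guix source code
;;
;; This file is not part of GNU Guix.
;;
;; GNU Guix is free software; you can redistribute it and/or modify it
;; under the terms of the GNU General Public License as published by
;; the Free Software Foundation; either version 3 of the License, or (at
;; your option) any later version.
;;
;; GNU Guix is distributed in the hope that it will be useful, but
;; WITHOUT ANY WARRANTY; without even the implied warranty of
;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;; GNU General Public License for more details.
;;
;; You should have received a copy of the GNU General Public License
;; along with GNU Guix.  If not, see <https://www.gnu.org/licenses/>.

;;; Operating-system declaration for a Pine64 ROCKPro64 (RK3399) host.
;;; Exports ROCKPRO64-OPERATING-SYSTEM; the file's last expression
;;; evaluates to it so `guix system` can consume the file directly.

(define-module (rockpro64-system)
  #:use-module (gnu)
  #:use-module (gnu bootloader u-boot)
  #:use-module (gnu machine)
  #:use-module (gnu machine ssh)
  #:use-module (gnu services certbot)
  #:use-module (gnu services dns)
  #:use-module (gnu services networking)
  #:use-module (gnu services shepherd)
  #:use-module (gnu services ssh)
  #:use-module (gnu services version-control)
  #:use-module (gnu services vpn)
  #:use-module (gnu services web)
  #:use-module (gnu packages admin)
  #:use-module (gnu packages base)
  #:use-module (gnu packages benchmark)
  #:use-module (gnu packages bootloaders)
  #:use-module (gnu packages certs)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages networking)
  #:use-module (gnu packages ntp)
  #:use-module (gnu packages python-xyz)
  #:use-module (gnu packages screen)
  #:use-module (gnu packages tls)
  #:use-module (gnu packages version-control)
  #:use-module (gnu packages vim)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system trivial)
  #:use-module (guix download)
  #:use-module (guix gexp)
  #:use-module (guix git-download)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix store)
  #:export (rockpro64-operating-system))

;; Certbot-style deploy hook: read nginx's PID from its pid file and send
;; SIGHUP so a renewed certificate is picked up without a restart.
;; It is not referenced by any service declared in this file; presumably
;; it is meant for a certbot/nginx configuration kept elsewhere.
(define-public %nginx-deploy-hook
  (program-file "nginx-deploy-hook"
                #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
                    (kill pid SIGHUP))))

;; Placeholder certificate so that nginx can start before a real
;; certificate exists under /etc/letsencrypt/live/.
;;
;; The key pair is generated at *build* time, inside the store, with
;; `-nodes` (unencrypted key).  Store items are readable by every user,
;; so this private key must be treated as public: the certificate is
;; only a bootstrap aid and provides no confidentiality or authenticity
;; on its own.  It must be replaced before the host serves anything real.
(define-public self-signed-certificate
  (package
    (name "self-signed-certificate")
    (version "0.1")
    (source #f)
    (native-inputs (list openssl))
    (build-system trivial-build-system)
    (arguments
     (list
      #:modules '((guix build utils))
      #:builder
      #~(begin
          (use-modules (guix build utils))
          (let ((openssl (string-append
                          #$(this-package-native-input "openssl")
                          "/bin/openssl"))
                ;; Output mirrors the runtime layout so the shepherd
                ;; service below can copy the files with the same name.
                (out (string-append #$output
                                    "/etc/letsencrypt/live/"
                                    "rockpro64.gnutoo.cyberdimension.org/")))
            (mkdir-p out)
            ;; "-days 356" is kept as written (356, not 365); the exact
            ;; validity is irrelevant for a placeholder.
            (invoke openssl "req" "-nodes" "-batch" "-x509"
                    "-newkey" "rsa:2048"
                    "-keyout" (string-append out "/privkey.pem")
                    "-out" (string-append out "/fullchain.pem")
                    "-days" "356")))))
    (synopsis "Self signed certificate")
    (description "This is useful to start nginx without certificate.")
    (home-page "https://git.sr.ht/~gnutoo/machines_configs.git")
    (license license:cc0)))

;; One-shot shepherd service that installs the placeholder certificate
;; into /etc/letsencrypt/live/<host>/ when, and only when, that directory
;; does not exist yet and its parent is accessible.  A real certificate
;; already present there is therefore never overwritten.
;;
;; CONFIG is unused (the service type has no configuration, see
;; DEFAULT-VALUE below).
(define (self-signed-certificate-shepherd-service config)
  (list (shepherd-service
         (documentation "Provide temporary self-signed certificate")
         (provision '(self-signed-certificate))
         (one-shot? #t)
         (start
          #~(lambda* _
              ;; Fix: the previous version wrapped the three steps below in
              ;; an inner (lambda _ ...) that was *returned* to shepherd but
              ;; never called, so the directory and files were never created.
              ;; Shepherd only stores START's return value; it does not
              ;; invoke it.
              (when (and (not (access?
                               "/etc/letsencrypt/live/rockpro64.gnutoo.cyberdimension.org/"
                               (logior R_OK X_OK)))
                         (access? "/etc/letsencrypt/live/"
                                  (logior R_OK X_OK)))
                (mkdir (string-append "/etc/letsencrypt/live/"
                                      "rockpro64.gnutoo.cyberdimension.org/"))
                (copy-file
                 #$(file-append self-signed-certificate
                                (string-append
                                 "/etc/letsencrypt/live/"
                                 "rockpro64.gnutoo.cyberdimension.org/"
                                 "fullchain.pem"))
                 #$(string-append "/etc/letsencrypt/live/"
                                  "rockpro64.gnutoo.cyberdimension.org/"
                                  "fullchain.pem"))
                (copy-file
                 #$(file-append self-signed-certificate
                                (string-append
                                 "/etc/letsencrypt/live/"
                                 "rockpro64.gnutoo.cyberdimension.org/"
                                 "privkey.pem"))
                 #$(string-append "/etc/letsencrypt/live/"
                                  "rockpro64.gnutoo.cyberdimension.org/"
                                  "privkey.pem")))
              ;; Report success whether or not anything was copied, as the
              ;; original did (it returned a non-#f value in both cases).
              #t)))))

;; Service type wiring the one-shot service above into shepherd's root.
(define self-signed-certificate-service-type
  (service-type
   (name 'self-signed-certificate)
   (description "Provide temporary self-signed certificate")
   (extensions
    (list (service-extension shepherd-root-service-type
                             self-signed-certificate-shepherd-service)))
   (default-value #f)))

;; Static website, built with pelican from a pinned git commit and
;; installed under share/gnutoo.cyberdimension.org/ of the output.
(define-public gnutoo.cyberdimension.org
  (package
    (name "gnutoo.cyberdimension.org")
    (version "0.1")
    (source (origin
              (method git-fetch)
              (uri (git-reference
                    (url "https://git.sr.ht/~gnutoo/gnutoo-website")
                    (commit "2a1e73ba998f32b413d27aa58d7394f052fdda3b")))
              (file-name (git-file-name name version))
              (sha256
               (base32
                "1palnh7j5x1mc135338qhkpxyam5mci671b4cj1xp8znqa789n4w"))))
    (native-inputs
     `(("make" ,gnu-make)
       ("pelican" ,pelican)))
    (build-system gnu-build-system)
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         (delete 'configure)            ; We only have a Makefile
         (delete 'build)                ; with only an install target
         (delete 'check))
       #:make-flags
       (list (string-append "DESTDIR="
                            (assoc-ref %outputs "out")
                            "/share/gnutoo.cyberdimension.org/"))))
    (synopsis "https://gnutoo.cyberdimension.org website")
    (description
     "https://gnutoo.cyberdimension.org is the website that is currently
hosted at https://gnutoo.cyberdimension.org.")
    (home-page "https://git.sr.ht/~gnutoo/gnutoo-website")
    (license license:agpl3+)))

;; Authoritative zone data served by knot below.  The two NS records
;; point at this very host, so the zone is single-homed.
(define-zone-entries cyberdimension-eu-org-entries
  ;; Name TTL Class Type Data
  ("ns1" "" "IN" "A"    "79.143.250.36")
  ("ns2" "" "IN" "AAAA" "2001:678:938:3ff::36")
  ("@"   "" "IN" "NS"   "ns1.cyberdimension.eu.org.")
  ("@"   "" "IN" "NS"   "ns2.cyberdimension.eu.org.")
  ("@"   "" "IN" "A"    "79.143.250.36")
  ("@"   "" "IN" "AAAA" "2001:678:938:3ff::36"))

(define-public cyberdimension-eu-org-zone
  (knot-zone-configuration
   (domain "cyberdimension.eu.org")
   (zone (zone-file
          (origin "cyberdimension.eu.org")
          (entries cyberdimension-eu-org-entries)))))

;; The operating system itself.  Boots from eMMC (/dev/mmcblk2) with
;; U-Boot; the initrd carries the modules needed for uSD, eMMC and USB
;; root devices.
(define rockpro64-operating-system
  (operating-system
    (host-name "rockpro64")
    (timezone "Europe/Paris")
    (bootloader (bootloader-configuration
                 (bootloader u-boot-rockpro64-rk3399-bootloader)
                 (targets '("/dev/mmcblk2"))))
    (initrd-modules
     (append
      (list "dw_mmc-rockchip"         ;; CONFIG_MMC_DW_ROCKCHIP for uSD boot
            "dwc3"                    ;; CONFIG_USB_DWC3 for USB boot
            "dwc3_of_simple"          ;; CONFIG_USB_DWC3_OF_SIMPLE for USB boot
            "ehci_platform"           ;; CONFIG_USB_EHCI_HCD_PLATFORM for USB boot
            "fixed"                   ;; CONFIG_REGULATOR_FIXED_VOLTAGE for USB boot
            "i2c_rk3x"                ;; CONFIG_I2C_RK3X for uSD boot
            "ohci_platform"           ;; CONFIG_USB_OHCI_HCD_PLATFORM for USB boot
            "phy_rockchip_emmc"       ;; CONFIG_PHY_ROCKCHIP_EMMC for eMMC boot
            "phy_rockchip_inno_usb2"  ;; CONFIG_PHY_ROCKCHIP_INNO_USB2 for USB boot
            "phy_rockchip_usb"        ;; CONFIG_PHY_ROCKCHIP_USB for USB boot
            ;; pl330 is the ARM PL330 DMA controller driver
            ;; (CONFIG_PL330_DMA), not the PL2303 USB-serial driver.
            "pl330"                   ;; CONFIG_PL330_DMA for uSD boot
            "rk808"                   ;; CONFIG_MFD_RK808 for uSD boot
            "rk808_regulator"         ;; CONFIG_REGULATOR_RK808 for uSD boot
            "sd_mod"                  ;; CONFIG_BLK_DEV_SD for USB boot
            "sdhci_of_arasan"         ;; CONFIG_MMC_SDHCI_OF_ARASAN for eMMC boot
            "uas"                     ;; CONFIG_USB_UAS for USB boot
            "usb_storage"             ;; CONFIG_USB_STORAGE for USB boot
            "xhci_plat_hcd")          ;; CONFIG_USB_XHCI_PLATFORM for USB boot
      %base-initrd-modules))
    ;; rootdelay=5 is needed for booting USB boot
    (kernel-arguments (append '("loglevel=8" "rootdelay=5")))
    (file-systems (append (list (file-system
                                  (mount-point "/")
                                  (device "/dev/mmcblk2p2")
                                  (type "ext4")))
                          %base-file-systems))
    (users (cons* (user-account
                   (name "gnutoo")
                   (uid 1000)
                   (group "gnutoo"))
                  %base-user-accounts))
    (groups (cons* (user-group
                    (name "gnutoo")
                    (id 1000))
                   %base-groups))
    (packages (append (list git
                            gnu-make
                            htop
                            mtr
                            net-tools
                            nss-certs
                            ntp
                            phoronix-test-suite
                            screen
                            self-signed-certificate
                            vim
                            wireshark)  ;; For tshark
                      %base-packages))
    (services
     (append
      (list
       ;; Serial console on the RK3399 debug UART.
       (service agetty-service-type
                (agetty-configuration
                 (extra-options '("-L")) ;no carrier detect
                 (baud-rate "1500000")
                 (term "vt100")
                 (tty "ttyS2")))
       ;; Gitolite admin key is inlined rather than read from a file.
       (service gitolite-service-type
                (gitolite-configuration
                 (admin-pubkey
                  (plain-file "gnutoo.pub"
                              (string-append
                               "ssh-ed25519 "
                               "AAAAC3NzaC1lZDI1NTE5AAAAIHvzPb+bkC"
                               "F9Vf4SQpXT0eJbUorbAoGwOZrkws9DFzKv"
                               " gnutoo@primary_laptop")))))
       (service knot-service-type
                (knot-configuration
                 (zones (list cyberdimension-eu-org-zone))))
       (service self-signed-certificate-service-type)
       (service static-networking-service-type
                (list (static-networking
                       (addresses (list (network-address
                                         (device "eth0")
                                         (value "192.168.10.35/24"))))
                       (routes (list (network-route
                                      (destination "default")
                                      (gateway "192.168.10.1"))))
                       (name-servers '("192.168.10.1")))))
       ;; SSH: key-only.  Password and challenge-response authentication
       ;; are disabled globally, so root can only log in with the key
       ;; listed below; 'prohibit-password would express that intent
       ;; explicitly in the permit-root-login field itself.
       (service openssh-service-type
                (openssh-configuration
                 (port-number 222)
                 (permit-root-login #t)
                 (password-authentication? #f)
                 (challenge-response-authentication? #f)
                 (authorized-keys
                  `(("root" ,(local-file "id_ed25519.pub"))
                    ("gnutoo" ,(local-file "id_ed25519.pub"))))))
       ;; The public addresses in the zone above live on this tunnel;
       ;; allowed-ips of 0.0.0.0/0 and ::/0 means all traffic is routed
       ;; through the peer.  The private key is a local file referenced
       ;; by name, so it ends up in the store and is world-readable there.
       (service wireguard-service-type
                (wireguard-configuration
                 (addresses '("79.143.250.36/27"
                              "2001:678:938:3ff::36/64"))
                 (port 0)
                 (private-key (local-file "id_wireguard"))
                 (peers
                  (list
                   (wireguard-peer
                    (name "stephanie.franciliens.net")
                    (endpoint "stephanie.franciliens.net:51820")
                    (public-key "Ybfh3twyBpj7wx/lo9AVBsBKNAUMSQqAWWV0LfywSDI=")
                    (allowed-ips '("0.0.0.0/0" "::/0"))))))))
      ;; Trust an additional substitute signing key on top of the defaults.
      (modify-services %base-services
        (guix-service-type
         config => (guix-configuration
                    (authorized-keys
                     (append (list (local-file "signing-key.pub"))
                             %default-authorized-guix-keys)))))))))

rockpro64-operating-system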