System Configuration Overview
This page documents the System configuration for the Neotek server, maintained using Guix. The configuration integrates:
- Trac for project management
- Gitolite for secure Git access
- Git HTTP access via nginx + fcgiwrap
- Certbot-managed TLS
- WireGuard VPN access
- Minimal desktop environment
- Declarative and snapshot-friendly Btrfs subvolume layout
Modules and Packages
The system imports essential Guix modules for services, users, packages, and expression construction. Additionally, it includes a private channel oai and SRFI-1 helpers.
The following packages are installed:
- Window manager: i3-wm, i3status, dmenu, st
- Core tools: vim, git, htop, iotop, lsof
- Server tools: certbot, nginx, trac
- SSL and Git access: le-certs, fcgiwrap
File System Layout
A single Btrfs volume (NeotekRoot) is used, subdivided into subvolumes for:
- / → @
- /home → @home
- /gnu → @gnu
- /var/log → @log
All subvolumes are mounted with:
compress=zstd,ssd,discard=async
This ensures compression, SSD optimization, and trim support.
Users and Permissions
User accounts are declaratively defined:
- enno: Admin user, with access to wheel, ssl-cert, tracd, etc.
- tracd: Trac daemon user (no login shell)
- nginx: Nginx worker (read access to certs/repos)
- git: Gitolite access user (home is /home/git)
Groups:
- ssl-cert: Shared access to Let’s Encrypt files
- git: Gitolite and HTTP Git
- tracd: Trac service access
A custom activation service adjusts permissions for:
- /etc/letsencrypt/live and /etc/letsencrypt/archive
- /home/git
Services
Core
- gnome-desktop-service-type: Minimal GUI
- openssh-service-type: Remote access
- qemu-guest-agent-service-type: VM support
Trac
A custom shepherd service starts tracd:
- Port: 8080
- Auth: .htpasswd with realm-based routing
- User/group: tracd
- PATH includes Git for ticket/repo integration
Gitolite
- Uses system user git
- Admin pubkey bootstrap from gitolite-admin.pub
- umask 0027 ensures private, group-readable repos
Certbot
- Auto-manages TLS for kokyou.dev
- Renewed certs are made readable by ssl-cert group
nginx
Reverse proxy setup with:
- SSL termination for kokyou.dev
- Proxy to Trac (http://127.0.0.1:8080)
- Git over HTTP using git-http-backend via fcgiwrap
- Basic HTTP auth for repo endpoints
Example Git locations:
- /oaichannel.git
- /public_guix_channel.git
All secured via .htpasswd.
fcgiwrap
- Wraps git-http-backend to allow nginx to serve bare repos.
- Runs as git:git
WireGuard VPN
- Interface: 10.0.0.1
- Peer: wintermute at 10.0.0.2
- Uses private key from /srv/wg/wg_armitage_prv.key
Xorg Configuration
Keyboard layout is set to us with altgr-intl variant.
Boot and Init
Bootloader
- grub-efi-bootloader
- EFI target: /boot/efi
Initrd
- Adds virtio_scsi to support virtio disks (used in QEMU)
Summary
This system provides a secure, lean, and fully declarative infrastructure combining modern development tools with reproducibility and control. Key benefits include:
- Separation of concerns across services
- Reproducible and declarative service setup
- Git and Trac integration via FastCGI
- TLS automation with Certbot
- Secure VPN access
- Snapshot-friendly Btrfs setup
