= System Configuration Overview =

This page documents the system configuration for the Neotek server, maintained using [https://guix.gnu.org Guix System]. The configuration integrates:
• Trac for project management
• Gitolite for secure Git access
• Git HTTP access via nginx + fcgiwrap
• Certbot-managed TLS
• WireGuard VPN access
• Minimal desktop environment
• Declarative and snapshot-friendly Btrfs subvolume layout

== Modules and Packages ==

The system imports the essential Guix modules for services, users, packages, and expression construction. Additionally, it includes the private channel oai and SRFI-1 helpers.

The following packages are installed:
• Window manager: i3-wm, i3status, dmenu, st
• Core tools: vim, git, htop, iotop, lsof
• Server tools: certbot, nginx, trac
• SSL and Git access: le-certs, fcgiwrap

== File System Layout ==

A single Btrfs volume (NeotekRoot) is used, subdivided into subvolumes for:
• / → @
• /home → @home
• /gnu → @gnu
• /var/log → @log

All subvolumes are mounted with:

{{{
compress=zstd,ssd,discard=async
}}}

This enables transparent zstd compression, SSD-specific allocation behaviour, and asynchronous discard (TRIM) support.

== Users and Permissions ==

User accounts are declaratively defined:
• enno: Admin user, with access to wheel, ssl-cert, tracd, etc.
• tracd: Trac daemon user (no login shell)
• nginx: Nginx worker (read access to certs/repos)
• git: Gitolite access user (home is /home/git)

Groups:
• ssl-cert: Shared access to Let’s Encrypt files
• git: Gitolite and HTTP Git
• tracd: Trac service access

A custom activation service adjusts permissions for:
• /etc/letsencrypt/live and /etc/letsencrypt/archive
• /home/git

== Services ==

=== Core ===
• gnome-desktop-service-type: Minimal GUI
• openssh-service-type: Remote access
• qemu-guest-agent-service-type: VM support

=== Trac ===

A custom [wiki:Shepherd shepherd] service starts tracd:
• Port: 8080
• Auth: .htpasswd with realm-based routing
• User/group: tracd
• PATH includes Git for ticket/repo integration

=== Gitolite ===
• Uses the system user git
• Admin pubkey bootstrapped from gitolite-admin.pub
• umask 0027 makes repositories writable by the git user and readable by the git group, with no access for other users

=== Certbot ===
• Auto-manages TLS for kokyou.dev
• Renewed certificates are made readable by the ssl-cert group

=== nginx ===

Reverse proxy setup with:
• SSL/TLS termination for kokyou.dev
• Proxy to Trac (http://127.0.0.1:8080)
• Git over HTTP using git-http-backend via fcgiwrap
• Basic HTTP auth for repo endpoints

Example Git locations:
• /oaichannel.git
• /public_guix_channel.git

All repository endpoints are protected by HTTP basic auth against .htpasswd.

=== fcgiwrap ===
• Wraps git-http-backend so that nginx can serve the bare repositories over HTTP.
• Runs as git:git
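
The nginx and fcgiwrap sections above describe how the Git repositories are served; the following Guix System fragment is an added illustration of that wiring and is not the Neotek configuration itself. It assumes the fcgiwrap socket path /var/run/fcgiwrap.sock, the Gitolite repository root /home/git/repositories, the htpasswd file /etc/nginx/.htpasswd, the standard certbot file names under /etc/letsencrypt/live/kokyou.dev, and git being present in the system profile (it is listed under Core tools).

```scheme
;; Added example, not the Neotek configuration: nginx -> fcgiwrap ->
;; git-http-backend for the two Gitolite repos, with HTTP basic auth.
;; Socket, repo root, htpasswd and cert paths are assumed values.
(use-modules (gnu) (gnu services web))

;; git is in the system profile, so git-http-backend lives here.
(define %git-http-backend
  "/run/current-system/profile/libexec/git-core/git-http-backend")

(define %git-location
  (nginx-location-configuration
   (uri "~ ^/(oaichannel|public_guix_channel)\\.git(/.*)?$")
   (body
    (list
     ;; Every repo request, fetch or push, needs a .htpasswd entry.
     "auth_basic \"Git\";"
     "auth_basic_user_file /etc/nginx/.htpasswd;"
     ;; Pushes can be large; do not let nginx cap the request body.
     "client_max_body_size 0;"
     ;; Minimal FastCGI environment git-http-backend needs.
     (string-append "fastcgi_param SCRIPT_FILENAME " %git-http-backend ";")
     "fastcgi_param GIT_PROJECT_ROOT /home/git/repositories;"
     "fastcgi_param GIT_HTTP_EXPORT_ALL \"\";"
     "fastcgi_param PATH_INFO $uri;"
     "fastcgi_param QUERY_STRING $query_string;"
     "fastcgi_param REQUEST_METHOD $request_method;"
     "fastcgi_param CONTENT_TYPE $content_type;"
     "fastcgi_param CONTENT_LENGTH $content_length;"
     ;; git-http-backend refuses receive-pack without an authenticated user.
     "fastcgi_param REMOTE_USER $remote_user;"
     "fastcgi_pass unix:/var/run/fcgiwrap.sock;"))))

(define %neotek-nginx
  (nginx-server-configuration
   (server-name '("kokyou.dev"))
   (listen '("443 ssl"))
   (ssl-certificate "/etc/letsencrypt/live/kokyou.dev/fullchain.pem")
   (ssl-certificate-key "/etc/letsencrypt/live/kokyou.dev/privkey.pem")
   (locations
    (list %git-location
          ;; Everything else is proxied to tracd on the loopback port.
          (nginx-location-configuration
           (uri "/")
           (body (list "proxy_pass http://127.0.0.1:8080;")))))))

;; fcgiwrap runs as git:git, matching the Gitolite repository ownership.
(define %neotek-fcgiwrap
  (fcgiwrap-configuration
   (socket "unix:/var/run/fcgiwrap.sock")
   (user "git")
   (group "git")))
```

Register these with `(service nginx-service-type (nginx-configuration (server-blocks (list %neotek-nginx))))` and `(service fcgiwrap-service-type %neotek-fcgiwrap)` in the operating-system services list. After reconfiguring, `git ls-remote https://kokyou.dev/oaichannel.git` should fail with 401 until valid .htpasswd credentials are supplied, which is the quick check that the auth_basic block is actually in effect.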

=== WireGuard VPN ===
• Local interface address: 10.0.0.1
• Peer: wintermute at 10.0.0.2
• Uses the private key from /srv/wg/wg_armitage_prv.key

=== Xorg Configuration ===

Keyboard layout is set to us with the altgr-intl variant.

== Boot and Init ==

=== Bootloader ===
• grub-efi-bootloader
• EFI target: /boot/efi

=== Initrd ===
• Adds the virtio_scsi module to support virtio disks (used under QEMU)

== Summary ==

This system provides a secure, lean, and fully declarative infrastructure combining modern development tools with reproducibility and control. Key benefits include:
• Separation of concerns across services
• Reproducible and declarative service setup
• Git and Trac integration via FastCGI
• TLS automation with Certbot
• Secure VPN access
• Snapshot-friendly Btrfs setup