= System Configuration Overview =

This page documents the system configuration for the Neotek server, maintained using [https://guix.gnu.org Guix System]. The configuration integrates:

• Trac for project management
• Gitolite for secure Git access
• Git HTTP access via nginx + fcgiwrap
• Certbot-managed TLS
• !WireGuard VPN access
• Minimal desktop environment
• Declarative and snapshot-friendly Btrfs subvolume layout

== Modules and Packages ==

The system imports the Guix modules it needs for services, users, packages, and expression construction. It also includes a private channel, oai, and the SRFI-1 list helpers.

The following packages are installed:

• Window manager: i3-wm, i3status, dmenu, st
• Core tools: vim, git, htop, iotop, lsof
• Server tools: certbot, nginx, trac
• SSL and Git access: le-certs, fcgiwrap

== File System Layout ==

A single Btrfs volume (NeotekRoot) is used, subdivided into subvolumes for:

• / → @
• /home → @home
• /gnu → @gnu
• /var/log → @log

All subvolumes are mounted with:

{{{
compress=zstd,ssd,discard=async
}}}

This enables compression, SSD optimization, and asynchronous trim support.

== Users and Permissions ==

User accounts are declaratively defined:

• enno: Admin user, with access to wheel, ssl-cert, tracd, etc.
• tracd: Trac daemon user (no login shell)
• nginx: Nginx worker (read access to certs/repos)
• git: Gitolite access user (home is /home/git)

Groups:

• ssl-cert: Shared access to Let’s Encrypt files
• git: Gitolite and HTTP Git
• tracd: Trac service access

A custom activation service adjusts permissions for:

• /etc/letsencrypt/live and /etc/letsencrypt/archive
• /home/git

== Services ==

=== Core ===

• gnome-desktop-service-type: Minimal GUI
• openssh-service-type: Remote access
• qemu-guest-agent-service-type: VM support

=== Trac ===

A custom shepherd service starts tracd:

• Port: 8080
• Auth: .htpasswd with realm-based routing
• User/group: tracd
• PATH includes Git for ticket/repo integration

=== Gitolite ===

• Uses system user git
• Admin pubkey bootstrap from gitolite-admin.pub
• umask 0027 ensures private, group-readable repos

=== Certbot ===

• Auto-manages TLS for kokyou.dev
• Renewed certs are made readable by the ssl-cert group

=== nginx ===

Reverse proxy setup with:

• SSL termination for kokyou.dev
• Proxy to Trac (http://127.0.0.1:8080)
• Git over HTTP using git-http-backend via fcgiwrap
• Basic HTTP auth for repo endpoints

Example Git locations:

• /oaichannel.git
• /public_guix_channel.git

All are secured via .htpasswd.

=== fcgiwrap ===

• Wraps git-http-backend so that nginx can serve bare repos
• Runs as git:git

=== WireGuard VPN ===

• Interface: 10.0.0.1
• Peer: wintermute at 10.0.0.2
• Uses private key from /srv/wg/wg_armitage_prv.key

=== Xorg Configuration ===

Keyboard layout is set to us with the altgr-intl variant.

== Boot and Init ==

=== Bootloader ===

• grub-efi-bootloader
• EFI target: /boot/efi

=== Initrd ===

• Adds virtio_scsi to support virtio disks (used in QEMU)

== Summary ==

This system provides a secure, lean, and fully declarative infrastructure combining modern development tools with reproducibility and control.
Key benefits include:

• Separation of concerns across services
• Reproducible and declarative service setup
• Git and Trac integration via FastCGI
• TLS automation with Certbot
• Secure VPN access
• Snapshot-friendly Btrfs setup
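As an added illustration that is not part of the Neotek configuration itself, the following Guix fragment shows how the nginx, Git-over-HTTP and fcgiwrap pieces described in the Services section fit together: TLS termination with Certbot's files, Trac proxied at /, and repository paths handed to git-http-backend behind basic auth. The .htpasswd path, the Gitolite repository root and the fcgiwrap TCP socket are assumed values, not taken from this page.

```scheme
(use-modules (gnu services)
             (gnu services web)
             (gnu packages version-control))

(define %htpasswd "/etc/nginx/.htpasswd")     ; assumed .htpasswd location
(define %git-root "/home/git/repositories")   ; assumed Gitolite repo root
(define %fcgi-socket "127.0.0.1:9000")        ; assumed fcgiwrap TCP socket

;; Git over HTTP: /name.git and below (e.g. /oaichannel.git/info/refs).
(define %git-http-location
  (nginx-location-configuration
   (uri "~ ^/[^/]+\\.git(/.*)?$")
   (body
    (list "auth_basic \"Git\";"
          (list "auth_basic_user_file " %htpasswd ";")
          (list "fastcgi_pass " %fcgi-socket ";")
          (list "fastcgi_param SCRIPT_FILENAME "
                git "/libexec/git-core/git-http-backend;")
          "fastcgi_param QUERY_STRING $query_string;"
          "fastcgi_param REQUEST_METHOD $request_method;"
          "fastcgi_param CONTENT_TYPE $content_type;"
          "fastcgi_param CONTENT_LENGTH $content_length;"
          ;; No GIT_HTTP_EXPORT_ALL: only repos carrying a
          ;; git-daemon-export-ok marker are served.
          (list "fastcgi_param GIT_PROJECT_ROOT " %git-root ";")
          "fastcgi_param PATH_INFO $uri;"
          "fastcgi_param REMOTE_USER $remote_user;"))))

;; TLS termination with Certbot's files; Trac sits behind the proxy at /.
(define %kokyou-server
  (nginx-server-configuration
   (server-name '("kokyou.dev"))
   (listen '("443 ssl"))
   (ssl-certificate "/etc/letsencrypt/live/kokyou.dev/fullchain.pem")
   (ssl-certificate-key "/etc/letsencrypt/live/kokyou.dev/privkey.pem")
   (locations
    (list %git-http-location
          (nginx-location-configuration
           (uri "/")
           (body (list "proxy_pass http://127.0.0.1:8080;"
                       "proxy_set_header Host $host;")))))))

;; fcgiwrap runs as git:git so it can read the bare repositories.
(define %web-services
  (list (service fcgiwrap-service-type
                 (fcgiwrap-configuration
                  (socket (string-append "tcp:" %fcgi-socket))
                  (user "git") (group "git")))
        (service nginx-service-type
                 (nginx-configuration (server-blocks (list %kokyou-server))))))
```

Splice %web-services into the operating-system services list; because the location omits GIT_HTTP_EXPORT_ALL, a repository only becomes reachable over HTTP once Gitolite has been told to export it.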