= System Configuration Overview =

This page documents the [htdocs:configuration.scm System configuration] for the Neotek server, maintained using [https://guix.gnu.org Guix]. The configuration integrates:

 * Trac for project management
 * Gitolite for secure Git access
 * Git HTTP access via nginx + fcgiwrap
 * Certbot-managed TLS
 * !WireGuard VPN access
 * Minimal desktop environment
 * Declarative and snapshot-friendly Btrfs subvolume layout

== Modules and Packages ==

The system imports the essential Guix modules for services, users, packages, and expression construction. It additionally pulls in a private channel, oai, and the SRFI-1 list helpers.

The following packages are installed:

 * Window manager: i3-wm, i3status, dmenu, st
 * Core tools: vim, git, htop, iotop, lsof
 * Server tools: certbot, nginx, trac
 * SSL and Git access: le-certs, fcgiwrap

== File System Layout ==

A single Btrfs volume (!NeotekRoot) is used, subdivided into subvolumes for:

 * / → @
 * /home → @home
 * /gnu → @gnu
 * /var/log → @log

All subvolumes are mounted with:

{{{
compress=zstd,ssd,discard=async
}}}

This enables compression, SSD optimization, and asynchronous trim support.

== Users and Permissions ==

User accounts are declaratively defined:

 * enno: Admin user, with access to wheel, ssl-cert, tracd, etc.
 * tracd: Trac daemon user (no login shell)
 * nginx: Nginx worker (read access to certs/repos)
 * git: Gitolite access user (home is /home/git)

Groups:

 * ssl-cert: Shared access to Let’s Encrypt files
 * git: Gitolite and HTTP Git
 * tracd: Trac service access

A custom activation service adjusts permissions for:

 * /etc/letsencrypt/live and /etc/letsencrypt/archive
 * /home/git

== Services ==

=== Core ===

 * gnome-desktop-service-type: Minimal GUI
 * openssh-service-type: Remote access
 * qemu-guest-agent-service-type: VM support

=== Trac ===

A custom shepherd service starts tracd:

 * Port: 8080
 * Auth: .htpasswd with realm-based routing
 * User/group: tracd
 * PATH includes Git for ticket/repo integration

=== Gitolite ===

 * Uses system user git
 * Admin pubkey bootstrap from gitolite-admin.pub
 * umask 0027 ensures private, group-readable repos

NOTE: You need to put the file git-daemon-export-ok in every bare repo you want to export and which has a valid nginx route. After a system reconfigure you should check that this file is still there; if not, you have to recreate it. This will be done automatically in the future, but be aware of it until then.

=== Certbot ===

 * Auto-manages TLS for kokyou.dev
 * Renewed certs are made readable by the ssl-cert group

=== nginx ===

Reverse proxy setup with:

 * SSL termination for kokyou.dev
 * Proxy to Trac (http://127.0.0.1:8080)
 * Git over HTTP using git-http-backend via fcgiwrap
 * Basic HTTP auth for repo endpoints

Example Git locations:

 * /oaichannel.git
 * /public_guix_channel.git

All are secured via .htpasswd.

=== fcgiwrap ===

 * Wraps git-http-backend so that nginx can serve bare repos
 * Runs as git:git

=== !WireGuard VPN ===

 * Interface: 10.0.0.1
 * Peer: wintermute at 10.0.0.2
 * Uses private key from /srv/wg/wg_armitage_prv.key

=== Xorg Configuration ===

Keyboard layout is set to us with the altgr-intl variant.
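As an added example (not code from the Neotek configuration.scm or from this page), the following POSIX sh script covers the two manual checks described above: the git-daemon-export-ok marker the Gitolite note asks you to verify after a reconfigure, and the Let's Encrypt permissions the activation service is expected to set. The repository path /home/git/repositories, the expectation that archived private keys are group-readable by ssl-cert but not readable by others, and the demo directory layout are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Neotek configuration.scm: two checks to run
# after `guix system reconfigure`, covering the two manual caveats on this page.
#
#   check_export_markers REPO_DIR ROUTED_REPO...
#       Every bare repo with an nginx route needs git-daemon-export-ok;
#       git-http-backend refuses to serve a repo without it (unless
#       GIT_HTTP_EXPORT_ALL is set), so a lost marker shows up as an HTTP 403.
#       Prints "MISSING <repo>" for routed repos lacking the marker and
#       "EXTRA <repo>" for repos marked exportable that have no route.
#
#   check_cert_perms LETSENCRYPT_DIR GROUP
#       Assumption: the activation service leaves the archived private keys
#       group-readable by ssl-cert and with no permission bits for others.
#       Prints "WORLD-READABLE <key>" or "WRONG-GROUP <key> (<group>)".
#
# Both functions return 0 when nothing is printed and 1 otherwise.

check_export_markers() {
    repo_dir=$1; shift
    routed=" $* "            # space-padded so " name " matches whole names only
    status=0
    for repo in "$repo_dir"/*.git; do
        [ -d "$repo" ] || continue
        name=${repo##*/}
        case "$routed" in
            *" $name "*) is_routed=1 ;;
            *)           is_routed=0 ;;
        esac
        if [ -e "$repo/git-daemon-export-ok" ]; then
            [ "$is_routed" -eq 1 ] || { echo "EXTRA $name"; status=1; }
        else
            [ "$is_routed" -eq 0 ] || { echo "MISSING $name"; status=1; }
        fi
    done
    return "$status"
}

check_cert_perms() {
    le_dir=$1; want_group=$2
    status=0
    for key in "$le_dir"/archive/*/privkey*.pem; do
        [ -f "$key" ] || continue
        line=$(ls -ld "$key")
        others=$(printf '%s' "$line" | cut -c8-10)   # "---" when others have no access
        group=$(printf '%s' "$line" | awk '{print $4}')
        [ "$others" = "---" ] || { echo "WORLD-READABLE $key"; status=1; }
        [ "$group" = "$want_group" ] || { echo "WRONG-GROUP $key ($group)"; status=1; }
    done
    return "$status"
}

# Constructed demo layout (hypothetical paths; on the real host point the
# checks at /home/git/repositories and /etc/letsencrypt instead).
demo() {
    tmp=$(mktemp -d)
    for r in oaichannel.git public_guix_channel.git scratch.git; do
        mkdir -p "$tmp/repos/$r"
    done
    : > "$tmp/repos/oaichannel.git/git-daemon-export-ok"   # routed and marked: fine
    : > "$tmp/repos/scratch.git/git-daemon-export-ok"      # marked but unrouted: EXTRA
    # public_guix_channel.git is routed but unmarked: MISSING
    le="$tmp/le/archive/kokyou.dev"
    mkdir -p "$le"
    : > "$le/privkey1.pem"; chmod 640 "$le/privkey1.pem"   # group-readable only: fine
    : > "$le/privkey2.pem"; chmod 644 "$le/privkey2.pem"   # readable by others: flagged
    my_group=$(ls -ld "$le/privkey1.pem" | awk '{print $4}')   # stands in for ssl-cert

    check_export_markers "$tmp/repos" oaichannel.git public_guix_channel.git
    check_cert_perms "$tmp/le" "$my_group"
    rm -rf "$tmp"
}
demo
```

On the real host, run the checks as root or as a member of the git and ssl-cert groups, and pass the repo names from the nginx locations (here oaichannel.git and public_guix_channel.git) as the routed list. An EXTRA result is not an HTTP exposure, because nginx only routes the listed locations, but it does flag a repo that has been marked exportable without anyone intending to publish it. Gitolite can also maintain the marker itself when a repo grants `R = daemon` in gitolite.conf, which is one way the note's "done automatically in the future" could be realised.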
== Boot and Init ==

=== Bootloader ===

 * grub-efi-bootloader
 * EFI target: /boot/efi

=== Initrd ===

 * Adds virtio_scsi to support virtio disks (used in QEMU)

== Summary ==

This system provides a secure, lean, and fully declarative infrastructure combining modern development tools with reproducibility and control. Key benefits include:

 * Separation of concerns across services
 * Reproducible and declarative service setup
 * Git and Trac integration via FastCGI
 * TLS automation with Certbot
 * Secure VPN access
 * Snapshot-friendly Btrfs setup

[wiki:Configs back]