wiki:System Description

Version 6 (modified by enno, 5 days ago) ( diff )

--

System Configuration Overview

This page documents the System configuration for the Neotek server, maintained using Guix. The configuration integrates:

  • Trac for project management
  • Gitolite for secure Git access
  • Git HTTP access via nginx + fcgiwrap
  • Certbot-managed TLS
  • WireGuard VPN access
  • Minimal desktop environment
  • Declarative and snapshot-friendly Btrfs subvolume layout

Modules and Packages

The system imports essential Guix modules for services, users, packages, and expression construction. Additionally, it includes a private channel oai and SRFI-1 helpers.

The following packages are installed:

  • Window manager: i3-wm, i3status, dmenu, st
  • Core tools: vim, git, htop, iotop, lsof
  • Server tools: certbot, nginx, trac
  • SSL and Git access: le-certs, fcgiwrap

File System Layout

A single Btrfs volume (NeotekRoot) is used, subdivided into subvolumes for:

  • / → @
  • /home → @home
  • /gnu → @gnu
  • /var/log → @log

All subvolumes are mounted with: 

compress=zstd,ssd,discard=async

This ensures compression, SSD optimization, and trim support.

Users and Permissions

User accounts are declaratively defined:

  • enno: Admin user, with access to wheel, ssl-cert, tracd, etc.
  • tracd: Trac daemon user (no login shell)
  • nginx: Nginx worker (read access to certs/repos)
  • git: Gitolite access user (home is /home/git)

Groups:

  • ssl-cert: Shared access to Let’s Encrypt files
  • git: Gitolite and HTTP Git
  • tracd: Trac service access

A custom activation service adjusts permissions for:

  • /etc/letsencrypt/live and /etc/letsencrypt/archive
  • /home/git

Services

Core

  • gnome-desktop-service-type: Minimal GUI
  • openssh-service-type: Remote access
  • qemu-guest-agent-service-type: VM support

Trac

A custom shepherd service starts tracd:

  • Port: 8080
  • Auth: .htpasswd with realm-based routing
  • User/group: tracd
  • PATH includes Git for ticket/repo integration

Gitolite

  • Uses system user git
  • Admin pubkey bootstrap from gitolite-admin.pub
  • umask 0027 ensures private, group-readable repos

Certbot

  • Auto-manages TLS for kokyou.dev
  • Renewed certs are made readable by ssl-cert group

nginx

Reverse proxy setup with:

  • SSL termination for kokyou.dev
  • Proxy to Trac (http://127.0.0.1:8080)
  • Git over HTTP using git-http-backend via fcgiwrap
  • Basic HTTP auth for repo endpoints

Example Git locations:

  • /oaichannel.git
  • /public_guix_channel.git

All secured via .htpasswd.

fcgiwrap

  • Wraps git-http-backend to allow nginx to serve bare repos.
  • Runs as git:git

WireGuard VPN

  • Interface: 10.0.0.1
  • Peer: wintermute at 10.0.0.2
  • Uses private key from /srv/wg/wg_armitage_prv.key

Xorg Configuration

Keyboard layout is set to us with altgr-intl variant.

Boot and Init

Bootloader

  • grub-efi-bootloader
  • EFI target: /boot/efi

Initrd

  • Adds virtio_scsi to support virtio disks (used in QEMU)

Summary

This system provides a secure, lean, and fully declarative infrastructure combining modern development tools with reproducibility and control. Key benefits include:

  • Separation of concerns across services
  • Reproducible and declarative service setup
  • Git and Trac integration via FastCGI
  • TLS automation with Certbot
  • Secure VPN access
  • Snapshot-friendly Btrfs setup

back

Note: See TracWiki for help on using the wiki.