wiki:System Description

Version 7 (modified by enno, 2 weeks ago)


System Configuration Overview

This page documents the system configuration for the Neotek server, maintained using Guix. The configuration integrates:

  • Trac for project management
  • Gitolite for secure Git access
  • Git HTTP access via nginx + fcgiwrap
  • Certbot-managed TLS
  • WireGuard VPN access
  • Minimal desktop environment
  • Declarative and snapshot-friendly Btrfs subvolume layout

Modules and Packages

The system imports essential Guix modules for services, users, packages, and expression construction. Additionally, it includes a private channel oai and SRFI-1 helpers.

The following packages are installed:

  • Window manager: i3-wm, i3status, dmenu, st
  • Core tools: vim, git, htop, iotop, lsof
  • Server tools: certbot, nginx, trac
  • SSL and Git access: le-certs, fcgiwrap

File System Layout

A single Btrfs volume (NeotekRoot) is used, subdivided into subvolumes for:

  • / → @
  • /home → @home
  • /gnu → @gnu
  • /var/log → @log

All subvolumes are mounted with:

compress=zstd,ssd,discard=async

This ensures compression, SSD optimization, and trim support.

Users and Permissions

User accounts are declaratively defined:

  • enno: Admin user, with access to wheel, ssl-cert, tracd, etc.
  • tracd: Trac daemon user (no login shell)
  • nginx: Nginx worker (read access to certs/repos)
  • git: Gitolite access user (home is /home/git)

Groups:

  • ssl-cert: Shared access to Let’s Encrypt files
  • git: Gitolite and HTTP Git
  • tracd: Trac service access

A custom activation service adjusts permissions for:

  • /etc/letsencrypt/live and /etc/letsencrypt/archive
  • /home/git

Services

Core

  • gnome-desktop-service-type: Minimal GUI
  • openssh-service-type: Remote access
  • qemu-guest-agent-service-type: VM support

Trac

A custom shepherd service starts tracd:

  • Port: 8080
  • Auth: .htpasswd with realm-based routing
  • User/group: tracd
  • PATH includes Git for ticket/repo integration

Gitolite

  • Uses system user git
  • Admin pubkey bootstrap from gitolite-admin.pub
  • umask 0027 ensures private, group-readable repos

NOTE: You need to put the file git-daemon-export-ok in every bare repo you want to export and which has a valid nginx route. After a system reconfigure, check whether this file is still there; if not, you have to recreate it. This will be done automatically in the future, but be aware of it until then.
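The post-reconfigure check described in the note above, written out as an added example (not part of this wiki page or the system configuration). It assumes Gitolite's default layout, bare repos as `<root>/<name>.git` under /home/git/repositories, and runs here against a constructed temporary tree; it also lists repos that do carry the flag, so an unintended export is just as visible as a missing one.

```shell
#!/bin/sh
# Added example: audit which bare repos below a Gitolite repository root carry the
# git-daemon-export-ok flag that git-http-backend requires. Assumption: Gitolite's
# default layout, bare repos as <root>/<name>.git (root /home/git/repositories).

# Print "exported <repo>" or "missing <repo>" for every bare repo below $1.
audit_export_flags() {
    root=$1
    find "$root" -type d -name '*.git' -prune | sort | while IFS= read -r repo; do
        if [ -f "$repo/git-daemon-export-ok" ]; then
            printf 'exported %s\n' "${repo#"$root/"}"
        else
            printf 'missing %s\n' "${repo#"$root/"}"
        fi
    done
}

# Number of repos below $1 that lack the flag; 0 means nothing to recreate.
count_missing_flags() {
    audit_export_flags "$1" | grep -c '^missing '
}

# Constructed sample tree standing in for /home/git/repositories: only
# oaichannel.git is flagged, the other two would be unreachable over HTTP.
make_sample_tree() {
    tmp=$(mktemp -d)
    for r in oaichannel public_guix_channel gitolite-admin; do
        mkdir -p "$tmp/$r.git"
    done
    : > "$tmp/oaichannel.git/git-daemon-export-ok"
    printf '%s\n' "$tmp"
}

# Run with --demo to print the audit of the constructed tree; on the real
# host call: audit_export_flags /home/git/repositories
if [ "${1:-}" = "--demo" ]; then
    SAMPLE=$(make_sample_tree)
    audit_export_flags "$SAMPLE"
    rm -rf "$SAMPLE"
fi
```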

Certbot

  • Auto-manages TLS for kokyou.dev
  • Renewed certs are made readable by ssl-cert group

nginx

Reverse proxy setup with:

  • SSL termination for kokyou.dev
  • Proxy to Trac (http://127.0.0.1:8080)
  • Git over HTTP using git-http-backend via fcgiwrap
  • Basic HTTP auth for repo endpoints

Example Git locations:

  • /oaichannel.git
  • /public_guix_channel.git

All secured via .htpasswd.

fcgiwrap

  • Wraps git-http-backend to allow nginx to serve bare repos
  • Runs as git:git

WireGuard VPN

  • Interface: 10.0.0.1
  • Peer: wintermute at 10.0.0.2
  • Uses private key from /srv/wg/wg_armitage_prv.key

Xorg Configuration

Keyboard layout is set to us with altgr-intl variant.

Boot and Init

Bootloader

  • grub-efi-bootloader
  • EFI target: /boot/efi

Initrd

  • Adds virtio_scsi to support virtio disks (used in QEMU)

Summary

This system provides a secure, lean, and fully declarative infrastructure combining modern development tools with reproducibility and control. Key benefits include:

  • Separation of concerns across services
  • Reproducible and declarative service setup
  • Git and Trac integration via FastCGI
  • TLS automation with Certbot
  • Secure VPN access
  • Snapshot-friendly Btrfs setup
