authorFrederick Muriuki Muriithi2024-11-07 08:51:43 -0600
committerFrederick Muriuki Muriithi2024-11-07 10:56:23 -0600
commit4e6b192bd61e2d93dede6bd104e00f1a952544fa (patch)
treef25a72548680568d4d2098d41d1f2571690ccea5 /public-sparql.scm
parentb6f6efa585940b1c20908262b01519baef6d671a (diff)
downloadgn-machines-4e6b192bd61e2d93dede6bd104e00f1a952544fa.tar.gz
Update service to handle HTTPS certificates in container.
Add the uacme service to the public-sparql container and update the services in order to automate the retrieval and update of HTTPS certificates within the container.
Diffstat (limited to 'public-sparql.scm')
-rw-r--r--public-sparql.scm119
1 files changed, 75 insertions, 44 deletions
diff --git a/public-sparql.scm b/public-sparql.scm
index 76c9f3a..9ea307f 100644
--- a/public-sparql.scm
+++ b/public-sparql.scm
@@ -17,51 +17,82 @@
;;; along with genenetwork-machines. If not, see
;;; <https://www.gnu.org/licenses/>.
-(use-modules (gnu)
+(use-modules (guix records)
+ (gnu)
+ (gnu services web)
+ (gnu packages admin)
(gn services databases)
- (gnu services web))
+ (forge acme)
+ (forge nginx)
+ (forge socket))
-(define (virtuoso-reverse-proxy-server-block listen sparql-port)
- "Return an <nginx-server-configuration> object listening on LISTEN to
-reverse proxy the Virtuoso server. SPARQL-PORT is the port virtuoso's
-SPARQL endpoint is listening on."
- (nginx-server-configuration
- (server-name '("sparql.genenetwork.org"))
- (listen (list listen))
- (locations
- (list (nginx-location-configuration
- (uri "/")
- (body (list (string-append "proxy_pass http://localhost:"
- (number->string sparql-port) ";")
- "proxy_set_header Host $host;")))))))
-
-(define %reverse-proxy-port 8990)
(define %virtuoso-port 8981)
-(define %sparql-port 8982)
-(operating-system
- (host-name "sparql")
- (timezone "UTC")
- (locale "en_US.utf8")
- (bootloader (bootloader-configuration
- (bootloader grub-bootloader)
- (targets (list "/dev/sdX"))))
- (file-systems %base-file-systems)
- (users %base-user-accounts)
- (packages %base-packages)
- (services (cons* (service virtuoso-service-type
- (virtuoso-configuration
- (server-port %virtuoso-port)
- (http-server-port %sparql-port)
- (number-of-buffers 4000000)
- (dirs-allowed "/var/lib/virtuoso")
- (maximum-dirty-buffers 3000000)
- (database-file "/var/lib/virtuoso/public-virtuoso.db")
- (transaction-file "/var/lib/virtuoso/public-virtuoso.trx")))
- (service nginx-service-type
- (nginx-configuration
- (server-blocks
- (list (virtuoso-reverse-proxy-server-block
- (number->string %reverse-proxy-port)
- %sparql-port)))))
- %base-services)))
+(define-record-type* <sparql-configuration>
+ sparql-configuration make-sparql-configuration sparql-configuration?
+
+ (server-name sparql-configuration-server-name
+ (default "sparql.genenetwork.org"))
+ (virtuoso-configuration sparql-configuration-virtuoso-configuration
+ (default (virtuoso-configuration
+ (server-port 8981)
+ (http-server-port 8982)
+ (number-of-buffers 4000000)
+ (dirs-allowed "/var/lib/virtuoso")
+ (maximum-dirty-buffers 3000000)
+ (database-file "/var/lib/virtuoso/public-virtuoso.db")
+ (transaction-file "/var/lib/virtuoso/public-virtuoso.trx")))))
+
+(define (virtuoso-reverse-proxy-server-block config)
+ "Return an <nginx-server-configuration> to reverse proxy the Virtuoso server."
+ (match-record config <sparql-configuration> (server-name virtuoso-configuration)
+ (list (nginx-server-configuration
+ (server-name (list server-name))
+ (locations
+ (list (nginx-location-configuration
+ (uri "/")
+ (body (list (string-append
+ "proxy_pass http://localhost:"
+ (number->string
+ (virtuoso-configuration-http-server-port virtuoso-configuration))
+ ";")
+ "proxy_set_header Host $host;")))))))))
+
+(define sparql-service-type
+ (service-type
+ (name 'public-sparql)
+ (description "Expose a virtuoso service to the public")
+ (extensions
+ (list (service-extension forge-nginx-service-type
+ virtuoso-reverse-proxy-server-block)))))
+
+(let ((sparql-config (sparql-configuration)))
+ (operating-system
+ (host-name "sparql")
+ (timezone "UTC")
+ (locale "en_US.utf8")
+ (bootloader (bootloader-configuration
+ (bootloader grub-bootloader)
+ (targets (list "/dev/sdX"))))
+ (file-systems %base-file-systems)
+ (users %base-user-accounts)
+ (sudoers-file
+ (mixed-text-file "sudoers"
+ "@include " %sudoers-specification
+ "\nacme ALL = NOPASSWD: " (file-append shepherd "/bin/herd") " restart nginx\n"))
+ (packages %base-packages)
+ (services (cons* (service forge-nginx-service-type
+ (forge-nginx-configuration
+ (http-listen (forge-ip-socket
+ (ip "0.0.0.0")
+ (port 8990)))
+ (https-listen (forge-ip-socket
+ (ip "0.0.0.0")
+ (port 8991)))))
+ (service acme-service-type
+ (acme-configuration
+ (email "arunisaac@systemreboot.net")))
+ (service virtuoso-service-type
+ (sparql-configuration-virtuoso-configuration sparql-config))
+ (service sparql-service-type sparql-config)
+ %base-services))))
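Review bot: The `(uri "/")` location in virtuoso-reverse-proxy-server-block forwards every path on Virtuoso's HTTP listener to the public server name, not only the SPARQL endpoint, and the commit now fronts it with a listener on 0.0.0.0. Whether this instance serves anything besides SPARQL on that port (Virtuoso can host its Conductor admin pages and other virtual directories there) is not visible in this hunk, so if only queries are meant to be public I would narrow the location, e.g. `(uri "/sparql")`, and state the intended exposure in the docstring. Separately, the ports are now hard-coded in the <sparql-configuration> default while the context line `(define %virtuoso-port 8981)` is kept and appears unused in the new code; either drop it or reference it in the default so the two values cannot drift.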