there was a fish in the calculatorhttps://fishinthecalculator.me/feeds/tags/bonfire.xmlTag: bonfire2026-05-05T22:13:01ZBonfire & Guix, a love storyhttps://fishinthecalculator.me/blog/bonfire--guix-a-love-story.htmlGiacomo Leiditherewasa@fishinthecalculator.me2025-06-04T23:23:00Z<p>Bonfire is a new framework to build federated applications that just <a href="https://github.com/bonfire-networks/bonfire-app/releases/tag/v1.0.0-rc.1">reached RC1</a>. It is written in Elixir, a nice functional language, and allows communities to create custom flavored Fediverse applications, that can be tailored for their specific needs. I have been <a href="/projects.html#bonfire">in touch with the core team</a> and I'm trying to make the experience of running Bonfire on Guix as smooth as possible.</p><p>Guix is a general purpose provisioning tool, it implements trustable, functional and reproducible <a href="https://codeberg.org/guix/guix/src/branch/master/gnu/packages/base.scm#L99">package recipes</a> in the Guile language. It implements also a distro called Guix System, featuring transactional, atomic upgrades and that can be completely be manipulated with Guile. This allows to easily modularize configuration bits and makes it possible to reuse or generate system configurations.</p><p>The post is structured in the following way:</p><ul><li><a href="#where_you_start_from">Where you start from</a></li><li><a href="#dns_setup">DNS Setup</a></li><li><a href="#enabling_gocix">Enabling <code>gocix</code></a></li><li><a href="#ssl_certificates">Setting up SSL certificates (HTTPS) with Certbot</a></li><li><a href="#ssh_assumptions">SSH assumptions</a></li><li><a href="#secrets_setup">Secrets setup</a></li><li><a href="#automatic_database_provisioning">Automatic database provisioning</a></li><li><a href="#firewall_setup">Firewall setup</a></li><li><a href="#enabling_rootless_podman">Enabling rootless Podman</a></li><li><a href="#configuring_oci_provisioning">Configuring OCI provisioning</a></li><li><a href="#starting_bonfire_social">Starting Bonfire Social</a></li><li><a href="#running_a_reverse_proxy">Running a Reverse proxy</a></li><li><a href="#configuring_database_backups">Configuring database backups</a></li><li><a href="#enabling_automatic_upgrades">Enabling automatic upgrades</a></li><li><a href="#enabling_automatic_reboots">Enabling automatic reboots</a></li><li><a href="#summing_up">Summing up</a></li></ul><p>In case you just want to see the final configuration, you can <a href="#summing_up">jump from here</a>.</p><h3 id="where_you_start_from">Where you start from</h3><p>In this post we'll set up a production Bonfire instance with a declarative approach over the Guix System. It will be a secure setup featuring: HTTPS, automatic backups and Guix provisioned secrets. This post also assumes you have a preinstalled Guix machine that you can login into either via console or SSH. If you need help with installing Guix, feel free to reach out, it takes time but I try to help everyone.</p><p>If, at any point while following the instructions, you get your system into a broken state you can always go back to the last known system generation with:</p><pre><code># Supposing the last known good generation ID is 120
sudo guix system switch-generation 120</code></pre><p>Then reboot. You should now be back again in a functional system. I recommend noting the current generation ID you are in before doing anything, with:</p><pre><code>$ guix system list-generations
...
Generation 120 Jun 14 2025 20:57:49 (current)
file name: /var/guix/profiles/system-120-link
canonical file name: /gnu/store/lmg382z3zlpi9bcl81srd8dh92nr5aml-system
label: GNU with Linux-Libre 6.14.11
bootloader: grub
root device: UUID: e4a319f6-6552-4d6b-afe8-9988df65173c
kernel: /gnu/store/awmrxyh7i8phaqniwgmj7v4haxk8g9p2-linux-libre-6.14.11/bzImage
channels:
guix:
repository URL: https://git.guix.gnu.org/guix.git
branch: master
commit: c8218094c47482c16f4cdd1e8092c35dab117418</code></pre><p>In this case the generation ID is <code>120</code> (note the <code>(current)</code>).</p><h3 id="dns_setup">DNS setup</h3><p>Everything in this post assumes you have at least an <code>A</code> DNS record pointing to your machine's public IP address. Even better if you have also an <code>AAAA</code> record. Supposing your domain name is <code>bonfire.fishinthecalculator.me</code> you can check if DNS is working fine on the Guix System with:</p><pre><code>$ guix shell bind bind:utils -- dig bonfire.fishinthecalculator.me A</code></pre><p>The same goes for <code>AAAA</code> records:</p><pre><code>$ guix shell bind bind:utils -- dig bonfire.fishinthecalculator.me AAAA</code></pre><h3 id="enabling_gocix">Enabling gocix</h3><p>The first piece of configuration you'll need <a href="https://github.com/fishinthecalculator/gocix?tab=readme-ov-file#configure">is the <code>gocix</code> channel</a> in your user's <code>.config/guix/channels.scm</code>. <code>gocix</code> is a <a href="/projects.html#gocix">project I made</a> to <a href="https://github.com/fishinthecalculator/gocix?tab=readme-ov-file#motivation">bring to your Guix installation</a> cloud native applications, backed by OCI images, that can be configured in Guile. They share most of the nice properties Guix native services have: atomic upgrades, transactions and rollbacks.</p><p>After <code>guix pull</code>, in a new shell, your <code>guix describe</code> should look something (commit hashes will probably differ) like this:</p><pre><code>$ guix describe
Generation 68 Jun 13 2025 19:20:50 (current)
guix 4c142ad
repository URL: https://git.guix.gnu.org/guix.git
branch: master
commit: 4c142ad34b5ce32ce9004c3efa90d61d197ce436
sops-guix 89f46bc
repository URL: https://github.com/fishinthecalculator/sops-guix
branch: main
commit: 89f46bc4686504763f49e6b34c596720d347d8da
gocix fca34c4
repository URL: https://github.com/fishinthecalculator/gocix
branch: main
commit: fca34c4f871501b252d741fad0522a9fc65b65da</code></pre><h3 id="ssl_certificates">SSL certificates</h3><p>You want to setup SSL certificates provisioning as soon as possible, since everything from now on presupposes HTTPS. To do so on the Guix system, you have to add the <code>certbot-service-type</code> to your <code>operating-system</code> record (which after installation is available in <code>/etc/config.scm</code>):</p><pre><code><span class="syntax-open">(</span><span class="syntax-symbol">use-modules</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">certbot</span><span class="syntax-close">)</span> <span class="syntax-symbol">...</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'certbot-service-type'
</span>
<span class="syntax-open">(</span><span class="syntax-symbol">operating-system</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">services</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">certbot-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">certbot-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">email</span> <span class="syntax-string">"your@email.org"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">certificates</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span>
<span class="syntax-open">(</span><span class="syntax-symbol">certificate-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">domains</span> <span class="syntax-open">(</span><span class="syntax-symbol">list</span> <span class="syntax-string">"bonfire.fishinthecalculator.me"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span></code></pre><p>Now, after running <code>sudo guix system reconfigure /etc/config.scm</code>, you should be able to check the status of the <code>renew-certbot-certificates</code> Shepherd service with:</p><pre><code>$ sudo herd status renew-certbot-certificates
● Status of renew-certbot-certificates:
It is stopped (one-shot).
It is enabled.
Provides: renew-certbot-certificates
Requires: nginx
Custom action: configuration
Will be respawned.
Recent messages (use '-n' to view more or less):
2025-03-19 22:32:18
2025-03-19 22:32:18 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2025-03-19 22:32:18 Certificate not yet due for renewal; no action taken.
2025-03-19 22:32:18 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2025-03-19 22:32:18 Certificate successfully acquired: bonfire.fishinthecalculator.me</code></pre><p>The command shows that the service has successfully acquired an SSL certificate for your domain. From now on the Guix System <a href="https://guix.gnu.org/manual/devel/en/guix.html#Certificate-Services">will periodically take care of renewing the certificate</a>. You can check the files are actually there with:</p><pre><code>$ sudo ls -l /etc/letsencrypt/live/bonfire.fishinthecalculator.me/
total 4
lrwxrwxrwx 1 root root 54 Mar 8 02:51 cert.pem -> ../../archive/bonfire.fishinthecalculator.me/cert1.pem
lrwxrwxrwx 1 root root 55 Mar 8 02:51 chain.pem -> ../../archive/bonfire.fishinthecalculator.me/chain1.pem
lrwxrwxrwx 1 root root 59 Mar 8 02:51 fullchain.pem -> ../../archive/bonfire.fishinthecalculator.me/fullchain1.pem
lrwxrwxrwx 1 root root 57 Mar 8 02:51 privkey.pem -> ../../archive/bonfire.fishinthecalculator.me/privkey1.pem
-rw-r--r-- 1 root root 692 Mar 8 02:51 README</code></pre><h3 id="ssh_assumptions">SSH assumptions</h3><p>If you need SSH access you are encouraged to turn off root login, password authentication and use only SSH keys. You can <a href="https://guix.gnu.org/manual/devel/en/guix.html#index-openssh_002dconfiguration">check the Guix manual on how to do that</a>. Also <code>fail2ban</code> <a href="https://guix.gnu.org/manual/devel/en/guix.html#index-Fail2Ban">is pretty easy to setup</a> with its default configuration for port <code>22</code>.</p><h3 id="secrets_setup">Secrets setup</h3><p>Next you are going to need to setup some secrets, both for the PostgreSQL database and the Bonfire instance. One way of doing so is with <a href="https://getsops.io">SOPS</a> and <a href="https://github.com/fishinthecalculator/sops-guix"><code>sops-guix</code></a>. You can read a <a href="https://github.com/fishinthecalculator/sops-guix?tab=readme-ov-file#creating-secrets-with-sops">more in depth version of this section</a> at <code>sops-guix</code>.</p><p>SOPS allows for two different encyption tools: <a href="https://www.gnupg.org">GnuPG</a> and <a href="https://age-encryption.org">age</a>. If you don't have any requirement the easiest way is to generate <code>age</code> keys and encrypt secrets with them.</p><pre><code>~$ sudo -i
Password:
~# mkdir -p ~/.config/sops/age
~# guix shell age -- age-keygen -o /root/.config/sops/age/keys.txt
...
Public key: age1m3hcq7d9sl3d0uz6ezxvns4f7mjctksmmf5d8tpptmyz30rk9qnscgzfsa</code></pre><p>You'll need one keypair for each user of the secret so, if you intend to be able to update secrets on a different machine than the one you are installing Bonfire on, make sure to generate a keypair there as well. If you are creating secrets on a PC or a laptop and intend to run Bonfire on a server you SSH into, this is your scenario. Create one keypair for your user on your machine at <code>$HOME.config/sops/age/keys.txt</code> and the above on the server.</p><p>Next you need to create a SOPS configuration file, named <code>.sops.yaml</code>, in the same directory your configuration file is:</p><pre><code>keys:
- &user_yourself_age age1peu96695en0xrlshkd3j3zzd04payh3cx27yjw6r40z8ekemnuesmkrupn
- &host_yoursystem age1m3hcq7d9sl3d0uz6ezxvns4f7mjctksmmf5d8tpptmyz30rk9qnscgzfsa
creation_rules:
- path_regex: .*yoursystem\.yaml$
key_groups:
- age:
- *user_yourself_age
- *host_yoursystem</code></pre><p>You are now ready to create the <a href="https://docs.bonfirenetworks.org/deploy.html#secret-keys-for-which-you-should-put-random-secrets">secrets you need</a>.</p><h4 id="postgresql_secret">PostgreSQL secret</h4><p>You will need a password to protect the PostgreSQL access from unauthorized users. You can generate a random string with:</p><pre><code>$ guix shell openssl -- openssl rand -base64 32
v/hSYQHNCJMYW+U8D3m6ADQ+5382jN9iJ69gfImEISY=</code></pre><p>From the same directory where the <code>.sops.yaml</code> and your configuration are stored, run the following command to create a <code>yoursystem.yaml</code> file that will store your encrypted secrets. Unencrypted secrets are supposed to never hit the disk, check out <code>sops-guix</code> README for more information.</p><pre><code>$ guix shell sops -- sops yoursystem.yaml</code></pre><p>Your default editor will pop up. Replace the SOPS example secrets and add the following content to the file:</p><pre><code>postgres:
bonfire: v/hSYQHNCJMYW+U8D3m6ADQ+5382jN9iJ69gfImEISY=</code></pre><p>Save and close the editor. You can now check inside <code>yoursystem.yaml</code> and see that the secrets is effectively encrypted.</p><h4 id="meilisearch_secret">meilisearch secret</h4><p>Bonfire requires an additional service to run searches, <a href="https://www.meilisearch.com/"><code>meilisearch</code></a>. Generate another password and add, the same way as before with <code>sops yoursystem.yaml</code>, to your secrets file the following:</p><pre><code>meilisearch:
master: ...</code></pre><h4 id="bonfire_secrets">Bonfire secrets</h4><p>The last three secrets are for Bonfire. You can do that with a one-liner with:</p><pre><code>$ sops set yoursystem.yaml '["bonfire"]' "$(echo '{"secret_key_base": "", "signing_salt": "", "encryption_salt": ""}' | jq ".secret_key_base = \"$(openssl rand -base64 128)\"" | jq ".signing_salt = \"$(openssl rand -base64 128)\"" | jq ".encryption_salt = \"$(openssl rand -base64 128)\"")</code></pre><p>This should create correctly sized secrets for Bonfire.</p><h4 id="email_secrets">Email secrets</h4><p>Bonfire needs to be able to send emails to users, both for invites and password change. It <a href="https://docs.bonfirenetworks.org/Bonfire.Mailer.html">supports many ways to do so</a>, I happen to use the free tier of Mailjet but there are many options. Email setup is out of scope for this post, but at the end of the setup process you'll get one or more secret tokens. Add them in <code>yoursystem.yaml</code> the same way you did for the other secrets and save the file. Make sure to remember the list of keys in the YAML file necessary to access the secrets, in my case they are:</p><pre><code>mail:
bonfire:
key: ...
private_key: ...</code></pre><p>When all secrets are in your <code>yoursystem.yaml</code> file your can add the following to your operating system configuration:</p><pre><code><span class="syntax-open">(</span><span class="syntax-symbol">use-modules</span> <span class="syntax-open">(</span><span class="syntax-symbol">guix</span> <span class="syntax-symbol">gexp</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'local-file'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">guix</span> <span class="syntax-symbol">utils</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'current-source-directory'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">sops</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">sops</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'sops-secrets-service-type' and 'sops-sops-secret->secret-file'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">sops</span> <span class="syntax-symbol">secrets</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'sops-secret'
</span> <span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-special">define</span> <span class="syntax-symbol">%project-root</span>
<span class="syntax-open">(</span><span class="syntax-symbol">current-source-directory</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-special">define</span> <span class="syntax-symbol">sops.yaml</span>
<span class="syntax-open">(</span><span class="syntax-symbol">local-file</span> <span class="syntax-open">(</span><span class="syntax-symbol">string-append</span> <span class="syntax-symbol">%project-root</span> <span class="syntax-string">"/.sops.yaml"</span><span class="syntax-close">)</span>
<span class="syntax-string">"sops.yaml"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-special">define-public</span> <span class="syntax-symbol">yoursystem.yaml</span>
<span class="syntax-open">(</span><span class="syntax-symbol">local-file</span> <span class="syntax-open">(</span><span class="syntax-symbol">string-append</span> <span class="syntax-symbol">%project-root</span> <span class="syntax-string">"/yoursystem.yaml"</span><span class="syntax-close">)</span>
<span class="syntax-string">"yoursystem.yaml"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; PostgreSQL
</span>
<span class="syntax-open">(</span><span class="syntax-special">define-public</span> <span class="syntax-symbol">bonfire-postgres-password-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret</span>
<span class="syntax-comment">;; Each element of this list represents
</span> <span class="syntax-comment">;; one key in yoursystem.yaml. In this case
</span> <span class="syntax-comment">;; it represents:
</span> <span class="syntax-comment">;;
</span> <span class="syntax-comment">;; postgres:
</span> <span class="syntax-comment">;; bonfire:
</span> <span class="syntax-comment">;;
</span> <span class="syntax-open">(</span><span class="syntax-symbol">key</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-string">"postgres"</span> <span class="syntax-string">"bonfire"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">user</span> <span class="syntax-string">"oci-container"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">group</span> <span class="syntax-string">"postgres"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">file</span> <span class="syntax-symbol">yoursystem.yaml</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">permissions</span> <span class="syntax-symbol">#o440</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Meilisearch
</span>
<span class="syntax-open">(</span><span class="syntax-special">define-public</span> <span class="syntax-symbol">meilisearch-key-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">key</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-string">"meilisearch"</span> <span class="syntax-string">"master"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">user</span> <span class="syntax-string">"oci-container"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">group</span> <span class="syntax-string">"users"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">file</span> <span class="syntax-symbol">yoursystem.yaml</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">permissions</span> <span class="syntax-symbol">#o400</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Bonfire
</span>
<span class="syntax-open">(</span><span class="syntax-special">define-public</span> <span class="syntax-symbol">bonfire-mail-key-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">key</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-string">"mail"</span> <span class="syntax-string">"bonfire"</span> <span class="syntax-string">"key"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">user</span> <span class="syntax-string">"oci-container"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">group</span> <span class="syntax-string">"users"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">file</span> <span class="syntax-symbol">yoursystem.yaml</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">permissions</span> <span class="syntax-symbol">#o400</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-special">define-public</span> <span class="syntax-symbol">bonfire-mail-private-key-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">key</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-string">"mail"</span> <span class="syntax-string">"bonfire"</span> <span class="syntax-string">"private_key"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">user</span> <span class="syntax-string">"oci-container"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">group</span> <span class="syntax-string">"users"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">file</span> <span class="syntax-symbol">yoursystem.yaml</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">permissions</span> <span class="syntax-symbol">#o400</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-special">define-public</span> <span class="syntax-symbol">bonfire-secret-key-base-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">key</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-string">"bonfire"</span> <span class="syntax-string">"secret_key_base"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">user</span> <span class="syntax-string">"oci-container"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">group</span> <span class="syntax-string">"users"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">file</span> <span class="syntax-symbol">yoursystem.yaml</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">permissions</span> <span class="syntax-symbol">#o400</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-special">define-public</span> <span class="syntax-symbol">bonfire-signing-salt-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">key</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-string">"bonfire"</span> <span class="syntax-string">"signing_salt"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">user</span> <span class="syntax-string">"oci-container"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">group</span> <span class="syntax-string">"users"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">file</span> <span class="syntax-symbol">yoursystem.yaml</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">permissions</span> <span class="syntax-symbol">#o400</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-special">define-public</span> <span class="syntax-symbol">bonfire-encryption-salt-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">key</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-string">"bonfire"</span> <span class="syntax-string">"encryption_salt"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">user</span> <span class="syntax-string">"oci-container"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">group</span> <span class="syntax-string">"users"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">file</span> <span class="syntax-symbol">yoursystem.yaml</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">permissions</span> <span class="syntax-symbol">#o400</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">operating-system</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">services</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">certbot-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">sops-secrets-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-service-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">config</span> <span class="syntax-symbol">sops.yaml</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">secrets</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span> <span class="syntax-symbol">meilisearch-key-secret</span>
<span class="syntax-symbol">bonfire-postgres-password-secret</span>
<span class="syntax-symbol">bonfire-mail-key-secret</span>
<span class="syntax-symbol">bonfire-mail-private-key-secret</span>
<span class="syntax-symbol">bonfire-secret-key-base-secret</span>
<span class="syntax-symbol">bonfire-signing-salt-secret</span>
<span class="syntax-symbol">bonfire-encryption-salt-secret</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span></code></pre><h3 id="automatic_database_provisioning">Automatic database provisioning</h3><p>Bonfire supports the PostgreSQL database engine and requires the <code>postgis</code> extension, this is what is is required to set them up:</p><pre><code><span class="syntax-open">(</span><span class="syntax-symbol">use-modules</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">packages</span> <span class="syntax-symbol">geo</span><span class="syntax-close">)</span> <span class="syntax-comment">;for postgis
</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">packages</span> <span class="syntax-symbol">databases</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'postgresql'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">databases</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'postgresql-service-type' and 'postgresql-role-service-type'
</span> <span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">operating-system</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">services</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">certbot-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">sops-secrets-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Postgres
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">postgresql-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">postgresql</span> <span class="syntax-symbol">postgresql</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Bonfire requires postgis.
</span> <span class="syntax-open">(</span><span class="syntax-symbol">extension-packages</span> <span class="syntax-open">(</span><span class="syntax-symbol">list</span> <span class="syntax-symbol">postgis</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">port</span> <span class="syntax-symbol">5432</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-role-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">postgresql-role-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">shepherd-requirement</span>
<span class="syntax-comment">;; Allow database passwords to be provisioned through SOPS secrets
</span> <span class="syntax-open">(</span><span class="syntax-symbol">append</span>
<span class="syntax-symbol">%default-postgresql-role-shepherd-requirement</span>
<span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-symbol">sops-secrets</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span></code></pre><h3 id="firewall_setup">Firewall setup</h3><p>The <code>iptables-service-type</code> is required by the <code>rootless-podman-service-type</code>, and in general in case the machine is exposed to the Internet having a firewall is a good idea. The following configuration allows only TCP or UDP connections on ports <code>22</code>, <code>80</code> and <code>443</code>. All ICMP traffic is dropped. All of this both for IPv4 and IPv6.</p><pre><code><span class="syntax-open">(</span><span class="syntax-symbol">use-modules</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">networking</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'iptables-service-type'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">guix</span> <span class="syntax-symbol">gexp</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'plain-file'
</span> <span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">operating-system</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">services</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">certbot-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">sops-secrets-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Postgres
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-role-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">iptables-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">iptables-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">ipv4-rules</span> <span class="syntax-open">(</span><span class="syntax-symbol">plain-file</span> <span class="syntax-string">"iptables.rules"</span> <span class="syntax-string">"*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">ipv6-rules</span> <span class="syntax-open">(</span><span class="syntax-symbol">plain-file</span> <span class="syntax-string">"ip6tables.rules"</span> <span class="syntax-string">"*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
</code></pre><p>If the machine is not exposed to the internet then it is sufficient to add to your services:</p><pre><code><span class="syntax-open">(</span><span class="syntax-symbol">use-modules</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">networking</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'iptables-service-type'
</span> <span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">operating-system</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">services</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">certbot-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">sops-secrets-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Postgres
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-role-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">iptables-service-type</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span></code></pre><h3 id="enabling_rootless_podman">Enabling rootless Podman</h3><p>If you want to be able to run rootless containers with your own user <a href="https://guix.gnu.org/manual/devel/en/guix.html#index-container-management_002c-podman">follow the Guix manual</a>, for the Bonfire OCI image to work it is sufficient to add the <code>rootless-podman-service-type</code> and it DBus dependencies to your configuration:</p><pre><code><span class="syntax-open">(</span><span class="syntax-symbol">use-modules</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">containers</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'rootless-podman-service-type'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">dbus</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'dbus-service-type'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">desktop</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'elogind-service-type'
</span> <span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">operating-system</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">services</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">certbot-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">sops-secrets-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Postgres
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-role-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">iptables-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; The DBus clique
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">elogind-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">dbus-root-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">rootless-podman-service-type</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span></code></pre><h3 id="configuring_oci_provisioning">Configuring OCI provisioning</h3><p>Bonfire currently runs as an OCI image on the Guix System. This is an advantage in that it's not needed to package and maintain Guix native packages for all the Elixir dependencies, and is a disadvantage since binaries in the OCI image <a href="https://guix.gnu.org/it/blog/2024/identifying-software/">can't be verifiably connected to the source code</a> they and their dependencies are built from. In the past I did some <a href="https://github.com/fishinthecalculator/bonfire-guix">effort to package Bonfire extensions</a> but the work to build the Social flavor is still immense.</p><p>To run OCI services with the <code>rootless-podman-service-type</code>, you need to configure the <code>oci-service-type</code>:</p><pre><code><span class="syntax-open">(</span><span class="syntax-symbol">use-modules</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">containers</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'rootless-podman-service-type'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">dbus</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'dbus-service-type'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">desktop</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'elogind-service-type'
</span> <span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">operating-system</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">services</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">certbot-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">sops-secrets-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Postgres
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-role-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">iptables-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; The DBus clique
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">elogind-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">dbus-root-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">rootless-podman-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">oci-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">oci-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">runtime</span> <span class="syntax-symbol">'podman</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span></code></pre><p>Now reconfigure your system and reboot it to finalize service upgrades.</p><h3 id="starting_bonfire_social">Starting Bonfire Social</h3><p>To provision a functional Bonfire instance you will need two services, meilisearch and the Bonfire flavour. The <code>(oci services bonfire)</code> module provides a Guix System service able to provision a database, SOPS secrets and the Bonfire instance. Add the following to your operating system configuration, and make sure to change the values based on your actual setup:</p><pre><code><span class="syntax-open">(</span><span class="syntax-symbol">use-modules</span> <span class="syntax-open">(</span><span class="syntax-symbol">oci</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">bonfire</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'oci-bonfire-service-type'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">oci</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">meilisearch</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'oci-meilisearch-service-type'
</span> <span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">operating-system</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">services</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">certbot-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">sops-secrets-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Postgres
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-role-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">iptables-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; The DBus clique
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">elogind-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">dbus-root-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">rootless-podman-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">oci-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; meilisearch
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">oci-meilisearch-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">oci-meilisearch-configuration</span>
<span class="syntax-comment">;; We use the host network since we have a firewall.
</span> <span class="syntax-comment">;; An OCI network could be used between Bonfire and meilisearch.
</span> <span class="syntax-open">(</span><span class="syntax-symbol">network</span> <span class="syntax-string">"host"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">port</span> <span class="syntax-string">"7700"</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Since secrets are provisioned by sops-guix
</span> <span class="syntax-comment">;; sops-secrets must be added as a Shepherd dependency.
</span> <span class="syntax-open">(</span><span class="syntax-symbol">shepherd-requirement</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-symbol">user-processes</span> <span class="syntax-symbol">sops-secrets</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">master-key</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret->secret-file</span> <span class="syntax-symbol">meilisearch-key-secret</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Bonfire
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">oci-bonfire-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">oci-bonfire-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">bonfire-configuration</span>
<span class="syntax-comment">;; Networking
</span> <span class="syntax-open">(</span><span class="syntax-symbol">hostname</span> <span class="syntax-string">"bonfire.fishinthecalculator.me"</span><span class="syntax-close">)</span> <span class="syntax-comment">;replace with your domain
</span> <span class="syntax-open">(</span><span class="syntax-symbol">port</span> <span class="syntax-string">"4000"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">public-port</span> <span class="syntax-string">"443"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">network</span> <span class="syntax-string">"host"</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Postgres
</span> <span class="syntax-open">(</span><span class="syntax-symbol">postgres-user</span> <span class="syntax-string">"bonfire"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">postgres-db</span> <span class="syntax-string">"bonfire"</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Mail
</span> <span class="syntax-open">(</span><span class="syntax-symbol">mail-domain</span> <span class="syntax-string">"bonfire.fishinthecalculator.me"</span><span class="syntax-close">)</span> <span class="syntax-comment">;replace with your domain
</span> <span class="syntax-open">(</span><span class="syntax-symbol">mail-from</span> <span class="syntax-string">"friendlyadmin@bonfire.fishinthecalculator.me"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span> <span class="syntax-comment">;replace with your domain
</span> <span class="syntax-comment">;; Shepherd
</span> <span class="syntax-open">(</span><span class="syntax-symbol">upload-data-directory</span> <span class="syntax-string">"/var/lib/bonfire/uploads"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">requirement</span>
<span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-symbol">user-processes</span> <span class="syntax-symbol">postgresql</span> <span class="syntax-symbol">postgres-roles</span> <span class="syntax-symbol">sops-secrets</span> <span class="syntax-symbol">podman-meilisearch</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">extra-variables</span>
<span class="syntax-symbol">`</span><span class="syntax-open">(</span><span class="syntax-open">(</span><span class="syntax-string">"MAIL_BACKEND"</span> <span class="syntax-symbol">.</span> <span class="syntax-string">"mailjet"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-string">"SERVER_PORT"</span> <span class="syntax-symbol">.</span> <span class="syntax-string">"4000"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-string">"SEARCH_MEILI_INSTANCE"</span> <span class="syntax-symbol">.</span> <span class="syntax-string">"http://localhost:7700"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Secrets
</span> <span class="syntax-open">(</span><span class="syntax-symbol">meili-master-key</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret->secret-file</span> <span class="syntax-symbol">meilisearch-key-secret</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">postgres-password</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret->secret-file</span> <span class="syntax-symbol">bonfire-postgres-password-secret</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">mail-key</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret->secret-file</span> <span class="syntax-symbol">bonfire-mail-key-secret</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">mail-private-key</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret->secret-file</span> <span class="syntax-symbol">bonfire-mail-private-key-secret</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">secret-key-base</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret->secret-file</span> <span class="syntax-symbol">bonfire-secret-key-base-secret</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">signing-salt</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret->secret-file</span> <span class="syntax-symbol">bonfire-signing-salt-secret</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">encryption-salt</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret->secret-file</span> <span class="syntax-symbol">bonfire-encryption-salt-secret</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span></code></pre><p>Now after reconfiguring your system, which might take a while, you should have a <code>podman-bonfire</code> service among your root's <code>herd status</code>:</p><pre><code>$ sudo herd status podman-bonfire
Password:
● Status of podman-bonfire:
It is running since 11:48:45 AM (12 hours ago).
Main PID: 26476
Command: /run/current-system/profile/bin/podman run --rm --replace --name podman-bonfire --entrypoint /bin/sh --env POSTGRES_USER=bonfire --env FLAVOUR=social --env HOSTNAME=bonfire.fishinthecalculator.me --env POSTGRES_HOST=localhost --env POSTGRES_DB=bonfire --env MAIL_DOMAIN=bonfire.fishinthecalculator.me --env MAIL_FROM=friendlyadmin@bonfire.fishinthecalculator.me --env MAIL_PORT=465 --env MAIL_SSL=true --env PORT=4000 --env PUBLIC_PORT=443 --env LANG --env SEEDS_USER=root --env ERLANG_COOKIE=bonfire_cookie --env MIX_ENV=prod --env PLUG_BACKEND=bandit --env APP_NAME=Bonfire --env MAIL_BACKEND=mailjet --env SERVER_PORT=4000 --env SEARCH_MEILI_INSTANCE=http://localhost:7700 --network host -v /var/lib/bonfire/uploads:/opt/app/data/uploads -v /run/secrets/meilisearch:/run/secrets/meilisearch:ro -v /run/secrets/postgres:/run/secrets/postgres:ro -v /run/secrets/bonfire/mail:/run/secrets/bonfire/mail:ro -v /run/secrets/bonfire:/run/secrets/bonfire:ro docker.io/bonfirenetworks/bonfire:1.0.0-rc.1.10-social-amd64 -c "set -e; export MEILI_MASTER_KEY=\"$(cat /run/secrets/meilisearch/master)\"; export POSTGRES_PASSWORD=\"$(cat /run/secrets/postgres/bonfire)\"; export MAIL_KEY=\"$(cat /run/secrets/mail/bonfire/key)\"; export MAIL_PRIVATE_KEY=\"$(cat /run/secrets/mail/bonfire/private_key)\"; export SECRET_KEY_BASE=\"$(cat /run/secrets/bonfire/secret_key_base)\"; export SIGNING_SALT=\"$(cat /run/secrets/bonfire/signing_salt)\"; export ENCRYPTION_SALT=\"$(cat /run/secrets/bonfire/encryption_salt)\"; exec -a ./bin/bonfire ./bin/bonfire start"
It is enabled.
Provides: podman-bonfire
Requires: postgresql postgres-roles sops-secrets podman-meilisearch cgroups2-fs-owner cgroups2-limits rootless-podman-shared-root-fs user-processes podman-volumes
Custom actions: command-line entrypoint pull
Will not be respawned.
Log file: /var/log/bonfire.log
Recent messages (use '-n' to view more or less):
2025-06-13 23:45:44 Phoenix.Router.__call__/5 @ deps/phoenix/lib/phoenix/router.ex:475
2025-06-13 23:45:44 Bonfire.Web.Endpoint.plug_builder_call/2 @ lib/bonfire/web/endpoint.ex:1
</code></pre><p>On the first run it will take some time as it will need to perform database migrations, in general you can check its output by reading <code>/var/log/bonfire.log</code>.</p><h3 id="running_a_reverse_proxy">Running a reverse proxy</h3><p>The last piece to be able to access your instance from the Internet is a reverse proxy. We'll use NGINX but any one should work. To configure NGINX to forward traffic to Bonfire the following must be added to your configuration:</p><pre><code><span class="syntax-open">(</span><span class="syntax-symbol">use-modules</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">web</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'nginx-service-type'
</span> <span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">operating-system</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">services</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">certbot-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">sops-secrets-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Postgres
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-role-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">iptables-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; The DBus clique
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">elogind-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">dbus-root-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">rootless-podman-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">oci-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; meilisearch
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">oci-meilisearch-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Bonfire
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">oci-bonfire-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">nginx-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">nginx-configuration</span>
<span class="syntax-comment">;; Wait for bonfire to start
</span> <span class="syntax-open">(</span><span class="syntax-symbol">shepherd-requirement</span>
<span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-symbol">podman-bonfire</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">server-blocks</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span>
<span class="syntax-open">(</span><span class="syntax-symbol">nginx-server-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">server-name</span> <span class="syntax-open">(</span><span class="syntax-symbol">list</span> <span class="syntax-string">"bonfire.fishinthecalculator.me"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">listen</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-string">"443 ssl"</span> <span class="syntax-string">"[::]:443 ssl"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Replace with your domain
</span> <span class="syntax-open">(</span><span class="syntax-symbol">ssl-certificate</span> <span class="syntax-string">"/etc/certs/bonfire.fishinthecalculator.me/fullchain.pem"</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Replace with your domain
</span> <span class="syntax-open">(</span><span class="syntax-symbol">ssl-certificate-key</span> <span class="syntax-string">"/etc/certs/bonfire.fishinthecalculator.me/privkey.pem"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">locations</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span>
<span class="syntax-open">(</span><span class="syntax-symbol">nginx-location-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">uri</span> <span class="syntax-string">"/"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">body</span> <span class="syntax-open">(</span><span class="syntax-symbol">list</span> <span class="syntax-open">(</span><span class="syntax-symbol">string-append</span> <span class="syntax-string">"proxy_pass http://localhost:4000;"</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Taken from https://www.nginx.com/resources/wiki/start/topics/examples/full/
</span> <span class="syntax-comment">;; Those settings are used when proxies are involved
</span> <span class="syntax-string">"proxy_redirect off;"</span>
<span class="syntax-string">"proxy_set_header Host $host;"</span>
<span class="syntax-string">"proxy_set_header X-Real-IP $remote_addr;"</span>
<span class="syntax-string">"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"</span>
<span class="syntax-string">"proxy_http_version 1.1;"</span>
<span class="syntax-string">"proxy_cache_bypass $http_upgrade;"</span>
<span class="syntax-string">"proxy_set_header Upgrade $http_upgrade;"</span>
<span class="syntax-string">"proxy_set_header Connection \"upgrade\";"</span>
<span class="syntax-string">"proxy_set_header X-Forwarded-Proto $scheme;"</span>
<span class="syntax-string">"proxy_set_header X-Forwarded-Host $host;"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Statically serve uploads media.
</span> <span class="syntax-open">(</span><span class="syntax-symbol">nginx-location-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">uri</span> <span class="syntax-string">"/data/uploads/"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">body</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span> <span class="syntax-string">"alias /var/lib/bonfire/uploads/;"</span><span class="syntax-close">)</span>
<span class="syntax-string">"index index.html index.htm;"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span></code></pre><p>Now after reconfiguring you should be able to access your instance and set it up. The first user to register is the admin, they can decide how further user can be added to the instance.</p><p><img src="/static/images/bonfire.fishinthecalculator.me.png" alt="bonfire.fishinthecalculator.me's home page" /></p><h3 id="configuring_database_backups">Configuring database backups</h3><p>If you'd like to have nightly jobs dumping Bonfire's database to disk, to be able to recover from data corruption for example, you can use the <code>postgresql-backup-service-type</code>. There is <a href="https://codeberg.org/guix/guix/pulls/500">a PR</a> for sending it upstream, but to use it now you'll have to add the <a href="https://codeberg.org/fishinthecalculator/small-guix#configure"><code>small-guix</code> channel</a> to your <code>.config/guix/channels.scm</code>. After running <code>guix pull</code>, in a new shell, <code>guix describe</code> should mention <code>small-guix</code>.</p><p>Now you can add the following to your operating system configuration:</p><pre><code><span class="syntax-open">(</span><span class="syntax-symbol">use-modules</span> <span class="syntax-open">(</span><span class="syntax-symbol">small-guix</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">databases</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'postgresql-backup-service-type'
</span> <span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">operating-system</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">services</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">certbot-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">sops-secrets-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Postgres
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-role-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-backup-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">postgresql-backup-configuration</span>
<span class="syntax-comment">;; Every day at 5 AM.
</span> <span class="syntax-open">(</span><span class="syntax-symbol">schedule</span> <span class="syntax-string">"0 5 * * *"</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Databases to backup.
</span> <span class="syntax-open">(</span><span class="syntax-symbol">databases</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-string">"bonfire"</span><span class="syntax-close">)</span><span class="syntax-symbol">'</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Which day to take the weekly backup from (1-7 = Monday-Sunday).
</span> <span class="syntax-open">(</span><span class="syntax-symbol">day-of-week-to-keep</span> <span class="syntax-symbol">6</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Number of days to keep daily backups.
</span> <span class="syntax-open">(</span><span class="syntax-symbol">days-to-keep</span> <span class="syntax-symbol">7</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; How many weeks to keep weekly backups.
</span> <span class="syntax-open">(</span><span class="syntax-symbol">weeks-to-keep</span> <span class="syntax-symbol">5</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">iptables-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; The DBus clique
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">elogind-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">dbus-root-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">rootless-podman-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">oci-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; meilisearch
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">oci-meilisearch-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Bonfire
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">oci-bonfire-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">nginx-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
</code></pre><p>After some time, you'll get something like this at <code>/var/lib/postgresql-backups</code>:</p><pre><code>$ sudo tree -a /var/lib/postgresql-backups/
/var/lib/postgresql-backups/
├── 2025-06-05-daily
│ └── bonfire.custom
├── 2025-06-06-daily
│ └── bonfire.custom
├── 2025-06-07-weekly
│ └── bonfire.custom
├── 2025-06-08-daily
│ └── bonfire.custom
├── 2025-06-09-daily
│ └── bonfire.custom
├── 2025-06-10-daily
│ └── bonfire.custom
├── 2025-06-11-daily
│ └── bonfire.custom
└── 2025-06-12-daily
└── bonfire.custom</code></pre><p>You can then long term encrypt and backup these on S3, OneDrive, Google Drive with <code>rclone</code> and the <code>restic-backup-service-type</code>, check it out <a href="https://guix.gnu.org/manual/devel/en/guix.html#Miscellaneous-Services">on the Guix Manual</a>, search for <code>restic-backup-service-type</code>.</p><h3 id="enabling_automatic_upgrades">Enabling automatic upgrades</h3><p>A good practice for a server exposed to the Internet is to continually apply security fixes. On Guix, <a href="https://issues.guix.gnu.org/issue/78332">for now</a>, this means following the default branch. To automatically upgrade your system overnight, <a href="https://guix.gnu.org/manual/devel/en/guix.html#Unattended-Upgrades">you can use the <code>unattended-upgrade-service-type</code></a>, configuring it to use <code>gocix</code> (and <code>small-guix</code> in case you use PostgreSQL backups) and to run at any given time. I run it once every night at 2AM:</p><pre><code><span class="syntax-open">(</span><span class="syntax-symbol">use-modules</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">admin</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'unattended-upgrade-service-type'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">guix</span> <span class="syntax-symbol">channels</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'channel->code'
</span> <span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-special">define</span> <span class="syntax-symbol">%channels</span>
<span class="syntax-open">(</span><span class="syntax-symbol">cons*</span>
<span class="syntax-open">(</span><span class="syntax-symbol">channel</span>
<span class="syntax-open">(</span><span class="syntax-symbol">name</span> <span class="syntax-symbol">'small-guix</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">url</span> <span class="syntax-string">"https://codeberg.org/fishinthecalculator/small-guix.git"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">branch</span> <span class="syntax-string">"main"</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Enable signature verification:
</span> <span class="syntax-open">(</span><span class="syntax-symbol">introduction</span>
<span class="syntax-open">(</span><span class="syntax-symbol">make-channel-introduction</span>
<span class="syntax-string">"f260da13666cd41ae3202270784e61e062a3999c"</span>
<span class="syntax-open">(</span><span class="syntax-symbol">openpgp-fingerprint</span>
<span class="syntax-string">"8D10 60B9 6BB8 292E 829B 7249 AED4 1CC1 93B7 01E2"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">channel</span>
<span class="syntax-open">(</span><span class="syntax-symbol">name</span> <span class="syntax-symbol">'gocix</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">url</span> <span class="syntax-string">"https://github.com/fishinthecalculator/gocix"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">branch</span> <span class="syntax-string">"main"</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Enable signature verification:
</span> <span class="syntax-open">(</span><span class="syntax-symbol">introduction</span>
<span class="syntax-open">(</span><span class="syntax-symbol">make-channel-introduction</span>
<span class="syntax-string">"cdb78996334c4f63304ecce224e95bb96bfd4c7d"</span>
<span class="syntax-open">(</span><span class="syntax-symbol">openpgp-fingerprint</span>
<span class="syntax-string">"8D10 60B9 6BB8 292E 829B 7249 AED4 1CC1 93B7 01E2"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-symbol">%default-channels</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">operating-system</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">services</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">certbot-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">sops-secrets-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Postgres
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-role-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-backup-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">iptables-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; The DBus clique
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">elogind-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">dbus-root-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">rootless-podman-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">oci-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; meilisearch
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">oci-meilisearch-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Bonfire
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">oci-bonfire-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">nginx-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">unattended-upgrade-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">unattended-upgrade-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">schedule</span> <span class="syntax-string">"0 2 * * *"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">system-expiration</span>
<span class="syntax-comment">;; 30 days
</span> <span class="syntax-open">(</span><span class="syntax-symbol">*</span> <span class="syntax-symbol">30</span> <span class="syntax-symbol">24</span> <span class="syntax-symbol">3600</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">channels</span>
<span class="syntax-symbol">#~</span><span class="syntax-open">(</span><span class="syntax-symbol">list</span> <span class="syntax-symbol">#$@</span><span class="syntax-open">(</span><span class="syntax-special">map</span> <span class="syntax-symbol">channel->code</span> <span class="syntax-symbol">%channels</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">operating-system-file</span>
<span class="syntax-comment">;; The path to your configuration file.
</span> <span class="syntax-open">(</span><span class="syntax-symbol">file-append</span> <span class="syntax-symbol">%project-root</span> <span class="syntax-string">"/config.scm"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span></code></pre><p>After reconfiguring, you should have a new Shepherd timer:</p><pre><code>
$ sudo herd status unattended-upgrade
● Status of unattended-upgrade:
It is running since Fri 13 Jun 2025 11:21:31 PM CEST (87 minutes ago).
Timed service.
Periodically running: /gnu/store/67mzs4f35yrbj224y2ygr73vy1s1iqis-unattended-upgrade
It is enabled.
Provides: unattended-upgrade
Requires: user-processes networking
Custom action: trigger
Will be respawned.
Upcoming timer alarms:
11:10:00 PM (in 22 hours)
Sun 15 Jun 2025 11:10:00 PM CEST (in 46 hours)
Mon 16 Jun 2025 11:10:00 PM CEST (in 3 days)
Tue 17 Jun 2025 11:10:00 PM CEST (in 4 days)
Wed 18 Jun 2025 11:10:00 PM CEST (in 5 days)</code></pre><p>Note, this does not mean you should run major upgrades overnight: you should be able to pin every package version either referencing a package variable that has the version in its symbol, or with one of the many Guix package <a href="https://guix.gnu.org/manual/devel/en/guix.html#Defining-Package-Variants">extension</a> and <a href="https://guix.gnu.org/manual/devel/en/guix.html#Inferiors">transformation mechanisms</a>. You can pin OCI services by specifying an explicit image, like so:</p><pre><code><span class="syntax-open">(</span><span class="syntax-symbol">operating-system</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">services</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span>
<span class="syntax-symbol">...</span>
<span class="syntax-comment">;; Bonfire
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">oci-bonfire-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">oci-bonfire-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">image</span>
<span class="syntax-string">"docker.io/bonfirenetworks/bonfire:1.0.0-rc.1.11-social-amd64"</span><span class="syntax-close">)</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span></code></pre><h3 id="enabling_automatic_reboots">Enabling automatic reboots</h3><p>Not all upgrades can be performed online and restarting sevices regularly sometimes helps (it's the classic magic happening inside computers, if you know, you know). In case you want to regularly reboot your system you can use the <code>unattended-reboot-service-type</code>: it will provision a Shepherd timer which will reboot the system once triggered. This allows updates, for example for the Shepherd, the kernel or core packages, to be automatically finalized. In the future this should probably add an health check to see whether the system is functional and roll back otherwise.</p><p>To enable regular reboots add the following to your configuration:</p><pre><code><span class="syntax-open">(</span><span class="syntax-symbol">use-modules</span> <span class="syntax-open">(</span><span class="syntax-symbol">small-guix</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">unattended-reboot</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'unattended-reboot-service-type'
</span> <span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">operating-system</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">services</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span>
<span class="syntax-symbol">...</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">certbot-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">sops-secrets-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Postgres
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-role-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-backup-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">iptables-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; The DBus clique
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">elogind-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">dbus-root-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">rootless-podman-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">oci-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; meilisearch
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">oci-meilisearch-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Bonfire
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">oci-bonfire-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">nginx-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">unattended-upgrade-service-type</span>
<span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">unattended-reboot-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">unattended-reboot-configuration</span>
<span class="syntax-comment">;; Every day at 6AM.
</span> <span class="syntax-open">(</span><span class="syntax-symbol">schedule</span> <span class="syntax-string">"0 6 * * *"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span></code></pre><h3 id="summing_up">Summing up</h3><p>Let's try to see it all together:</p><pre><code><span class="syntax-open">(</span><span class="syntax-symbol">use-modules</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">packages</span> <span class="syntax-symbol">geo</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'postgis'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">packages</span> <span class="syntax-symbol">databases</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'postgresql'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">admin</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'unattended-upgrade-service-type'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">certbot</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'certbot-service-type'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">databases</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'postgresql-service-type' and 'postgresql-role-service-type'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">containers</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'rootless-podman-service-type'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">dbus</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'dbus-service-type'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">desktop</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'elogind-service-type'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">networking</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'iptables-service-type'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">gnu</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">web</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'nginx-service-type'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">guix</span> <span class="syntax-symbol">channels</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'channel->code'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">guix</span> <span class="syntax-symbol">gexp</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'local-file' and 'plain-file'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">guix</span> <span class="syntax-symbol">utils</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'current-source-directory'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">oci</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">containers</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'oci-service-type'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">oci</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">bonfire</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'oci-bonfire-service-type'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">oci</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">meilisearch</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'oci-meilisearch-service-type'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">small-guix</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">databases</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'postgresql-backup-service-type'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">small-guix</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">unattended-reboot</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'unattended-reboot-service-type'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">sops</span> <span class="syntax-symbol">services</span> <span class="syntax-symbol">sops</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'sops-secrets-service-type' and 'sops-sops-secret->secret-file'
</span> <span class="syntax-open">(</span><span class="syntax-symbol">sops</span> <span class="syntax-symbol">secrets</span><span class="syntax-close">)</span> <span class="syntax-comment">;for 'sops-secret'
</span> <span class="syntax-symbol">...</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-special">define</span> <span class="syntax-symbol">%project-root</span>
<span class="syntax-open">(</span><span class="syntax-symbol">current-source-directory</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-special">define</span> <span class="syntax-symbol">sops.yaml</span>
<span class="syntax-open">(</span><span class="syntax-symbol">local-file</span> <span class="syntax-open">(</span><span class="syntax-symbol">string-append</span> <span class="syntax-symbol">%project-root</span> <span class="syntax-string">"/.sops.yaml"</span><span class="syntax-close">)</span>
<span class="syntax-string">"sops.yaml"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-special">define-public</span> <span class="syntax-symbol">yoursystem.yaml</span>
<span class="syntax-open">(</span><span class="syntax-symbol">local-file</span> <span class="syntax-open">(</span><span class="syntax-symbol">string-append</span> <span class="syntax-symbol">%project-root</span> <span class="syntax-string">"/yoursystem.yaml"</span><span class="syntax-close">)</span>
<span class="syntax-string">"yoursystem.yaml"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; PostgreSQL
</span>
<span class="syntax-open">(</span><span class="syntax-special">define-public</span> <span class="syntax-symbol">bonfire-postgres-password-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">key</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-string">"postgres"</span> <span class="syntax-string">"bonfire"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">user</span> <span class="syntax-string">"oci-container"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">group</span> <span class="syntax-string">"postgres"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">file</span> <span class="syntax-symbol">yoursystem.yaml</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">permissions</span> <span class="syntax-symbol">#o440</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Meilisearch
</span>
<span class="syntax-open">(</span><span class="syntax-special">define-public</span> <span class="syntax-symbol">meilisearch-key-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">key</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-string">"meilisearch"</span> <span class="syntax-string">"master"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">user</span> <span class="syntax-string">"oci-container"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">group</span> <span class="syntax-string">"users"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">file</span> <span class="syntax-symbol">yoursystem.yaml</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">permissions</span> <span class="syntax-symbol">#o400</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Bonfire
</span>
<span class="syntax-open">(</span><span class="syntax-special">define-public</span> <span class="syntax-symbol">bonfire-mail-key-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">key</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-string">"mail"</span> <span class="syntax-string">"bonfire"</span> <span class="syntax-string">"key"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">user</span> <span class="syntax-string">"oci-container"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">group</span> <span class="syntax-string">"users"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">file</span> <span class="syntax-symbol">yoursystem.yaml</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">permissions</span> <span class="syntax-symbol">#o400</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-special">define-public</span> <span class="syntax-symbol">bonfire-mail-private-key-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">key</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-string">"mail"</span> <span class="syntax-string">"bonfire"</span> <span class="syntax-string">"private_key"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">user</span> <span class="syntax-string">"oci-container"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">group</span> <span class="syntax-string">"users"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">file</span> <span class="syntax-symbol">yoursystem.yaml</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">permissions</span> <span class="syntax-symbol">#o400</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-special">define-public</span> <span class="syntax-symbol">bonfire-secret-key-base-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">key</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-string">"bonfire"</span> <span class="syntax-string">"secret_key_base"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">user</span> <span class="syntax-string">"oci-container"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">group</span> <span class="syntax-string">"users"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">file</span> <span class="syntax-symbol">yoursystem.yaml</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">permissions</span> <span class="syntax-symbol">#o400</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-special">define-public</span> <span class="syntax-symbol">bonfire-signing-salt-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">key</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-string">"bonfire"</span> <span class="syntax-string">"signing_salt"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">user</span> <span class="syntax-string">"oci-container"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">group</span> <span class="syntax-string">"users"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">file</span> <span class="syntax-symbol">yoursystem.yaml</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">permissions</span> <span class="syntax-symbol">#o400</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-special">define-public</span> <span class="syntax-symbol">bonfire-encryption-salt-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret</span>
<span class="syntax-open">(</span><span class="syntax-symbol">key</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-string">"bonfire"</span> <span class="syntax-string">"encryption_salt"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">user</span> <span class="syntax-string">"oci-container"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">group</span> <span class="syntax-string">"users"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">file</span> <span class="syntax-symbol">yoursystem.yaml</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">permissions</span> <span class="syntax-symbol">#o400</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Channels
</span><span class="syntax-open">(</span><span class="syntax-special">define</span> <span class="syntax-symbol">%channels</span>
<span class="syntax-open">(</span><span class="syntax-symbol">cons*</span>
<span class="syntax-open">(</span><span class="syntax-symbol">channel</span>
<span class="syntax-open">(</span><span class="syntax-symbol">name</span> <span class="syntax-symbol">'small-guix</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">url</span> <span class="syntax-string">"https://codeberg.org/fishinthecalculator/small-guix.git"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">branch</span> <span class="syntax-string">"main"</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Enable signature verification:
</span> <span class="syntax-open">(</span><span class="syntax-symbol">introduction</span>
<span class="syntax-open">(</span><span class="syntax-symbol">make-channel-introduction</span>
<span class="syntax-string">"f260da13666cd41ae3202270784e61e062a3999c"</span>
<span class="syntax-open">(</span><span class="syntax-symbol">openpgp-fingerprint</span>
<span class="syntax-string">"8D10 60B9 6BB8 292E 829B 7249 AED4 1CC1 93B7 01E2"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">channel</span>
<span class="syntax-open">(</span><span class="syntax-symbol">name</span> <span class="syntax-symbol">'gocix</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">url</span> <span class="syntax-string">"https://github.com/fishinthecalculator/gocix"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">branch</span> <span class="syntax-string">"main"</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Enable signature verification:
</span> <span class="syntax-open">(</span><span class="syntax-symbol">introduction</span>
<span class="syntax-open">(</span><span class="syntax-symbol">make-channel-introduction</span>
<span class="syntax-string">"cdb78996334c4f63304ecce224e95bb96bfd4c7d"</span>
<span class="syntax-open">(</span><span class="syntax-symbol">openpgp-fingerprint</span>
<span class="syntax-string">"8D10 60B9 6BB8 292E 829B 7249 AED4 1CC1 93B7 01E2"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-symbol">%default-channels</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">operating-system</span>
<span class="syntax-symbol">...</span> <span class="syntax-comment">;; Bootloader, filesystems, users, packages, sudoers and so on...
</span>
<span class="syntax-open">(</span><span class="syntax-symbol">services</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span>
<span class="syntax-symbol">...</span> <span class="syntax-comment">;; Here you will most probably have to append to %base-sytem if this
</span> <span class="syntax-comment">;; is a headless machine
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">certbot-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">certbot-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">email</span> <span class="syntax-string">"your@email.org"</span><span class="syntax-close">)</span> <span class="syntax-comment">;replace with your email
</span> <span class="syntax-open">(</span><span class="syntax-symbol">certificates</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span>
<span class="syntax-open">(</span><span class="syntax-symbol">certificate-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">domains</span> <span class="syntax-open">(</span><span class="syntax-symbol">list</span> <span class="syntax-string">"bonfire.fishinthecalculator.me"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span> <span class="syntax-comment">;replace with your domain
</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">sops-secrets-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-service-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">config</span> <span class="syntax-symbol">sops.yaml</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Postgres
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">postgresql-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">postgresql</span> <span class="syntax-symbol">postgresql</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Bonfire requires postgis.
</span> <span class="syntax-open">(</span><span class="syntax-symbol">extension-packages</span> <span class="syntax-open">(</span><span class="syntax-symbol">list</span> <span class="syntax-symbol">postgis</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">port</span> <span class="syntax-symbol">5432</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-role-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">postgresql-role-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">shepherd-requirement</span>
<span class="syntax-comment">;; Allow database passwords to be provisioned through SOPS secrets
</span> <span class="syntax-open">(</span><span class="syntax-symbol">append</span>
<span class="syntax-symbol">%default-postgresql-role-shepherd-requirement</span>
<span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-symbol">sops-secrets</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">postgresql-backup-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">postgresql-backup-configuration</span>
<span class="syntax-comment">;; Every day at 5 AM.
</span> <span class="syntax-open">(</span><span class="syntax-symbol">schedule</span> <span class="syntax-string">"0 5 * * *"</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Databases to backup.
</span> <span class="syntax-open">(</span><span class="syntax-symbol">databases</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-string">"bonfire"</span><span class="syntax-close">)</span><span class="syntax-symbol">'</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Which day to take the weekly backup from (1-7 = Monday-Sunday).
</span> <span class="syntax-open">(</span><span class="syntax-symbol">day-of-week-to-keep</span> <span class="syntax-symbol">6</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Number of days to keep daily backups.
</span> <span class="syntax-open">(</span><span class="syntax-symbol">days-to-keep</span> <span class="syntax-symbol">7</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; How many weeks to keep weekly backups.
</span> <span class="syntax-open">(</span><span class="syntax-symbol">weeks-to-keep</span> <span class="syntax-symbol">5</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">iptables-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">iptables-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">ipv4-rules</span> <span class="syntax-open">(</span><span class="syntax-symbol">plain-file</span> <span class="syntax-string">"iptables.rules"</span> <span class="syntax-string">"*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">ipv6-rules</span> <span class="syntax-open">(</span><span class="syntax-symbol">plain-file</span> <span class="syntax-string">"ip6tables.rules"</span> <span class="syntax-string">"*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; The DBus clique
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">elogind-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">dbus-root-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">rootless-podman-service-type</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">oci-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">oci-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">runtime</span> <span class="syntax-symbol">'podman</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; meilisearch
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">oci-meilisearch-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">oci-meilisearch-configuration</span>
<span class="syntax-comment">;; We use the host network since we have a firewall.
</span> <span class="syntax-comment">;; An OCI network could be used between Bonfire and meilisearch.
</span> <span class="syntax-open">(</span><span class="syntax-symbol">network</span> <span class="syntax-string">"host"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">port</span> <span class="syntax-string">"7700"</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Since secrets are provisioned by sops-guix
</span> <span class="syntax-comment">;; sops-secrets must be added as a Shepherd dependency.
</span> <span class="syntax-open">(</span><span class="syntax-symbol">shepherd-requirement</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-symbol">user-processes</span> <span class="syntax-symbol">sops-secrets</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">master-key</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret->secret-file</span> <span class="syntax-symbol">meilisearch-key-secret</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Bonfire
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">oci-bonfire-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">oci-bonfire-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">bonfire-configuration</span>
<span class="syntax-comment">;; Networking
</span> <span class="syntax-open">(</span><span class="syntax-symbol">hostname</span> <span class="syntax-string">"bonfire.fishinthecalculator.me"</span><span class="syntax-close">)</span> <span class="syntax-comment">;replace with your domain
</span> <span class="syntax-open">(</span><span class="syntax-symbol">port</span> <span class="syntax-string">"4000"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">public-port</span> <span class="syntax-string">"443"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">network</span> <span class="syntax-string">"host"</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Postgres
</span> <span class="syntax-open">(</span><span class="syntax-symbol">postgres-user</span> <span class="syntax-string">"bonfire"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">postgres-db</span> <span class="syntax-string">"bonfire"</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Mail
</span> <span class="syntax-open">(</span><span class="syntax-symbol">mail-domain</span> <span class="syntax-string">"bonfire.fishinthecalculator.me"</span><span class="syntax-close">)</span> <span class="syntax-comment">;replace with your domain
</span> <span class="syntax-open">(</span><span class="syntax-symbol">mail-from</span> <span class="syntax-string">"friendlyadmin@bonfire.fishinthecalculator.me"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span> <span class="syntax-comment">;replace with your domain
</span> <span class="syntax-comment">;; Shepherd
</span> <span class="syntax-open">(</span><span class="syntax-symbol">upload-data-directory</span> <span class="syntax-string">"/var/lib/bonfire/uploads"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">requirement</span>
<span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-symbol">user-processes</span> <span class="syntax-symbol">postgresql</span> <span class="syntax-symbol">postgres-roles</span> <span class="syntax-symbol">sops-secrets</span> <span class="syntax-symbol">podman-meilisearch</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">extra-variables</span>
<span class="syntax-symbol">`</span><span class="syntax-open">(</span><span class="syntax-open">(</span><span class="syntax-string">"MAIL_BACKEND"</span> <span class="syntax-symbol">.</span> <span class="syntax-string">"mailjet"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-string">"SERVER_PORT"</span> <span class="syntax-symbol">.</span> <span class="syntax-string">"4000"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-string">"SEARCH_MEILI_INSTANCE"</span> <span class="syntax-symbol">.</span> <span class="syntax-string">"http://localhost:7700"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Secrets
</span> <span class="syntax-open">(</span><span class="syntax-symbol">meili-master-key</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret->secret-file</span> <span class="syntax-symbol">meilisearch-key-secret</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">postgres-password</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret->secret-file</span> <span class="syntax-symbol">bonfire-postgres-password-secret</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">mail-key</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret->secret-file</span> <span class="syntax-symbol">bonfire-mail-key-secret</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">mail-private-key</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret->secret-file</span> <span class="syntax-symbol">bonfire-mail-private-key-secret</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">secret-key-base</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret->secret-file</span> <span class="syntax-symbol">bonfire-secret-key-base-secret</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">signing-salt</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret->secret-file</span> <span class="syntax-symbol">bonfire-signing-salt-secret</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">encryption-salt</span>
<span class="syntax-open">(</span><span class="syntax-symbol">sops-secret->secret-file</span> <span class="syntax-symbol">bonfire-encryption-salt-secret</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Reverse proxy
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">nginx-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">nginx-configuration</span>
<span class="syntax-comment">;; Wait for bonfire to start
</span> <span class="syntax-open">(</span><span class="syntax-symbol">shepherd-requirement</span>
<span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-symbol">podman-bonfire</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">server-blocks</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span>
<span class="syntax-open">(</span><span class="syntax-symbol">nginx-server-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">server-name</span> <span class="syntax-open">(</span><span class="syntax-symbol">list</span> <span class="syntax-string">"bonfire.fishinthecalculator.me"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">listen</span> <span class="syntax-symbol">'</span><span class="syntax-open">(</span><span class="syntax-string">"443 ssl"</span> <span class="syntax-string">"[::]:443 ssl"</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Replace with your domain
</span> <span class="syntax-open">(</span><span class="syntax-symbol">ssl-certificate</span> <span class="syntax-string">"/etc/certs/bonfire.fishinthecalculator.me/fullchain.pem"</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Replace with your domain
</span> <span class="syntax-open">(</span><span class="syntax-symbol">ssl-certificate-key</span> <span class="syntax-string">"/etc/certs/bonfire.fishinthecalculator.me/privkey.pem"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">locations</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span>
<span class="syntax-open">(</span><span class="syntax-symbol">nginx-location-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">uri</span> <span class="syntax-string">"/"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">body</span> <span class="syntax-open">(</span><span class="syntax-symbol">list</span> <span class="syntax-open">(</span><span class="syntax-symbol">string-append</span> <span class="syntax-string">"proxy_pass http://localhost:4000;"</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Taken from https://www.nginx.com/resources/wiki/start/topics/examples/full/
</span> <span class="syntax-comment">;; Those settings are used when proxies are involved
</span> <span class="syntax-string">"proxy_redirect off;"</span>
<span class="syntax-string">"proxy_set_header Host $host;"</span>
<span class="syntax-string">"proxy_set_header X-Real-IP $remote_addr;"</span>
<span class="syntax-string">"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"</span>
<span class="syntax-string">"proxy_http_version 1.1;"</span>
<span class="syntax-string">"proxy_cache_bypass $http_upgrade;"</span>
<span class="syntax-string">"proxy_set_header Upgrade $http_upgrade;"</span>
<span class="syntax-string">"proxy_set_header Connection \"upgrade\";"</span>
<span class="syntax-string">"proxy_set_header X-Forwarded-Proto $scheme;"</span>
<span class="syntax-string">"proxy_set_header X-Forwarded-Host $host;"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Statically serve uploads media.
</span> <span class="syntax-open">(</span><span class="syntax-symbol">nginx-location-configuration</span>
<span class="syntax-open">(</span><span class="syntax-symbol">uri</span> <span class="syntax-string">"/data/uploads/"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">body</span>
<span class="syntax-open">(</span><span class="syntax-symbol">list</span> <span class="syntax-string">"alias /var/lib/bonfire/uploads/;"</span><span class="syntax-close">)</span>
<span class="syntax-string">"index index.html index.htm;"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Automatic upgrades.
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">unattended-upgrade-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">unattended-upgrade-configuration</span>
<span class="syntax-comment">;; Every night at 2AM.
</span> <span class="syntax-open">(</span><span class="syntax-symbol">schedule</span> <span class="syntax-string">"0 2 * * *"</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">system-expiration</span>
<span class="syntax-comment">;; 30 days
</span> <span class="syntax-open">(</span><span class="syntax-symbol">*</span> <span class="syntax-symbol">30</span> <span class="syntax-symbol">24</span> <span class="syntax-symbol">3600</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">channels</span>
<span class="syntax-symbol">#~</span><span class="syntax-open">(</span><span class="syntax-symbol">list</span> <span class="syntax-symbol">#$@</span><span class="syntax-open">(</span><span class="syntax-special">map</span> <span class="syntax-symbol">channel->code</span> <span class="syntax-symbol">%channels</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-open">(</span><span class="syntax-symbol">operating-system-file</span>
<span class="syntax-comment">;; The path to your configuration file.
</span> <span class="syntax-open">(</span><span class="syntax-symbol">file-append</span> <span class="syntax-symbol">%project-root</span> <span class="syntax-string">"/config.scm"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span>
<span class="syntax-comment">;; Automatic reboots.
</span> <span class="syntax-open">(</span><span class="syntax-symbol">service</span> <span class="syntax-symbol">unattended-reboot-service-type</span>
<span class="syntax-open">(</span><span class="syntax-symbol">unattended-reboot-configuration</span>
<span class="syntax-comment">;; Every day at 6AM.
</span> <span class="syntax-open">(</span><span class="syntax-symbol">schedule</span> <span class="syntax-string">"0 6 * * *"</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span><span class="syntax-close">)</span></code></pre><p>This post has still many assumptions baked in which will require some experimentation on your side, if you have questions let me know. You can also look at <a href="https://codeberg.org/fishinthecalculator/guix-deployments/src/branch/main/modules/fishinthecalculator/virtual-nellone/system/config.scm">the configuration</a> for the machine running <code>bonfire.fishinthecalculator.me</code>.</p><h2 id="future_work">Future work</h2><p>Currently <code>bonfire.fishinthecalculator.me</code> runs pretty smoothly but the users are very few and the machine hosts other services. Next steps would probably be setup monitoring with Prometheus and Grafana for the VM and the Bonfire instance.</p>