diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index af0c8c98..0edc4694 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -11,6 +11,7 @@ repos: - id: end-of-file-fixer - id: trailing-whitespace args: [--markdown-linebreak-ext=md] + exclude: ^guix/resources/guix-acl-keys/ - repo: local hooks: diff --git a/guix/README.md b/guix/README.md new file mode 100644 index 00000000..9031cf3b --- /dev/null +++ b/guix/README.md @@ -0,0 +1,26 @@ +# DevOps Area 51 + +> This directory is a declarative deployment... and part of a system of +> declarative deployments... pay attention to it! + +Here we test out declarative deployments using Guix on Turing. It serves mainly +as a playground for ideas. + +## Deploying + +**Prerequisites** + +- Relevant SSH key (see `./ssh-keys/`) in your SSH agent +- Guix packaging ACL key deployed on turing + - This is usually at `/etc/guix/signing-key`. If not, run `guix archive + --generate-key` as root. + - This is needed for the remote Guix instance to accept packages we build + locally. + +**Deploying** + +```sh +# Optional, but recommended +# guix pull +guix deploy turing.scm +``` diff --git a/guix/deployment.scm b/guix/deployment.scm new file mode 100644 index 00000000..f156b1eb --- /dev/null +++ b/guix/deployment.scm @@ -0,0 +1,20 @@ +(define-module (deployment)) +(add-to-load-path (dirname (current-filename))) +(use-modules (gnu machine) + (gnu machine ssh) + (machines turing)) + + +; local deployments: +; SSHKEY=path/to/key USER=myuser guix deploy turing.scm +; USER is usually implicitly declared somewhere +(list (machine + (operating-system %turing-os) + (environment managed-host-environment-type) + (configuration (machine-ssh-configuration + (host-name "turing.box.chrisjl.dev") + (build-locally? #f) + (system "x86_64-linux") + (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvvi6P/G+rZ2qUZ+anluvFQwYM/WFZkERygd9X9+xqU") + (user (getenv "USER")) + (identity (getenv "SSHKEY")))))) 
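Review bot: The usage comment in deployment.scm (`; SSHKEY=path/to/key USER=myuser guix deploy turing.scm`) points at turing.scm, but the file that evaluates to the `(list (machine ...))` form `guix deploy` consumes is this one, while machines/turing.scm only exports `%turing-os`; the README's Deploying section has the same mismatch, so both should read `guix deploy deployment.scm`. The `user` and `identity` fields are taken straight from the environment, and if `USER` is unset `(getenv "USER")` yields `#f`, which presumably does not fall back to the field's default; replace the vague "USER is usually implicitly declared somewhere" line with something like `; USER must name an account that exists on turing (see machines/turing.scm); SSHKEY may be omitted to use the agent` and consider `(or (getenv "USER") "root")` so the failure mode is explicit. Pinning `host-key` inline is the right call, since it is what lets the deploy reject an impersonating host; a one-line comment noting that it must be refreshed whenever the machine is reprovisioned would save the next person a confusing failure.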
diff --git a/guix/machines/turing.scm b/guix/machines/turing.scm
new file mode 100644
index 00000000..c0a21b1c
--- /dev/null
+++ b/guix/machines/turing.scm
@@ -0,0 +1,188 @@ +;; Module imports +(define-module (machines turing) + #:export (%turing-os)) +(use-modules (gnu) + (guix) + (gnu packages databases) + (gnu packages linux) + (gnu packages tmux) + (gnu packages vim) + (gnu services admin) + (gnu services certbot) + (gnu services databases) + (gnu services networking) + (gnu services web)) +(use-service-modules networking ssh) +(use-package-modules bootloaders) + +;; Getting "unauthorized public key"? +;; your key needs to be in the guix authorized-keys, search for `guix-archive-key`. +;; Add your key there, then: +;; scp -r . turing.box.chrisjl.dev:guix +;; ssh turing.box.chrisjl.dev +;; cd guix +;; vim turing.scm +;; # Delete the `(list (machine ...))` stuff +;; # Add %turing-os +;; # Save +;; sudo guix system reconfigure turing.scm + +(define %guix-dir (dirname (dirname (canonicalize-path (current-filename))))) + +(define (resource path) + (local-file (string-append %guix-dir "/resources/" path))) + +(define (ssh-key name) + (resource (string-append "/ssh-keys/" name ".pub"))) + +(define (guix-archive-key name) + (resource (string-append "/guix-acl-keys/" name ".pub"))) + +(define %hidden-service-turing + (simple-service 'hidden-service-turing tor-service-type + (list (tor-onion-service-configuration + (name "turing") + (mapping '((22 "127.0.0.1:22"))))))) + +(define %motd + (resource "/motd.txt")) + +(define %certbot-deploy-hook + (program-file + "nginx-deploy-hook" + #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read))) + (kill pid SIGHUP)))) + +(define (letsencrypt-path hostname filename) + (string-append "/etc/letsencrypt/live/" hostname "/" filename)) + +(define (letsencrypt-key hostname) + (letsencrypt-path hostname "privkey.pem")) + +(define (letsencrypt-cert hostname) + (letsencrypt-path hostname "fullchain.pem")) + +(define %services + (append (list (service openssh-service-type + (openssh-configuration + (permit-root-login #f) + (password-authentication? 
#f) + (authorized-keys `(("cj" ,(ssh-key "chris") + ,(ssh-key "chris-lovelace")) + ("jc" ,(ssh-key "jc")) + ("j" ,(ssh-key "jb") + ,(ssh-key "jb2") + ,(ssh-key "jb-lovelace")))))) + (service static-networking-service-type + (list + (static-networking + (addresses + (list + (network-address + (device "eth0") + (value "5.252.225.193/22")) + (network-address + (device "eth0") + (value "2a03:4000:40:2f2:7460:66ff:feda:145b/64")))) + (routes + (list + (network-route + (destination "default") + (gateway "5.252.224.1")))) + (name-servers + '("1.1.1.1" "1.0.0.1"))))) + (service postgresql-service-type + (postgresql-configuration + (postgresql postgresql-16))) + (service tor-service-type) + (service nftables-service-type) + (service ntp-service-type) + %hidden-service-turing + (service nginx-service-type + (nginx-configuration + (server-blocks + (list + (nginx-server-configuration + (listen '("443 ssl http2")) + (server-name '("turing.box.pydis.wtf")) + (ssl-certificate (letsencrypt-cert "turing.box.pydis.wtf")) + (ssl-certificate-key (letsencrypt-key "turing.box.pydis.wtf")) + (root "/var/www/turing.box.pydis.wtf")))))) +; The below is added by the certbot role +; (listen '("80" "[::]:80")) +; (server-name '("turing.box.pydis.wtf")) +; (root "/var/www/owlcorp.uk") +; (locations +; (list +; (nginx-location-configuration +; ; Certbot webroot serving +; (uri "/.well-known") +; (body (list "root /var/www; ")))))))))) +; + (service certbot-service-type + (certbot-configuration + (email "ops@owlcorp.uk") + ; Do not add certbot configuration to nginx automatically + ; XXX: seems broken, report upstream? 
+ ; (default-location #f) + (webroot "/var/www") + (certificates + (list + (certificate-configuration + (domains '("turing.box.pydis.wtf")) + (deploy-hook %certbot-deploy-hook)))))) + (service unattended-upgrade-service-type) + (simple-service 'motd etc-service-type + (list `("motd" ,%motd)))) + %base-services)) + +;; Operating system description +(define %turing-os + (operating-system + (locale "en_GB.utf8") + (timezone "UTC") + (keyboard-layout (keyboard-layout "gb")) + (bootloader (bootloader-configuration + (bootloader grub-bootloader) + (targets '("/dev/vda")) + (keyboard-layout keyboard-layout))) + (file-systems (cons* (file-system + (mount-point "/") + (device "/dev/vda2") + (type "ext4")) + %base-file-systems)) + (host-name "u-76") + (users (cons* (user-account + (name "cj") + (comment "Chris") + (group "users") + (home-directory "/home/cj") + (supplementary-groups '("wheel" "netdev" "audio" "video"))) + (user-account + (name "jc") + (comment "void") + (group "users") + (home-directory "/home/jc") + (supplementary-groups '("wheel" "netdev" "audio" "video"))) + (user-account + (name "j") + (comment "J") + (group "users") + (home-directory "/home/j") + (supplementary-groups '("wheel" "netdev" "audio" "video"))) + %base-user-accounts)) + (packages (cons* %base-packages)) + (sudoers-file (plain-file "sudoers" "root ALL=(ALL) ALL +%wheel ALL=NOPASSWD: ALL +")) + (services (modify-services %services + (guix-service-type config => + (guix-configuration + (inherit config) + (authorized-keys + (append (list (guix-archive-key "jc") + (guix-archive-key "lovelace") + (guix-archive-key "joe-lovelace")) + %default-authorized-guix-keys)))))))) + +%turing-os diff --git a/guix/resources/guix-acl-keys/jc.pub b/guix/resources/guix-acl-keys/jc.pub new file mode 100644 index 00000000..c6e9ba75 --- /dev/null +++ b/guix/resources/guix-acl-keys/jc.pub 
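Review bot: `(service nftables-service-type)` is added with its default configuration, and if I remember `%default-nftables-ruleset` correctly it accepts only loopback, established/related, ICMP and `tcp dport ssh` before rejecting everything else, which would make the nginx server block on 443 and certbot's HTTP-01 validation on port 80 unreachable from outside. If that is intended for now a comment should say so; otherwise supply an explicit ruleset, e.g. `(service nftables-service-type (nftables-configuration (ruleset (resource "/nftables.conf"))))`, with a file that additionally accepts 80 and 443. The `sudoers-file` grants `%wheel ALL=NOPASSWD: ALL` to all three accounts, which makes every key listed under `authorized-keys` equivalent to root; with password authentication disabled that may be the deliberate trade-off, but it deserves a comment next to that line. The instruction block at the top ("Delete the `(list (machine ...))` stuff", "Add %turing-os") describes a layout this commit no longer has — the machine list lives in deployment.scm and this file already ends with `%turing-os` — so it should be reduced to the key-authorisation hint plus `sudo guix system reconfigure machines/turing.scm`. Minor: `(packages (cons* %base-packages))` is just `%base-packages`, the `tmux`, `vim` and `linux` package modules are imported but unused, and `ssh-key`/`guix-archive-key` build paths with a doubled slash (`/resources//ssh-keys/`), harmless but untidy.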
@@ -0,0 +1,6 @@ +(public-key + (ecc + (curve Ed25519) + (q #4D454A6338DCC455670972224BC70BEB22BA45E5D90010B9982B8BADF3BF1391#) + ) + ) diff --git a/guix/resources/guix-acl-keys/joe-lovelace.pub b/guix/resources/guix-acl-keys/joe-lovelace.pub new file mode 100644 index 00000000..00cbdcde --- /dev/null +++ b/guix/resources/guix-acl-keys/joe-lovelace.pub @@ -0,0 +1,6 @@ +(public-key + (ecc + (curve Ed25519) + (q #D8779FCB5D4BDF0837560B19D534BE9188D8BEC24EC315A934B8350C5CC75BD8#) + ) +) diff --git a/guix/resources/guix-acl-keys/lovelace.pub b/guix/resources/guix-acl-keys/lovelace.pub new file mode 100644 index 00000000..c5f9fd82 --- /dev/null +++ b/guix/resources/guix-acl-keys/lovelace.pub @@ -0,0 +1,6 @@ +(public-key + (ecc + (curve Ed25519) + (q #C2F473C5A16D14256DC6CBE78DB3F2D782B7723AECCCBCB123BE84DB110BF348#) + ) + ) diff --git a/guix/resources/motd.txt b/guix/resources/motd.txt new file mode 100644 index 00000000..7513b700 --- /dev/null +++ b/guix/resources/motd.txt @@ -0,0 +1,16 @@ + .--, .--, + ( ( \.---./ ) ) + '.__/o o\__.' + {= ^ =} + > - < + ________________________.""`-------`"".________________________ +/ \ +\ R.I.P. Christopher J. Lovering / +/ \ +\ 'They popped a cap in his ass.' / +/ \ +\ Dec 26th 1991 - March 8th 2026 / +/ \ +\_______________________________________________________________/ + ___)( )(___ + (((__) (__))) diff --git a/guix/resources/ssh-keys/chris-lovelace.pub b/guix/resources/ssh-keys/chris-lovelace.pub new file mode 100644 index 00000000..c496d536 --- /dev/null +++ b/guix/resources/ssh-keys/chris-lovelace.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9bVRTi9UIihz9B2wRpnsyl/1NqXJXuea6aPrH/h+o2 cj@lovelace.box.pydis.wtf diff --git a/guix/resources/ssh-keys/chris.pub b/guix/resources/ssh-keys/chris.pub new file mode 100644 index 00000000..c7c2d104 --- /dev/null +++ b/guix/resources/ssh-keys/chris.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMxOPLzQEOJtBJJ6Od9ucrDUpAFOviqJaUAvoG8NzyM chris@neptune 
diff --git a/guix/resources/ssh-keys/jb-lovelace.pub b/guix/resources/ssh-keys/jb-lovelace.pub
new file mode 100644
index 00000000..9e2acc67
--- /dev/null
+++ b/guix/resources/ssh-keys/jb-lovelace.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFKEXZxjRHz7Isq6+XmwkVu+PLDtlVRWlWfvx1QFxCN joe@lovelace
diff --git a/guix/resources/ssh-keys/jb.pub b/guix/resources/ssh-keys/jb.pub
new file mode 100644
index 00000000..dffdbd8e
--- /dev/null
+++ b/guix/resources/ssh-keys/jb.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyNdEOw7tfOHWCM0w2A7UzspnYYpNiF+nak51dcx3d7
diff --git a/guix/resources/ssh-keys/jb2.pub b/guix/resources/ssh-keys/jb2.pub
new file mode 100644
index 00000000..66ad73f7
--- /dev/null
+++ b/guix/resources/ssh-keys/jb2.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBAeclEz5F0yR4ip/cCbsJ6uHdo8QPK5FBPb6aH/e2Fg
diff --git a/guix/resources/ssh-keys/jc.pub b/guix/resources/ssh-keys/jc.pub
new file mode 100644
index 00000000..a4ac0573
--- /dev/null
+++ b/guix/resources/ssh-keys/jc.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINoHtDPD+w3rKGW4JVEDXidpRM1UXksC+/cMFgCykQBy jc@turing.box.chrisjl.dev
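Review bot: jb.pub and jb2.pub carry no trailing comment field, unlike the other keys in this directory (`chris@neptune`, `joe@lovelace`, `jc@turing.box.chrisjl.dev`), so nothing records which device each belongs to; when one of them has to be revoked it will not be obvious which entry to drop from `authorized-keys` in machines/turing.scm. Suggest appending a `user@host` comment to both lines, e.g. `... jb@<device-placeholder>` with the real hostname filled in.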