Provision turing with guix

.pre-commit-config.yaml

@@ -11,6 +11,7 @@ repos:
       - id: end-of-file-fixer
       - id: trailing-whitespace
         args: [--markdown-linebreak-ext=md]
+        exclude: ^guix/resources/guix-acl-keys/
 
   - repo: local
     hooks:

guix/README.md

@@ -0,0 +1,26 @@
+# DevOps Area 51
+
+> This directory is a declarative deployment... and part of a system of
+> declarative deployments... pay attention to it!
+
+Here we test out declarative deployments using Guix on Turing. It serves mainly
+as a playground for ideas.
+
+## Deploying
+
+**Prerequisites**
+
+- Relevant SSH key (see `./ssh-keys/`) in your SSH agent
+- Guix packaging ACL key deployed on turing
+  - This is usually at `/etc/guix/signing-key`. If not, run `guix archive
+    --generate-key` as root.
+  - This is needed for the remote Guix instance to accept packages we build
+    locally.
+
+**Deploying**
+
+```sh
+# Optional, but recommended
+# guix pull
+guix deploy turing.scm
+```

guix/deployment.scm

@@ -0,0 +1,20 @@
+(define-module (deployment))
+(add-to-load-path (dirname (current-filename)))
+(use-modules (gnu machine)
+             (gnu machine ssh)
+             (machines turing))
+
+
+; local deployments:
+; SSHKEY=path/to/key USER=myuser guix deploy turing.scm
+; USER is usually implicitly declared somewhere
+(list (machine
+        (operating-system %turing-os)
+        (environment managed-host-environment-type)
+        (configuration (machine-ssh-configuration
+                         (host-name "turing.box.chrisjl.dev")
+                         (build-locally? #f)
+                         (system "x86_64-linux")
+                         (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvvi6P/G+rZ2qUZ+anluvFQwYM/WFZkERygd9X9+xqU")
+                         (user (getenv "USER"))
+                         (identity (getenv "SSHKEY"))))))

guix/machines/turing.scm

@@ -0,0 +1,188 @@
+;; Module imports
+(define-module (machines turing)
+  #:export (%turing-os))
+(use-modules (gnu)
+             (guix)
+             (gnu packages databases)
+             (gnu packages linux)
+             (gnu packages tmux)
+             (gnu packages vim)
+             (gnu services admin)
+             (gnu services certbot)
+             (gnu services databases)
+             (gnu services networking)
+             (gnu services web))
+(use-service-modules networking ssh)
+(use-package-modules bootloaders)
+
+;; Getting "unauthorized public key"?
+;; your key needs to be in the guix authorized-keys, search for `guix-archive-key`.
+;; Add your key there, then:
+;;     scp -r . turing.box.chrisjl.dev:guix
+;;     ssh turing.box.chrisjl.dev
+;;     cd guix
+;;     vim turing.scm
+;;     # Delete the `(list (machine ...))` stuff
+;;     # Add %turing-os
+;;     # Save
+;;     sudo guix system reconfigure turing.scm
+
+(define %guix-dir (dirname (dirname (canonicalize-path (current-filename)))))
+
+(define (resource path)
+  (local-file (string-append %guix-dir "/resources/" path)))
+
+(define (ssh-key name)
+  (resource (string-append "/ssh-keys/" name ".pub")))
+
+(define (guix-archive-key name)
+  (resource (string-append "/guix-acl-keys/" name ".pub")))
+
+(define %hidden-service-turing
+    (simple-service 'hidden-service-turing tor-service-type
+                    (list (tor-onion-service-configuration
+                            (name "turing")
+                            (mapping '((22 "127.0.0.1:22")))))))
+
+(define %motd
+  (resource "/motd.txt"))
+
+(define %certbot-deploy-hook
+  (program-file
+   "nginx-deploy-hook"
+   #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
+       (kill pid SIGHUP))))
+
+(define (letsencrypt-path hostname filename)
+  (string-append "/etc/letsencrypt/live/" hostname "/" filename))
+
+(define (letsencrypt-key hostname)
+  (letsencrypt-path hostname "privkey.pem"))
+
+(define (letsencrypt-cert hostname)
+  (letsencrypt-path hostname "fullchain.pem"))
+
+(define %services
+  (append (list (service openssh-service-type
+                   (openssh-configuration
+                     (permit-root-login #f)
+                     (password-authentication?  #f)
+                     (authorized-keys `(("cj" ,(ssh-key "chris")
+                                              ,(ssh-key "chris-lovelace"))
+                                        ("jc" ,(ssh-key "jc"))
+                                        ("j" ,(ssh-key "jb")
+                                             ,(ssh-key "jb2")
+                                             ,(ssh-key "jb-lovelace"))))))
+                (service static-networking-service-type
+                         (list
+                           (static-networking
+                             (addresses
+                               (list
+                                 (network-address
+                                   (device "eth0")
+                                   (value "5.252.225.193/22"))
+                                 (network-address
+                                   (device "eth0")
+                                   (value "2a03:4000:40:2f2:7460:66ff:feda:145b/64"))))
+                             (routes
+                               (list
+                                 (network-route
+                                   (destination "default")
+                                   (gateway "5.252.224.1"))))
+                             (name-servers
+                               '("1.1.1.1" "1.0.0.1")))))
+                (service postgresql-service-type
+                         (postgresql-configuration
+                           (postgresql postgresql-16)))
+                (service tor-service-type)
+                (service nftables-service-type)
+                (service ntp-service-type)
+                %hidden-service-turing
+                (service nginx-service-type
+                         (nginx-configuration
+                           (server-blocks
+                             (list
+                               (nginx-server-configuration
+                                 (listen '("443 ssl http2"))
+                                 (server-name '("turing.box.pydis.wtf"))
+                                 (ssl-certificate (letsencrypt-cert "turing.box.pydis.wtf"))
+                                 (ssl-certificate-key (letsencrypt-key "turing.box.pydis.wtf"))
+                                 (root "/var/www/turing.box.pydis.wtf"))))))
+; The below is added by the certbot role
+;                                     (listen '("80" "[::]:80"))
+;                                     (server-name '("turing.box.pydis.wtf"))
+;                                     (root "/var/www/owlcorp.uk")
+;                                     (locations
+;                                       (list
+;                                         (nginx-location-configuration
+;                                           ; Certbot webroot serving
+;                                           (uri "/.well-known")
+;                                           (body (list "root /var/www; "))))))))))
+;
+                (service certbot-service-type
+                         (certbot-configuration
+                          (email "ops@owlcorp.uk")
+                          ; Do not add certbot configuration to nginx automatically
+                          ; XXX: seems broken, report upstream?
+                          ; (default-location #f)
+                          (webroot "/var/www")
+                          (certificates
+                           (list
+                            (certificate-configuration
+                             (domains '("turing.box.pydis.wtf"))
+                             (deploy-hook %certbot-deploy-hook))))))
+                (service unattended-upgrade-service-type)
+	        (simple-service 'motd etc-service-type
+				(list `("motd" ,%motd))))
+               %base-services))
+
+;; Operating system description
+(define %turing-os
+  (operating-system
+    (locale "en_GB.utf8")
+    (timezone "UTC")
+    (keyboard-layout (keyboard-layout "gb"))
+    (bootloader (bootloader-configuration
+                  (bootloader grub-bootloader)
+                  (targets '("/dev/vda"))
+                  (keyboard-layout keyboard-layout)))
+    (file-systems (cons* (file-system
+                           (mount-point "/")
+                           (device "/dev/vda2")
+                           (type "ext4"))
+                          %base-file-systems))
+    (host-name "u-76")
+    (users (cons* (user-account
+                    (name "cj")
+                    (comment "Chris")
+                    (group "users")
+                    (home-directory "/home/cj")
+                    (supplementary-groups '("wheel" "netdev" "audio" "video")))
+                  (user-account
+                    (name "jc")
+                    (comment "void")
+                    (group "users")
+                    (home-directory "/home/jc")
+                    (supplementary-groups '("wheel" "netdev" "audio" "video")))
+                  (user-account
+                    (name "j")
+                    (comment "J")
+                    (group "users")
+                    (home-directory "/home/j")
+                    (supplementary-groups '("wheel" "netdev" "audio" "video")))
+                  %base-user-accounts))
+    (packages (cons* %base-packages))
+    (sudoers-file (plain-file "sudoers" "root ALL=(ALL) ALL
+%wheel ALL=NOPASSWD: ALL
+"))
+    (services (modify-services %services
+                (guix-service-type config =>
+                                   (guix-configuration
+                                     (inherit config)
+                                     (authorized-keys
+                                       (append (list (guix-archive-key "jc")
+                                                     (guix-archive-key "lovelace")
+                                                     (guix-archive-key "joe-lovelace"))
+                                               %default-authorized-guix-keys))))))))
+
+%turing-os

guix/resources/guix-acl-keys/jc.pub

@@ -0,0 +1,6 @@
+(public-key 
+ (ecc 
+  (curve Ed25519)
+  (q #4D454A6338DCC455670972224BC70BEB22BA45E5D90010B9982B8BADF3BF1391#)
+  )
+ )

guix/resources/guix-acl-keys/joe-lovelace.pub

@@ -0,0 +1,6 @@
+(public-key
+ (ecc
+  (curve Ed25519)
+  (q #D8779FCB5D4BDF0837560B19D534BE9188D8BEC24EC315A934B8350C5CC75BD8#)
+  )
+)

guix/resources/guix-acl-keys/lovelace.pub

@@ -0,0 +1,6 @@
+(public-key 
+ (ecc 
+  (curve Ed25519)
+  (q #C2F473C5A16D14256DC6CBE78DB3F2D782B7723AECCCBCB123BE84DB110BF348#)
+  )
+ )

guix/resources/motd.txt

@@ -0,0 +1,16 @@
+                         .--,       .--,
+                        ( (  \.---./  ) )
+                         '.__/o   o\__.'
+                            {=  ^  =}
+                             >  -  <
+ ________________________.""`-------`"".________________________
+/                                                               \
+\ R.I.P. Christopher J. Lovering                                /
+/                                                               \
+\ 'They popped a cap in his ass.'                               /
+/                                                               \
+\ Dec 26th 1991 - March 8th 2026                                /
+/                                                               \
+\_______________________________________________________________/
+                           ___)( )(___
+                          (((__) (__)))

guix/resources/ssh-keys/chris-lovelace.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9bVRTi9UIihz9B2wRpnsyl/1NqXJXuea6aPrH/h+o2 cj@lovelace.box.pydis.wtf

guix/resources/ssh-keys/chris.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMxOPLzQEOJtBJJ6Od9ucrDUpAFOviqJaUAvoG8NzyM chris@neptune

guix/resources/ssh-keys/jb-lovelace.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFKEXZxjRHz7Isq6+XmwkVu+PLDtlVRWlWfvx1QFxCN joe@lovelace

guix/resources/ssh-keys/jb.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyNdEOw7tfOHWCM0w2A7UzspnYYpNiF+nak51dcx3d7

guix/resources/ssh-keys/jb2.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBAeclEz5F0yR4ip/cCbsJ6uHdo8QPK5FBPb6aH/e2Fg

guix/resources/ssh-keys/jc.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINoHtDPD+w3rKGW4JVEDXidpRM1UXksC+/cMFgCykQBy jc@turing.box.chrisjl.dev