diff --git a/.gitignore b/.gitignore
index f80a3d3..391e409 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,13 @@
+# Copyright (C) 2023 Denis 'GNUtoo' Carikli
+#
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# You should have received a copy of the GNU General Public License
+# along with this file. If not, see .
+
 *~
 \#*\#
 aclocal.m4
@@ -7,6 +17,10 @@ config.status
 configure
 first-boot.sh
 guix-commit.txt
+guix-installer-vm.img
+guix-installer-vm.tar
+guix-installer-vm.tar.xz
+guix-installer-vm.tar.xz.b64
 id_ed25519
 id_ed25519.pub
 id_wireguard
@@ -15,10 +29,10 @@ install-sh
 Makefile
 Makefile.in
 missing
+mumble-vm-machine.scm
+mumble-vm-system.scm
 mumble-vm.tar
 mumble-vm.tar.xz
 mumble-vm.tar.xz.b64
-mumble-vm-machine.scm
-mumble-vm-system.scm
 signing-key.pub
 wireguard-post-up.sh
diff --git a/guix-installer-vm/.gitignore b/guix-installer-vm/.gitignore
new file mode 100644
index 0000000..dd59782
--- /dev/null
+++ b/guix-installer-vm/.gitignore
@@ -0,0 +1,20 @@
+# Copyright (C) 2023 Denis 'GNUtoo' Carikli
+#
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# You should have received a copy of the GNU General Public License
+# along with this file. If not, see .
+
+*~
+\#*\#
+guix-commit.txt
+guix-installer-vm.img
+guix-installer-vm.tar
+guix-installer-vm.tar.xz
+guix-installer-vm.tar.xz.b64
+id_ed25519
+id_ed25519.pub
+signing-key.pub
diff --git a/guix-installer-vm/Makefile b/guix-installer-vm/Makefile
new file mode 100644
index 0000000..96aeb29
--- /dev/null
+++ b/guix-installer-vm/Makefile
@@ -0,0 +1,69 @@
+# Copyright (C) 2023 Denis 'GNUtoo' Carikli
+#
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# You should have received a copy of the GNU General Public License
+# along with this file. If not, see .
+
+.PHONY: all deploy
+
+all: guix-installer-vm.img
+
+# Generate default key. Can be changed by replacing id_ed25519.pub.
+id_ed25519.pub:
+ printf "ssh-ed25519 %s %s" \
+ 'AAAAC3NzaC1lZDI1NTE5AAAAIH2feuEj4asx0ImCG+cuiPv2WdKF6vMI+cJtZyG9cwUQ' \
+ 'gnutoo@primary_laptop' \
+ > $@
+
+# Generate default key. Can be changed by replacing signing-key.pub.
+signing-key.pub:
+ printf '(public-key (ecc (curve Ed25519) (q #%s#)))\n' \
+ '3A7E1F41E2D5784CFCABB39CB73F99E727D4A5C1ECA79D873587D63D093CC4B5' \
+ >$@
+
+# We want to only update the image when guix commit changes. The trick
+# to make that work is to only create or update a file when the revision
+# changes.
+guix-commit.txt: Makefile
+ if [ ! -f $@ ] ; then \
+ guix describe | grep '^ commit:' | awk '{print $$2}' > $@ ; \
+ elif [ "$(cat $@)" != \
+ "$(guix describe | \
+ grep '^ commit:' | awk '{print $$2}')" ] ; then \
+ guix describe | grep '^ commit:' | awk '{print $$2}' > $@ ; \
+ fi
+
+TARBALL_SOURCE = \
+ first-boot.sh \
+ guix-commit.txt \
+ guix-installer-vm-system.scm \
+ id_ed25519.pub \
+ Makefile \
+ signing-key.pub
+
+guix-installer-vm.tar: $(TARBALL_SOURCE)
+ tar --exclude "id_ed25519" -cf $@ $(TARBALL_SOURCE)
+
+guix-installer-vm.tar.xz: guix-installer-vm.tar
+ xz -f -9e --verbose $<
+
+guix-installer-vm.tar.xz.b64: guix-installer-vm.tar.xz
+ base64 $< > $@
+
+IMAGE_SOURCE = \
+ $(TARBALL_SOURCE) \
+ guix-installer-vm.tar.xz
+
+guix-installer-vm.img: $(IMAGE_SOURCE)
+ install \
+ `guix system image \
+ --image-type=mbr-raw \
+ --image-size=4G guix-installer-vm-system.scm` \
+ $@
+
+deploy:
+ guix deploy -L . guix-installer-vm-machine.scm
diff --git a/guix-installer-vm/README b/guix-installer-vm/README
new file mode 100644
index 0000000..4aa9de8
--- /dev/null
+++ b/guix-installer-vm/README
@@ -0,0 +1,14 @@
+License
+=======
+This project is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This project is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this project. If not, see .
diff --git a/guix-installer-vm/first-boot.sh b/guix-installer-vm/first-boot.sh
new file mode 100755
index 0000000..d4120f9
--- /dev/null
+++ b/guix-installer-vm/first-boot.sh
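Review bot: The `guix-commit.txt` recipe can never detect a changed commit: `$(cat $@)` and `$(guix describe | ...)` are expanded by Make, not by the shell (unlike the correctly escaped `$$2`), so both sides of the `elif` comparison are empty strings and that branch is dead; they need `$$(...)`. The rule also lists only `Makefile` as a prerequisite, so once `guix-commit.txt` exists the recipe does not run again at all and the image is never rebuilt for a new `guix describe` commit — a `FORCE` prerequisite lets the recipe run on every invocation while still rewriting the file only when the value changes, which is what the comment above the rule intends. Separately, the `id_ed25519.pub` and `signing-key.pub` rules silently bake the author's SSH and signing public keys into an image whose sshd has `permit-root-login #t` with root's key taken from `id_ed25519.pub` and whose guix-daemon authorizes `signing-key.pub` (see guix-installer-vm-system.scm in this commit); consider failing with `$(error id_ed25519.pub is missing: supply your own public key)` rather than generating a default. The rewritten rule below also refuses to record an empty commit if `guix describe` fails.

```make
.PHONY: all deploy FORCE
FORCE:

# … unchanged: default key rules …

# Runs on every invocation, but only rewrites the file (and so only
# triggers the tarball/image rebuild) when the commit reported by
# `guix describe` differs from the recorded one.
guix-commit.txt: FORCE
	commit="$$(guix describe | grep '^ commit:' | awk '{print $$2}')" ; \
	[ -n "$$commit" ] || { echo 'guix describe reported no commit' >&2 ; exit 1 ; } ; \
	if [ ! -f $@ ] || [ "$$(cat $@)" != "$$commit" ] ; then \
		printf '%s\n' "$$commit" > $@ ; \
	fi
```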
@@ -0,0 +1,29 @@
+#!/bin/sh
+#
+# Copyright (C) 2023 Denis 'GNUtoo' Carikli
+#
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# You should have received a copy of the GNU General Public License
+# along with this file. If not, see .
+set -e
+
+report()
+{
+ ret=$?
+ message="$@"
+
+ if [ ${ret} -eq 0 ] ; then
+ echo "[ OK ] ${message}"
+ else
+ echo "[ !! ] ${message} failed"
+ exit ${ret}
+ fi
+}
+
+echo ';;L;*' | sfdisk -f /dev/vda ; report "Resizing /dev/vda1 partition" ; \
+partprobe
+resize2fs /dev/vda1 ; report "Growing /dev/vda1 filesystem"
diff --git a/guix-installer-vm/guix-installer-vm-machine.scm b/guix-installer-vm/guix-installer-vm-machine.scm
new file mode 100644
index 0000000..25fc7e5
--- /dev/null
+++ b/guix-installer-vm/guix-installer-vm-machine.scm
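Review bot: The partition rewrite at the end of the script has no precondition: `echo ';;L;*' | sfdisk -f /dev/vda` replaces the entire partition table of a hard-coded device with a single partition, so on any machine where `/` is not `/dev/vda1` (a differently named disk, or a layout with more partitions) it is destructive rather than a no-op. A one-line guard before it, `findmnt -no SOURCE / | grep -qx /dev/vda1 || { echo '[ !! ] / is not on /dev/vda1, refusing to repartition' ; exit 1 ; }`, keeps the script from touching anything else, and `findmnt` comes from util-linux, which is already an input of the package that installs this script. Note also that under `set -e` the failure branch of `report` is unreachable for the `sfdisk` and `resize2fs` calls, because the shell exits before `report` runs; either drop `set -e` or pass the status explicitly, e.g. `resize2fs /dev/vda1 || report "Growing /dev/vda1 filesystem"` with `report` reading `$?` as it does now. `message="$@"` should be `message="$*"`; assigning `"$@"` is unspecified in POSIX sh.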
@@ -0,0 +1,35 @@
+;;; Copyright © Guix documentation authors
+;;; Copyright © 2023 Denis 'GNUtoo' Carikli
+;;;
+;;; This file is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; This file is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with this file. If not, see .
+
+(use-modules (gnu)
+ (gnu machine)
+ (gnu machine ssh))
+(list
+ (machine
+ (operating-system
+ (@ (guix-installer-vm-system) guix-installer-vm-operating-system))
+ (environment managed-host-environment-type)
+ (configuration
+ (machine-ssh-configuration
+ (authorize? #t)
+ (build-locally? #f)
+ (host-key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJGgswfvxxErFStqBGY81N0uuLndjA5l9bGd4DGlcK9F")
+ (host-name "2001:910:1021::118")
+ (identity "./id_ed25519")
+ (port 222)
+ (system "x86_64-linux")
+ (user "root")))))
diff --git a/guix-installer-vm/guix-installer-vm-system.scm b/guix-installer-vm/guix-installer-vm-system.scm
new file mode 100644
index 0000000..1528d6c
--- /dev/null
+++ b/guix-installer-vm/guix-installer-vm-system.scm
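Review bot: The deployment record depends on the working directory in two places without saying so: `(@ (guix-installer-vm-system) ...)` only resolves when the load path includes this directory (the Makefile's `deploy` target passes `-L .`), and `(identity "./id_ed25519")` is relative as well, so running `guix deploy guix-installer-vm-machine.scm` from anywhere else fails with an unbound-module or missing-key error. A header comment such as `;;; Run from this directory via `make deploy` (guix deploy -L .): the module reference and the "./id_ed25519" identity resolve relative to it.` would spare the next reader that round trip. Pinning `host-key` is the right choice over trust-on-first-use, but it and `host-name` are site-specific values with no note on where they come from (presumably the VM's `/etc/ssh/ssh_host_ed25519_key.pub` — confirm); a short comment naming the source lets a reader verify the pin instead of copying it blindly. `(port 222)` must stay in sync with `(port-number 222)` in the openssh-configuration of guix-installer-vm-system.scm; a cross-referencing comment on either side would help.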
@@ -0,0 +1,172 @@
+;; Copyright (C) 2023 Denis 'GNUtoo' Carikli
+;;
+;; This file is free software; you can redistribute it and/or modify it
+;; under the terms of the GNU General Public License as published by
+;; the Free Software Foundation; either version 3 of the License, or (at
+;; your option) any later version.
+;;
+;; You should have received a copy of the GNU General Public License
+;; along with this file. If not, see .
+
+(define-module (guix-installer-vm-system)
+ #:use-module (gnu)
+ #:use-module (gnu packages admin)
+ #:use-module (gnu packages certs)
+ #:use-module (gnu packages disk)
+ #:use-module (gnu packages dns)
+ #:use-module (gnu packages linux)
+ #:use-module (gnu packages screen)
+ #:use-module (gnu packages ssh)
+ #:use-module (gnu packages tls)
+ #:use-module (gnu services admin)
+ #:use-module (gnu services certbot)
+ #:use-module (gnu services ssh)
+ #:use-module (gnu services telephony)
+ #:use-module (gnu services vpn)
+ #:use-module (gnu services web)
+ #:use-module (guix build-system copy)
+ #:use-module (guix build-system gnu)
+ #:use-module ((guix licenses) #:prefix license:)
+ #:use-module (guix packages)
+ #:use-module (guix utils)
+ #:export (guix-installer-vm-operating-system))
+
+(define guix-installer-vm-config
+ (package
+ (name "guix-installer-vm-config")
+ (version "0.1")
+ ;; TODO: Make that tarball reproducible
+ (source (local-file "guix-installer-vm.tar.xz"))
+ (build-system copy-build-system)
+ (arguments
+ (list
+ #:install-plan
+ #~(list
+ '("first-boot.sh" "share/guix-installer-vm/configs/")
+ '("guix-commit.txt" "share/guix-installer-vm/configs/")
+ '("guix-installer-vm-system.scm" "share/guix-installer-vm/configs/")
+ '("id_ed25519.pub" "share/guix-installer-vm/configs/")
+ '("Makefile" "share/guix-installer-vm/configs/")
+ '("signing-key.pub" "share/guix-installer-vm/configs/")
+ '(#$source
+ "share/guix-installer-vm/configs/guix-installer-vm.tar.xz"))))
+ (synopsis "Full machine configuration.")
+ (description
+ "This contains all the configuration files of this machine. This is
+needed for unattended upgrades to work.")
+ (home-page "DOMAIN")
+ (license license:gpl3+)))
+
+(define first-boot-script
+ (package
+ (name "first-boot-script")
+ (version "0.1")
+ (source (local-file "first-boot.sh" ))
+ (build-system gnu-build-system)
+ (arguments
+ (list #:tests? #f ;no tests
+ #:phases
+ #~(modify-phases
+ %standard-phases
+ (delete 'build)
+ (delete 'configure)
+ (replace 'install
+ (lambda _
+ (chmod "first-boot.sh" #o755)
+ (install-file
+ "first-boot.sh"
+ (string-append (string-append #$output "/bin"))))))))
+ (inputs (list e2fsprogs parted util-linux))
+ (synopsis "Script to run on first boot.")
+ (description
+ "The first-boot.sh script resize the rootfs and updates the system.")
+ (home-page #f)
+ (license license:gpl3+)))
+
+(define guix-installer-vm-operating-system
+ (operating-system
+ (bootloader (bootloader-configuration
+ (bootloader grub-minimal-bootloader)
+ (targets '("/dev/vda"))
+ (terminal-outputs '(serial_0))))
+ (kernel-arguments (append '("console=ttyS0")))
+ (file-systems (cons (file-system
+ (device (file-system-label "Guix_image"))
+ (mount-point "/")
+ (type "ext4")) %base-file-systems))
+ (host-name "guix-installer-vm")
+ (timezone "Europe/Paris")
+ (packages (append (list first-boot-script
+ guix-installer-vm-config
+ htop
+ net-tools
+ nss-certs
+ parted
+ screen)
+ %base-packages))
+ (services
+ (append
+ (list
+ ;; Agetty
+
+ ;; ttyS0 is already setup automatically due to the console=ttyS0
+ ;; kernel argument
+ (service agetty-service-type
+ (agetty-configuration (term "xterm-256color")
+ (tty "ttyS1")))
+ (service agetty-service-type
+ (agetty-configuration (term "xterm-256color")
+ (tty "ttyS2")))
+ (service agetty-service-type
+ (agetty-configuration (term "xterm-256color")
+ (tty "ttyS3")))
+ ;; Networking
+ (service
+ static-networking-service-type
+ (list
+ (static-networking
+ (addresses (list (network-address
+ (device "eth0")
+ (value "192.168.1.118/16"))
+ (network-address
+ (device "eth0")
+ (value "2001:910:1021::118/64"))))
+ (routes (list (network-route
+ (destination "default")
+ (gateway "192.168.0.1"))
+ (network-route
+ (destination "default")
+ (gateway "2001:910:1021::1"))))
+ (name-servers (list "192.168.0.1" "2001:910:1021::1")))))
+ ;; OpenSSH
+ (service openssh-service-type
+ (openssh-configuration
+ (openssh openssh-sans-x)
+ (use-pam? #f)
+ (port-number 222)
+ (permit-root-login #t)
+ (password-authentication? #f)
+ (challenge-response-authentication? #f)
+ (authorized-keys
+ `(("root" , (local-file "id_ed25519.pub"))
+ ("gnutoo" ,(local-file "id_ed25519.pub"))))))
+ ;; Unattended Upgrades
+ (service
+ unattended-upgrade-service-type
+ (unattended-upgrade-configuration
+ (operating-system-file
+ (string-append "/run/current-system/profile"
+ "/share/guix-installer-vm/configs/"
+ "guix-installer-vm-system.scm"))
+ (schedule "0 * * * * ")
+ (services-to-restart (list 'guix-daemon 'mcron 'ssh-daemon)))))
+ (modify-services
+ %base-services
+ (guix-service-type config => (guix-configuration
+ (authorized-keys
+ (append
+ (list
+ (local-file
+ "signing-key.pub"))
+ %default-authorized-guix-keys)))))))))
+guix-installer-vm-operating-system
diff --git a/guix-installer-vm/guix-installer-vm.xml b/guix-installer-vm/guix-installer-vm.xml
new file mode 100644
index 0000000..81cb64f
--- /dev/null
+++ b/guix-installer-vm/guix-installer-vm.xml
@@ -0,0 +1,102 @@
+ + guix-vm-installer + 2097152 + 2097152 + + /machine + + + hvm + + + + + + + + + + + + + + destroy + restart + destroy + + + + + + /usr/bin/qemu-system-x86_64 + + + + + +
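Review bot: The openssh `authorized-keys` entry for `"gnutoo"` authorizes a key for an account that nothing in this operating-system declares — there is no `users` field, so only `root` exists — which makes the entry either dead configuration or a sign of a missing `user-account`; remove it or add the account, and comment why the same `id_ed25519.pub` is granted to both. `(permit-root-login #t)` with root's key taken from `id_ed25519.pub`, plus the guix-daemon `authorized-keys` extended with `signing-key.pub`, means those two files decide who can log in as root and who can push store items to this host, yet the Makefile in this commit generates default copies of both with the author's keys when they are absent; a comment at each use, `;; Must be the operator's own key; replace the Makefile-generated default`, makes that trust relationship visible where it matters. `first-boot-script` is installed into the profile but nothing in this file runs it at boot, so the package `description` should say how it is meant to be invoked and should read "resizes the rootfs" — the script in this commit only repartitions and grows the filesystem and does not update the system. `(home-page "DOMAIN")` in `guix-installer-vm-config` looks like an unreplaced placeholder; `#f`, as `first-boot-script` uses, is the honest value. Minor: `(append '("console=ttyS0"))` and `(string-append (string-append #$output "/bin"))` each wrap a single argument and reduce to `'("console=ttyS0")` and `(string-append #$output "/bin")`.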
+ + +
+ + + +
+ + + +
+ + + +
+ + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +