Add machine definition

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
Denis 'GNUtoo' Carikli 2023-09-12 17:59:05 +02:00
parent 3b8d7f2763
commit 7fe191c90d
Signed by: GNUtoo
GPG key ID: 5F5DFCC14177E263
5 changed files with 266 additions and 0 deletions

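--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,5 @@
+*~
+\#*\#
+id_ed25519
+id_ed25519.pub
+signing-key.pub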

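--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,40 @@
+# Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+#
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# You should have received a copy of the GNU General Public License
+# along with this file. If not, see <http://www.gnu.org/licenses/>.
+DESTDIR ?= .
+.PHONY: all help install update $(DESTDIR)/mumble-vm.img
+IMAGE_SOURCE = \
+mumble-vm-system.scm \
+id_ed25519.pub \
+Makefile \
+signing-key.pub
+all: help
+help:
+@printf "Available commands:\n\
+make help # prints this help\n\
+make install # install image to $(DESTDIR)/ \n\
+make deploy # update existing vm with guix deploy through SSH\n\
+"
+$(DESTDIR)/mumble-vm.img: $(IMAGE_SOURCE)
+sudo install \
+`guix system image \
+--image-type=mbr-raw \
+--image-size=6G mumble-vm-system.scm` \
+$@
+install: $(DESTDIR)/mumble-vm.img
+deploy:
+guix deploy -L . mumble-vm-machine.scm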
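Review bot: The line `.PHONY: all help install update $(DESTDIR)/mumble-vm.img` names `update`, for which no rule exists, leaves out the real `deploy` target (so a stray file named `deploy` would mask it), and marks the actual output file `$(DESTDIR)/mumble-vm.img` phony, which makes `make install` rerun `guix system image` and `sudo install` on every invocation regardless of whether `$(IMAGE_SOURCE)` changed; suggest `.PHONY: all help install deploy`. In the image recipe the backtick substitution hides a failed `guix system image`: an empty expansion leaves `sudo install $@` to die on a usage error rather than on the real cause, whereas binding the path first, `img=$$(guix system image --image-type=mbr-raw --image-size=6G mumble-vm-system.scm) && sudo install -m 0644 "$$img" $@`, stops on the build error and avoids installing a disk image with execute permission. The default `DESTDIR ?= .` also differs from the path the libvirt domain in this commit reads, `/var/lib/libvirt/images/distros/mumble-vm.img`, which deserves a comment above `DESTDIR` such as `# Set DESTDIR to the libvirt images directory used by mumble-vm.xml`.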

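--- a/mumble-vm-machine.scm
+++ b/mumble-vm-machine.scm
@@ -0,0 +1,38 @@
+;;; Copyright © Guix documentation authors
+;;; Copyright © 2022 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+;;;
+;;; This file is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; This file is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with this file. If not, see <http://www.gnu.org/licenses/>.
+(use-modules (gnu)
+(gnu machine)
+(gnu machine ssh))
+(list
+(machine
+(operating-system
+(@ (mumble-vm-system) mumble-vm-operating-system))
+(environment managed-host-environment-type)
+(configuration
+(machine-ssh-configuration
+(authorize? #t)
+(build-locally? #f)
+(host-key
+(string-append
+"ssh-ed25519"
+" "
+"AAAABBBBCCCCDDDDEEEEFFFFF1111222233334444555566667777888899990000ABC"))
+(host-name "audio.experimental.a-lec.org")
+(identity "./id_ed25519")
+(port 222)
+(system "x86_64-linux")
+(user "root")))))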
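Review bot: The `host-key` assembled with `string-append` in `machine-ssh-configuration` looks like a placeholder rather than the VM's real host key: an OpenSSH ed25519 public key blob begins with the base64-encoded type string `AAAAC3NzaC1lZDI1NTE5`, and the value here is `AAAABBBBCCCC…`. `host-key` is what `guix deploy` uses to authenticate the remote before opening a root session, so a mismatch makes deploy abort (safe, but confusing), and only the guest's genuine key protects that session from a spoofed host. A comment above `(host-key`, `;; Must be the guest's actual ed25519 host key; guix deploy aborts on a mismatch.`, would make the requirement explicit. Note also that `(identity "./id_ed25519")` is resolved relative to the working directory, so `guix deploy` only works when run from this directory as the Makefile does.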

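--- a/mumble-vm-system.scm
+++ b/mumble-vm-system.scm
@@ -0,0 +1,93 @@
+;; Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+;;
+;; This file is free software; you can redistribute it and/or modify it
+;; under the terms of the GNU General Public License as published by
+;; the Free Software Foundation; either version 3 of the License, or (at
+;; your option) any later version.
+;;
+;; You should have received a copy of the GNU General Public License
+;; along with this file. If not, see <http://www.gnu.org/licenses/>.
+(define-module (mumble-vm-system)
+#:use-module (gnu)
+#:use-module (gnu packages admin)
+#:use-module (gnu packages dns)
+#:use-module (gnu packages linux)
+#:use-module (gnu packages ssh)
+#:use-module (gnu services admin)
+#:use-module (gnu services ssh)
+#:export (mumble-vm-operating-system))
+(define-public %nginx-deploy-hook
+(program-file
+"nginx-deploy-hook"
+#~(let
+((nginx-pid (call-with-input-file "/var/run/nginx/pid" read))
+(mumble-server-pid
+(call-with-input-file
+"/var/run/mumble-server/mumble-server.pid" read)))
+((lambda _
+(kill nginx-pid SIGHUP)
+(kill mumble-server-pid SIGUSR1))))))
+(define mumble-vm-operating-system
+(operating-system
+(bootloader (bootloader-configuration
+(bootloader grub-minimal-bootloader)
+(targets '("/dev/vda"))))
+;; TODO: Does Mumble have some data? Is BTRFS safer than using ext4
+;; without doing many fsck?
+(file-systems (cons (file-system
+(device (file-system-label "Guix_image"))
+(mount-point "/")
+(type "ext4")) %base-file-systems))
+(host-name "mumble-vm")
+(timezone "Europe/Paris")
+(packages
+(append
+(list htop
+iftop
+`(,isc-bind "utils")
+net-tools
+nmon
+openssh-sans-x)
+%base-packages))
+(services
+(append
+(list
+;; Networking
+(service
+static-networking-service-type
+(list
+(static-networking
+(addresses (list (network-address
+(device "eth0")
+(value "192.168.10.37/24"))))
+(routes (list (network-route
+(destination "default")
+(gateway "192.168.10.1"))))
+(name-servers '("192.168.10.1")))))
+;; OpenSSH
+(service openssh-service-type
+(openssh-configuration
+(openssh openssh-sans-x)
+(use-pam? #f)
+(port-number 222)
+(permit-root-login #t)
+(password-authentication? #f)
+(challenge-response-authentication? #f)
+(authorized-keys
+`(("root" , (local-file "id_ed25519.pub"))
+("gnutoo" ,(local-file "id_ed25519.pub"))))))
+;; Unattended Upgrades
+(service unattended-upgrade-service-type))
+(modify-services
+%base-services
+(guix-service-type config => (guix-configuration
+(authorized-keys
+(append
+(list
+(local-file
+"signing-key.pub"))
+%default-authorized-guix-keys)))))))))
+mumble-vm-operating-system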
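Review bot: The `authorized-keys` alist in `openssh-configuration` grants the key to a `"gnutoo"` account, but the `operating-system` declares no `users` field, so only `%base-user-accounts` exist and that entry authorizes SSH for a user that is never created; either add a `user-account` for `gnutoo` or drop the entry so the set of SSH logins is exactly what is declared. With `password-authentication? #f` root access is already key-only; if the `openssh-configuration` in use accepts it, `(permit-root-login 'prohibit-password)` states that intent more directly than `#t`. `%nginx-deploy-hook` is exported but unused in this commit and no nginx or mumble-server service is defined here, so its PID-file reads and signals cannot be exercised yet; a comment saying where it is meant to be wired in (presumably a certificate-renewal hook) would help, and the two `kill` calls can sit directly in the `let` body instead of the immediately-applied `(lambda _ ...)`. Note too that `(local-file "id_ed25519.pub")` and `"signing-key.pub"` are both gitignored, so a fresh checkout fails at image build time until those files are supplied, which the README or the Makefile help should say.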

mumble-vm.xml Normal file
View file

@ -0,0 +1,90 @@
<domain type="kvm">
<name>mumble-vm</name>
<memory unit="KiB">4194304</memory>
<currentMemory unit="KiB">4194304</currentMemory>
<resource>
<partition>/machine</partition>
</resource>
<os>
<type arch="x86_64" machine="pc-i440fx-5.1">hvm</type>
<boot dev="hd"/>
</os>
<features>
<acpi/>
<apic/>
<vmport state="off"/>
</features>
<cpu mode="host-passthrough" check="none" migratable="on"/>
<clock offset="utc">
<timer name="rtc" tickpolicy="catchup"/>
<timer name="pit" tickpolicy="delay"/>
<timer name="hpet" present="no"/>
</clock>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<pm>
<suspend-to-mem enabled="no"/>
<suspend-to-disk enabled="no"/>
</pm>
<devices>
<emulator>/usr/bin/qemu-system-x86_64</emulator>
<disk type="file" device="disk">
<driver name="qemu" type="raw"/>
<source file="/var/lib/libvirt/images/distros/mumble-vm.img"/>
<target dev="vda" bus="virtio"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x05" function="0x0"/>
</disk>
<controller type="usb" index="0" model="ich9-ehci1">
<address type="pci" domain="0x0000" bus="0x00" slot="0x04" function="0x7"/>
</controller>
<controller type="usb" index="0" model="ich9-uhci1">
<master startport="0"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x04" function="0x0" multifunction="on"/>
</controller>
<controller type="usb" index="0" model="ich9-uhci2">
<master startport="2"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x04" function="0x1"/>
</controller>
<controller type="usb" index="0" model="ich9-uhci3">
<master startport="4"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x04" function="0x2"/>
</controller>
<controller type="pci" index="0" model="pci-root"/>
<interface type="bridge">
<source bridge="lan0"/>
<model type="virtio"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x0"/>
</interface>
<serial type="pty">
<target type="isa-serial" port="0">
<model name="isa-serial"/>
</target>
</serial>
<console type="pty">
<target type="serial" port="0"/>
</console>
<input type="keyboard" bus="ps2"/>
<input type="mouse" bus="ps2"/>
<graphics type="spice" autoport="yes" listen="127.0.0.1">
<listen type="address" address="127.0.0.1"/>
<gl enable="no"/>
</graphics>
<audio id="1" type="spice"/>
<video>
<model type="virtio" heads="1" primary="yes">
<acceleration accel3d="no"/>
</model>
<address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x0"/>
</video>
<memballoon model="virtio">
<address type="pci" domain="0x0000" bus="0x00" slot="0x06" function="0x0"/>
</memballoon>
<rng model="virtio">
<backend model="random">/dev/urandom</backend>
<address type="pci" domain="0x0000" bus="0x00" slot="0x08" function="0x0"/>
</rng>
</devices>
<seclabel type="dynamic" model="dac" relabel="yes"/>
</domain>
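Review bot: The domain defines `<memory>` and `<currentMemory>` but no `<vcpu>` element, so libvirt falls back to its default of a single virtual CPU, which is presumably unintended for a 4 GiB guest; if it is deliberate a comment saying so helps, otherwise add `<vcpu>2</vcpu>` (count to be confirmed) after `<currentMemory>`. The disk `<source file="/var/lib/libvirt/images/distros/mumble-vm.img"/>` is a different location from the Makefile's default `DESTDIR ?= .`, so a comment next to it, `<!-- Written by: make install DESTDIR=/var/lib/libvirt/images/distros -->`, ties the two files together. The SPICE listener bound to `127.0.0.1` and the `/dev/urandom` RNG backend are sensible defaults and need no change.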