Increase the installer RAM amount to 8GiB.

With 4GiB guix pull fails. With 8GiB 'df -h /' returns the following:
    none            3.9G  1.6G  2.4G  40% /
so if we don't change the ramfs mount options it is pretty clear that
4GiB is not enough.

The issue here is that we are trying to do an install with the
following constraints:
- It needs to work without external access to the underlying
  storage. For instance I cannot become root and simply copy the image
  to the correct location and boot that because I lack the permissions
  but also because the machine doesn't have Guix.
- I also want the target rootfs to be up to date (especially with
  security updates) from the start.
- It needs to be relatively fast and not consume too much resources.
- It also needs to be relatively easy to deploy. Using the guix
  installer to install Guix is the easiest as it works out of the box
  with a read-only install media, but it also comes with resources
  costs as the files being created end up in RAM.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>

Makefile.am

@@ -34,7 +34,7 @@ guix-commit.txt: Makefile
 %.html: %.html.tmpl guix-commit.txt Makefile
 	sed 's#DOMAIN#$(DOMAIN)#g' $< > $@
 
-%.scm: %.scm.tmpl guix-commit.txt Makefile
+%.scm: %.scm.tmpl guix-commit.txt id_ed25519.pub Makefile signing-key.pub
 	sed \
 		"s#DOMAIN#$(DOMAIN)#g ; \
 		s#ENABLE_WIREGUARD#$(ENABLE_WIREGUARD)#g ; \
@@ -55,7 +55,20 @@ guix-commit.txt: Makefile
 		s#VM_SSH_ADDRESS#$(VM_SSH_ADDRESS)#g" $< > $@
 	chmod +x $@
 
-IMAGE_SOURCE = \
+# Generate default key. Can be changed by replacing id_ed25519.pub.
+id_ed25519.pub:
+	printf "ssh-ed25519 %s %s" \
+	'AAAAC3NzaC1lZDI1NTE5AAAAIH2feuEj4asx0ImCG+cuiPv2WdKF6vMI+cJtZyG9cwUQ' \
+	'gnutoo@primary_laptop'
+	> $@
+
+# Generate default key. Can be changed by replacing signing-key.pub.
+signing-key.pub:
+	printf '(public-key (ecc (curve Ed25519) (q #%s#)))\n' \
+	'3A7E1F41E2D5784CFCABB39CB73F99E727D4A5C1ECA79D873587D63D093CC4B5' \
+	>$@
+
+TARBALL_SOURCE = \
 	first-boot.sh \
 	guix-commit.txt \
 	index.html \
@@ -66,12 +79,22 @@ IMAGE_SOURCE = \
 	signing-key.pub \
 	wireguard-post-up.sh
 
+IMAGE_SOURCE = \
+	$(TARBALL_SOURCE) \
+	mumble-vm.tar.xz
+
 mumble-vm.img: $(IMAGE_SOURCE)
-	sudo install \
+	install \
 		`guix system image \
 			--image-type=mbr-raw \
 			--image-size=6G mumble-vm-system.scm` \
 		$@
 
+mumble-vm.tar: $(TARBALL_SOURCE)
+	tar --exclude "id_ed25519" -cf $@ $(TARBALL_SOURCE)
+
+mumble-vm.tar.xz: mumble-vm.tar
+	xz -f -9e --verbose $<
+
 deploy: $(IMAGE_SOURCE)
 	guix deploy -L . mumble-vm-machine.scm

README

@@ -40,6 +40,45 @@ Once the image is booted:
   # first-boot.sh
 - You then need to set the root password.
 
+The mumble-vm-install.sh installation script
+============================================
+This script is supposed to only run inside a VM on the Guix installer
+and checks that it's the case through various ways. The specification
+of the VM it runs on is provided in guix-vm-installer.xml for
+reference. It is very specific to the Libre en communs infrastructure,
+so you might need to modify it to use it on your infrastructure.
+
+The Libre en Communs infrastructure on which this VM is being deployed
+has libvirt but it doesn't have Guix on the host. So the option
+provided by Libre en Communs was to do the installation from a
+VM.
+
+This is also common for many infrastructure providers due to security
+concerns with access outside the VM.
+
+Since the Guix installer is trusted and is now provided by Libre en
+communs, and that we also have access to the vm management interfaces
+we simply use a script to do all the installation work.
+
+If instead you have a VM with only SSH access you will also need to
+modify the script to fit that use case.
+
+It is also possible to convert an existing VM to Guix but that
+requires significantly more work (see gnu/machine/digital-ocean.scm
+inside the Guix source code for more detail on how to do that).
+
+To use this script, the admin with privileged access to the vm
+management interface needs to boot the installer and copy the script
+inside. This can be done by running the following command (the script
+can be named like you want):
+    # cat /dev/ttyS0 > i.sh
+and then by pasting the script through the first serial port, and
+typing ctrl+d at the end, so that the file is closed and written.
+
+The script can then run like that:
+    # chmod +x i.sh
+    # ./i.sh
+
 License
 =======
 This project is free software: you can redistribute it and/or modify

configure.ac

@@ -21,7 +21,12 @@ AC_PROG_MKDIR_P
 AM_INIT_AUTOMAKE([foreign])
 
 AC_CHECK_PROG([GUIX], [guix], [guix])
+AS_IF([test x"$GUIX" = x""],
+      [AC_MSG_ERROR([guix was not found in PATH ($PATH)])])
+
 AC_CHECK_PROG([SED], [sed], [sed])
+AS_IF([test x"$SED" = x""],
+      [AC_MSG_ERROR([sed was not found in PATH ($PATH)])])
 
 AC_SUBST([DOMAIN], [])
 AC_SUBST([ENABLE_WIREGUARD], [])

guix-vm-installer.xml

@@ -0,0 +1,111 @@
+<domain type="kvm">
+  <name>guix-vm-installer</name>
+  <memory unit="KiB">16777216</memory>
+  <currentMemory unit="KiB">16777216</currentMemory>
+  <resource>
+    <partition>/machine</partition>
+  </resource>
+  <os>
+    <type arch="x86_64" machine="pc-i440fx-5.1">hvm</type>
+    <boot dev="hd"/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <vmport state="off"/>
+  </features>
+  <cpu mode="host-passthrough" check="none" migratable="on"/>
+  <clock offset="utc">
+    <timer name="rtc" tickpolicy="catchup"/>
+    <timer name="pit" tickpolicy="delay"/>
+    <timer name="hpet" present="no"/>
+  </clock>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <pm>
+    <suspend-to-mem enabled="no"/>
+    <suspend-to-disk enabled="no"/>
+  </pm>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <disk type="file" device="disk">
+      <driver name="qemu" type="raw"/>
+      <source file="/srv/vmverse/installation/guix-system-install-1.4.0.x86_64-linux.iso"/>
+      <target dev="sda" bus="usb" removable="on"/>
+      <readonly/>
+      <address type="usb" bus="0" port="1"/>
+    </disk>
+    <disk type="file" device="disk">
+      <driver name="qemu" type="raw"/>
+      <source file="/srv/vmverse/noyau/audio.experimental.a-lec.org.raw"/>
+      <target dev="vda" bus="virtio"/>
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x05" function="0x0"/>
+    </disk>
+    <controller type="usb" index="0" model="ich9-ehci1">
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x04" function="0x7"/>
+    </controller>
+    <controller type="usb" index="0" model="ich9-uhci1">
+      <master startport="0"/>
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x04" function="0x0" multifunction="on"/>
+    </controller>
+    <controller type="usb" index="0" model="ich9-uhci2">
+      <master startport="2"/>
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x04" function="0x1"/>
+    </controller>
+    <controller type="usb" index="0" model="ich9-uhci3">
+      <master startport="4"/>
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x04" function="0x2"/>
+    </controller>
+    <controller type="pci" index="0" model="pci-root"/>
+    <interface type="bridge">
+      <source bridge="br0"/>
+      <model type="virtio"/>
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x0"/>
+    </interface>
+    <serial type="pty">
+      <target type="isa-serial" port="0">
+        <model name="isa-serial"/>
+      </target>
+    </serial>
+    <serial type="pty">
+      <target type="isa-serial" port="1">
+        <model name="isa-serial"/>
+      </target>
+    </serial>
+    <serial type="pty">
+      <target type="isa-serial" port="2">
+        <model name="isa-serial"/>
+      </target>
+    </serial>
+    <serial type="pty">
+      <target type="isa-serial" port="3">
+        <model name="isa-serial"/>
+      </target>
+    </serial>
+    <console type="pty">
+      <target type="serial" port="0"/>
+    </console>
+    <input type="keyboard" bus="ps2"/>
+    <input type="mouse" bus="ps2"/>
+    <graphics type="spice" autoport="yes" listen="127.0.0.1">
+      <listen type="address" address="127.0.0.1"/>
+      <gl enable="no"/>
+    </graphics>
+    <audio id="1" type="spice"/>
+    <video>
+      <model type="virtio" heads="1" primary="yes">
+        <acceleration accel3d="no"/>
+      </model>
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x0"/>
+    </video>
+    <memballoon model="virtio">
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x06" function="0x0"/>
+    </memballoon>
+    <rng model="virtio">
+      <backend model="random">/dev/urandom</backend>
+      <address type="pci" domain="0x0000" bus="0x00" slot="0x08" function="0x0"/>
+    </rng>
+  </devices>
+  <seclabel type="dynamic" model="dac" relabel="yes"/>
+</domain>

index.html.tmpl

@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="UTF-8" ?>
+<!doctype html>
 <!--
   -- Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
   --
@@ -10,11 +10,10 @@
   -- You should have received a copy of the GNU General Public License
   -- along with this file.  If not, see <http://www.gnu.org/licenses/>.
   -->
-<html xmlns="http://www.w3.org/1999/xhtml">
+<html lang="fr-FR">
   <head>
     <title>DOMAIN</title>
-    <meta name="keywords" content="a-lec, Libre en communs, logiciel libre" />
+    <meta charset="utf-8" />
-    <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />
   </head>
   <body>
     <h2>Experimental</h2>
@@ -100,9 +99,20 @@
       laquelle il tourne, etc.
     </p>
 
-    <!-- TODO:
+    <h2>Code source</h2>
-      -- * Fournir un lien vers le code source qui est déployé
+    <ul>
-      -- * Expliquer comment contribuer
+      <li>Code source du service qui tourne:
-      -->
+	<a href="mumble-vm.tar.xz">mumble-vm.tar.xz</a>
+      </li>
+      <li> git:
+	<a href="https://git.a-lec.org/GNUtoo/guix-mumble-vm.git">
+	  https://git.a-lec.org/GNUtoo/guix-mumble-vm.git
+	</a>
+      </li>
+      <li> Comment contribuer: envoyer un patch par mail à l'auteur
+      principal en attendant qu'on mette en place un meilleur système
+      pour les contributions.
+      </li>
+    </ul>
   </body>
 </html>

mumble-vm-install.sh

@@ -0,0 +1,236 @@
+#!/bin/sh
+# Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+#
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# You should have received a copy of the GNU General Public License
+# along with this file.  If not, see <http://www.gnu.org/licenses/>.
+
+report()
+{
+    ret=$?
+    message="$@"
+
+    if [ ${ret} -eq 0 ] ; then
+	echo "[ OK ] ${message}"
+    else
+	echo "[ !! ] ${message}"
+	exit ${ret}
+    fi
+}
+
+environment_checks()
+{
+    [ "$(id -u)" = "0" ] ; report "Running as root"
+
+    # Try to detect the installer
+    _mount="none / overlay"
+    _mount="${_mount} rw,relatime"
+    _mount="${_mount},lowerdir=/real-root"
+    _mount="${_mount},upperdir=/rw-root/upper"
+    _mount="${_mount},workdir=/rw-root/work"
+    _mount="${_mount} 0 0"
+
+    grep "${_mount}" "/proc/mounts" 2>&1 > /dev/null ; report "Mount check"
+
+    [ "${HOSTNAME}" = "gnu" ] ; report "Hostname check"
+}
+
+
+# FB31DBA3AB8DB76A4157329F7651568F80374459:
+# uid           [ultimate] Denis 'GNUtoo' Carikli <GNUtoo@no-log.org>
+# uid           [ultimate] Denis 'GNUtoo' Carikli <GNUtoo@riseup.net>
+# uid           [ultimate] Denis 'GNUtoo' Carikli <GNUtoo@makefreedom.org>
+# uid           [ultimate] Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+import_gpg_key()
+{
+    cat <<EOF > FB31DBA3AB8DB76A4157329F7651568F80374459.asc
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFksJcEBEADYjwYOrJmv5TX7NPItWRT7W+XNMe53NXoSZa9bEiHnTv8PoQaw
+ldPpHn3TTtN1Iq4QgvNVzr0uoxPAdxFUkcvF3bFH7u/aQoXoBXxl/HH3DAoR+HIa
+0XE1vPGEzUTybR2CmH3vMkfWsErEJuPxRPSTV0qouRGUU21FTuBy8x/HLyoO9L2M
+YZX98Y3hWHP4V6P/tSsGaNg73l4oIbVv1SLJdASPRG7FF/UyWZzf1mZjmjbEuju1
+z8Fcu/urGxiSQO2DPiCpPOIQwUjeaRQbvZQz7d7q6QLZ+lT8YhuFsIjVXDqOiuZ3
+t2c3Dgg+++RIW1w9KW2xOJHg7rDRA2RqSwf8t51xE/CVLXcWDGqiMG7hjVAO1iW4
+G31QvUWxDxvyzOTvGDuPb+5eHaGj1uM/ncLfxlPyc4LPRucxNDO426grMdUL9P1S
+MMUNWOt7Yg3Y4aKFA+/ukBdyoExgC3iubh4QoGuX+SKP46DXTlqQTPj3Fyp3tRWi
+VhFdMNCRTIDinN3S//KToZ7OxIkgsRG9sw2lGc4JzJxMpv6N++nZJuTFhc3cA3QE
+E0YGjAmPc2cgwoeGiWrxugWm6B0BWOzHlxzwwtEsK8TsDg4ifyp5erHPDGQ3rV3x
+gR5Jbf1p6VZE8IdTYoqP1gv+x5/0dK+2Nl2IHfgJ5FX0mKg9BD4+/JbtSwARAQAB
+tCpEZW5pcyAnR05VdG9vJyBDYXJpa2xpIDxHTlV0b29Abm8tbG9nLm9yZz6JAlQE
+EwEIAD4CGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AWIQT7Mdujq423akFXMp92
+UVaPgDdEWQUCY0g+1gUJC/1MigAKCRB2UVaPgDdEWV8mD/4icDedQRUNdOlBNroP
+p161qyYgMeQCOqpeUBVqQOZjXD75PyRWO5HZUjmzZb2+gAOBfRa2dlJGMEc2YzGz
+916WHq9sjcV6aZG1kTzgKVFo8PeStbvvhGCEIZ3jnfsfbZYvF6GvBzNWeTGoK+w3
+6wtzdfqI8ySjpy1Ul+V2TtJQAegCWee1qlLmRc49Zzi/s3ohw10FH5PnzcfPfxcB
+XaFSWV9dj4T9C89Ij2jpPMIVp2zZzWRZUHkw8e12xzdkDukLgDhmdLsOCFcIGw1a
+dgQNoZdRgTpxacNxrZssGTdaKNjXUSDTIb55SyCZzJNJli7Ict52RVXexUDwHTBn
+XQbL4MQNwR+gH7WqCMGnNjn/0j6jsnjXn+a+oLiSUHkfz6g+OZh9mNqV7TQfrRDv
+bj39GqAQVwt31rr1CcAkPLe99R6JPVCdli5ZhuJF00+D8hcwdNtWkZQheOHQM/k4
+0Lxn+VJKyoAhW/akI6iuNl+twS2vay3Y2G+dSIkCdwioYfe9buI1x7gAyP513kcC
+HFxHwCFEyfG9cmIaLEiIyO+4YJLgI4S22t9A20nZUawae4lDfunWtCj88hqPRAUB
+tgSLFkcKXmFQI0UoQXrLqdQAMKhOmXLHrOA03ZR+NCzf/FczP7jGTKdcNXUApvUZ
+iF37I1gkuZUMxMNDDjSVHQq1rLQqRGVuaXMgJ0dOVXRvbycgQ2FyaWtsaSA8R05V
+dG9vQHJpc2V1cC5uZXQ+iQJUBBMBCAA+AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4B
+AheAFiEE+zHbo6uNt2pBVzKfdlFWj4A3RFkFAmNIPtUFCQv9TIoACgkQdlFWj4A3
+RFmypg//XGUDW+m5nJMYbmYCyMQf3RPks4h7ncV8KBJg9zZZT/FKG1FVyUgQzMPe
+pjysvirmRMDrjPzcQRl2Io48eLQvExZALtGUONsPtuY409JW+nIqt5MeuKlcCiY6
+11c6fDEkt5/Bxa4640VAFNmUOXTWy/pl/ELH7W/RCsuOPDGmeRhBkkMm3EUGnZef
+7y6AZko3b02IvB35K1nt+eTZ+E2oYmNaiEI/Tfih5R5P31QCrrC9VCuJBmkoqanZ
+pvxUBgFbfgfv3QFLlXrXTWma/+kxQKoWsdunkXWOoFjJcgWl8eJ4bB1+JmMB1/S1
+AjQB4jqKjxGaka/cxJG4A1Sd9ad09m+IUW0k9ZlGYGm4ZiRwE26NNlMK0O/3czQX
+nKC0qmTUTpDey6A9H1w4cybQAX1PIYJZDR+5ipz+UWHrWhYsXzK71BbbxlXo0zgd
+uc8hSKhYm7tewUKticqrPAeuyEcBZkY1sGcuK+Up5rF3dQYaHGXgIxec9AoZpE2W
+PMRE4M7jEPU5XFI9g6Jx1YOxht7PXoqyyabjKQgIV9lyWHU2BQ+SyJ4QtRLeMN/v
+uI7dEvqyWXuX0JBdIU9DLpFfMlC7CY3ysPHN7M6FHWnEj+S2+qyBApUhOWFB5FHW
+QteCSXXf/OiaUDwTwqvV4vwYHU/tYHZbgnPNK1dBZ5+3IYbupm60L0RlbmlzICdH
+TlV0b28nIENhcmlrbGkgPEdOVXRvb0BtYWtlZnJlZWRvbS5vcmc+iQJUBBMBCAA+
+AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEE+zHbo6uNt2pBVzKfdlFWj4A3
+RFkFAmNIPssFCQv9TIoACgkQdlFWj4A3RFl25xAAw586zSEpR674/CZpT+vXf4RL
+phSxTWHFdBej3uy21coo5zMpJKFwe9IFKGK/tG2JhV/pGwmdPH3LKW4Hwuo77L5z
+p4iK5vdrQdhNKybICdAt58FtV2Pkv7GWZHCQpVwQFujp/f37CgCxSeobve2Rkfg4
+ZNABP3EHsXn0kDpBkavBVuCADn7EGbHVcCDExl0sXar4hyPMG/tOi9Q63LmNhdxx
+KsLI/BFmiPjePUekyYEh4mYjo+ZVOW+1r9dPXdR8vusBx486TcsfldcAMccUZWvo
+8UYOiebLSXnU1pDnUTQvOKr52rLInt2rAWpnpOsBt8RLPS6youqN1qakvgV+iMdA
+ujQAAAuV8SCF/FazHgoH2drtNNMVESeQHkJz0cR60ONWVhiHL/9HcZC0ot81Sypp
+Xwzddigz97c3O3V/GSxz2OjuKh5rbyPffD1eHR2/PVa55OL3wKAVlx228VFP2SUC
+XL3Pc+s/NTg365npwQh3Lw8FtSdnMt+EMCzu89alUu5Ei+w+oRCRC9v34eYNtzNN
+4CntgVnPvXLJV1gMImIlKkRzmrQn1x1VR0nEhY7928fwETutZcxJQmVCYug0rT4g
+crVuDnsqR1p0R+uNKcvMUkdFt9JWezSPjpS/tBSD2RsXeX55z+fS/HrvU0YfaRRH
+7EVrUJHRQPY7EC8xinK0MkRlbmlzICdHTlV0b28nIENhcmlrbGkgPEdOVXRvb0Bj
+eWJlcmRpbWVuc2lvbi5vcmc+iQJUBBMBCAA+AhsDBQsJCAcCBhUKCQgLAgQWAgMB
+Ah4BAheAFiEE+zHbo6uNt2pBVzKfdlFWj4A3RFkFAmNIPtUFCQv9TIoACgkQdlFW
+j4A3RFnhhw//QMHYtFMbR3XI7oXw82RiyjnHrStSsFckW2kbocK+7KV1Yli2u2SN
+3SGWBAP5LlqwLL1OoJ03nRDY81z193WrO0Kr3vFZAZXfMnD4t+bY6O1aFSoADb79
+7iFDwTjsyJvQ1Rw1siJQb1PQWrxHkNAfd0iU7x6GLhdU5s1nq4kvTP4SwhOmZ9AN
+tGrtHpnGUVZv705D2Xu7mnntiApsvxMzrwx2Fo9zNXTWX65nOyOXFufgYwtMPPOZ
+4jMitV+RFC/mChHwn6U0xn/exSSq/Xwi9DabH24kb466OLkTCew5DBEH+GSyY7+F
+BYO46lAFVLeAq3TnnkrfAZn/ildAKYTpv2VFZRjO2poG2Pax/0tA/8eO86ih+IxU
+mU10ddMyRHICA2OH56QFwFLgi4mktDiO11HeMF569VbNADnIls/1HDTTAqsZk9uf
+I/ZMyjNF8FoZa8AXwrLd1M+KAKNhZqvN1vVp2CF792z4VNMxfD/gzvsW/fq+lpgR
+n6Qn9BqDe6NoeRsI7u/lfJvDwciMZ2OvcQf+XkaBkMxeYXJXoG+zHqmW5Io+7xdX
+Ay619mKBm411exJTDMipoJU5djiEdNGrHFqvjKNAz/LGHmgL0m+saWc71a9fcAG8
+0i75TUpQOleBh/tkSYPHa+Gv7dF0ZQE657lWK3VZmdmSGXgSAtBt3ua5Ag0EWXPU
+7wEQALjMcmaRsGR1wFgR3RyIoCFNvmCBxDGaPb/X4TG10N5GXZFE1X7I9cZha+QF
+zF9hFAmN4FnKoWCWaobEhXG5ufoqvj2J3UBDW2s3Enwrhyva3kszMUBzv1dXwwrF
+qxp6Er73W7Semh64GRLjJo/tPA/mPnu/9qjumfOfydIFVnqYM7ZBx0aAhxzUyBjb
+okryIct3BEjPmRf+e8SfvFaqFJCNcvmvOVGOCVoz7N3cgLUTK12njj/Qak3nLabv
+9oQbNtngOYDAIWNPhDM+AUml5mw5Auab92aZyDJ4hmTPhov9OWoWeJFD5xR0R7RX
+Ol4PvRpA5O5qUa05PoLbp7pBOFmh52aUlaXc37QsgewJpDcCkzw4oZaQiVXwimjy
+hNAsv6lEYoSDNqPCIbUNmnrFljCMcRtfqtYKLCXNvUOG7+MjfYQ/nEVrPCPgUoQM
+5nbILxcHHWbECqYIQ4MLgBMEOEzEcp1mXdp+BJBbZiOSuofpMGDF4mbkzjgQOop4
+aBxzDLd+MjKPuD2uhhloLbf5kUGGBQXc9MNYbWno4c11AR3XLrgoLt2lAYTNX0lI
+zAjR08gulZlGHcuhoY5brFTtKEy92lUfwSAScvp8NAp6lEsroNqbPw0DdMe2Thpd
+Vmu9ztHoq0Z7nz0aRt3lQss9zLzphXGKh3Rv81R+QNOd988zABEBAAGJAjwEGAEI
+ACYCGwwWIQT7Mdujq423akFXMp92UVaPgDdEWQUCY0g/XAUJC7Wd7QAKCRB2UVaP
+gDdEWXu1D/931OK7RgkP0Nq9gDn6/IwXX+Dtl0JF3Ip3Oy2q6uHxu3YHK1Ezx9kV
+6T3sOb2MdtGL08qWfQlKRLU3dC7k85z6IAdhTrDOMTBeUssnY5Xgxl3cfJqBfQTW
+MZG3vqMlsJfUVOAueShUelzpOtYV/s3wm4UYR0zPP2+QDZgIDX8LHhdd3Ela1kgZ
+cz5OKbeBa30fHWIUQDybJmKFi8y+5629X7TeyFqsQ8CPXW317/eBpY3Q6mkp6pyZ
+iEEjeca/FQb9q9DsAIdkovfBSNnTZQAFePwIp1nR67LHuxMclxRPoAPtkym3rIWA
+y6w3n68fKUOIj92OhCBE/FE/nLl+BoFYOuYRoN3C7a7t3U4cAPW+9jl89w4zzvfg
+QvnAVKKba7szYcjSdyWbeMsIdq8Fe9T/6bdzs5ugR1yu0V618Foa6rPhDEiYjriG
+KoynZA4hZ9l83hT/kktu2jNYeIeXUqgWUFLZ3EeXynVDzqgN9buWzEZO8wZG2tNS
+sqTW9ZHZUuR6L9wUCjgPpRz4kREYdYmm5dm1uqXkQTwjo7vA1HRtGSun1FNYOl+w
+22tKNcU4erBZcKYUfyUP6gTQ4ojZN0rVb5AzT9wQoLcrljllDP9qQ45ndlov+0DD
+ccixs3PPK1ClY3puCyxX8QT7zROYhck9n0+YmuS/9TUnu19Az//aCbkCDQRZc9Sk
+ARAAsCIq2++gqtU8Z/lMDDAwVbNoq++FCA2apR4Lxj0G+jEog++8uJYawWDLpJ14
+Lvlm+OygM3s70RHyLKWiDWkdwDLbZ4b8MlHATBanEHeGsxQK9Td7VB0O3MQ/ICVs
+OjgTG8PJSv02HmNoGp/Zj3rbNSfXhomIq44aXRrw2ZxoNckj0xuHFSV85QlVy93f
+BgQiIozEPDJK8xGGn7a2gXwj6+hAaKTF1tOAWKHqInJpNduOZfVzpY5dHSUU4qjU
+TyvTEJhROA2QEo3qE5VZL2o/2rCapzqC+7pRzxEPDwcDGr2g/RFNLFSf3PvkH48M
+J66bid6aeI2uPdL9geWk6MJUCj03X2ylfFCKG0Bo0vWbv2wcJrZBCfHm256LTKHO
+lkBbvBrauzu1cTtivt8wtjm2wOiTII7nyyVvdhYuAirpYJfIFGV3iY8MJ7cdO7rI
+VRO1wkLiuE606zNJ3WCGJNwlhyFt+z8aYjB6UQwMhs1JztLFrghW+JsjzfgEXWvs
+d089woZR45PiF2Krm42E6tNBhhcJOmNFXHs5KN6oz8vAOrJ+Obw9HvBWTh5kMhdT
+ZdbGt3BZmtLfIFsEmvS+RCe5fGSiuPxudbfFzih04aXPG1wM8O4F0SFhzkwTrxGp
+46VyXZTH5xT1R56xbu44qvtYS2O8IhNKzLPROIOVqD9ey0kAEQEAAYkEcgQYAQgA
+JgIbAhYhBPsx26OrjbdqQVcyn3ZRVo+AN0RZBQJjSD9cBQkLtZ44AkDBdCAEGQEI
+AB0WIQR4L53b42un89TeSQZfXfzBQXfiYwUCWXPUpAAKCRBfXfzBQXfiY/ObD/4i
+x5aFvTz4OMAkhvOugcDekpVHC9gQU92j2boyZO4zi2RhB0JpGWWNU90WgUxorla3
+p31L44DYfg/ZoDG5zL7liykgAItt+Mwnf+hkNJZnm+dfj2lFAkBEXqpesZ8vyO6m
+BUOLhXSXd2N8+3XLwStAhC1OWE7ZcuCWmBtnbJad1HNujPhbW7tiddXhdSLbj/kG
+bjWTUdpH1TS9RNrp2tBqTCvLeXOr7NV+0FAuulO/6+m2OkRuuoj+5nVUmhmPqg4z
+z2hARiocg1nFca50uO5zbvYkbcggmN1hXrgEkKpThKnTEHaa/tFnfPSU5olPBpVX
+KP4u+e5ksMKvcLesLpFmqxz02ie1SQk17lZqMw35tHUBP+ZLlO5msdABUfmDpQ4j
+exTAFN0vfXkMc6MinFtO3WQtZ6Gf9r2oqlR+1siCAtX9l/zL2out4OTwFN7ekEE6
+7/pFhjDnQEUnY4MdcbAmOR5s3qs6YP+CUabGhkkyH8h4ffpZlNGLlJAz82oxK64A
+/Wbq5jFMn46nPM/m39+0QvcJD05gmF5PZJ7SXjf2z9Obt1RHPQJJ7+wvYHsQVZAI
+e8kT/PB74/jPzHYppF3EIFidf1fnRdguZZmG0DTXOUtTAdOAAdqt0MrtkjFzM2eD
+/3hy110zWKjd4tk7LQAeqYWPM5lzDrQ3ObdPT1+ysQkQdlFWj4A3RFnslw//QbwB
+PMuaPG9LlcoR8qSQtyXcn5TflVVH1wYa7iL9WSG5NPpx5/FFZKScWMJjjhHUDtc6
+jnICjLw+83gDOxeFIVyMg/9yT0DS7UPxc904c6G9WRyIdQqA5sRq7Iuk45S30LEZ
+v2c0+RYk8m0zSlD7vqiRY9myZKrRiWkfylAq/VL/HR6S5eKrPRgEbcQDXsoqyhnM
+n9cDc+81eOPpKW9S2+xqmo+x3WCISdi2Nr6R3WkyabWkikvlTcd7can/4amKPmIN
+i2vUVSfhsWaFGvgb8nv0Ebd6yjeDLZ8FI32KCeAYGh6FiJPC5DiFvMlbLXi4SJwu
+5p0j36xa+jJrylK/4XEJqQn6MrQ9+zdROT6bc3YlxkRXflEnE2uJshT8nSLE/j3v
+ydSHxgxAbdQ14oocvr7CltS7t0xup/YiOUtcHhprCB02PYdpT/XhZjW0pi/vyhdX
+6sGFRuCueLRf1cJiCJhISYbR4VyoMLcnvdcoKUa+/ikC6CkyZGxwAH1JGcEVjzD+
+4xG8l8/ubA3DSguKNpI1dGzVxpWgJnJzMCXBcwxp5c+kKH94QbKAUVt+16dUaY9k
+0hhucHQnbTHS3w9jY7rZ6sAZHufb9LQMMWunerecL6WvAR+XUydMd1rJS93j4y1W
+fNHj/507Jk+Ogk89eojQYjZNHCF+Zhyk6IRyI84=
+=4ncY
+-----END PGP PUBLIC KEY BLOCK-----
+EOF
+
+    guix shell gnupg -- \
+	 gpg --import FB31DBA3AB8DB76A4157329F7651568F80374459.asc && \
+    rm -f FB31DBA3AB8DB76A4157329F7651568F80374459.asc
+}
+
+environment_checks
+
+tmpdir="$(mktemp -d)"
+cd "${tmpdir}"
+
+guix pull ; report "Guix pull"
+hash guix ; report "hash guix"
+
+import_gpg_key ; report "Import GPG key"
+
+guix shell -C --network git nss-certs -- \
+    git clone https://git.a-lec.org/GNUtoo/guix-mumble-vm.git -b guix-installer ; \
+    report "Cloning machine configuration git"
+
+cd "guix-mumble-vm" ; report "cd guix-mumble-vm"
+
+guix shell git gnupg -- \
+    git verify-commit HEAD ; report "check git signature"
+
+guix shell -C --nesting autoconf automake bash coreutils grep sed -- \
+     ./autogen.sh ; report "./autogen.sh"
+
+guix shell -C --nesting bash coreutils gawk grep sed -- \
+     ./configure ; report "./configure"
+
+guix shell -C --nesting automake coreutils gawk grep make sed tar xz -- \
+     make mumble-vm.tar.xz ; report "Generating VM definition"
+
+cp mumble-vm.tar.xz ../ && \
+    cd ../ && \
+    rm -rf mumble-vm && \
+    guix shell -C tar xz -- tar xf mumble-vm.tar.xz && \
+    rm -f mumble-vm.tar.xz ; report "Removing git repository"
+
+guix gc ; report "guix gc"
+
+echo 'label: gpt' | sfdisk /dev/vda ; report "GPT creation on /dev/vda" ; \
+    report "GPT formating"
+
+echo ';;L;*' | sfdisk /dev/vda  ; report "/dev/vda1 creation" ; \
+    report "Adding partition"
+
+mkfs.ext4 -F -L Guix_image /dev/vda1 ; report "EXT4 formating"
+
+mount /dev/vda1 /mnt ; report "mount /dev/vda1 /mnt" ; report "mounting rootfs"
+
+herd start cow-store /mnt ; report "Using /mnt for storing guix system init packages"
+guix system init mumble-vm-system.scm /mnt ; report "guix system init"
+umount /mnt ; report "umount rootfs"
+
+printf "Installation done: %s\n" \
+       "you can remove the install media and reboot to the new VM"

mumble-vm-system.scm.tmpl

@@ -34,12 +34,14 @@
   (package
     (name "website")
     (version "0.1")
-    (source (local-file "index.html" ))
+    ;; TODO: Make that tarball reproducible
+    (source (local-file "mumble-vm.tar.xz"))
     (build-system copy-build-system)
     (arguments
      (list
      #:install-plan
-     #~(list '("index.html" "var/www/DOMAIN/"))))
+     #~(list '("index.html" "var/www/DOMAIN/")
+             '(#$source  "var/www/DOMAIN/"))))
     (synopsis "The DOMAIN website.")
     (description
      "The website contains how to use the service, and how to

mumble-vm.xml

@@ -1,7 +1,8 @@
 <domain type="kvm">
-  <name>mumble-vm</name>
+  <name>audio.experimental.a-lec.org</name>
   <memory unit="KiB">4194304</memory>
   <currentMemory unit="KiB">4194304</currentMemory>
+  <vcpu placement="static">1</vcpu>
   <resource>
     <partition>/machine</partition>
   </resource>
@@ -31,7 +32,7 @@
     <emulator>/usr/bin/qemu-system-x86_64</emulator>
     <disk type="file" device="disk">
       <driver name="qemu" type="raw"/>
-      <source file="/var/lib/libvirt/images/distros/mumble-vm.img"/>
+      <source file="/srv/vmverse/noyau/audio.experimental.a-lec.org"/>
       <target dev="vda" bus="virtio"/>
       <address type="pci" domain="0x0000" bus="0x00" slot="0x05" function="0x0"/>
     </disk>
@@ -52,7 +53,7 @@
     </controller>
     <controller type="pci" index="0" model="pci-root"/>
     <interface type="bridge">
-      <source bridge="lan0"/>
+      <source bridge="br0"/>
       <model type="virtio"/>
       <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x0"/>
     </interface>
@@ -81,16 +82,13 @@
     </console>
     <input type="keyboard" bus="ps2"/>
     <input type="mouse" bus="ps2"/>
-    <graphics type="spice" autoport="yes" listen="127.0.0.1">
+    <graphics type="spice">
-      <listen type="address" address="127.0.0.1"/>
+      <listen type="none"/>
       <gl enable="no"/>
     </graphics>
     <audio id="1" type="spice"/>
     <video>
-      <model type="virtio" heads="1" primary="yes">
+      <model type="none"/>
-        <acceleration accel3d="no"/>
-      </model>
-      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x0"/>
     </video>
     <memballoon model="virtio">
       <address type="pci" domain="0x0000" bus="0x00" slot="0x06" function="0x0"/>