Compare commits


75 Commits

Author SHA1 Message Date
Denis 'GNUtoo' Carikli 4fd848bbe7
trisquel-automatic-netinstall-qemu: make guix shell work after guix pull.
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-09-16 02:55:45 +02:00
Denis 'GNUtoo' Carikli d4b6b56a60
README: update to the current status.
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-09-16 02:39:39 +02:00
Denis 'GNUtoo' Carikli f8435274b4
README: fix typos.
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-09-16 02:27:36 +02:00
Denis 'GNUtoo' Carikli d9b5b612c3
trisquel-automatic-netinstall-qemu: Remove forgotten Trisquel 11.0 netinstall.
I forgot to remove the trisquel-netinst_11.0_amd64.iso.asc file in the
commit fed7db636e
("trisquel-automatic-netinstall-qemu: Update to Trisquel 11.0.1.").

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-09-16 01:51:47 +02:00
Denis 'GNUtoo' Carikli 037cde820e
trisquel-automatic-netinstall-qemu: README: Update to Trisquel 11.0.1.
I forgot to update the README as well in the commit
fed7db636e
("trisquel-automatic-netinstall-qemu: Update to Trisquel 11.0.1.").

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-09-16 01:40:01 +02:00
Denis 'GNUtoo' Carikli fed7db636e
trisquel-automatic-netinstall-qemu: Update to Trisquel 11.0.1.
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-09-14 13:59:02 +02:00
Denis 'GNUtoo' Carikli 858988e801
trisquel-automatic-netinstall-qemu: make mirror/http/proxy configurable.
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-08-25 22:42:16 +02:00
Denis 'GNUtoo' Carikli 3785148831
trisquel-automatic-netinstall-qemu: fix typo.
Without that fix the rootfs.img is empty.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-08-08 23:19:11 +02:00
Denis 'GNUtoo' Carikli b4faf2a967
Really fix -cpu host issue with KVM.
The commit b264ddedb1
("trisquel-automatic-netinstall-qemu: Fix -cpu host without KVM.")
only contained part of the fix.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-08-06 20:23:43 +02:00
Denis 'GNUtoo' Carikli b264ddedb1
trisquel-automatic-netinstall-qemu: Fix -cpu host without KVM.
Without that fix, when KVM is disabled, we have the following:
    qemu-system-x86_64: CPU model 'host' requires KVM or HVF
and since HVF is only available on MacOS[1], and MacOS is nonfree,
we won't be using it when KVM isn't available.

[1]https://www.qemu.org/docs/master/system/introduction.html

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-08-06 18:35:41 +02:00
Denis 'GNUtoo' Carikli 7c66aaa96f
trisquel-automatic-netinstall-qemu: use -cpu host.
This should improve performance a bit as this mostly passes through
the host CPU, and so the VM can benefit from some of the more advanced
CPU features. Depending on the CPU and host configuration, it can also
enable other features like nested KVM.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-08-06 18:25:10 +02:00
Denis 'GNUtoo' Carikli 2d2dd5d426
trisquel-automatic-netinstall-qemu: document deployments on libre en communs physical machines.
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-07-21 22:03:55 +02:00
Denis 'GNUtoo' Carikli b9abe6c2b3
trisquel-automatic-netinstall-qemu: Reduce storage usage.
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-07-06 03:04:46 +02:00
Denis 'GNUtoo' Carikli 37201a9361
trisquel-automatic-netinstall-qemu: Reduce memory usage.
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-07-05 16:27:44 +02:00
Denis 'GNUtoo' Carikli 8e804b6b21
trisquel-automatic-netinstall-qemu: align preseed response values.
Some 'string' entries were aligned with the di-question. In addition I also
separated the response type and values into a different column to make
it easier to detect this kind of mistake.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-07-04 15:48:35 +02:00
Denis 'GNUtoo' Carikli 32b17e3f7d
trisquel-netinstall: move scripts inside the Makefile
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-07-04 03:00:03 +02:00
Denis 'GNUtoo' Carikli 7d89a710c6
trisquel-manual-netinstall-lxc: Remove unused Trisquel iso.
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-07-04 02:53:33 +02:00
Denis 'GNUtoo' Carikli 1feb087515
README: clarify software heritage backups
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-07-04 02:47:13 +02:00
Denis 'GNUtoo' Carikli 5ab7f768d6
audio.experimental.a-lec.org: use Guix for autogen.sh
The target server (anthea) where the images will now be deployed
doesn't have autoconf, automake and m4 installed.

Because of that we work around this by using the Guix versions.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-07-04 02:45:59 +02:00
Denis 'GNUtoo' Carikli 647e421c21
Add trisquel-automatic-netinstall-qemu.
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-07-04 01:06:49 +02:00
Denis 'GNUtoo' Carikli e7bda3409d
Rename to trisquel-install-guix-fai and clarify usage.
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-07-02 18:26:28 +02:00
Denis 'GNUtoo' Carikli a458f0f005
Rename to trisquel-manual-netinstall-lxc.
This should make it more clear that the netinstall is to be done
manually and that it works with libvirt LXC.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-07-02 18:17:45 +02:00
Denis 'GNUtoo' Carikli f88a1f1672
Makefile.am: build: fix mumble-vm-system.scm update.
This was introduced by commit 390d56eedb
("audio.experimental.a-lec.org: Makefile.am: add target for guix
build.").

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-04-21 22:11:28 +02:00
Denis 'GNUtoo' Carikli 3b5d0f4d3e
audio.experimental.a-lec.org: fix website build.
Without that fix we have the following with guix
65e8472a4b6fc6f66871ba0dad518b7d4c63595e ("system: Remove nss-certs
from OS templates, adjust doc."):
    building /gnu/store/qcf2709aq1nzh709fg2jvdq56diw75rd-website-0.1.drv...
    Backtrace:
    In guix/store.scm:
      1409:13 19 (map/accumulate-builds #<store-connection 256.100 7f15…> …)
      1384:11 18 (map/accumulate-builds #<store-connection 256.100 7f15…> …)
       1302:8 17 (call-with-build-handler #<procedure 7f15cec04f00 at g…> …)
      2182:25 16 (run-with-store #<store-connection 256.100 7f15d0fd8140> …)
    In guix/gexp.scm:
       1205:2 15 (_ _)
       1072:2 14 (_ _)
        913:4 13 (_ _)
    In guix/store.scm:
      2067:12 12 (_ #<store-connection 256.100 7f15d0fd8140>)
      1409:13 11 (map/accumulate-builds #<store-connection 256.100 7f15…> …)
      1384:11 10 (map/accumulate-builds #<store-connection 256.100 7f15…> …)
       1302:8  9 (call-with-build-handler #<procedure 7f15cec04ea0 at g…> …)
      2182:25  8 (run-with-store #<store-connection 256.100 7f15d0fd8140> …)
    In guix/gexp.scm:
       918:13  7 (_ _)
    In guix/store.scm:
       2010:8  6 (_ _)
    In guix/gexp.scm:
       299:22  5 (_ _)
    In guix/store.scm:
       2010:8  4 (_ _)
      2054:38  3 (_ #<store-connection 256.100 7f15d0fd8140>)
    In guix/grafts.scm:
        336:4  2 (graft-derivation _ _ _ #:guile _ #:outputs _ #:system _)
    In ice-9/boot-9.scm:
      1685:16  1 (raise-exception _ #:continuable? _)
      1685:16  0 (raise-exception _ #:continuable? _)

    ice-9/boot-9.scm:1685:16: In procedure raise-exception:
    Throw to key `match-error' with args `("match" "no matching pattern" ())'.
    install: missing destination file operand after 'mumble-vm.img'
    Try 'install --help' for more information.
    make: *** [Makefile:707: mumble-vm.img] Error 1

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-04-21 22:04:24 +02:00
Denis 'GNUtoo' Carikli 390d56eedb
audio.experimental.a-lec.org: Makefile.am: add target for guix build.
This makes it possible to test whether modifications have Guile syntax
errors much more rapidly, and using much less space than with full images.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-04-21 22:03:08 +02:00
Denis 'GNUtoo' Carikli 524a9abb28
Add script to change the keyboard layout.
Personally I'm used to the US keyboard, but Libre En Communs has other
sysadmins than me and they might want to use their preferred keyboard
layout instead.

This script has been tested on a Guix system installation.

Finding a way to launch the script at boot will be done later on.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2024-04-21 21:22:57 +02:00
Denis 'GNUtoo' Carikli 9cb75f6744
netinstall: Document use-serial-port.sh script
Where to find the values is probably not evident for everybody.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-09 23:41:51 +02:00
Denis 'GNUtoo' Carikli e57977a323
trisquel-guix-installer.experimental.a-lec.org: Add VM definition
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-08 01:04:03 +02:00
Denis 'GNUtoo' Carikli 9b6bb264d0
trisquel-guix-installer.experimental.a-lec.org: Add hostname
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-08 01:03:47 +02:00
Denis 'GNUtoo' Carikli 59dba6efc2
Rename Trisquel Guix installer
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-08 00:37:59 +02:00
Denis 'GNUtoo' Carikli 241505c33b
gnutoo-trisquel-installer: Add screen
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-07 06:52:32 +02:00
Denis 'GNUtoo' Carikli 952f043c1e
Add top level README
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-07 06:51:45 +02:00
Denis 'GNUtoo' Carikli 3d35226410
gnutoo-trisquel-installer: Add dependencies for installing Guix and the FAI tarball
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-07 06:48:11 +02:00
Denis 'GNUtoo' Carikli b2fe6d551d
Add gnutoo-trisquel-netinstall VM
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-07 06:14:32 +02:00
Denis 'GNUtoo' Carikli bc0b5e1dad
gnutoo-trisquel-installer: Use guix installer.
In Trisquel 11, we have Guix 1.3.0, and with that, guix pull fails.

I used the guix-install.sh script from Guix 1.4.0 and verified its
integrity through the Parabola PCR package for it.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-07 05:20:54 +02:00
Denis 'GNUtoo' Carikli dcb3a7cb72
gnutoo-trisquel-installer: Add SSH configuration
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-07 05:10:56 +02:00
Denis 'GNUtoo' Carikli 9d3aad54fa
gnutoo-trisquel-installer: Add network settings
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-07 05:02:10 +02:00
Denis 'GNUtoo' Carikli 6ff145857d
gnutoo-trisquel-installer: Add Makefile
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-07 04:58:20 +02:00
Denis 'GNUtoo' Carikli 791164c50a
guix-installer-vm: remove duplicated .gitignore
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-07 03:42:46 +02:00
Denis 'GNUtoo' Carikli 1afcc59c95
gnutoo-trisquel-installer: Add minimal FAI config
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-07 03:41:44 +02:00
Denis 'GNUtoo' Carikli 4937beac06
Bring in the guix-installer-vm.
Having several VMs inside the same repository could help as some of the
fixes between the two repositories are extremely similar and could be
done in the same commit.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-07 01:42:12 +02:00
Denis 'GNUtoo' Carikli 2d58c051a7
Move VM into subdirectory
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-06 01:04:29 +02:00
Denis 'GNUtoo' Carikli 858c70fcd5
Automatic updates: restart basic daemons
By default only mcron is restarted. It was verified within the
guix-installer-vm that this change worked by looking at the pid of
guix-daemon, waiting for an automatic update to happen and looking at
the (new) pid of guix-daemon.

The mumble-server and nginx daemons were not added to the list because
we don't have the audio.experimental.a-lec.org domain setup yet in the
Libre en Communs DNS.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 16:04:04 +02:00
Denis 'GNUtoo' Carikli e18c55b064
Automatic updates: schedule it every hour.
This enables easier testing, and updates typically take less than one
hour.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 16:01:25 +02:00
Denis 'GNUtoo' Carikli a8e16c12d9
networking: Fix IPv6 gateway
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 15:17:44 +02:00
Denis 'GNUtoo' Carikli 0b1b9b15f5
networking: update the SSH VM public key
This uses the public key of the deployed VM.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 15:14:20 +02:00
Denis 'GNUtoo' Carikli 49c9a6f0ee
first-boot.sh: resize filesystem and add better status reporting.
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 15:08:04 +02:00
Denis 'GNUtoo' Carikli bd5799967f
Add base64 tarball target
The tarball can be copied to the VM through the serial port with the
following command:
    # cat > mumble-vm.tar.xz.b64
the user then pastes the base64 content and types ctrl+d and this
results in the file being written.

The content can then be extracted with the following commands:
    # base64 -d mumble-vm.tar.xz.b64 > mumble-vm.tar.xz
    # tar xf mumble-vm.tar.xz

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 15:08:04 +02:00
Denis 'GNUtoo' Carikli aa3f17d69c
configure.ac: vm-ipv6-gateway: Fix copy-paste error in help
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 15:08:04 +02:00
Denis 'GNUtoo' Carikli 8c09af074b
Fix IPv4 netmask
Running dhclient on eth0 gives a /16, and this is necessary anyway to
reach the gateway.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 15:08:04 +02:00
Denis 'GNUtoo' Carikli 0bee712a15
Add nss-certs
We at least need nss-certs for running guix system reconfigure
manually, so it's a good idea to have it.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 15:08:04 +02:00
Denis 'GNUtoo' Carikli 7b663f9813
Fix automatic updates
According to the operating-system-file field of
unattended-upgrade-configuration in the manual, automatic updates
don't work when "/run/current-system/configuration.scm [...] refers to
extra files (SSH public keys, extra configuration files, etc.) via
local-file and similar constructs.".

So we need these files in the store and to point to them to make the
automatic updates work.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 15:08:03 +02:00
Denis 'GNUtoo' Carikli 61c1a2da98
Provide the service source code on the web page
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 15:08:03 +02:00
Denis 'GNUtoo' Carikli 026cbbd453
Add default id_ed25519.pub and signing-key.pub
This makes it easier to deploy the VM to the Libre En Communs
infrastructure as it doesn't require also copying these files to the
VM producing the image.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 15:08:02 +02:00
Denis 'GNUtoo' Carikli 848d381d50
first-boot.sh: fix typo
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 14:38:56 +02:00
Denis 'GNUtoo' Carikli cd0e98f67e
Automatic updates: restart more daemons
By default only mcron is restarted. It was verified that it worked by
looking at the pid of guix-daemon, waiting for an automatic update to
happen and looking at the (new) pid of guix-daemon.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 13:15:38 +02:00
Denis 'GNUtoo' Carikli 97fa63d96a
Automatic updates: schedule it every hour.
This enables easier testing, and updates typically take less than one
hour.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 12:25:36 +02:00
Denis 'GNUtoo' Carikli f4e08a8408
gitignore: Add copyright header
While the README already has the license for everything, this
simplifies things when copying this file to another repository.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 12:04:13 +02:00
Denis 'GNUtoo' Carikli 631d72f9eb
Makefile: Add copyright header
While the README already has the license for everything, this
simplifies things when copying this file to another repository.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 12:04:12 +02:00
Denis 'GNUtoo' Carikli 2ca0de59c0
Add deploy target
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 12:04:12 +02:00
Denis 'GNUtoo' Carikli e470ac6490
packages: Add screen
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 12:04:12 +02:00
Denis 'GNUtoo' Carikli 7668a92fa4
network: fix default IPv6 route
Without that fix the network didn't completely start, and because of
that the network was partially configured.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 12:04:12 +02:00
Denis 'GNUtoo' Carikli 5f9a421a4a
Add base64 tarball target
The tarball can be copied to the VM through the serial port with the
following command:
    # cat > guix-installer-vm.tar.xz.b64
the user then pastes the base64 content and types ctrl+d and this
results in the file being written.

The content can then be extracted with the following commands:
    # base64 -d guix-installer-vm.tar.xz.b64 > guix-installer-vm.tar.xz
    # tar xf guix-installer-vm.tar.xz

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 12:04:12 +02:00
Denis 'GNUtoo' Carikli 58d1164cf3
Fix IPv4 netmask
Running dhclient on eth0 gives a /16, and this is necessary anyway to
reach the gateway.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 12:04:12 +02:00
Denis 'GNUtoo' Carikli f5dca5c072
Fix automatic updates
According to the operating-system-file field of
unattended-upgrade-configuration in the manual, automatic updates
don't work when "/run/current-system/configuration.scm [...] refers to
extra files (SSH public keys, extra configuration files, etc.) via
local-file and similar constructs.".

So we need these files in the store and to point to them to make the
automatic updates work.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 12:04:06 +02:00
Denis 'GNUtoo' Carikli 368c4f55e2
packages: add parted
Without that fix, running first-boot.sh ends up with the following error:
    /run/current-system/profile/bin/first-boot.sh: line 28:
    partprobe: command not found

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 07:02:39 +02:00
Denis 'GNUtoo' Carikli 1bd04c1404
Add nss-certs
We at least need nss-certs for running guix system reconfigure
manually, so it's a good idea to have it.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 07:02:39 +02:00
Denis 'GNUtoo' Carikli 13090302b5
Fix tabs
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 07:02:39 +02:00
Denis 'GNUtoo' Carikli 20205a1a8e
Makefile: fix id_ed25519.pub file generation
Without that fix the id_ed25519.pub file is empty.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-03 07:02:39 +02:00
Denis 'GNUtoo' Carikli 90d97041e3
Update mumble-vm.xml to match the one deployed at Libre en Communs
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-02 21:25:08 +02:00
Denis 'GNUtoo' Carikli a25039268f
Makefile.am: mumble-vm.img: remove sudo
Copying an image from Guix should not require sudo, and make isn't
supposed to bypass permissions anyway.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-02 21:25:08 +02:00
Denis 'GNUtoo' Carikli 8b5be47720
index.html: Fix HTML compliance issues.
Icecat complained about the invalid syntax when looking at the
page source code.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-02 21:25:08 +02:00
Denis 'GNUtoo' Carikli f709ef6b0e
configure.ac: bail out if guix and sed are not detected
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-02 21:25:08 +02:00
Denis 'GNUtoo' Carikli bee3614a59
Whitespace and line length fixes
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-10-02 21:25:04 +02:00
Denis 'GNUtoo' Carikli 4e8ce8d02d
Initial import
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
2023-09-22 15:05:42 +02:00
51 changed files with 2444 additions and 354 deletions

.gitignore
View File

@ -1,3 +1,13 @@
# Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# You should have received a copy of the GNU General Public License
# along with this file. If not, see <http://www.gnu.org/licenses/>.
*~ *~
\#*\# \#*\#
aclocal.m4 aclocal.m4
@ -7,15 +17,21 @@ config.status
configure configure
first-boot.sh first-boot.sh
guix-commit.txt guix-commit.txt
guix-installer-vm.img
guix-installer-vm.tar
guix-installer-vm.tar.xz
guix-installer-vm.tar.xz.b64
id_ed25519 id_ed25519
id_ed25519.pub id_ed25519.pub
id_wireguard id_wireguard
index.html index.html
install-sh install-sh
Makefile
Makefile.in Makefile.in
missing missing
mumble-vm-machine.scm mumble-vm-machine.scm
mumble-vm-system.scm mumble-vm-system.scm
mumble-vm.tar
mumble-vm.tar.xz
mumble-vm.tar.xz.b64
signing-key.pub signing-key.pub
wireguard-post-up.sh wireguard-post-up.sh
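Review bot: the new `Makefile` entry has no leading slash, so it matches a Makefile in every subdirectory, not just the one autoconf generates at the top level; since this compare also adds per-directory Makefiles (commit 6ff145857d, "gnutoo-trisquel-installer: Add Makefile"), a bare pattern will keep future subdirectory Makefiles out of `git status` and `git add` without anyone noticing. Anchor it as `/Makefile` so the ignore stays scoped to the generated file.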

README
View File

@ -1,95 +1,59 @@
Deployment Scope
========== =====
To build the virtual machine image you can use the following command: Until now the virtual machines were handled somewhat manually. This
$ ./autogen.sh && ./configure && make experimental project is meant to have everything needed to deploy the
virtual machines in git.
You can also check the configure option for configuring it for testing It also tries to be enable people to safely bootstrap all the
on another infrastructure (for instance by using another domain). VMs. This way there is no more chicken and egg issue, and in case of
compromise, the VMs can easily and safely be reinstalled.
To build an image you will also need at least id_ed25519.pub and Backups
signing-key.pub: =======
This repository is also backed up on software heritage from time to time.
- id_ed25519.pub can be genreated with the ssh-keygen -t ed25519 Virtual machines
command. See the ssh-keygen manual ('man 1 ssh-keygen') for more ================
details. If you're not confortable with that, backup your ~/.ssh
folder first.
- signing-key.pub can be generated with the 'guix archive In this git repositories, there are several virtual machines
--generate-key' command. See the "Invoking guix archive" in the definitions:
Guix manual for more details[1].
https://guix.gnu.org/en/manual/en/guix.html#Invoking-guix-archive
Other files are optional: - audio.experimental.a-lec.org: This is a Mumble server made with Guix.
- id_ed25519: It is used for guix deploy. It is also generated by - guix-installer-vm: This is meant to generate a template VM with
ssh-keygen. A good idea is to have a symlink to it in order not to Guix. Once deployed users are supposed to SSH inside and reconfigure
have scp copy it to the target machine by mistake as it is the SSH it with the Guix scheme configuration they need/want.
private key. Using separate SSH keys for separate machines also help
limiting the damage when such accident happen.
- id_wireguard: This is the wireguard private key. It can be generated - trisquel-automatic-netinstall-qemu: This is a Trisquel VM generated
with the 'wg genkey > id_wireguard' command. See the wg manual ('man automatically from the Trisquel netinstall with qemu and preseed.
8 wg') for more detail.
- trisquel-install-guix-fai: This is an example that can be used to
deploy configuration management with FAI (Fully Automated
Installation) inside a VM. Unlike regular FAI installations, here
things are simplified a lot, and we simply (ab)use FAI to store
configuration files inside a git repository. This also require to
run inside the VM once the VM has been created.
Note that letsencrypt has a limit of about 5 certificates per week, so - trisquel-manual-netinstall-lxc: This was meant to automatize the
it's a good idea to use test domains before deployments. creation of VM running the Trisquel netinstall, but it has been
superseded by trisquel-automatic-netinstall-qemu which does the
Once the image is booted: full installation automatically. Since
- You will need to login inside and run the following command: trisquel-automatic-netinstall-qemu is using preseed, it's also
# first-boot.sh possible to modify it not provide answers for some of the installer
- You then need to set the root password. questions, letting the user(s) choose instead.
The mumble-vm-install.sh installation script
============================================
This script is supposed to only run inside a VM on the Guix installer
and checks that it's the case through various ways. The specification
of the VM it runs on is provided in guix-vm-installer.xml for
reference. It is very specific to the Libre en communs infrastructure,
so you might need to modify it to use it on your infrastructure.
The Libre en Communs infrastructure on which this VM is being deployed
has libvirt but it doesn't have Guix on the host. So the option
provided by Libre en Communs was to do the installation from a
VM.
This is also common for many infrastructure providers due to security
concerns with access outside the VM.
Since the Guix installer is trusted and is now provided by Libre en
communs, and that we also have access to the vm management interfaces
we simply use a script to do all the installation work.
If instead you have a VM with only SSH access you will also need to
modify the script to fit that use case.
It is also possible to convert an existing VM to Guix but that
requires significantly more work (see gnu/machine/digital-ocean.scm
inside the Guix source code for more detail on how to do that).
To use this script, the admin with privileged access to the vm
management interface needs to boot the installer and copy the script
inside. This can be done by running the following command (the script
can be named like you want):
# cat /dev/ttyS0 > i.sh
and then by pasting the script through the first serial port, and
typing ctrl+d at the end, so that the file is closed and written.
The script can then run like that:
# chmod +x i.sh
# ./i.sh
License License
======= =======
This project is free software: you can redistribute it and/or modify All the projects in this git repository are free software: you can
it under the terms of the GNU General Public License as published by redistribute them and/or modify them under the terms of the GNU
the Free Software Foundation, either version 3 of the License, or General Public License as published by the Free Software Foundation,
(at your option) any later version. either version 3 of the License, or (at your option) any later
version.
This project is distributed in the hope that it will be useful, All the project are distributed in the hope that they will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
GNU General Public License for more details. General Public License for more details.
You should have received a copy of the GNU General Public License You should have received a copy of the GNU General Public License
along with this project. If not, see <http://www.gnu.org/licenses/>. along with this project. If not, see <http://www.gnu.org/licenses/>.
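Review bot: the rewritten Scope and Virtual machines sections need a grammar pass before merging: "It also tries to be enable people to safely bootstrap all the VMs" (drop "be"), "In this git repositories, there are several virtual machines definitions" ("In this git repository, there are several virtual machine definitions"), "This also require to run inside the VM" ("This also requires running inside the VM") and "modify it not provide answers" ("modify it to not provide answers"). The whole mumble-vm-install.sh section, including the `cat /dev/ttyS0 > i.sh` serial-port procedure and the statement that the script checks it is running inside the expected VM, is deleted here without a pointer to where it now lives; the new Scope section justifies the project with safe reinstallation after a compromise, so the README should still say where that procedure is documented.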

View File

@ -0,0 +1 @@
/Makefile
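Review bot: this one-line .gitignore (its path is not shown on the page) duplicates the `Makefile` entry added to the top-level .gitignore in the same compare, and commit 791164c50a ("guix-installer-vm: remove duplicated .gitignore") shows the duplication has already caused cleanup once. Keep a single entry: if this file sits in the directory that generates the Makefile, this anchored `/Makefile` form is the one to keep and the top-level entry can go.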

View File

@ -42,7 +42,7 @@ guix-commit.txt: Makefile
s#VM_IPV4_ADDRESS#$(VM_IPV4_ADDRESS)#g ; \ s#VM_IPV4_ADDRESS#$(VM_IPV4_ADDRESS)#g ; \
s#VM_IPV6_ADDRESS#$(VM_IPV6_ADDRESS)#g ; \ s#VM_IPV6_ADDRESS#$(VM_IPV6_ADDRESS)#g ; \
s#VM_IPV4_GATEWAY#$(VM_IPV4_GATEWAY)#g ; \ s#VM_IPV4_GATEWAY#$(VM_IPV4_GATEWAY)#g ; \
s#VM_IPV6_GATEWAY#$(VM_IPV4_GATEWAY)#g ; \ s#VM_IPV6_GATEWAY#$(VM_IPV6_GATEWAY)#g ; \
s#VM_IPV4_DNS#$(VM_IPV4_DNS)#g ; \ s#VM_IPV4_DNS#$(VM_IPV4_DNS)#g ; \
s#VM_IPV6_DNS#$(VM_IPV6_DNS)#g ; \ s#VM_IPV6_DNS#$(VM_IPV6_DNS)#g ; \
s#VM_SSH_PUB_KEY#$(VM_SSH_PUB_KEY)#g ; \ s#VM_SSH_PUB_KEY#$(VM_SSH_PUB_KEY)#g ; \
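Review bot: the fix is right (VM_IPV6_GATEWAY was being replaced with $(VM_IPV4_GATEWAY), so the generated configuration carried the IPv4 gateway as its IPv6 route, which matches the "networking: Fix IPv6 gateway" commit), but the hand-written one-line-per-variable sed script is exactly what let the copy-paste slip through. Consider generating the substitution list from one list of variable names, e.g. `$(foreach v,$(VM_VARS),s#$(v)#$($(v))#g ;)`, so every placeholder maps to its own variable by construction, and make the recipe fail if a `VM_` placeholder survives in the output, e.g. `! grep -q 'VM_[A-Z0-9_]*' $@`.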
@ -59,7 +59,7 @@ guix-commit.txt: Makefile
id_ed25519.pub: id_ed25519.pub:
printf "ssh-ed25519 %s %s" \ printf "ssh-ed25519 %s %s" \
'AAAAC3NzaC1lZDI1NTE5AAAAIH2feuEj4asx0ImCG+cuiPv2WdKF6vMI+cJtZyG9cwUQ' \ 'AAAAC3NzaC1lZDI1NTE5AAAAIH2feuEj4asx0ImCG+cuiPv2WdKF6vMI+cJtZyG9cwUQ' \
'gnutoo@primary_laptop' 'gnutoo@primary_laptop' \
> $@ > $@
# Generate default key. Can be changed by replacing signing-key.pub. # Generate default key. Can be changed by replacing signing-key.pub.
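Review bot: the added `\` after 'gnutoo@primary_laptop' is the real fix for the empty id_ed25519.pub: without it `> $@` ran as a separate command and truncated the file after printf had already written to stdout (commit 20205a1a8e describes the symptom). Beyond the typo, this rule bakes one person's public key in as the default authorized key, so anyone who builds with defaults and deploys ships an image that the holder of that private key can log into. The comment below says the signing key "can be changed by replacing signing-key.pub"; attach the same warning to id_ed25519.pub, or better, make the rule fail with a clear message when no id_ed25519.pub is supplied instead of silently generating a default.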
@ -89,6 +89,10 @@ mumble-vm.img: $(IMAGE_SOURCE)
--image-type=mbr-raw \ --image-type=mbr-raw \
--image-size=6G mumble-vm-system.scm` \ --image-size=6G mumble-vm-system.scm` \
$@ $@
build: $(IMAGE_SOURCE)
guix system build \
--image-type=mbr-raw \
--image-size=6G mumble-vm-system.scm
mumble-vm.tar: $(TARBALL_SOURCE) mumble-vm.tar: $(TARBALL_SOURCE)
tar --exclude "id_ed25519" -cf $@ $(TARBALL_SOURCE) tar --exclude "id_ed25519" -cf $@ $(TARBALL_SOURCE)
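Review bot: the new `build` target repeats `--image-type=mbr-raw --image-size=6G mumble-vm-system.scm` from the mumble-vm.img rule above it, so the two can drift (a size change in one and not the other would stop `make build` from being a faithful syntax check for `make mumble-vm.img`). Put the options in a variable such as IMAGE_BUILD_ARGS used by both recipes, and declare `build` in .PHONY, since a file or directory named build in the tree would otherwise make the target look up to date.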
@ -96,5 +100,8 @@ mumble-vm.tar: $(TARBALL_SOURCE)
mumble-vm.tar.xz: mumble-vm.tar mumble-vm.tar.xz: mumble-vm.tar
xz -f -9e --verbose $< xz -f -9e --verbose $<
mumble-vm.tar.xz.b64: mumble-vm.tar.xz
base64 $< > $@
deploy: $(IMAGE_SOURCE) deploy: $(IMAGE_SOURCE)
guix deploy -L . mumble-vm-machine.scm guix deploy -L . mumble-vm-machine.scm
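Review bot: since mumble-vm.tar.xz.b64 exists to be pasted through a serial console (commit bd5799967f), a long paste can drop or mangle characters, and `base64 -d` only complains when the damage produces invalid input, so `tar xf` may then extract a truncated archive. Have this target also write a checksum, e.g. `sha256sum $< > $<.sha256`, and document checking it on the VM before extracting, so the receiving side can tell a corrupted paste from a good one.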

View File

@ -0,0 +1,56 @@
Deployment
==========
To build the virtual machine image you can use the following command:
$ ./autogen.sh && ./configure && make
You can also check the configure option for configuring it for testing
on another infrastructure (for instance by using another domain).
To build an image you will also need at least id_ed25519.pub and
signing-key.pub:
- id_ed25519.pub can be genreated with the ssh-keygen -t ed25519
command. See the ssh-keygen manual ('man 1 ssh-keygen') for more
details. If you're not confortable with that, backup your ~/.ssh
folder first.
- signing-key.pub can be generated with the 'guix archive
--generate-key' command. See the "Invoking guix archive" in the
Guix manual for more details[1].
https://guix.gnu.org/en/manual/en/guix.html#Invoking-guix-archive
Other files are optional:
- id_ed25519: It is used for guix deploy. It is also generated by
ssh-keygen. A good idea is to have a symlink to it in order not to
have scp copy it to the target machine by mistake as it is the SSH
private key. Using separate SSH keys for separate machines also help
limiting the damage when such accident happen.
- id_wireguard: This is the wireguard private key. It can be generated
with the 'wg genkey > id_wireguard' command. See the wg manual ('man
8 wg') for more detail.
Note that letsencrypt has a limit of about 5 certificates per week, so
it's a good idea to use test domains before deployments.
Once the image is booted:
- You will need to login inside and run the following command:
# first-boot.sh
- You then need to set the root password.
License
=======
This project is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This project is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this project. If not, see <http://www.gnu.org/licenses/>.
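Review bot: two typos in the id_ed25519.pub bullet, "genreated" and "confortable", and the sentence "Using separate SSH keys for separate machines also help limiting the damage when such accident happen" should read "also helps limit the damage when such an accident happens". On the Let's Encrypt paragraph, the limit of 5 per week is the duplicate-certificate limit for the same set of names, so rather than burning it on throwaway domains the README could point at certbot's `--staging` option, which exercises issuance against the staging environment (untrusted certificates, much higher rate limits); that also keeps the `certbot certonly` step of first-boot.sh testable without touching production limits.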

View File

@ -1,5 +1,4 @@
#!/bin/sh #!/bin/sh
#
# Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> # Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
# #
# This file is free software; you can redistribute it and/or modify it # This file is free software; you can redistribute it and/or modify it
@ -9,8 +8,7 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this file. If not, see <http://www.gnu.org/licenses/>. # along with this file. If not, see <http://www.gnu.org/licenses/>.
set -e guix shell -C \
autoconf automake coreutils grep m4 sed \
certbot certonly --standalone -d DOMAIN -m LETSENCRYPT_EMAIL -- \
herd restart mumble-server autoreconf -fi $@
herd restart nginx
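Review bot: `autoreconf -fi $@` on the last line should be `autoreconf -fi "$@"` so that arguments containing spaces reach autoreconf intact. Dropping `set -e` is harmless here because the script is now a single `guix shell -C ... -- autoreconf` invocation whose exit status is the script's exit status, but since `-C` hides everything from the host, a one-line comment saying that the listed packages (`autoconf automake coreutils grep m4 sed`) are the complete toolchain and that the script must be run from the source tree would save the next reader a guess.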

View File

@ -61,9 +61,9 @@ AC_ARG_WITH([letsencrypt-email],
AC_ARG_WITH([vm-ipv4-address], AC_ARG_WITH([vm-ipv4-address],
[AS_HELP_STRING([--with-vm-ipv4-address=VM_IPV4_ADDRESS], [Use custom VM [AS_HELP_STRING([--with-vm-ipv4-address=VM_IPV4_ADDRESS], [Use custom VM
IPv4 address. (default=192.168.1.117/24)])], IPv4 address. (default=192.168.1.117/16)])],
[VM_IPV4_ADDRESS=$withval], [VM_IPV4_ADDRESS=$withval],
[VM_IPV4_ADDRESS="192.168.1.117/24"]) [VM_IPV4_ADDRESS="192.168.1.117/16"])
AC_ARG_WITH([vm-ipv6-address], AC_ARG_WITH([vm-ipv6-address],
[AS_HELP_STRING([--with-vm-ipv6-address=VM_IPV6_ADDRESS], [Use custom VM [AS_HELP_STRING([--with-vm-ipv6-address=VM_IPV6_ADDRESS], [Use custom VM
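Review bot: the default moves from 192.168.1.117/24 to 192.168.1.117/16, which is what makes a gateway at 192.168.0.1 reachable, but a /16 on the VM interface also declares every 192.168.x.y address on-link; if the only goal is the gateway, a /24 in the gateway's own subnet or an explicit on-link route is tighter. The help string is updated together with the default, which is correct; please keep the two in step in future changes as the IPv6 gateway option below shows how easily they drift.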
@ -79,7 +79,7 @@ AC_ARG_WITH([vm-ipv4-gateway],
AC_ARG_WITH([vm-ipv6-gateway], AC_ARG_WITH([vm-ipv6-gateway],
[AS_HELP_STRING([--with-vm-ipv6-gateway=VM_IPV6_GATEWAY], [Use custom VM [AS_HELP_STRING([--with-vm-ipv6-gateway=VM_IPV6_GATEWAY], [Use custom VM
IPv6 gateway address. (default=192.168.0.1)])], IPv6 gateway address. (default=2001:910:1021::1)])],
[VM_IPV6_GATEWAY=$withval], [VM_IPV6_GATEWAY=$withval],
[VM_IPV6_GATEWAY="2001:910:1021::1"]) [VM_IPV6_GATEWAY="2001:910:1021::1"])
@ -99,11 +99,11 @@ AC_ARG_WITH([vm-ssh-public-key],
[AS_HELP_STRING([--with-ssh-vm-public-key=VM_SSH_PUB_KEY], [Use custom VM [AS_HELP_STRING([--with-ssh-vm-public-key=VM_SSH_PUB_KEY], [Use custom VM
SSH public key for use with 'guix deploy'. (default=\ SSH public key for use with 'guix deploy'. (default=\
ssh-ed25519\ ssh-ed25519\
AAAAC3NzaC1lZDI1NTE5AAAAIEjLYbJ+47MTte960IbOUTRzOD012ewt1IZgOOc+NqDa)])], AAAAC3NzaC1lZDI1NTE5AAAAIGeMeRMT4l5mxi8snZYM+jcZ/N/EfJ25L2FU88fdbuhC)])],
[VM_SSH_PUB_KEY=$withval], [VM_SSH_PUB_KEY=$withval],
[VM_SSH_PUB_KEY="\ [VM_SSH_PUB_KEY="\
ssh-ed25519\ ssh-ed25519\
AAAAC3NzaC1lZDI1NTE5AAAAIEjLYbJ+47MTte960IbOUTRzOD012ewt1IZgOOc+NqDa"]) AAAAC3NzaC1lZDI1NTE5AAAAIGeMeRMT4l5mxi8snZYM+jcZ/N/EfJ25L2FU88fdbuhC"])
AC_ARG_WITH([vm-ssh-address], AC_ARG_WITH([vm-ssh-address],
[AS_HELP_STRING([--with-vm-ssh-address=VM_SSH_ADDRESS], [Use custom VM [AS_HELP_STRING([--with-vm-ssh-address=VM_SSH_ADDRESS], [Use custom VM
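Review bot: the help string in this hunk still reads `--with-ssh-vm-public-key=VM_SSH_PUB_KEY` while the option is declared as `AC_ARG_WITH([vm-ssh-public-key]`, so `./configure --help` documents a flag that configure does not accept; it should say `--with-vm-ssh-public-key=VM_SSH_PUB_KEY`. The new default is the VM's SSH host key that `guix deploy` pins, so it is right that it changes when the VM is rebuilt, but a comment stating that the default matches one specific VM and must be overridden for any other deployment would stop people from deploying against a host whose key check can never pass.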

View File

@ -0,0 +1,33 @@
#!/bin/sh
#
# Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# You should have received a copy of the GNU General Public License
# along with this file. If not, see <http://www.gnu.org/licenses/>.
set -e
report()
{
ret=$?
message="$@"
if [ ${ret} -eq 0 ] ; then
echo "[ OK ] ${message}"
else
echo "[ !! ] ${message} failed"
exit ${ret}
fi
}
echo ';;L;*' | sfdisk -f /dev/vda ; report "Resizing /dev/vda1 partition" ; \
partprobe
resize2fs /dev/vda1 ; report "Growing /dev/vda1 filesystem"
certbot certonly --standalone -d DOMAIN -m LETSENCRYPT_EMAIL ; report "Obtaining Lets's Encrypt certificate"
herd restart mumble-server ; report "Restarting Mumble server"
herd restart nginx ; report "Restarting Nginx server"
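Review bot: the `[ !! ] ... failed` branch of `report` can never run, because `set -e` at the top makes the shell exit as soon as sfdisk, resize2fs, certbot or herd returns non-zero, before `report` is called; keep either `set -e` or `report` as the error handler, not both. `certbot certonly --standalone` binds port 80 itself to answer the challenge, so it will fail if the nginx restarted two lines later is already listening there (the webroot or nginx plugin avoids that conflict). `partprobe` on the continuation line is not followed by a `report`, and "Lets's Encrypt" is a typo.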

View File

@ -11,6 +11,7 @@
(define-module (mumble-vm-system) (define-module (mumble-vm-system)
#:use-module (gnu) #:use-module (gnu)
#:use-module (gnu packages admin) #:use-module (gnu packages admin)
#:use-module (gnu packages certs)
#:use-module (gnu packages dns) #:use-module (gnu packages dns)
#:use-module (gnu packages linux) #:use-module (gnu packages linux)
#:use-module (gnu packages ssh) #:use-module (gnu packages ssh)
@ -30,6 +31,35 @@
(define enable-wireguard? (string=? "yes" "ENABLE_WIREGUARD")) (define enable-wireguard? (string=? "yes" "ENABLE_WIREGUARD"))
(define mumble-vm-config
(package
(name "mumble-vm-config")
(version "0.1")
;; TODO: Make that tarball reproducible
(source (local-file "mumble-vm.tar.xz"))
(build-system copy-build-system)
(arguments
(list
#:install-plan
#~(list
'("first-boot.sh" "share/mumble-vm/configs/")
'("guix-commit.txt" "share/mumble-vm/configs/")
'("index.html" "share/mumble-vm/configs/")
'("mumble-vm-machine.scm" "share/mumble-vm/configs/")
'("mumble-vm-system.scm" "share/mumble-vm/configs/")
'("id_ed25519.pub" "share/mumble-vm/configs/")
'("Makefile" "share/mumble-vm/configs/")
'("signing-key.pub" "share/mumble-vm/configs/")
'(#$source
"share/mumble-vm/configs/mumble-vm.tar.xz")
'("wireguard-post-up.sh" "share/mumble-vm/configs/"))))
(synopsis "Full machine configuration.")
(description
"This contains all the configuration files of this machine. This is
needed for unattended upgrades to work.")
(home-page "DOMAIN")
(license license:gpl3+)))
(define website (define website
(package (package
(name "website") (name "website")
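Review bot: `(home-page "DOMAIN")` becomes a bare host name after configure substitutes DOMAIN, but the field expects a URL (the hunk headers further down show `https://DOMAIN/` used in this file), so it should be `"https://DOMAIN/"`; `guix lint` will also flag the synopsis "Full machine configuration." for ending with a period. The package wraps `(local-file "mumble-vm.tar.xz")` with no hash, as the TODO admits, and it installs that same tarball next to the extracted configs; that is what lets mumble-vm-system.scm resolve its own `local-file` inputs when it is later evaluated from /run/current-system/profile, and that non-obvious dependency deserves a comment on the `'(#$source ...)` entry.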
@ -40,8 +70,8 @@
(arguments (arguments
(list (list
#:install-plan #:install-plan
#~(list '("index.html" "var/www/DOMAIN/") #~(list '("first-boot.sh" "var/www/DOMAIN/")
'(#$source "var/www/DOMAIN/")))) '(#$source "var/www/DOMAIN/mumble-vm.tar.xz"))))
(synopsis "The DOMAIN website.") (synopsis "The DOMAIN website.")
(description (description
"The website contains how to use the service, and how to "The website contains how to use the service, and how to
@ -138,8 +168,10 @@ the services after that.")
htop htop
iftop iftop
`(,isc-bind "utils") `(,isc-bind "utils")
mumble-vm-config
net-tools net-tools
nmon nmon
nss-certs
openssh-sans-x openssh-sans-x
website) website)
(if enable-wireguard? (if enable-wireguard?
@ -194,13 +226,13 @@ https://DOMAIN/
(addresses (list (network-address (addresses (list (network-address
(device "eth0") (device "eth0")
(value "VM_IPV4_ADDRESS")) (value "VM_IPV4_ADDRESS"))
(network-address (network-address
(device "eth0") (device "eth0")
(value "VM_IPV6_ADDRESS")))) (value "VM_IPV6_ADDRESS"))))
(routes (list (network-route (routes (list (network-route
(destination "default") (destination "default")
(gateway "VM_IPV4_GATEWAY")) (gateway "VM_IPV4_GATEWAY"))
(network-route (network-route
(destination "default") (destination "default")
(gateway "VM_IPV6_GATEWAY")))) (gateway "VM_IPV6_GATEWAY"))))
(name-servers (list "VM_IPV4_DNS" "VM_IPV6_DNS"))))) (name-servers (list "VM_IPV4_DNS" "VM_IPV6_DNS")))))
@ -238,14 +270,21 @@ https://DOMAIN/
`(("root" , (local-file "id_ed25519.pub")) `(("root" , (local-file "id_ed25519.pub"))
("gnutoo" ,(local-file "id_ed25519.pub")))))) ("gnutoo" ,(local-file "id_ed25519.pub"))))))
;; Unattended Upgrades ;; Unattended Upgrades
(service unattended-upgrade-service-type)) (service
unattended-upgrade-service-type
(unattended-upgrade-configuration
(operating-system-file (string-append "/run/current-system/profile"
"/share/mumble-vm/configs/"
"mumble-vm-system.scm"))
(schedule "30 * * * * ")
(services-to-restart (list 'guix-daemon 'mcron 'ssh-daemon)))))
(if enable-wireguard? (if enable-wireguard?
(list (list
(service wireguard-service-type (service wireguard-service-type
(wireguard-configuration (wireguard-configuration
(addresses '("79.143.250.36/32" "2001:678:938:3ff::36/128")) (addresses '("79.143.250.36/32" "2001:678:938:3ff::36/128"))
(dns '("79.143.250.1" "79.143.250.2" (dns '("79.143.250.1" "79.143.250.2"
"2001:678:938::53:1" "2001:678:938::53:2")) "2001:678:938::53:1" "2001:678:938::53:2"))
(port 0) (port 0)
(post-up %wireguard-post-up) (post-up %wireguard-post-up)
(private-key (local-file "id_wireguard")) (private-key (local-file "id_wireguard"))
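Review bot: `(schedule "30 * * * * ")` carries a trailing space inside the cron specification, harmless but it looks accidental, and the hourly run combined with `(services-to-restart (list 'guix-daemon 'mcron 'ssh-daemon))` restarts ssh-daemon whenever the system generation changes, which is worth stating in the README. `operating-system-file` points at the mumble-vm-system.scm shipped inside the running system's own profile, so the unattended job can only pick up new Guix commits; a configuration change still needs a `guix deploy`, and a short comment next to the service would make that clear. The restart list also omits mumble-server and nginx, so they keep running the previous generation's binaries until a manual `herd restart`; if that is deliberate, say so.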
@ -254,9 +293,10 @@ https://DOMAIN/
(wireguard-peer (wireguard-peer
(name "stephanie.franciliens.net") (name "stephanie.franciliens.net")
(endpoint "stephanie.franciliens.net:51820") (endpoint "stephanie.franciliens.net:51820")
(public-key "Ybfh3twyBpj7wx/lo9AVBsBKNAUMSQqAWWV0LfywSDI=") (public-key
"Ybfh3twyBpj7wx/lo9AVBsBKNAUMSQqAWWV0LfywSDI=")
(allowed-ips '("0.0.0.0/0" "::/0")))))))) (allowed-ips '("0.0.0.0/0" "::/0"))))))))
(list )) (list ))
(modify-services (modify-services
%base-services %base-services
(guix-service-type config => (guix-configuration (guix-service-type config => (guix-configuration

View File

@ -0,0 +1,69 @@
# Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# You should have received a copy of the GNU General Public License
# along with this file. If not, see <http://www.gnu.org/licenses/>.
.PHONY: all deploy
all: guix-installer-vm.img
# Generate default key. Can be changed by replacing id_ed25519.pub.
id_ed25519.pub:
printf "ssh-ed25519 %s %s" \
'AAAAC3NzaC1lZDI1NTE5AAAAIH2feuEj4asx0ImCG+cuiPv2WdKF6vMI+cJtZyG9cwUQ' \
'gnutoo@primary_laptop' \
> $@
# Generate default key. Can be changed by replacing signing-key.pub.
signing-key.pub:
printf '(public-key (ecc (curve Ed25519) (q #%s#)))\n' \
'3A7E1F41E2D5784CFCABB39CB73F99E727D4A5C1ECA79D873587D63D093CC4B5' \
>$@
# We want to only update the image when guix commit changes. The trick
# to make that work is to only create or update a file when the revision
# changes.
guix-commit.txt: Makefile
if [ ! -f $@ ] ; then \
guix describe | grep '^ commit:' | awk '{print $$2}' > $@ ; \
elif [ "$(cat $@)" != \
"$(guix describe | \
grep '^ commit:' | awk '{print $$2}')" ] ; then \
guix describe | grep '^ commit:' | awk '{print $$2}' > $@ ; \
fi
TARBALL_SOURCE = \
first-boot.sh \
guix-commit.txt \
guix-installer-vm-system.scm \
id_ed25519.pub \
Makefile \
signing-key.pub
guix-installer-vm.tar: $(TARBALL_SOURCE)
tar --exclude "id_ed25519" -cf $@ $(TARBALL_SOURCE)
guix-installer-vm.tar.xz: guix-installer-vm.tar
xz -f -9e --verbose $<
guix-installer-vm.tar.xz.b64: guix-installer-vm.tar.xz
base64 $< > $@
IMAGE_SOURCE = \
$(TARBALL_SOURCE) \
guix-installer-vm.tar.xz
guix-installer-vm.img: $(IMAGE_SOURCE)
install \
`guix system image \
--image-type=mbr-raw \
--image-size=4G guix-installer-vm-system.scm` \
$@
deploy:
guix deploy -L . guix-installer-vm-machine.scm
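Review bot: in the guix-commit.txt recipe the `elif` compares `"$(cat $@)"` with `"$(guix describe | ...)"`, but a single-dollar `$(...)` in a recipe is expanded by make as an undefined, empty make variable before the shell sees it, so both sides are always empty, the test is always false, and the file is never refreshed once it exists; they need to be `$$(cat $@)` and `$$(guix describe | ...)`, as already done for `$$2` in the awk calls. Second, the `id_ed25519.pub` and `signing-key.pub` rules silently write the author's own keys when the files are absent, so a build with no keys present produces an image whose root account and guix daemon trust someone else's keys; those rules should fail with a message asking for the user's own file, which is what the mumble-vm README already requires. Keeping `--exclude "id_ed25519"` on the tar call is right, since the private key sits next to the public one in the tree.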

guix-installer-vm/README Normal file
View File

@ -0,0 +1,14 @@
License
=======
This project is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This project is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this project. If not, see <http://www.gnu.org/licenses/>.

guix-installer-vm/first-boot.sh Executable file
View File

@ -0,0 +1,29 @@
#!/bin/sh
#
# Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# You should have received a copy of the GNU General Public License
# along with this file. If not, see <http://www.gnu.org/licenses/>.
set -e
report()
{
ret=$?
message="$@"
if [ ${ret} -eq 0 ] ; then
echo "[ OK ] ${message}"
else
echo "[ !! ] ${message} failed"
exit ${ret}
fi
}
echo ';;L;*' | sfdisk -f /dev/vda ; report "Resizing /dev/vda1 partition" ; \
partprobe
resize2fs /dev/vda1 ; report "Growing /dev/vda1 filesystem"
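Review bot: `set -e` makes `report` dead code on the failure path: a non-zero sfdisk or resize2fs exits the script before `report` runs, so the `[ !! ] ... failed` branch can never print and only successes are ever reported; keep either `set -e` or `report`, not both. `partprobe` on the continuation line has no `report` either. A comment explaining that `echo ';;L;*' | sfdisk -f /dev/vda` rewrites partition 1 to span the rest of the disk, and that data survives only because the new partition 1 starts where the old one did, would help whoever maintains this later.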

View File

@ -0,0 +1,35 @@
;;; Copyright © Guix documentation authors
;;; Copyright © 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
;;;
;;; This file is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; This file is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with this file. If not, see <http://www.gnu.org/licenses/>.
(use-modules (gnu)
(gnu machine)
(gnu machine ssh))
(list
(machine
(operating-system
(@ (guix-installer-vm-system) guix-installer-vm-operating-system))
(environment managed-host-environment-type)
(configuration
(machine-ssh-configuration
(authorize? #t)
(build-locally? #f)
(host-key
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJGgswfvxxErFStqBGY81N0uuLndjA5l9bGd4DGlcK9F")
(host-name "2001:910:1021::118")
(identity "./id_ed25519")
(port 222)
(system "x86_64-linux")
(user "root")))))
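Review bot: pinning `host-key` to the VM's ed25519 public key is right, since `host-name` is a bare IPv6 literal and nothing else would detect a swapped host; a comment that it must be updated together with the VM_SSH_PUB_KEY default in configure.ac whenever the VM is rebuilt would avoid a confusing host-key mismatch on the first deploy. `(authorize? #t)` adds the deploying machine's signing key to the VM's ACL on every deploy; that is the trust grant which makes `guix deploy` work, and it belongs in the README next to the advice about keeping id_ed25519 out of the tarball, since whoever holds that identity and signing key controls what the VM will accept.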

View File

@ -0,0 +1,172 @@
;; Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
;;
;; This file is free software; you can redistribute it and/or modify it
;; under the terms of the GNU General Public License as published by
;; the Free Software Foundation; either version 3 of the License, or (at
;; your option) any later version.
;;
;; You should have received a copy of the GNU General Public License
;; along with this file. If not, see <http://www.gnu.org/licenses/>.
(define-module (guix-installer-vm-system)
#:use-module (gnu)
#:use-module (gnu packages admin)
#:use-module (gnu packages certs)
#:use-module (gnu packages disk)
#:use-module (gnu packages dns)
#:use-module (gnu packages linux)
#:use-module (gnu packages screen)
#:use-module (gnu packages ssh)
#:use-module (gnu packages tls)
#:use-module (gnu services admin)
#:use-module (gnu services certbot)
#:use-module (gnu services ssh)
#:use-module (gnu services telephony)
#:use-module (gnu services vpn)
#:use-module (gnu services web)
#:use-module (guix build-system copy)
#:use-module (guix build-system gnu)
#:use-module ((guix licenses) #:prefix license:)
#:use-module (guix packages)
#:use-module (guix utils)
#:export (guix-installer-vm-operating-system))
(define guix-installer-vm-config
(package
(name "guix-installer-vm-config")
(version "0.1")
;; TODO: Make that tarball reproducible
(source (local-file "guix-installer-vm.tar.xz"))
(build-system copy-build-system)
(arguments
(list
#:install-plan
#~(list
'("first-boot.sh" "share/guix-installer-vm/configs/")
'("guix-commit.txt" "share/guix-installer-vm/configs/")
'("guix-installer-vm-system.scm" "share/guix-installer-vm/configs/")
'("id_ed25519.pub" "share/guix-installer-vm/configs/")
'("Makefile" "share/guix-installer-vm/configs/")
'("signing-key.pub" "share/guix-installer-vm/configs/")
'(#$source
"share/guix-installer-vm/configs/guix-installer-vm.tar.xz"))))
(synopsis "Full machine configuration.")
(description
"This contains all the configuration files of this machine. This is
needed for unattended upgrades to work.")
(home-page "DOMAIN")
(license license:gpl3+)))
(define first-boot-script
(package
(name "first-boot-script")
(version "0.1")
(source (local-file "first-boot.sh" ))
(build-system gnu-build-system)
(arguments
(list #:tests? #f ;no tests
#:phases
#~(modify-phases
%standard-phases
(delete 'build)
(delete 'configure)
(replace 'install
(lambda _
(chmod "first-boot.sh" #o755)
(install-file
"first-boot.sh"
(string-append (string-append #$output "/bin"))))))))
(inputs (list e2fsprogs parted util-linux))
(synopsis "Script to run on first boot.")
(description
"The first-boot.sh script resize the rootfs and updates the system.")
(home-page #f)
(license license:gpl3+)))
(define guix-installer-vm-operating-system
(operating-system
(bootloader (bootloader-configuration
(bootloader grub-minimal-bootloader)
(targets '("/dev/vda"))
(terminal-outputs '(serial_0))))
(kernel-arguments (append '("console=ttyS0")))
(file-systems (cons (file-system
(device (file-system-label "Guix_image"))
(mount-point "/")
(type "ext4")) %base-file-systems))
(host-name "guix-installer-vm")
(timezone "Europe/Paris")
(packages (append (list first-boot-script
guix-installer-vm-config
htop
net-tools
nss-certs
parted
screen)
%base-packages))
(services
(append
(list
;; Agetty
;; ttyS0 is already setup automatically due to the console=ttyS0
;; kernel argument
(service agetty-service-type
(agetty-configuration (term "xterm-256color")
(tty "ttyS1")))
(service agetty-service-type
(agetty-configuration (term "xterm-256color")
(tty "ttyS2")))
(service agetty-service-type
(agetty-configuration (term "xterm-256color")
(tty "ttyS3")))
;; Networking
(service
static-networking-service-type
(list
(static-networking
(addresses (list (network-address
(device "eth0")
(value "192.168.1.118/16"))
(network-address
(device "eth0")
(value "2001:910:1021::118/64"))))
(routes (list (network-route
(destination "default")
(gateway "192.168.0.1"))
(network-route
(destination "default")
(gateway "2001:910:1021::1"))))
(name-servers (list "192.168.0.1" "2001:910:1021::1")))))
;; OpenSSH
(service openssh-service-type
(openssh-configuration
(openssh openssh-sans-x)
(use-pam? #f)
(port-number 222)
(permit-root-login #t)
(password-authentication? #f)
(challenge-response-authentication? #f)
(authorized-keys
`(("root" , (local-file "id_ed25519.pub"))
("gnutoo" ,(local-file "id_ed25519.pub"))))))
;; Unattended Upgrades
(service
unattended-upgrade-service-type
(unattended-upgrade-configuration
(operating-system-file
(string-append "/run/current-system/profile"
"/share/guix-installer-vm/configs/"
"guix-installer-vm-system.scm"))
(schedule "0 * * * * ")
(services-to-restart (list 'guix-daemon 'mcron 'ssh-daemon)))))
(modify-services
%base-services
(guix-service-type config => (guix-configuration
(authorized-keys
(append
(list
(local-file
"signing-key.pub"))
%default-authorized-guix-keys)))))))))
guix-installer-vm-operating-system
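Review bot: in first-boot-script the install phase has a doubled `(string-append (string-append #$output "/bin"))`, one call is enough, and the description "The first-boot.sh script resize the rootfs and updates the system." should read "resizes"; the script in this series only grows the root filesystem, it does not update the system. The `(inputs (list e2fsprogs parted util-linux))` do nothing at run time because the script is installed as-is rather than wrapped, so sfdisk, partprobe and resize2fs must come from the system profile (parted is listed under packages; e2fsprogs and util-linux are expected from %base-packages); either wrap the script or drop the inputs. In the openssh-configuration, `(permit-root-login #t)` together with `(password-authentication? #f)` is effectively key-only root, but `(permit-root-login 'prohibit-password)` states that intent directly and survives a later change to password-authentication?. Both synopses end with a period, which `guix lint` flags, and as in the mumble VM the unattended-upgrade `operating-system-file` is the copy inside the running profile, so the hourly job only follows new Guix commits and never a configuration edit.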

View File

@ -1,7 +1,7 @@
<domain type="kvm"> <domain type="kvm">
<name>guix-vm-installer</name> <name>guix-vm-installer</name>
<memory unit="KiB">16777216</memory> <memory unit="KiB">2097152</memory>
<currentMemory unit="KiB">16777216</currentMemory> <currentMemory unit="KiB">2097152</currentMemory>
<resource> <resource>
<partition>/machine</partition> <partition>/machine</partition>
</resource> </resource>
@ -31,17 +31,11 @@
<emulator>/usr/bin/qemu-system-x86_64</emulator> <emulator>/usr/bin/qemu-system-x86_64</emulator>
<disk type="file" device="disk"> <disk type="file" device="disk">
<driver name="qemu" type="raw"/> <driver name="qemu" type="raw"/>
<source file="/srv/vmverse/installation/guix-system-install-1.4.0.x86_64-linux.iso"/> <source file="/srv/vmverse/installation/guix-installer-vm.img"/>
<target dev="sda" bus="usb" removable="on"/> <target dev="sda" bus="usb" removable="on"/>
<readonly/> <readonly/>
<address type="usb" bus="0" port="1"/> <address type="usb" bus="0" port="1"/>
</disk> </disk>
<disk type="file" device="disk">
<driver name="qemu" type="raw"/>
<source file="/srv/vmverse/noyau/audio.experimental.a-lec.org.raw"/>
<target dev="vda" bus="virtio"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x05" function="0x0"/>
</disk>
<controller type="usb" index="0" model="ich9-ehci1"> <controller type="usb" index="0" model="ich9-ehci1">
<address type="pci" domain="0x0000" bus="0x00" slot="0x04" function="0x7"/> <address type="pci" domain="0x0000" bus="0x00" slot="0x04" function="0x7"/>
</controller> </controller>
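Review bot: this hunk removes the virtio disk that was attached as `vda` and keeps the installer image as a read-only removable USB `sda`, but the system this image boots (guix-installer-vm-system.scm in this series) installs GRUB to /dev/vda and first-boot.sh grows /dev/vda1 with sfdisk and resize2fs; with this XML there is no vda at all and the only disk is `<readonly/>`, so the first boot cannot resize anything and unattended upgrades cannot write to the store. If guix-installer-vm.img is meant to be the VM's persistent system disk it should be attached as a writable virtio disk rather than through the USB slot that the 1.4.0 install ISO used.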
@ -88,16 +82,13 @@
</console> </console>
<input type="keyboard" bus="ps2"/> <input type="keyboard" bus="ps2"/>
<input type="mouse" bus="ps2"/> <input type="mouse" bus="ps2"/>
<graphics type="spice" autoport="yes" listen="127.0.0.1"> <graphics type="spice">
<listen type="address" address="127.0.0.1"/> <listen type="none"/>
<gl enable="no"/> <gl enable="no"/>
</graphics> </graphics>
<audio id="1" type="spice"/> <audio id="1" type="spice"/>
<video> <video>
<model type="virtio" heads="1" primary="yes"> <model type="none"/>
<acceleration accel3d="no"/>
</model>
<address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x0"/>
</video> </video>
<memballoon model="virtio"> <memballoon model="virtio">
<address type="pci" domain="0x0000" bus="0x00" slot="0x06" function="0x0"/> <address type="pci" domain="0x0000" bus="0x00" slot="0x06" function="0x0"/>
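Review bot: `<listen type="none"/>` with `<model type="none"/>` removes the SPICE listener and the emulated GPU, leaving the serial console (console=ttyS0 plus the agetty services in the system definition) as the only interactive path, which is a good reduction of the VM's exposure; the `<audio id="1" type="spice"/>` element left in the context lines has no display to attach to any more and can go as well.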

View File

@ -1,236 +0,0 @@
#!/bin/sh
# Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# You should have received a copy of the GNU General Public License
# along with this file. If not, see <http://www.gnu.org/licenses/>.
report()
{
ret=$?
message="$@"
if [ ${ret} -eq 0 ] ; then
echo "[ OK ] ${message}"
else
echo "[ !! ] ${message}"
exit ${ret}
fi
}
environment_checks()
{
[ "$(id -u)" = "0" ] ; report "Running as root"
# Try to detect the installer
_mount="none / overlay"
_mount="${_mount} rw,relatime"
_mount="${_mount},lowerdir=/real-root"
_mount="${_mount},upperdir=/rw-root/upper"
_mount="${_mount},workdir=/rw-root/work"
_mount="${_mount} 0 0"
grep "${_mount}" "/proc/mounts" 2>&1 > /dev/null ; report "Mount check"
[ "${HOSTNAME}" = "gnu" ] ; report "Hostname check"
}
# FB31DBA3AB8DB76A4157329F7651568F80374459:
# uid [ultimate] Denis 'GNUtoo' Carikli <GNUtoo@no-log.org>
# uid [ultimate] Denis 'GNUtoo' Carikli <GNUtoo@riseup.net>
# uid [ultimate] Denis 'GNUtoo' Carikli <GNUtoo@makefreedom.org>
# uid [ultimate] Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
import_gpg_key()
{
cat <<EOF > FB31DBA3AB8DB76A4157329F7651568F80374459.asc
-----BEGIN PGP PUBLIC KEY BLOCK-----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=4ncY
-----END PGP PUBLIC KEY BLOCK-----
EOF
guix shell gnupg -- \
gpg --import FB31DBA3AB8DB76A4157329F7651568F80374459.asc && \
rm -f FB31DBA3AB8DB76A4157329F7651568F80374459.asc
}
environment_checks
tmpdir="$(mktemp -d)"
cd "${tmpdir}"
guix pull ; report "Guix pull"
hash guix ; report "hash guix"
import_gpg_key ; report "Import GPG key"
guix shell -C --network git nss-certs -- \
git clone https://git.a-lec.org/GNUtoo/guix-mumble-vm.git -b guix-installer ; \
report "Cloning machine configuration git"
cd "guix-mumble-vm" ; report "cd guix-mumble-vm"
guix shell git gnupg -- \
git verify-commit HEAD ; report "check git signature"
guix shell -C --nesting autoconf automake bash coreutils grep sed -- \
./autogen.sh ; report "./autogen.sh"
guix shell -C --nesting bash coreutils gawk grep sed -- \
./configure ; report "./configure"
guix shell -C --nesting automake coreutils gawk grep make sed tar xz -- \
make mumble-vm.tar.xz ; report "Generating VM definition"
cp mumble-vm.tar.xz ../ && \
cd ../ && \
rm -rf mumble-vm && \
guix shell -C tar xz -- tar xf mumble-vm.tar.xz && \
rm -f mumble-vm.tar.xz ; report "Removing git repository"
guix gc ; report "guix gc"
echo 'label: gpt' | sfdisk /dev/vda ; report "GPT creation on /dev/vda" ; \
report "GPT formating"
echo ';;L;*' | sfdisk /dev/vda ; report "/dev/vda1 creation" ; \
report "Adding partition"
mkfs.ext4 -F -L Guix_image /dev/vda1 ; report "EXT4 formating"
mount /dev/vda1 /mnt ; report "mount /dev/vda1 /mnt" ; report "mounting rootfs"
herd start cow-store /mnt ; report "Using /mnt for storing guix system init packages"
guix system init mumble-vm-system.scm /mnt ; report "guix system init"
umount /mnt ; report "umount rootfs"
printf "Installation done: %s\n" \
"you can remove the install media and reboot to the new VM"

scripts/kbd.sh Executable file
View File

@ -0,0 +1,93 @@
#!/usr/bin/env bash
#
# Copyright (C) 2024 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
keymaps="/run/current-system/profile/share/keymaps/i386"
ask_keymap_type()
{
index=0
keymap_type_list=""
for keymap_type in "${keymaps}"/* ; do
# shellcheck disable=SC2001 # For ^ or $ regex.
keymap_type="$(echo "${keymap_type}" | sed "s#^${keymaps}/##")"
if [ "${keymap_type}" = "include" ] ; then
continue
fi
keymap_type_list="${keymap_type_list} ${index} ${keymap_type}"
index=$((index + 1))
done
IFS=' ' read -r -a keymap_type_list_array <<< "${keymap_type_list}"
# shellcheck disable=SC2086
result=$(dialog --stdout \
--menu "Keyboard layout type:" \
0 0 0 \
${keymap_type_list})
if [ "${result}" = "" ] ; then
exit 0
fi
result=$((result * 2))
result=$((result + 1))
directory=${keymap_type_list_array[${result}]}
echo "${directory}"
}
ask_keymap()
{
directory="$1"
index=0
keymap_list=""
for keymap in "${keymaps}"/"${directory}"/* ; do
# shellcheck disable=SC2001 # For ^ or $ regex.
mapname=$(echo "${keymap}" | \
sed "s#^${keymaps}/${directory}/##" | \
sed 's#\.map\.gz$##')
keymap_list="${keymap_list} ${index} ${mapname}"
index=$((index + 1))
done
IFS=' ' read -r -a keymap_list_array <<< "${keymap_list}"
# shellcheck disable=SC2086
result=$(dialog --stdout --menu "Keyboard layout:" 0 0 0 ${keymap_list})
if [ "${result}" = "" ] ; then
exit 0
fi
result=$((result * 2))
result=$((result + 1))
keymap_name=${keymap_list_array[${result}]}
echo "${keymaps}/${directory}/${keymap_name}.map.gz"
}
directory="$(ask_keymap_type)"
if [ -z "${directory}" ] ; then
exit 0
fi
keymap_path="$(ask_keymap "${directory}")"
if [ -z "${keymap_path}" ] ; then
exit 0
fi
loadkeys "${keymap_path}"
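Review bot: both loops strip the prefix and suffix with `sed`, which is why the SC2001 disables are needed; `${keymap_type#"${keymaps}/"}` and `${mapname%.map.gz}` do the same without a subshell and without a `#`-delimited regex that breaks if $keymaps ever contains a `#`. The `result * 2 + 1` index relies on keymap_list being a flat "index name index name ..." sequence, which silently breaks for any map name containing whitespace; a comment on that layout, or building a bash array from the start, would make it obvious. Since `loadkeys` needs root, an early check with a clear message would be friendlier than the error it gives when run as an ordinary user.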

View File

@ -0,0 +1,20 @@
# Copyright (C) 2024 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# You should have received a copy of the GNU General Public License
# along with this file. If not, see <http://www.gnu.org/licenses/>.
# Files produced by the build system.
/autom4te.cache/**
/gnupg/**
/grub/**
/grub.iso
/Makefile
/preseed.cfg
/preseed.img
/rootfs.img
/rootfs.img.tmp

View File

@ -0,0 +1,30 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGNQMswBEACpaLnL36fWyve4zXHKrN7AjXl+g5cafQyei4j1saTLfQatdJed
ubvcscZ3yERB+R0+8xuH2UqvR0E57ohZZaTiwcUWJ3VemxCZhwKy+Xvt1ZUNxBrh
2qAJBcP0+UCskSfWb+QQ1twNIeQ8Raj+kRPGphlNmjYxF2CFOsw9c56Lz+jNyty9
RC3Bg4l+Kcdhw23w5XBUXpHOyL6lsG317PWgEHUIQzNhXZfHL9GzwtTVQV8tVPyu
MOQIa7KDFXUEEnRN31mVLzfNHqKtTgFfP2LnSiD3LsBYsqJUtAnFGyORHgKhddRg
AKLrn1h0dEzkN+XsMaAWPrJg87ks7qXhhNz3SEI+t7dL4ozfUryRY9/8t/rXuQK+
ffRO/63i8SaHdu1Sl8MgHsNZRFOlbYGPw73TpdJ3JvfmfPNrRcTzsU1arMML8GWs
q6/QYDTWVYBYXy0kEqJQmeb3yJRvnIdVfiAdu9fyDPY8FCTUTcsxKe88u2bgrIaY
pNdoNFXojIC9JvMUM5QakMeog+ocTrZFOyhRMKfq5KEV/IDvsx6BfQzpjvK27LgX
LcdlP9HUVb9ZkKUgMGV1trqSA7kKrkDtfw+BInReTeSEnr4jsAwwiG62kDmmA4mo
dFq1MsWTAJTvpeeK+86gYliZukt6076zPrszmDJIyJWwHCLFn1jVkn1tlQARAQAB
tFpUcmlzcXVlbCBHTlUvTGludXggQXJjaGl2ZSBBdXRvbWF0aWMgU2lnbmluZyBL
ZXkgKDExL2FyYW1vKSA8dHJpc3F1ZWwtZGV2ZWxAdHJpc3F1ZWwuaW5mbz6JAk4E
EwEKADgCGwMFCwkIBwMFFQoJCAsFFgMCAQACHgECF4AWIQTSTdrJIm1bpenzvtP1
2qr3StTJOAUCY1AzAgAKCRD12qr3StTJOIxbD/44B7Kv+26TBW6BIiUlp1iDsvoX
yHk9yau41g6HjJR53KrFID4uszN9B+Cl+R0PjywfgC9OSSTKOjJq4/yQE00JpuF+
HtWieshZJs8QFKLD+mZQfRVCQweqj9HZS8AFH02LYkdsXiv4LZLaNljcHEPC3Y34
61xcg3viATgHL1ZJIPGT/vk425jQkEv9wjCjIvKsMhoE9EcqDBft9jKBC6H8LQwZ
iIYYNf28WRIW/EbutPe+0B3YOuw3PT/o/x40ySLWIJARODxBCqJ0wEC4PI7lUiLg
DGV0cUUykZz7BXKaIZIj+3wViR5zDGqIWx5TwdW2MJpDi9ove8N/3HaAc6BwQQXH
acZohOBqf/BjTKXQufVzx1sMBxB+a5zp284uICX54y/mm9tPHWcOOtl+NYj5qk4A
qn+vh433kNW622qJ8tt72kbcfaRekBnCj/A10U46TyWgZgMc7XxCc5r8slJWlhYZ
bRgbWWvkyH1s0mzbkAyNwrNa0vafcxOxO9psc7LG4mLPBqLoKKPmYY5Vgu8fdlbb
OLLFVvNhuTSX2ugkPfAp/XeWucQPJv3een1C1AWNcufhKYm1DZkYTGBeT8cbsw3T
0JnpRad+Sm2VhLcQ8PHKHUUeklVqUMjyCHo32sydo+I1MjC3QWycolljno2un9HU
TNAXG/1k2DzsqFPFjw==
=LJyh
-----END PGP PUBLIC KEY BLOCK-----
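Review bot: this is the Trisquel archive automatic signing key (the user ID decodes from the base64 body), whose fingerprint D24DDAC9226D5BA5E9F3BED3F5DAAAF74AD4C938 the Makefile.am in this series imports into a dedicated keyring to verify the netinstall ISO, so it is the trust root for everything the image builder downloads. Please record in the README how that fingerprint was cross-checked (Trisquel's website or keyring package, and when), so that a reviewer can tell an intentional key rotation from a substituted key in any future update of this file.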

View File

@ -0,0 +1,85 @@
# Copyright (C) 2024 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# This file is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
dist_pkgdata_DATA = rootfs.img
EXTRA_QEMU_ARGS =
if WANT_KVM
EXTRA_QEMU_ARGS += -enable-kvm -cpu host
endif # WANT_KVM
gnupg/pubring.kbx: ${srcdir}/D24DDAC9226D5BA5E9F3BED3F5DAAAF74AD4C938.asc
install -d gnupg
gpg \
--home=gnupg \
--import \
${srcdir}/D24DDAC9226D5BA5E9F3BED3F5DAAAF74AD4C938.asc || \
rm -rf gnupg
.PHONY: check-trisquel-installation-image
check-trisquel-installation-image: $(TRISQUEL_NETINSTALL) gnupg/pubring.kbx
gpg --home=gnupg \
--verify trisquel-netinst_11.0.1_amd64.iso.asc \
$(TRISQUEL_NETINSTALL)
grub/boot/linux: Makefile check-trisquel-installation-image
install -D -d grub/boot
xorriso -osirrox on \
-indev $(TRISQUEL_NETINSTALL) \
-extract /linux $@
chmod 770 $@
grub/boot/initrd.gz: Makefile check-trisquel-installation-image
install -D -d grub/boot
xorriso -osirrox on \
-indev $(TRISQUEL_NETINSTALL) \
-extract /initrd.gz $@
chmod 770 $@
grub/boot/grub/grub.cfg: Makefile grub.cfg
install -D -m 660 grub.cfg $@
# It is way more simple to just extract the kernel and initramfs and
# write some grub.cfg by hand than to somehow modify an existing
# installer iso.
grub.iso: Makefile grub/boot/linux grub/boot/initrd.gz grub/boot/grub/grub.cfg
grub-mkrescue -o $@ grub
preseed.cfg: preseed.cfg.tmpl
sed 's#\@MIRROR_HTTP_PROXY\@#$(MIRROR_HTTP_PROXY)#g' \
preseed.cfg.tmpl > $@
preseed.img: Makefile preseed.cfg
dd if=/dev/zero of=$@.tmp count=2048
mkfs.vfat --mbr=y -n MEDIA $@.tmp
mcopy -i $@.tmp preseed.cfg ::/preseed.cfg
mv $@.tmp $@
rootfs.img.tmp: Makefile
qemu-img create -f qcow2 $@ $(TRISQUEL_ROOTFS_SIZE)
# The 790M were found by trial and error. At 789M the netinstall
# complains about "low memory".
rootfs.img: preseed.img rootfs.img.tmp grub.iso
install -m 644 rootfs.img.tmp rootfs.img || rm -f rootfs.img
qemu-system-x86_64 \
-M q35 \
-m 807M \
-nographic \
-drive file=grub.iso,index=2,media=cdrom,if=ide \
-drive file=rootfs.img,index=1,media=disk,if=virtio \
-drive file=preseed.img,index=0,media=disk,if=none,format=raw,id=usb \
-usb -device usb-ehci,id=ehci -device usb-storage,bus=ehci.0,drive=usb \
$(EXTRA_QEMU_ARGS) || \
\
rm -f rootfs.img
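Review bot: In the `rootfs.img` recipe, `install -m 644 rootfs.img.tmp rootfs.img || rm -f rootfs.img` turns a failed copy into success (rm exits 0), so make goes on to run qemu-system-x86_64 against a disk that does not exist, and the trailing `|| rm -f rootfs.img` likewise makes the recipe exit 0 when the installer run fails, so `make` reports success with no image produced. Chain the steps with `&&` and fail explicitly after the cleanup, e.g. `|| { rm -f rootfs.img; exit 1; }`. Two smaller points in the same hunk: the comment says 790M was the minimum found by trial and error while the command passes `-m 807M`, so one of the two is stale; and `gpg --verify trisquel-netinst_11.0.1_amd64.iso.asc` names the detached signature relative to the build directory while the public key is taken from `${srcdir}`, so an out-of-tree build cannot find the `.asc` (use `${srcdir}/trisquel-netinst_11.0.1_amd64.iso.asc`). The freshly created `gnupg` homedir that holds only the pinned key is what makes the exit status of `gpg --verify` meaningful here, since gpg exits 0 for a valid signature by any key in the keyring regardless of trust; keep it that way rather than falling back to the user's keyring.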


@ -0,0 +1,42 @@
Deployment and limitations.
===========================
Creating an image is similar to the build of other software as you use
similar commands:
$ git clone https://forge.a-lec.org/cominfra/experimental-vms
$ cd experimental-vms/trisquel-automatic-netinstall-qemu
$ ./autogen.sh
$ ./configure --prefix=/ \
--with-trisquel-netinstall=~/Downloads/trisquel-netinst_11.0.1_amd64.iso
$ make
Since your account on a physical machines from Libre en communs might
lack permissions for accessing /dev/kvm, you might need to pass
'--disable-kvm' to ./configure, and since these machines also lack
many tools, you will need to workaround by using the provided
./libre-en-communs-guix-shell.sh script. For instance the following
should work:
$ git clone https://forge.a-lec.org/cominfra/experimental-vms
$ cd experimental-vms/trisquel-automatic-netinstall-qemu
$ wget https://cdimage.trisquel.info/trisquel-images/trisquel-netinst_11.0.1_amd64.iso
$ ./libre-en-communs-guix-shell.sh ./autogen.sh
$ ./libre-en-communs-guix-shell.sh ./configure --prefix=/ --disable-kvm
$ ./libre-en-communs-guix-shell.sh make
The image should then be in rootfs.img.
License
=======
This project is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at
your option) any later version.
This project is distributed in the hope that they will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License
along with this project. If not, see <http://www.gnu.org/licenses/>.
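Review bot: The first example passes `--with-trisquel-netinstall=~/Downloads/trisquel-netinst_11.0.1_amd64.iso`, but configure.ac in this same change rejects any value beginning with `~` (`~ not supported in --with-trisquel-netinstall`), so the command fails as written whenever the shell leaves the tilde unexpanded; document an absolute path or `$HOME/Downloads/...` instead. It would also help the reader to say that `make` verifies the downloaded ISO against the OpenPGP key shipped in the repository before extracting the kernel and initrd, since the second example fetches the image with a bare `wget` and nothing in the text indicates that the download is checked. Minor: the license paragraph reads "in the hope that they will be useful", a leftover from a plural original.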


@ -0,0 +1,151 @@
# Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
AC_PREREQ([2.69])
AC_INIT([trisquel-automatic-netinstall-qemu], [0.1],
[GNUtoo@cyberdimension.org])
AC_CONFIG_SRCDIR([configure.ac])
AC_PROG_AWK
AC_PROG_MKDIR_P
AM_INIT_AUTOMAKE([foreign])
AC_SUBST([ENABLE_KVM], [])
AC_SUBST([MIRROR_HTTP_PROXY], [])
AC_SUBST([TRISQUEL_ROOTFS_SIZE], [])
AC_SUBST([TRISQUEL_NETINSTALL], [])
AC_ARG_ENABLE(kvm,
[AS_HELP_STRING([--disable-kvm],
[Use Kvm to obtain a public IP address (default=enabled)])],
[kvm="$enableval"],
[kvm="yes"])
AM_CONDITIONAL( [WANT_KVM], [test x"$kvm" = x"yes"])
AC_ARG_WITH(
[mirror-http-proxy],
[AS_HELP_STRING(
[--with-mirror-http-proxy=URL],
[URL to the mirror HTTP proxy (default: not set (no mirror)).
The proxy configuration is then used during both the netinstall
installation and after as well (it's added to /etc/apt/apt.conf).
The chosen URL should be reachable from QEMU. As an example, if
you use the apt-cacher-ng default configuration and make it
listen on localhost, you should use http://10.0.2.2:3142 because
localhost becomes 10.0.2.2 with the current QEMU configuration
and because the port 3142 is the default port for apt-cacher-ng.])],
[MIRROR_HTTP_PROXY=$withval],
[MIRROR_HTTP_PROXY=])
AC_ARG_WITH(
[--with-trisquel-target-rootfs-size],
[AS_HELP_STRING(
[--trisquel-target-rootfs-size=SIZE],
[Size of the target image (default=3.5G). The size will be passed
as-is to the 'qemu-img create' command. See 'man 1 qemu-img' for
more details.])],
[TRISQUEL_ROOTFS_SIZE=$withval],
[TRISQUEL_ROOTFS_SIZE=3.5G]) dnl 3.4G: Fail, 3.5G: OK
AC_ARG_WITH(
[trisquel-netinstall],
[AS_HELP_STRING(
[--with-trisquel-netinstall=PATH],
[Path to trisquel netinstall image
(default=trisquel-netinst_11.0.1_amd64.iso). Note that at the moment
only trisquel-netinst_11.0.1_amd64.iso is supported. If you use
another image the signature verification will fail.])],
[TRISQUEL_NETINSTALL=$withval],
[TRISQUEL_NETINSTALL=trisquel-netinst_11.0.1_amd64.iso])
AC_CHECK_PROG([CHMOD], [chmod], [chmod])
AS_IF([test x"$CHMOD" = x""],
[AC_MSG_ERROR([chmod was not found in PATH ($PATH)])])
AC_CHECK_PROG([GPG], [gpg], [gpg])
AS_IF([test x"$GPG" = x""],
[AC_MSG_ERROR([gpg was not found in PATH ($PATH)])])
AC_CHECK_PROG([INSTALL], [install], [install])
AS_IF([test x"$INSTALL" = x""],
[AC_MSG_ERROR([install was not found in PATH ($PATH)])])
AC_CHECK_PROG([RM], [rm], [rm])
AS_IF([test x"$RM" = x""],
[AC_MSG_ERROR([rm was not found in PATH ($PATH)])])
AC_CHECK_PROG([XORRISO], [xorriso], [xorriso])
AS_IF([test x"$XORRISO" = x""],
[AC_MSG_ERROR([xorriso was not found in PATH ($PATH)])])
AC_CHECK_PROG([GRUB_MKRESCUE], [grub-mkrescue], [grub-mkrescue])
AS_IF([test x"$GRUB_MKRESCUE" = x""],
[AC_MSG_ERROR([grub-mkrescue was not found in PATH ($PATH)])])
AC_CHECK_PROG([DD], [dd], [dd])
AS_IF([test x"$DD" = x""],
[AC_MSG_ERROR([dd was not found in PATH ($PATH)])])
AC_CHECK_PROG([MKFS_VFAT], [mkfs.vfat], [mkfs.vfat])
AS_IF([test x"$MKFS_VFAT" = x""],
[AC_MSG_ERROR([mkfs.vfat was not found in PATH ($PATH)])])
AC_CHECK_PROG([MCOPY], [mcopy], [mcopy])
AS_IF([test x"$MCOPY" = x""],
[AC_MSG_ERROR([mcopy was not found in PATH ($PATH)])])
AC_CHECK_PROG([MV], [mv], [mv])
AS_IF([test x"$MV" = x""],
[AC_MSG_ERROR([mv was not found in PATH ($PATH)])])
AC_CHECK_PROG([QEMU_IMG], [qemu-img], [qemu-img])
AS_IF([test x"$QEMU_IMG" = x""],
[AC_MSG_ERROR([qemu-img was not found in PATH ($PATH)])])
AC_CHECK_PROG([QEMU_SYSTEM_X86_64], [qemu-system-x86_64], [qemu-system-x86_64])
AS_IF([test x"$QEMU_SYSTEM_X86_64" = x""],
[AC_MSG_ERROR([qemu-system-x86_64 was not found in PATH ($PATH)])])
# Check for the netinstall iso file
AS_IF([test x"`echo "$TRISQUEL_NETINSTALL" | cut -c1`" = x"~"],
[AC_MSG_ERROR([~ not supported in --with-trisquel-netinstall.
Use paths without '~'.])])
AC_CHECK_FILE([$TRISQUEL_NETINSTALL],
[],
[AC_MSG_ERROR([trisquel-netinst_11.0.1_amd64.iso was not found in
$TRISQUEL_NETINSTALL])])
AS_IF([test x"$kvm" = x"yes"],
[AS_IF([test -c /dev/kvm], [], AC_MSG_ERROR([/dev/kvm not found.]))
AS_IF([echo quit | qemu-system-x86_64 -display none -vga none -enable-kvm -monitor stdio],
[],
[AC_MSG_ERROR([KVM test with qemu-system-x86_64 failed.
Check permissions on /dev/kvm.])])])
AC_CONFIG_FILES([Makefile])
AC_OUTPUT
echo
echo "Configuration options:"
echo "======================"
AS_IF([test x"$kvm" = x"yes"],
[echo "- Kvm: enabled"],
[echo "- Kvm: disabled"])
echo "- Trisquel netinstall path: $TRISQUEL_NETINSTALL"
echo "- Trisquel target rootfs size: $TRISQUEL_ROOTFS_SIZE"
AS_IF([test x"$MIRROR_HTTP_PROXY" = x""],
[echo "- Trisquel mirror http proxy: disabled"],
[echo "- Trisquel mirror http proxy: $MIRROR_HTTP_PROXY"])
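Review bot: `AC_ARG_WITH([--with-trisquel-target-rootfs-size], ...)` passes the full option text where Autoconf expects the bare name, so the generated option is `--with---with-trisquel-target-rootfs-size` and the help string advertises yet another spelling (`--trisquel-target-rootfs-size=SIZE`); as written `$TRISQUEL_ROOTFS_SIZE` can only ever be the 3.5G default. Use `AC_ARG_WITH([trisquel-target-rootfs-size], [AS_HELP_STRING([--with-trisquel-target-rootfs-size=SIZE], ...)], ...)`. Also the `--disable-kvm` help text ("Use Kvm to obtain a public IP address") is a copy-paste leftover and should describe what it does (run the installer under KVM with `-cpu host`); and the `AC_CHECK_PROG` results (`$GPG`, `$XORRISO`, `$QEMU_SYSTEM_X86_64`, ...) and `ENABLE_KVM` are substituted but never referenced in Makefile.am, which calls the bare command names, so the checks only guard presence at configure time and a different tool could be picked up at make time if PATH changes.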


@ -0,0 +1,18 @@
# Copyright (C) 2024 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# This file is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
set timeout=1
menuentry "Trisquel 11 netinstall with custom preseed" {
linux /boot/linux auto=true priority=critical preseed/file=/media/preseed.cfg --- console=ttyS0,115200 quiet
initrd /boot/initrd.gz
}
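Review bot: Everything after `---` on the `linux` line (`console=ttyS0,115200 quiet`) is not only used for the installer run: debian-installer copies the options following `---` into the installed system's bootloader configuration, so the resulting rootfs.img boots with the serial console permanently. That is probably what a headless QEMU guest wants, but it deserves a comment so nobody later moves those options before the separator and loses the console on first boot. The header is also missing the "You should have received a copy of the GNU General Public License" paragraph that the other files in this change carry.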


@ -0,0 +1,34 @@
#!/bin/sh
#
# Copyright (C) 2024 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# This file is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# Libre en communs physical machines have Trisquel and just installed
# Guix through the package manager. So we end up with Guix 1.3.0 which
# doesn't have guix shell. Once Guix is upgraded with 'guix pull', we
# still don't have 'guix shell' without exporting the variables below.
GUIX_PROFILE="${HOME}/.config/guix/current"
. "$GUIX_PROFILE/etc/profile"
# The Libre en communs physical machines lack many packages, so when
# this is the case we can simply use Guix to get these packages, but
# at the same time resources are also very constrained (because the
# hosts typically run many virtual machines), so if some host packages
# are available, we prefer to use that as this uses way less space.
guix_packages=" \
autoconf \
automake \
make \
mtools \
xorriso \
"
guix shell ${guix_packages} -- $@
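Review bot: `guix shell ${guix_packages} -- $@` should be `-- "$@"`; unquoted `$@` re-splits any argument containing whitespace before it reaches the wrapped command. The line `. "$GUIX_PROFILE/etc/profile"` also aborts the script with a terse "cannot open" error when `guix pull` has not been run yet, because that profile does not exist until then; test for the file first and print a message telling the user to run `guix pull`, which matches the explanation in the comment above it.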


@ -0,0 +1,63 @@
#_preseed_V1
# Copyright (C) 2024 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# This file is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# Accounts
d-i passwd/root-login boolean false
d-i passwd/username string admin666
d-i passwd/user-fullname string admin666
d-i passwd/user-password password password
d-i passwd/user-password-again password password
# Keyboard layout
d-i keyboard-configuration/xkb-keymap select us
# Locales
d-i debian-installer/locale string en_US
# Network
d-i netcfg/choose_interface select auto
d-i netcfg/get_domain string test
d-i netcfg/get_hostname string test
# Package management
d-i mirror/country string manual
d-i mirror/http/directory string /trisquel
d-i mirror/http/hostname string mirror.fsf.org
d-i mirror/http/proxy string @MIRROR_HTTP_PROXY@
popularity-contest popularity-contest/participate boolean false
# Partitioning
d-i grub-installer/bootdev string /dev/vda
d-i partman-auto-lvm/guided_size string max
d-i partman-auto/choose_recipe select atomic
d-i partman-auto/disk string /dev/vda
d-i partman-auto/method string regular
d-i partman-md/confirm boolean true
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
d-i partman/confirm_nooverwrite boolean true
# Timezone
d-i clock-setup/ntp boolean true
d-i clock-setup/utc boolean true
d-i time/zone string Europe/Paris
# Shutdown at the end
d-i finish-install/reboot_in_progress note
d-i debian-installer/exit/poweroff boolean true
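Review bot: `passwd/user-password password password` bakes a fixed, well-known credential for `admin666` into every image built from this template, and with `passwd/root-login boolean false` that account is the one the installer grants sudo to; anyone who can reach the VM after first boot can log in with it. Prefer `passwd/user-password-crypted` with a hash generated at build time, or force a password change at first login from a `preseed/late_command`, and note that Makefile.am installs rootfs.img with mode 644 via `dist_pkgdata_DATA`, so the image and the credential inside it are readable by every local user of the build host. Minor: `partman-partitioning/confirm_write_new_label`, `partman/choose_partition`, `partman/confirm` and `partman/confirm_nooverwrite` are each listed twice.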


@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=Q9Eh
-----END PGP SIGNATURE-----

trisquel-install-guix-fai/.gitignore

@ -0,0 +1,3 @@
/config.tar
/config.tar.xz
/config.tar.xz.b64


@ -0,0 +1,48 @@
# Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This project is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This project is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this project. If not, see <http://www.gnu.org/licenses/>.
.PHONY: install
all: config.tar.xz.b64
TARBALL_SOURCE = \
config/class/50-host-classes \
config/files/etc/cron.d/fai/FAIBASE \
config/files/etc/fai/fai.conf/FAIBASE \
config/files/etc/hostname/FAIBASE \
config/files/etc/hosts/FAIBASE \
config/files/etc/network/interfaces.d/enp1s0.conf \
config/files/etc/network/interfaces.d/lo.conf \
config/files/etc/resolv.conf \
config/files/etc/ssh/sshd_config \
config/files/usr/local/bin/guix-install.sh/FAIBASE \
config/package_config/FAIBASE \
config/scripts/FAIBASE/01-files \
Makefile
config.tar: $(TARBALL_SOURCE)
tar -cf $@ $(TARBALL_SOURCE)
config.tar.xz: config.tar
xz -f -9e --verbose $<
config.tar.xz.b64: config.tar.xz
base64 $< > $@
install:
apt install fai-client
install -m644 config/files/etc/fai/fai.conf/FAIBASE /etc/fai/fai.conf
@# For some reasons fai returns 2 but the install works fine.
/usr/sbin/fai -vNu $$HOSTNAME softupdate || true
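Review bot: The `install` target copies a fai.conf that sets `FAI_CONFIG_SRC=file:///root/config` but never places the configuration there: nothing extracts `config.tar` or copies `config/` to `/root/config`, so `fai softupdate` runs against whatever happens to be in that directory. Since the tarball is built from `config/...` paths, `tar -C /root -xf config.tar` before the fai call would populate it, or fai.conf could point at the checkout. Second, `$$HOSTNAME` relies on a bash-only variable that is neither exported to make's `/bin/sh` nor preserved by `sudo`, so the invocation becomes `fai -vNu softupdate` with `softupdate` consumed by `-u` as the hostname and no action left; use `$$(hostname)`. Third, `|| true` hides every failure of fai, not just the exit-status-2 quirk in the comment, so a broken softupdate goes unnoticed; and `apt install fai-client` without `-y` blocks waiting for confirmation when run non-interactively.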


@ -0,0 +1,38 @@
What does it do
===============
Long time ago, the Libre en communs host didn't have Guix installed in
its physical machines. Because of that I tried to find a way to
cleanly bootstrap a Guix VM reproducibily from code, directly on the
machines.
Nowadays Guix is installed on the physical machines so we don't need
an intermediate VM anymore.
But it is kept to show how to use FAI in a very simple way for a
single machine.
How to deploy
=============
This was meant to customize an existing VM. So once Libre en commun
provided you with a VM, you can apply the customization within the VM
with the following commands:
$ git clone https://forge.a-lec.org/GNUtoo/experimental-vms
$ cd experimental-vms/trisquel-install-guix-fai
$ sudo make install
License
=======
This project is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This project is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this project. If not, see <http://www.gnu.org/licenses/>.
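Review bot: The clone URL here (`https://forge.a-lec.org/GNUtoo/experimental-vms`) differs from the one in the trisquel-automatic-netinstall-qemu README added in the same change (`https://forge.a-lec.org/cominfra/experimental-vms`); if the repository moved, the older URL should be updated so both directories are installed from the same source. The deploy steps should also warn that `sudo make install` replaces /etc/fai/fai.conf and then runs FAI on the VM you are logged into, which rewrites its network interfaces, resolv.conf and sshd_config (switching sshd to port 222 and key-only authentication), so a session without a prepared SSH key can be cut off.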


@ -0,0 +1,23 @@
#!/bin/sh
#
# Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This project is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This project is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this project. If not, see <http://www.gnu.org/licenses/>.
case $HOSTNAME in
*)
echo "FAIBASE" ;;
esac


@ -0,0 +1 @@
40 * * * * root /usr/sbin/fai -vNu $HOSTNAME softupdate
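Review bot: `$HOSTNAME` is not set in cron's environment (cron runs the command through `/bin/sh` with a minimal environment and bash's `HOSTNAME` is not exported), so this job most likely runs `fai -vNu softupdate` every hour with `softupdate` taken as the `-u` argument and no action given. Write `$(hostname)` instead; cron passes the line to `sh -c`, so command substitution works here. Since this runs as root hourly from `file:///root/config`, it also means whoever can write to /root/config controls the host, which is fine while that directory stays root-owned and mode 700.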


@ -0,0 +1,17 @@
#
# Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This project is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This project is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this project. If not, see <http://www.gnu.org/licenses/>.
FAI_CONFIG_SRC=file:///root/config


@ -0,0 +1 @@
trisquel-guix-installer.experimental.a-lec.org


@ -0,0 +1,7 @@
127.0.0.1 localhost
127.0.1.1 trisquel-guix-installer.experimental.a-lec.org
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


@ -0,0 +1,24 @@
#
# Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This project is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This project is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this project. If not, see <http://www.gnu.org/licenses/>.
auto enp1s0
iface enp1s0 inet static
address 192.168.1.119/16
gateway 192.168.0.1
iface enp1s0 inet static
address 2001:910:1021::119/64
gateway 2001:910:1021::1
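Review bot: The second stanza is `iface enp1s0 inet static` but carries an IPv6 address and gateway; it needs to be `iface enp1s0 inet6 static`. As written ifupdown sees two `inet` stanzas for the same interface and rejects `address 2001:910:1021::119/64` as an invalid IPv4 address, so the host comes up without its IPv6 configuration and the `nameserver 2001:910:1021::1` entry in resolv.conf becomes unreachable.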


@ -0,0 +1,19 @@
#
# Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This project is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This project is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this project. If not, see <http://www.gnu.org/licenses/>.
# The loopback network interface
auto lo
iface lo inet loopback


@ -0,0 +1,18 @@
#
# Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This project is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This project is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this project. If not, see <http://www.gnu.org/licenses/>.
nameserver 2001:910:1021::1
nameserver 127.0.0.53
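Review bot: `nameserver 127.0.0.53` is the systemd-resolved stub listener, so that entry only works while systemd-resolved is still running; and on an Ubuntu-derived system /etc/resolv.conf is normally a symlink into /run/systemd/resolve that resolved manages, so installing a regular file over it leaves the two mechanisms fighting. Either drop the stub entry and list real resolvers here, or keep resolved and configure the upstream servers in resolved.conf. The first entry depends on the IPv6 stanza in enp1s0.conf actually coming up, which it does not in its current `inet` form.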


@ -0,0 +1,23 @@
#
# Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This project is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This project is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this project. If not, see <http://www.gnu.org/licenses/>.
KbdInteractiveAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no
Port 222
PrintMotd no
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM no
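Review bot: With `PasswordAuthentication no`, `KbdInteractiveAuthentication no` and `UsePAM no`, only public-key logins remain, but nothing in this configuration tree deploys an authorized_keys file; applied by the hourly cron softupdate to a VM that was reached by password, this locks the operator out at the next run. Provision keys in the same config (for example under config/files for the admin user's ~/.ssh/authorized_keys) before this file is installed, and keep port 222 in mind for any firewall rules. `UsePAM no` also disables PAM account and session handling (account expiry, pam_limits, pam_env), which is a wider change than turning off password prompts; `PasswordAuthentication no` with `UsePAM yes` is the usual way to stay key-only. Since this replaces the whole sshd_config, the stock `Include /etc/ssh/sshd_config.d/*.conf` disappears and `PermitRootLogin` falls back to its default of prohibit-password, which is worth stating explicitly in the file.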


@ -0,0 +1,676 @@
#!/bin/sh
# GNU Guix --- Functional package management for GNU
# Copyright © 2017 sharlatan <sharlatanus@gmail.com>
# Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
# Copyright © 2018 Efraim Flashner <efraim@flashner.co.il>
# Copyright © 20192020, 2022 Tobias Geerinckx-Rice <me@tobias.gr>
# Copyright © 2020 Morgan Smith <Morgan.J.Smith@outlook.com>
# Copyright © 2020 Simon Tournier <zimon.toutoune@gmail.com>
# Copyright © 2020 Daniel Brooks <db48x@db48x.net>
# Copyright © 2021 Jakub Kądziołka <kuba@kadziolka.net>
# Copyright © 2021 Chris Marusich <cmmarusich@gmail.com>
# Copyright © 2021, 2022 Maxim Cournoyer <maxim.cournoyer@gmail.com>
# Copyright © 2022 Prafulla Giri <prafulla.giri@protonmail.com>
#
# This file is part of GNU Guix.
#
# GNU Guix is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# GNU Guix is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
# We require Bash but for portability we'd rather not use /bin/bash or
# /usr/bin/env in the shebang, hence this hack.
if [ "x$BASH_VERSION" = "x" ]
then
exec bash "$0" "$@"
fi
set -eo pipefail
[ "$UID" -eq 0 ] || { echo "This script must be run as root."; exit 1; }
REQUIRE=(
"dirname"
"readlink"
"wget"
"gpg"
"grep"
"which"
"sed"
"sort"
"getent"
"mktemp"
"rm"
"chmod"
"uname"
"groupadd"
"tail"
"tr"
"xz"
)
PAS=$'[ \033[32;1mPASS\033[0m ] '
ERR=$'[ \033[31;1mFAIL\033[0m ] '
WAR=$'[ \033[33;1mWARN\033[0m ] '
INF="[ INFO ] "
DEBUG=0
GNU_URL="https://ftp.gnu.org/gnu/guix/"
#GNU_URL="https://alpha.gnu.org/gnu/guix/"
# The following associative array holds set of GPG keys used to sign the
# releases, keyed by their corresponding Savannah user ID.
declare -A GPG_SIGNING_KEYS
GPG_SIGNING_KEYS[15145]=3CE464558A84FDC69DB40CFB090B11993D9AEBB5 # ludo
GPG_SIGNING_KEYS[127547]=27D586A4F8900854329FF09F1260E46482E63562 # maxim
# ------------------------------------------------------------------------------
#+UTILITIES
_err()
{ # All errors go to stderr.
printf "[%s]: %s\n" "$(date +%s.%3N)" "$1"
}
_msg()
{ # Default message to stdout.
printf "[%s]: %s\n" "$(date +%s.%3N)" "$1"
}
_debug()
{
if [ "${DEBUG}" = '1' ]; then
printf "[%s]: %s\n" "$(date +%s.%3N)" "$1"
fi
}
die()
{
_err "${ERR}$*"
exit 1
}
# Return true if user answered yes, false otherwise. The prompt is
# yes-biased, that is, when the user simply enter newline, it is equivalent to
# answering "yes".
# $1: The prompt question.
prompt_yes_no() {
local -l yn
read -rp "$1 [Y/n]" yn
[[ ! $yn || $yn = y || $yn = yes ]] || return 1
}
chk_require()
{ # Check that every required command is available.
declare -a warn
local c
_debug "--- [ ${FUNCNAME[0]} ] ---"
for c in "$@"; do
command -v "$c" &>/dev/null || warn+=("$c")
done
[ "${#warn}" -ne 0 ] &&
{ _err "${ERR}Missing commands: ${warn[*]}.";
return 1; }
_msg "${PAS}verification of required commands completed"
}
chk_gpg_keyring()
{ # Check whether the Guix release signing public key is present.
_debug "--- [ ${FUNCNAME[0]} ] ---"
local user_id
local gpg_key_id
local exit_flag
for user_id in "${!GPG_SIGNING_KEYS[@]}"; do
gpg_key_id=${GPG_SIGNING_KEYS[$user_id]}
# Without --dry-run this command will create a ~/.gnupg owned by root on
# systems where gpg has never been used, causing errors and confusion.
if gpg --dry-run --list-keys "$gpg_key_id" >/dev/null 2>&1; then
continue
fi
if prompt_yes_no "${INF}The following OpenPGP public key is \
required to verify the Guix binary signature: $gpg_key_id.
Would you like me to fetch it for you?"; then
# Use a reasonable time-out here so users don't report silent
# freezes when Savannah goes out to lunch, as has happened.
if wget "https://sv.gnu.org/people/viewgpg.php?user_id=$user_id" \
--timeout=30 --no-verbose -O- | gpg --import -; then
continue
fi
fi
# If we reach this point, the key is (still) missing. Report further
# missing keys, if any, but then abort the installation.
_err "${ERR}Missing OpenPGP public key ($gpg_key_id).
Fetch it with this command:
wget \"https://sv.gnu.org/people/viewgpg.php?user_id=$user_id\" -O - | \
sudo -i gpg --import -"
exit_flag=yes
done
if [ "$exit_flag" = yes ]; then
exit 1
fi
}
chk_term()
{ # Check for ANSI terminal for color printing.
if [ -t 2 ]; then
if [ "${TERM+set}" = 'set' ]; then
case "$TERM" in
xterm*|rxvt*|urxvt*|linux*|vt*|eterm*|screen*)
;;
*)
ERR="[ FAIL ] "
PAS="[ PASS ] "
;;
esac
fi
fi
}
chk_init_sys()
{ # Return init system type name.
if [[ $(/sbin/init --version 2>/dev/null) =~ upstart ]]; then
_msg "${INF}init system is: upstart"
INIT_SYS="upstart"
return 0
elif [[ $(systemctl 2>/dev/null) =~ -\.mount ]]; then
_msg "${INF}init system is: systemd"
INIT_SYS="systemd"
return 0
elif [[ -f /etc/init.d/cron && ! -h /etc/init.d/cron ]]; then
_msg "${INF}init system is: sysv-init"
INIT_SYS="sysv-init"
return 0
elif [[ $(openrc --version 2>/dev/null) =~ \(OpenRC\) ]]; then
_msg "${INF}init system is: OpenRC"
INIT_SYS="openrc"
return 0
else
INIT_SYS="NA"
_err "${ERR}Init system could not be detected."
fi
}
chk_sys_arch()
{ # Check for operating system and architecture type.
local os
local arch
os="$(uname -s)"
arch="$(uname -m)"
case "$arch" in
i386 | i486 | i686 | i786 | x86)
local arch=i686
;;
x86_64 | x86-64 | x64 | amd64)
local arch=x86_64
;;
aarch64)
local arch=aarch64
;;
armv7l)
local arch=armhf
;;
ppc64le | powerpc64le)
local arch=powerpc64le
;;
*)
die "Unsupported CPU type: ${arch}"
esac
case "$os" in
Linux | linux)
local os=linux
;;
*)
die "Your operation system (${os}) is not supported."
esac
ARCH_OS="${arch}-${os}"
}
chk_sys_nscd()
{ # Check if nscd is up and suggest to start it or install it
if [ "$(type -P pidof)" ]; then
if [ ! "$(pidof nscd)" ]; then
_msg "${WAR}We recommend installing and/or starting your distribution 'nscd' service"
_msg "${WAR}Please read 'info guix \"Application Setup\"' about \"Name Service Switch\""
fi
else
_msg "${INF}We cannot determine if your distribution 'nscd' service is running"
_msg "${INF}Please read 'info guix \"Application Setup\"' about \"Name Service Switch\""
fi
}
# Configure substitute discovery according to user's preferences.
# $1 is the installed service file to edit.
configure_substitute_discovery() {
if grep -q -- '--discover=no' "$1" && \
prompt_yes_no "Would you like the Guix daemon to automatically \
discover substitute servers on the local network?"; then
sed -i 's/--discover=no/--discover=yes/' "$1"
fi
}
# ------------------------------------------------------------------------------
#+MAIN
guix_get_bin_list()
{ # Scan GNU archive and save list of binaries
local gnu_url="$1"
local -a bin_ver_ls
local latest_ver
local default_ver
_debug "--- [ ${FUNCNAME[0]} ] ---"
# Filter only version and architecture
bin_ver_ls=("$(wget "$gnu_url" --no-verbose -O- \
| sed -n -e 's/.*guix-binary-\([0-9.]*[a-z0-9]*\)\..*.tar.xz.*/\1/p' \
| sort -Vu)")
latest_ver="$(echo "${bin_ver_ls[0]}" \
| grep -oE "([0-9]{1,2}\.){2}[0-9]{1,2}[a-z0-9]*" \
| tail -n1)"
default_ver="guix-binary-${latest_ver}.${ARCH_OS}"
if [[ "${#bin_ver_ls}" -ne "0" ]]; then
_msg "${PAS}Release for your system: ${default_ver}"
else
die "Could not obtain list of Guix releases."
fi
# Use default to download according to the list and local ARCH_OS.
BIN_VER="${default_ver}"
}
guix_get_bin()
{ # Download and verify binary package.
local url="$1"
local bin_ver="$2"
local dl_path="$3"
local wget_args=()
_debug "--- [ ${FUNCNAME[0]} ] ---"
_msg "${INF}Downloading Guix release archive"
wget --help | grep -q '\--show-progress' \
&& wget_args=("--no-verbose" "--show-progress")
if wget "${wget_args[@]}" -P "$dl_path" \
"${url}/${bin_ver}.tar.xz" "${url}/${bin_ver}.tar.xz.sig"; then
_msg "${PAS}download completed."
else
die "could not download ${url}/${bin_ver}.tar.xz."
fi
pushd "${dl_path}" >/dev/null
if gpg --verify "${bin_ver}.tar.xz.sig" >/dev/null 2>&1; then
_msg "${PAS}Signature is valid."
popd >/dev/null
else
die "could not verify the signature."
fi
}
sys_create_store()
{ # Unpack and install /gnu/store and /var/guix
local pkg="$1"
local tmp_path="$2"
_debug "--- [ ${FUNCNAME[0]} ] ---"
if [[ -e "/var/guix" || -e "/gnu" ]]; then
die "A previous Guix installation was found. Refusing to overwrite."
fi
cd "$tmp_path"
tar --extract --file "$pkg" && _msg "${PAS}unpacked archive"
_msg "${INF}Installing /var/guix and /gnu..."
mv "${tmp_path}/var/guix" /var/
mv "${tmp_path}/gnu" /
_msg "${INF}Linking the root user's profile"
mkdir -p ~root/.config/guix
ln -sf /var/guix/profiles/per-user/root/current-guix \
~root/.config/guix/current
GUIX_PROFILE=~root/.config/guix/current
# shellcheck disable=SC1090
source "${GUIX_PROFILE}/etc/profile"
_msg "${PAS}activated root profile at ${GUIX_PROFILE}"
}
sys_create_build_user()
{ # Create the group and user accounts for build users.
_debug "--- [ ${FUNCNAME[0]} ] ---"
if getent group guixbuild > /dev/null; then
_msg "${INF}group guixbuild exists"
else
groupadd --system guixbuild
_msg "${PAS}group <guixbuild> created"
fi
if getent group kvm > /dev/null; then
_msg "${INF}group kvm exists and build users will be added to it"
local KVMGROUP=,kvm
fi
for i in $(seq -w 1 10); do
if id "guixbuilder${i}" &>/dev/null; then
_msg "${INF}user is already in the system, reset"
usermod -g guixbuild -G guixbuild${KVMGROUP} \
-d /var/empty -s "$(which nologin)" \
-c "Guix build user $i" \
"guixbuilder${i}";
else
useradd -g guixbuild -G guixbuild${KVMGROUP} \
-d /var/empty -s "$(which nologin)" \
-c "Guix build user $i" --system \
"guixbuilder${i}";
_msg "${PAS}user added <guixbuilder${i}>"
fi
done
}
sys_enable_guix_daemon()
{ # Run the daemon, and set it to automatically start on boot.
local info_path
local local_bin
local var_guix
_debug "--- [ ${FUNCNAME[0]} ] ---"
info_path="/usr/local/share/info"
local_bin="/usr/local/bin"
var_guix="/var/guix/profiles/per-user/root/current-guix"
case "$INIT_SYS" in
upstart)
{ initctl reload-configuration;
cp ~root/.config/guix/current/lib/upstart/system/guix-daemon.conf \
/etc/init/ &&
configure_substitute_discovery /etc/init/guix-daemon.conf &&
start guix-daemon; } &&
_msg "${PAS}enabled Guix daemon via upstart"
;;
systemd)
{ # systemd .mount units must be named after the target directory.
# Here we assume a hard-coded name of /gnu/store.
# XXX Work around <https://issues.guix.gnu.org/41356> until next release.
if [ -f ~root/.config/guix/current/lib/systemd/system/gnu-store.mount ]; then
cp ~root/.config/guix/current/lib/systemd/system/gnu-store.mount \
/etc/systemd/system/;
chmod 664 /etc/systemd/system/gnu-store.mount;
systemctl daemon-reload &&
systemctl enable gnu-store.mount;
fi
cp ~root/.config/guix/current/lib/systemd/system/guix-daemon.service \
/etc/systemd/system/;
chmod 664 /etc/systemd/system/guix-daemon.service;
# Work around <https://bugs.gnu.org/36074>, present in 1.0.1.
sed -i /etc/systemd/system/guix-daemon.service \
-e "s/GUIX_LOCPATH='/'GUIX_LOCPATH=/";
# Work around <https://bugs.gnu.org/35671>, present in 1.0.1.
if ! grep en_US /etc/systemd/system/guix-daemon.service >/dev/null;
then sed -i /etc/systemd/system/guix-daemon.service \
-e 's/^Environment=\(.*\)$/Environment=\1 LC_ALL=en_US.UTF-8';
fi;
configure_substitute_discovery \
/etc/systemd/system/guix-daemon.service
systemctl daemon-reload &&
systemctl enable guix-daemon &&
systemctl start guix-daemon; } &&
_msg "${PAS}enabled Guix daemon via systemd"
;;
sysv-init)
{ mkdir -p /etc/init.d;
cp ~root/.config/guix/current/etc/init.d/guix-daemon \
/etc/init.d/guix-daemon;
chmod 775 /etc/init.d/guix-daemon;
configure_substitute_discovery /etc/init.d/guix-daemon
update-rc.d guix-daemon defaults &&
update-rc.d guix-daemon enable &&
service guix-daemon start; } &&
_msg "${PAS}enabled Guix daemon via sysv"
;;
openrc)
{ mkdir -p /etc/init.d;
cp ~root/.config/guix/current/etc/openrc/guix-daemon \
/etc/init.d/guix-daemon;
chmod 775 /etc/init.d/guix-daemon;
configure_substitute_discovery /etc/init.d/guix-daemon
rc-update add guix-daemon default &&
rc-service guix-daemon start; } &&
_msg "${PAS}enabled Guix daemon via OpenRC"
;;
NA|*)
_msg "${ERR}unsupported init system; run the daemon manually:"
echo " ~root/.config/guix/current/bin/guix-daemon --build-users-group=guixbuild"
;;
esac
_msg "${INF}making the guix command available to other users"
[ -e "$local_bin" ] || mkdir -p "$local_bin"
ln -sf "${var_guix}/bin/guix" "$local_bin"
[ -e "$info_path" ] || mkdir -p "$info_path"
for i in "${var_guix}"/share/info/*; do
ln -sf "$i" "$info_path"
done
}
sys_authorize_build_farms()
{ # authorize the public key(s) of the build farm(s)
local hosts=(
ci.guix.gnu.org
bordeaux.guix.gnu.org
)
if prompt_yes_no "Permit downloading pre-built package binaries from the \
project's build farms?"; then
for host in "${hosts[@]}"; do
local key=~root/.config/guix/current/share/guix/$host.pub
[ -f "$key" ] \
&& guix archive --authorize < "$key" \
&& _msg "${PAS}Authorized public key for $host"
done
else
_msg "${INF}Skipped authorizing build farm public keys"
fi
}
sys_create_init_profile()
{ # Define for better desktop integration
# This will not take effect until the next shell or desktop session!
[ -d "/etc/profile.d" ] || mkdir /etc/profile.d # Just in case
cat <<"EOF" > /etc/profile.d/zzz-guix.sh
# Explicitly initialize XDG base directory variables to ease compatibility
# with Guix System: see <https://issues.guix.gnu.org/56050#3>.
export XDG_DATA_HOME="${XDG_DATA_HOME:-$HOME/.local/share}"
export XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-$HOME/.config}"
export XDG_STATE_HOME="${XDG_STATE_HOME:-$HOME/.local/state}"
export XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share/:/usr/share/}"
export XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
export XDG_CACHE_HOME="${XDG_CACHE_HOME:-$HOME/.cache}"
# no default for XDG_RUNTIME_DIR (depends on foreign distro for semantics)
# _GUIX_PROFILE: `guix pull` profile
_GUIX_PROFILE="$HOME/.config/guix/current"
export PATH="$_GUIX_PROFILE/bin${PATH:+:}$PATH"
# Export INFOPATH so that the updated info pages can be found
# and read by both /usr/bin/info and/or $GUIX_PROFILE/bin/info
# When INFOPATH is unset, add a trailing colon so that Emacs
# searches 'Info-default-directory-list'.
export INFOPATH="$_GUIX_PROFILE/share/info:$INFOPATH"
# GUIX_PROFILE: User's default profile
# Prefer the one from 'guix home' if it exists.
GUIX_PROFILE="$HOME/.guix-home/profile"
[ -L $GUIX_PROFILE ] || GUIX_PROFILE="$HOME/.guix-profile"
[ -L $GUIX_PROFILE ] || return
GUIX_LOCPATH="$GUIX_PROFILE/lib/locale"
export GUIX_LOCPATH
[ -f "$GUIX_PROFILE/etc/profile" ] && . "$GUIX_PROFILE/etc/profile"
EOF
}
sys_create_shell_completion()
{ # Symlink supported shell completions system-wide
var_guix=/var/guix/profiles/per-user/root/current-guix
bash_completion=/etc/bash_completion.d
zsh_completion=/usr/share/zsh/site-functions
fish_completion=/usr/share/fish/vendor_completions.d
{ # Just in case
for dir_shell in $bash_completion $zsh_completion $fish_completion; do
[ -d "$dir_shell" ] || mkdir -p $dir_shell
done;
ln -sf ${var_guix}/etc/bash_completion.d/* "$bash_completion";
ln -sf ${var_guix}/share/zsh/site-functions/* "$zsh_completion";
ln -sf ${var_guix}/share/fish/vendor_completions.d/* "$fish_completion"; } &&
_msg "${PAS}installed shell completion"
}
sys_customize_bashrc()
{
prompt_yes_no "Customize users Bash shell prompt for Guix?" || return
for bashrc in /home/*/.bashrc /root/.bashrc; do
test -f "$bashrc" || continue
grep -Fq '$GUIX_ENVIRONMENT' "$bashrc" && continue
cp "${bashrc}" "${bashrc}.bak"
echo '
# Automatically added by the Guix install script.
if [ -n "$GUIX_ENVIRONMENT" ]; then
if [[ $PS1 =~ (.*)"\\$" ]]; then
PS1="${BASH_REMATCH[1]} [env]\\\$ "
fi
fi
' >> "$bashrc"
done
_msg "${PAS}Bash shell prompt successfully customized for Guix"
}
welcome()
{
local char
cat<<"EOF"
░░░ ░░░
░░▒▒░░░░░░░░░ ░░░░░░░░░▒▒░░
░░▒▒▒▒▒░░░░░░░ ░░░░░░░▒▒▒▒▒░
░▒▒▒░░▒▒▒▒▒ ░░░░░░░▒▒░
░▒▒▒▒░ ░░░░░░
▒▒▒▒▒ ░░░░░░
▒▒▒▒▒ ░░░░░
░▒▒▒▒▒ ░░░░░
▒▒▒▒▒ ░░░░░
▒▒▒▒▒ ░░░░░
░▒▒▒▒▒░░░░░
▒▒▒▒▒▒░░░
▒▒▒▒▒▒░
_____ _ _ _ _ _____ _
/ ____| \ | | | | | / ____| (_)
| | __| \| | | | | | | __ _ _ ___ __
| | |_ | . ' | | | | | | |_ | | | | \ \/ /
| |__| | |\ | |__| | | |__| | |_| | |> <
\_____|_| \_|\____/ \_____|\__,_|_/_/\_\
This script installs GNU Guix on your system
https://www.gnu.org/software/guix/
EOF
# Don't use read -p here! It won't display when run non-interactively.
echo -n "Press return to continue..."$'\r'
read -r char
if [ "$char" ]; then
echo
echo "...that ($char) was not a return!"
_msg "${WAR}Use newlines to automate installation, e.g.: yes '' | ${0##*/}"
_msg "${WAR}Any other method is unsupported and likely to break in future."
fi
}
main()
{
local tmp_path
welcome
_msg "Starting installation ($(date))"
chk_term
chk_require "${REQUIRE[@]}"
chk_gpg_keyring
chk_init_sys
chk_sys_arch
chk_sys_nscd
_msg "${INF}system is ${ARCH_OS}"
umask 0022
tmp_path="$(mktemp -t -d guix.XXXXXX)"
if [ -z "${GUIX_BINARY_FILE_NAME}" ]; then
guix_get_bin_list "${GNU_URL}"
guix_get_bin "${GNU_URL}" "${BIN_VER}" "$tmp_path"
GUIX_BINARY_FILE_NAME=${BIN_VER}.tar.xz
else
if ! [[ $GUIX_BINARY_FILE_NAME =~ $ARCH_OS ]]; then
_err "$ARCH_OS not in ${GUIX_BINARY_FILE_NAME}; aborting"
fi
_msg "${INF}Using manually provided binary ${GUIX_BINARY_FILE_NAME}"
GUIX_BINARY_FILE_NAME=$(realpath "$GUIX_BINARY_FILE_NAME")
fi
sys_create_store "${GUIX_BINARY_FILE_NAME}" "${tmp_path}"
sys_create_build_user
sys_enable_guix_daemon
sys_authorize_build_farms
sys_create_init_profile
sys_create_shell_completion
sys_customize_bashrc
_msg "${INF}cleaning up ${tmp_path}"
rm -r "${tmp_path}"
_msg "${PAS}Guix has successfully been installed!"
_msg "${INF}Run 'info guix' to read the manual."
# Required to source /etc/profile in desktop environments.
_msg "${INF}Please log out and back in to complete the installation."
}
main "$@"
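Review bot: the init-system integration files are installed group-writable: `chmod 664` on gnu-store.mount and guix-daemon.service in the systemd branch, and `chmod 775 /etc/init.d/guix-daemon` in both the sysv-init and openrc branches. These files are executed or parsed as root at boot, so 644 and 755 are the conventional and safer modes. Since the file appears to be a copy of the upstream GNU Guix installer (the banner and the "Automatically added by the Guix install script" marker say so), a local fix would diverge from upstream; at minimum the commit message should record which upstream revision was copied so the vendored copy can be re-synced and audited later.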


@ -0,0 +1,24 @@
#
# Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This project is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This project is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this project. If not, see <http://www.gnu.org/licenses/>.
PACKAGES remove
guix
PACKAGES install
make
screen
wget
xz-utils
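Review bot: the `PACKAGES remove` / `guix` stanza carries no comment explaining why the distribution's guix package is dropped. The FAI script in this change copies guix-install.sh into /usr/local/bin, so the intent is presumably to install Guix from the upstream binary tarball instead and avoid two competing guix-daemon setups on the same /gnu/store; a one-line comment above the stanza would make that explicit for the next reader.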


@ -0,0 +1,26 @@
#!/bin/sh
#
# Copyright (C) 2023 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This project is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This project is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this project. If not, see <http://www.gnu.org/licenses/>.
fcopy -i -m root,root,0755 /etc/cron.d/fai
fcopy -iM /etc/fai/fai.conf
fcopy -iM /etc/hostname
fcopy -iM /etc/hosts
fcopy -iM /etc/network/interfaces.d/lo.conf
fcopy -iM /etc/network/interfaces.d/enp1s0.conf
fcopy -iM /etc/resolv.conf
fcopy -iM /etc/ssh/sshd_config
fcopy -i -m root,root,0755 /usr/local/bin/guix-install.sh


@ -0,0 +1,150 @@
<domain type='kvm'>
<name>trisquel-guix-installer.experimental.a-lec.org</name>
<description>Image générique à cloner</description>
<memory unit='KiB'>4194304</memory>
<currentMemory unit='KiB'>4194304</currentMemory>
<vcpu placement='static'>1</vcpu>
<os>
<type arch='x86_64' machine='pc-q35-3.1'>hvm</type>
<boot dev='hd'/>
</os>
<features>
<acpi/>
<apic/>
<vmport state='off'/>
</features>
<cpu mode='host-model' check='partial'>
<topology sockets='1' dies='1' cores='1' threads='1'/>
</cpu>
<clock offset='utc'>
<timer name='rtc' tickpolicy='catchup'/>
<timer name='pit' tickpolicy='delay'/>
<timer name='hpet' present='no'/>
</clock>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<pm>
<suspend-to-mem enabled='no'/>
<suspend-to-disk enabled='no'/>
</pm>
<devices>
<emulator>/usr/bin/qemu-system-x86_64</emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='raw'/>
<source file='/srv/vmverse/installation/gnutoo-trisquel-fai-installer.img'/>
<target dev='vdc' bus='virtio'/>
<address type='pci' domain='0x0000' bus='0x09' slot='0x00' function='0x0'/>
</disk>
<controller type='usb' index='0' model='qemu-xhci' ports='15'>
<address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
</controller>
<controller type='sata' index='0'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
</controller>
<controller type='pci' index='0' model='pcie-root'/>
<controller type='pci' index='1' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='1' port='0x10'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
</controller>
<controller type='pci' index='2' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='2' port='0x11'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
</controller>
<controller type='pci' index='3' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='3' port='0x12'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
</controller>
<controller type='pci' index='4' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='4' port='0x13'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
</controller>
<controller type='pci' index='5' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='5' port='0x14'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
</controller>
<controller type='pci' index='6' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='6' port='0x15'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
</controller>
<controller type='pci' index='7' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='7' port='0x16'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x6'/>
</controller>
<controller type='pci' index='8' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='8' port='0x17'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x7'/>
</controller>
<controller type='pci' index='9' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='9' port='0x18'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</controller>
<controller type='virtio-serial' index='0'>
<address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
</controller>
<controller type='scsi' index='0' model='virtio-scsi'>
<address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
</controller>
<interface type='bridge'>
<source bridge='br0'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
</interface>
<serial type='pty'>
<target type='isa-serial' port='0'>
<model name='isa-serial'/>
</target>
</serial>
<serial type='pty'>
<target type='isa-serial' port='1'>
<model name='isa-serial'/>
</target>
</serial>
<serial type='pty'>
<target type='isa-serial' port='2'>
<model name='isa-serial'/>
</target>
</serial>
<serial type='pty'>
<target type='isa-serial' port='3'>
<model name='isa-serial'/>
</target>
</serial>
<console type='pty'>
<target type='serial' port='0'/>
</console>
<channel type='unix'>
<target type='virtio' name='org.qemu.guest_agent.0'/>
<address type='virtio-serial' controller='0' bus='0' port='1'/>
</channel>
<channel type='spicevmc'>
<target type='virtio' name='com.redhat.spice.0'/>
<address type='virtio-serial' controller='0' bus='0' port='2'/>
</channel>
<input type='mouse' bus='ps2'/>
<input type='keyboard' bus='ps2'/>
<graphics type='spice'>
<listen type='none'/>
</graphics>
<audio id='1' type='spice'/>
<video>
<model type='none'/>
</video>
<memballoon model='virtio'>
<address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
</memballoon>
<rng model='virtio'>
<backend model='random'>/dev/urandom</backend>
<address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
</rng>
</devices>
</domain>
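Review bot: the domain defines a spice display (`<graphics type='spice'>` with `<listen type='none'/>`), a spice audio backend and a `com.redhat.spice.0` spicevmc channel while the video model is `none`; as configured these devices cannot be used and only add QEMU device surface to an image that is meant to be cloned. Dropping them and keeping the serial console (which is what the README in this change relies on) keeps the installer VM minimal. Also, the `<description>` is in French while the rest of the change is in English.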


@ -0,0 +1,79 @@
# Copying and distribution of this file, with or without modification,
# are permitted in any medium without royalty provided the copyright
# notice and this notice are preserved. This file is offered as-is,
# without any warranty.
CURL ?= curl
MIRROR ?= https://cdimage.trisquel.info/trisquel-images
VERSION ?= 11.0
.precious: \
trisquel_$(VERSION)_amd64.iso \
trisquel_$(VERSION)_amd64.iso.asc \
trisquel-netinst_$(VERSION)_amd64.iso \
trisquel-netinst_$(VERSION)_amd64.iso.asc
.PHONY: all install-vm
all: verify-trisquel-netinst_$(VERSION)_amd64
trisquel-archive-signkey.gpg:
gpg --list-keys D24DDAC9226D5BA5E9F3BED3F5DAAAF74AD4C938 || \
$(CURL) https://archive.trisquel.info/trisquel/$@ -o $@
gpg --list-keys D24DDAC9226D5BA5E9F3BED3F5DAAAF74AD4C938 || \
gpg --import trisquel-archive-signkey.gpg
%.iso:
$(CURL) $(MIRROR)/$@ -o $@
%.asc: trisquel-archive-signkey.gpg %
$(CURL) $(MIRROR)/$@ -o $@
verify-%: %.iso.asc
gpg --verify $<
install-iso:
virsh -c qemu:///system vol-list installation | \
tail +3 | \
awk '{print $1}' | \
grep '^trisquel-netinst_11.0_amd64.iso$' || \
( \
virsh -c qemu:///system \
vol-create-as \
installation trisquel-netinst_11.0_amd64.iso 0 && \
virsh -c qemu:///system \
vol-upload \
--pool installation trisquel-netinst_11.0_amd64.iso \
--file $PWD/trisquel-netinst_11.0_amd64.iso \
)
# We need that for transparency reasons
install-signature:
virsh -c qemu:///system vol-list installation | \
tail +3 | \
awk '{print $1}' | \
grep '^trisquel-netinst_11.0_amd64.iso.asc$' || \
( \
virsh -c qemu:///system \
vol-create-as \
installation trisquel-netinst_11.0_amd64.iso.asc 0 && \
virsh -c qemu:///system \
vol-upload \
--pool installation trisquel-netinst_11.0_amd64.iso \
--file $PWD/trisquel-netinst_11.0_amd64.iso.asc \
)
VM_DEPENDENCIES = \
install-iso \
install-signature \
verify-trisquel-netinst_$(VERSION)_amd64
install-vm: $(VM_DEPENDENCIES)
if ! virsh -c qemu:///system \
desc experimental-trisquel-netinstall ; then \
virsh -c qemu:///system destroy \
experimental-trisquel-netinstall || true ; \
virsh -c qemu:///system undefine \
experimental-trisquel-netinstall ; \
fi
virsh -c qemu:///system \
define --file experimental-trisquel-netinstall.xml
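Review bot: the `install-iso` and `install-signature` recipes use a single `$` where make needs `$$`: `awk '{print $1}'` reaches the shell as `awk '{print }'` because make expands the empty variable `1`, `grep '^...iso$'` loses its closing quote because `$'` is also a make variable reference, and `--file $PWD/...` becomes `--file WD/...`. Use `$$1`, `$$'` and `$$PWD` (or `$(CURDIR)`). In `install-signature` the `vol-upload` line names the volume `trisquel-netinst_11.0_amd64.iso` but uploads the `.asc` file, which overwrites the ISO volume with the signature; it should target `trisquel-netinst_11.0_amd64.iso.asc`. Both recipes also hard-code 11.0 instead of `$(VERSION)`, and the `if !` in `install-vm` is inverted: destroy/undefine only run when `virsh desc` fails, i.e. when the domain does not exist yet. Finally, `gpg --verify $<` accepts a signature from any key in the caller's keyring, not only the Trisquel archive key fetched over HTTPS above; verifying against that key alone (for example `gpgv --keyring` pointing at a keyring containing only that key, run as `... $< $*.iso`, or checking the signing fingerprint in `--status-fd` output) makes the trust anchor explicit.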


@ -0,0 +1,50 @@
Deployment
==========
If you don't have the Trisquel netinstall iso inside libvirt you can
get it by first downloading it in the current directory with the
following command:
```
$ make
```
Then you can add it to libvirt with the following command:
```
$ ./create-netinstall-volume.sh
```
Then if the VM is not already defined in libvirt, you can use the
following command to do that:
```
$ ./create-vm.sh
```
You will then need to add an extra storage device to the VM to have
some storage to install Trisquel on.
You can then start the installer and get a console inside it with the
following commands:
```
$ virsh -c qemu:///system start gnutoo-trisquel-netinstall
$ ./use-serial-port.sh
$ virsh -c qemu:///system console gnutoo-trisquel-netinstall
```
License
=======
This project is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This project is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this project. If not, see <http://www.gnu.org/licenses/>.
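Review bot: the Deployment section tells readers to run `./create-netinstall-volume.sh`, `./create-vm.sh` and `./use-serial-port.sh`, but the Makefile added in this change provides the first two steps as the `install-iso`, `install-signature` and `install-vm` targets, and none of the three scripts is part of the change. Either point the README at `make install-vm` (which also runs the verify target) or add the scripts, so the documented path and the shipped tooling match.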


@ -0,0 +1,102 @@
<domain type="kvm">
<name>gnutoo-trisquel-netinstall</name>
<memory unit="KiB">2097152</memory>
<currentMemory unit="KiB">2097152</currentMemory>
<resource>
<partition>/machine</partition>
</resource>
<os>
<type arch="x86_64" machine="pc-i440fx-5.1">hvm</type>
<boot dev="hd"/>
</os>
<features>
<acpi/>
<apic/>
<vmport state="off"/>
</features>
<cpu mode="host-passthrough" check="none" migratable="on"/>
<clock offset="utc">
<timer name="rtc" tickpolicy="catchup"/>
<timer name="pit" tickpolicy="delay"/>
<timer name="hpet" present="no"/>
</clock>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<pm>
<suspend-to-mem enabled="no"/>
<suspend-to-disk enabled="no"/>
</pm>
<devices>
<emulator>/usr/bin/qemu-system-x86_64</emulator>
<disk type="file" device="disk">
<driver name="qemu" type="raw"/>
<source file="/srv/vmverse/installation/trisquel-netinst_11.0_amd64.iso"/>
<target dev="sda" bus="usb" removable="on"/>
<readonly/>
<address type="usb" bus="0" port="1"/>
</disk>
<controller type="usb" index="0" model="ich9-ehci1">
<address type="pci" domain="0x0000" bus="0x00" slot="0x04" function="0x7"/>
</controller>
<controller type="usb" index="0" model="ich9-uhci1">
<master startport="0"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x04" function="0x0" multifunction="on"/>
</controller>
<controller type="usb" index="0" model="ich9-uhci2">
<master startport="2"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x04" function="0x1"/>
</controller>
<controller type="usb" index="0" model="ich9-uhci3">
<master startport="4"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x04" function="0x2"/>
</controller>
<controller type="pci" index="0" model="pci-root"/>
<interface type="bridge">
<source bridge="br0"/>
<model type="virtio"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x0"/>
</interface>
<serial type="pty">
<target type="isa-serial" port="0">
<model name="isa-serial"/>
</target>
</serial>
<serial type="pty">
<target type="isa-serial" port="1">
<model name="isa-serial"/>
</target>
</serial>
<serial type="pty">
<target type="isa-serial" port="2">
<model name="isa-serial"/>
</target>
</serial>
<serial type="pty">
<target type="isa-serial" port="3">
<model name="isa-serial"/>
</target>
</serial>
<console type="pty">
<target type="serial" port="0"/>
</console>
<input type="keyboard" bus="ps2"/>
<input type="mouse" bus="ps2"/>
<graphics type="spice">
<listen type="none"/>
<gl enable="no"/>
</graphics>
<audio id="1" type="spice"/>
<video>
<model type="none"/>
</video>
<memballoon model="virtio">
<address type="pci" domain="0x0000" bus="0x00" slot="0x06" function="0x0"/>
</memballoon>
<rng model="virtio">
<backend model="random">/dev/urandom</backend>
<address type="pci" domain="0x0000" bus="0x00" slot="0x08" function="0x0"/>
</rng>
</devices>
<seclabel type="dynamic" model="dac" relabel="yes"/>
</domain>
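Review bot: the `<source file="/srv/vmverse/installation/trisquel-netinst_11.0_amd64.iso"/>` line hard-codes the 11.0 volume name while the Makefile parameterizes it as `VERSION ?= 11.0`; bumping VERSION will download and verify the new ISO but leave this domain booting the old volume. Generating the XML from a template in the `install-vm` recipe (substituting VERSION before `virsh define`) or at least a comment noting the coupling would prevent a silent mismatch.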


@ -0,0 +1,20 @@
#!/bin/sh
# Copyright (C) 2023 Denis 'GNUtoo' Carikli
# SPDX-License-Identifier: GPL-3.0-or-later
# See /usr/include/linux/input-event-codes.h for the key <-> values
virsh -c qemu:///system send-key gnutoo-trisquel-netinstall 15 # TAB
virsh -c qemu:///system send-key gnutoo-trisquel-netinstall 46 # C
virsh -c qemu:///system send-key gnutoo-trisquel-netinstall 24 # O
virsh -c qemu:///system send-key gnutoo-trisquel-netinstall 49 # N
virsh -c qemu:///system send-key gnutoo-trisquel-netinstall 31 # S
virsh -c qemu:///system send-key gnutoo-trisquel-netinstall 24 # O
virsh -c qemu:///system send-key gnutoo-trisquel-netinstall 38 # L
virsh -c qemu:///system send-key gnutoo-trisquel-netinstall 18 # E
virsh -c qemu:///system send-key gnutoo-trisquel-netinstall 13 # =
virsh -c qemu:///system send-key gnutoo-trisquel-netinstall 20 # T
virsh -c qemu:///system send-key gnutoo-trisquel-netinstall 20 # T
virsh -c qemu:///system send-key gnutoo-trisquel-netinstall 21 # Y
virsh -c qemu:///system send-key gnutoo-trisquel-netinstall 58 # CAPSLOCK
virsh -c qemu:///system send-key gnutoo-trisquel-netinstall 31 # S
virsh -c qemu:///system send-key gnutoo-trisquel-netinstall 11 # 0
virsh -c qemu:///system send-key gnutoo-trisquel-netinstall 28 # ENTER
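Review bot: the keycode 58 (`# CAPSLOCK`) press is never repeated to release it, so after `ttyS0` is typed the guest keyboard is left with Caps Lock on. `virsh send-key` accepts several keycodes in one call and sends them pressed together, so the capital S can be produced without toggling state, e.g. `virsh -c qemu:///system send-key gnutoo-trisquel-netinstall 42 31 # LEFTSHIFT+S`, and the CAPSLOCK line can go.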