Deployment
==========
To build the virtual machine image you can use the following command:
  $ ./autogen.sh && ./configure && make

You can also check the configure options to configure it for testing
on another infrastructure (for instance by using another domain).

To build an image you will also need at least id_ed25519.pub and
signing-key.pub:

- id_ed25519.pub can be generated with the ssh-keygen -t ed25519
  command. See the ssh-keygen manual ('man 1 ssh-keygen') for more
  details. If you're not comfortable with that, back up your ~/.ssh
  folder first.

- signing-key.pub can be generated with the 'guix archive
  --generate-key' command. See "Invoking guix archive" in the
  Guix manual for more details[1].
  [1] https://guix.gnu.org/en/manual/en/guix.html#Invoking-guix-archive

Other files are optional:

- id_ed25519: It is used for guix deploy. It is also generated by
  ssh-keygen. A good idea is to have a symlink to it in order not to
  have scp copy it to the target machine by mistake as it is the SSH
  private key. Using separate SSH keys for separate machines also helps
  limit the damage when such an accident happens.

- id_wireguard: This is the WireGuard private key. It can be generated
  with the 'wg genkey > id_wireguard' command. See the wg manual ('man
  8 wg') for more details.


Note that Let's Encrypt has a limit of about 5 certificates per week, so
it's a good idea to use test domains before deployments.

Once the image is booted:
- You will need to log in and run the following command:
  # first-boot.sh
- You then need to set the root password.

The mumble-vm-install.sh installation script
============================================
This script is supposed to run only inside a VM on the Guix installer,
and it checks that this is the case in various ways. The specification
of the VM it runs on is provided in guix-vm-installer.xml for
reference. It is very specific to the Libre en Communs infrastructure,
so you might need to modify it to use it on your infrastructure.

The Libre en Communs infrastructure on which this VM is being deployed
has libvirt but it doesn't have Guix on the host. So the option
provided by Libre en Communs was to do the installation from a
VM.

This is also common for many infrastructure providers due to security
concerns with access outside the VM.

Since the Guix installer is trusted and is now provided by Libre en
Communs, and since we also have access to the VM management
interfaces, we simply use a script to do all the installation work.

If instead you have a VM with only SSH access you will also need to
modify the script to fit that use case.

It is also possible to convert an existing VM to Guix but that
requires significantly more work (see gnu/machine/digital-ocean.scm
inside the Guix source code for more details on how to do that).

To use this script, the admin with privileged access to the VM
management interface needs to boot the installer and copy the script
inside. This can be done by running the following command (the script
can be named however you want):
  # cat /dev/ttyS0 > i.sh
and then by pasting the script through the first serial port, and
typing ctrl+d at the end, so that the file is closed and written.

The script can then be run like this:
  # chmod +x i.sh
  # ./i.sh

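A paste over a serial line can drop characters or change line endings,
so it is worth comparing checksums before running the received file as
root. The following is an added example, not part of this project's
scripts: the function names are hypothetical, and it assumes sha256sum
is available both on the admin's machine and inside the installer.

```shell
#!/bin/sh
# Added example, not part of mumble-vm-install.sh.
# Assumption: sha256sum (coreutils) exists on both machines.

# file_sha256 FILE: print the SHA-256 digest of FILE as lowercase hex.
file_sha256() {
    sha256sum < "$1" | cut -d ' ' -f 1
}

# has_cr FILE: succeed if FILE contains carriage returns, which appear
# when the sending terminal program converts line endings.
has_cr() {
    cr=$(printf '\r')
    grep -q "$cr" "$1"
}

# verify_received FILE EXPECTED: return 0 only if FILE hashes to EXPECTED,
# 1 on mismatch, 2 if FILE is missing. EXPECTED comes from running
# sha256sum on the original script on the admin's machine.
verify_received() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "$file: not a regular file" >&2; return 2; }
    actual=$(file_sha256 "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "$file: checksum mismatch, do not run it" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    if has_cr "$file"; then
        echo "  note: file contains CR characters" >&2
    fi
    return 1
}

# Usage inside the installer VM: sh verify.sh i.sh <sha256 of the original>
# The file is made executable only after the checksum matches.
if [ "$#" -eq 2 ]; then
    verify_received "$1" "$2" && chmod +x "$1" && echo "$1: verified"
fi
```
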
License
=======
This project is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This project is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this project. If not, see <http://www.gnu.org/licenses/>.