
3c0c4c65e22f267aa6fadf04c27945ceadfeeeef — Thomas Ieong 1 year, 1 month ago f4e7ec1
Updated bootstrap.sh
1 files changed, 100 insertions(+), 59 deletions(-)

M bootstrap.sh
M bootstrap.sh => bootstrap.sh +100 -59
@@ 1,16 1,18 @@
#!/usr/bin/env bash

# To run as root
# Target a debian10 machine

sudo su -

apt-get update

apt-get install xz-utils -y

wget https://ftp.gnu.org/gnu/guix/guix-binary-1.3.0.x86_64-linux.tar.xz
wget https://ftp.gnu.org/gnu/guix/guix-binary-1.4.0.x86_64-linux.tar.xz

cd /tmp

tar --warning=no-timestamp -xvf ~/guix-binary-1.3.0.x86_64-linux.tar.xz
tar --warning=no-timestamp -xvf ~/guix-binary-1.4.0.x86_64-linux.tar.xz

mv var/guix /var/ && mv gnu /



@@ 52,16 54,18 @@ done
guix archive --authorize < /root/.config/guix/current/share/guix/ci.guix.gnu.org.pub

guix pull
guix install glibc-utf8-locales-2.29
guix install glibc-utf8-locales-2.29 openssl glibc-locales

export GUIX_LOCPATH="$HOME/.guix-profile/lib/locale"

guix install openssl
# Yeah I actually have to comment out libvirt and virtlog for now
# otherwise I get a werid libvirt error.
# Reenable them once we've succesfully bootstraped.

cat > /etc/bootstrap-config.scm << EOF
(use-modules (gnu))
(use-service-modules networking ssh vpn)
(use-package-modules ssh certs tls tmux vpn)
(use-service-modules networking ssh vpn virtualization sysctl certbot admin)
(use-package-modules ssh certs tls tmux vpn virtualization)

(operating-system
  (host-name "guix")


@@ 80,15 84,7 @@ cat > /etc/bootstrap-config.scm << EOF
    (mapped-device
     (source (list "/dev/sda2" "/dev/sdb2"))
     (target "/dev/md2")
     (type raid-device-mapping))
    (mapped-device
     (source (list "/dev/sda4" "/dev/sdb4"))
     (target "/dev/md4")
     (type raid-device-mapping))
    (mapped-device
     (source "vg")
     (targets (list "vg-xenvg"))
     (type lvm-device-mapping))))
     (type raid-device-mapping))))

  (swap-devices
    (list


@@ 107,18 103,14 @@ This is the GNU system at Kimsufi.  Welcome.\n")
                        (device "/dev/md2")
                        (type "ext4")
                        (dependencies mapped-devices))
                       (file-system
                        (mount-point "/srv/ganeti")
                        (device "/dev/mapper/vg-xenvg")
                        (type "ext4")
                        (dependencies mapped-devices))
                      %base-file-systems))

  (users (cons (user-account
                (name "debian")
                (comment "debian")
                (group "users")
                (supplementary-groups '("wheel"))
                ;(supplementary-groups '("wheel"))
                ;(supplementary-groups '("wheel" "libvirt" "kvm"))
                (home-directory "/home/debian"))
               %base-user-accounts))



@@ 130,60 122,109 @@ debian ALL=(ALL) NOPASSWD:ALL\n"))


  ;; Globally-installed packages.
  (packages (cons* tmux openssh nss-certs gnutls wireguard-tools %base-packages))
  (packages (cons* tmux nss-certs gnutls wireguard-tools %base-packages))

(services
 (cons*
  (service wireguard-service-type
         (wireguard-configuration
          (addresses '("10.0.0.1/24"))
          ;(addresses '("10.0.0.2/24"))
          (port 51820)
          (dns #f)
          (peers
           (list
            (wireguard-peer
             (name "my-peer")
             (public-key "8HR5tqYjmM7PU+TJ0WZlqq6nRi9XoZoaQ2x7tabl9xE=")
             (endpoint "37.187.89.124:51820")
             ;(endpoint "37.187.79.64:51820")
             (allowed-ips '("10.0.0.2/24"))
             ;(allowed-ips '("10.0.0.1/24"))
             (keep-alive #f))))))
  (service static-networking-service-type
           (list (static-networking
		  (addresses (list (network-address
                                    (device "enp3s0")
                                    ;(value "37.187.79.64/24"))))
                                    (value "37.187.89.124/24"))))
                                    (value "37.187.79.64/24"))
 				   (network-address
                                    (device "enp3s0")
                                    (value "2001:41d0:a:2f40::1/64"))))
		  (routes (list (network-route
				 (destination "default")
				 ;(gateway "37.187.79.254"))))
				 (gateway "37.187.89.254"))))
				 (gateway "37.187.79.254"))
 				(network-route
				 (destination "default")
				 (gateway "2001:41d0:a:2fFF:FF:FF:FF:FF"))))
		  (name-servers '("213.186.33.99")))))

;             (service unattended-upgrade-service-type)
;
;      	     (service nftables-service-type
;                      (nftables-configuration
;                       (ruleset
;                        (plain-file "nftables.nft"
;                                    "\
;table ip nat {
;	chain prerouting {
;		type nat hook prerouting priority -100;
;    		tcp dport { http, https } dnat to 192.168.1.10:http
;	}
;
;	chain postrouting {
;		type nat hook postrouting priority 100;
;		masquerade
;	}
;}
;
;table inet filter {
; chain input {
;   type filter hook input priority 0; policy drop;
;
;   # early drop of invalid connections
;   ct state invalid drop
;
;   # allow established/related connections
;   ct state { established, related } accept
;
;   # allow icmp
;   ip protocol icmp accept
;   ip6 nexthdr icmpv6 accept
;
;   # allow from loopback
;   iifname lo accept
;
;   # added: make NAT from libvirt work
;   iifname virbr0 accept
;
;   # allow ssh,http
;   tcp dport {http,https,53,67,2222} accept
;   udp dport {53,67} accept
;
;   # reject everything else
;   reject with icmpx type port-unreachable
; }
; chain forward {
;   type filter hook forward priority 0; policy drop;
;   iifname virbr0 oifname enp3s0 accept
;   iifname enp3s0 oifname virbr0 accept
; }
; chain output {
;   type filter hook output priority 0; policy accept;
; }
;}"))))
;
;	     (service libvirt-service-type
;		      (libvirt-configuration
;		       (unix-sock-group "libvirt")
;		       (tls-port "16555")))
;
;	     (service virtlog-service-type
;		      (virtlog-configuration
;		       (max-clients 1000)))

  (service openssh-service-type
           (openssh-configuration
            (port-number 2222)
            (permit-root-login #f)))
 (modify-services %base-services
   (guix-service-type config =>
		      (guix-configuration
		       (inherit config)
		       (authorized-keys
			(append (list
				 (plain-file "offload-key.pub"
				 "\
(public-key
 (ecc
  (curve Ed25519)
  (q #92A6B514AB44FD75B0D257412C4A9CA4D00E02D0C9F2C366F93B72DB3BDE9EE9#)
  )
 )
"))
				%default-authorized-guix-keys))))))))

	     (modify-services %base-services
                 (sysctl-service-type config =>
                       (sysctl-configuration
                         (settings (append '(("net.ipv6.conf.all.autoconf" . "0")
			 	   	     ("net.ipv6.conf.all.accept_ra" . "0"))
                                           %default-sysctl-settings))))))))
EOF

guix system build /etc/bootstrap-config.scm

# TODO: dbus
mv /etc/{ssl,pam.d,skel,udev} /tmp

guix system reconfigure /etc/bootstrap-config.scm

mv /etc /old-etc
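Review bot: The new 1.4.0 tarball fetched by `wget` in the first hunk (`@@ 1,16 1,18 @@`) is still extracted in /tmp and moved into /var and / with no integrity check, so a substituted or corrupted archive lands directly in the root filesystem; fetch the detached signature published next to it and verify before the `tar` step, e.g. `wget https://ftp.gnu.org/gnu/guix/guix-binary-1.4.0.x86_64-linux.tar.xz.sig` followed by `gpg --verify guix-binary-1.4.0.x86_64-linux.tar.xz.sig guix-binary-1.4.0.x86_64-linux.tar.xz || exit 1` (after importing the release signing key as the Guix manual describes). The `sudo su -` just above it does not elevate the remaining commands: it opens an interactive root shell, and the rest of the script only runs after that shell exits, as the original user, so the file should instead document that it must be run as root and guard with `[[ $EUID -eq 0 ]] || exit 1`. Which of the two `(modify-services %base-services …)` forms in the last hunk is the new side cannot be told from the rendered page, but the nftables ruleset there is commented out while sshd (port 2222) and wireguard (51820) are exposed, so a comment such as `# NOTE: no packet filter is active until nftables-service-type is re-enabled` would make that state explicit for whoever finishes the bootstrap.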