
785d8bf247c686c72c223ed942d30192d437187e — Thomas Ieong 1 year, 29 days ago ec9dd2b
Added a deploy script.
1 files changed, 182 insertions(+), 0 deletions(-)

A deploy.scm
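--- a/deploy.scm
+++ b/deploy.scm
@@ -0,0 +1,182 @@
+(use-modules (gnu) (guix))
+(use-service-modules networking ssh vpn virtualization sysctl admin mcron)
+(use-package-modules ssh certs tls tmux vpn virtualization)
+
+(define garbage-collector-job
+  ;; Collect garbage 5 minutes after midnight every day.
+  ;; The job's action is a shell command.
+  #~(job "5 0 * * *"            ;Vixie cron syntax
+	 "guix gc -F 1G"))
+
+(define %system
+  (operating-system
+   (host-name "kimsufi")
+   (timezone "Etc/UTC")
+
+   (bootloader (bootloader-configuration
+		(bootloader grub-bootloader)
+		(targets (list "/dev/sda" "/dev/sdb"))
+		(terminal-outputs '(console))))
+
+   ;; Add a kernel module for RAID-1 (aka. "mirror").
+   (initrd-modules (cons* "raid1"  %base-initrd-modules))
+
+   (mapped-devices
+    (list
+     (mapped-device
+      (source (list "/dev/sda2" "/dev/sdb2"))
+      (target "/dev/md127")
+      (type raid-device-mapping))))
+
+   (swap-devices
+    (list
+     (swap-space
+      (target "/dev/sda3"))
+     (swap-space
+      (target "/dev/sdb3"))))
+
+   (issue
+    ;; Default contents for /etc/issue.
+    "\
+This is the GNU system at Kimsufi.  Welcome.\n")
+
+   (file-systems (cons* (file-system
+			 (mount-point "/")
+			 (device "/dev/md127")
+			 (type "ext4")
+			 (dependencies mapped-devices))
+			%base-file-systems))
+
+   (users (cons (user-account
+		 (name "guix")
+		 (comment "guix")
+		 (group "users")
+		 (supplementary-groups '("wheel" "libvirt" "kvm"))
+		 (home-directory "/home/guix"))
+		%base-user-accounts))
+
+   (sudoers-file
+    (plain-file "sudoers" "\
+root ALL=(ALL) ALL
+%wheel ALL=(ALL) ALL
+guix ALL=(ALL) NOPASSWD:ALL\n"))
+
+
+   ;; Globally-installed packages.
+   (packages (cons* tmux nss-certs gnutls wireguard-tools %base-packages))
+   (services
+    (cons*
+     (service static-networking-service-type
+	      (list (static-networking
+		     (addresses (list (network-address
+				       (device "enp3s0")
+				       (value "37.187.79.64/24"))))
+		     (routes (list (network-route
+				    (destination "default")
+				    (gateway "37.187.79.254"))))
+		     (name-servers '("213.186.33.99")))))
+
+     (service unattended-upgrade-service-type)
+
+     (simple-service 'my-cron-jobs
+		     mcron-service-type
+		     (list garbage-collector-job))
+
+     ;;    (service nftables-service-type
+     ;;	    (nftables-configuration
+     ;;	     (ruleset
+     ;;	      (plain-file "nftables.nft"
+     ;;			  "\
+     ;; table ip nat {
+     ;;	chain prerouting {
+     ;;		type nat hook prerouting priority -100;
+     ;;		tcp dport { http, https } dnat to 192.168.1.10:http
+     ;;	}
+
+     ;;	chain postrouting {
+     ;;		type nat hook postrouting priority 100;
+     ;;		masquerade
+     ;;	}
+     ;; }
+
+     ;; table inet filter {
+     ;; chain input {
+     ;;   type filter hook input priority 0; policy drop;
+
+     ;;   # early drop of invalid connections
+     ;;   ct state invalid drop
+
+     ;;   # allow established/related connections
+     ;;   ct state { established, related } accept
+
+     ;;   # allow icmp
+     ;;   ip protocol icmp accept
+     ;;   ip6 nexthdr icmpv6 accept
+
+     ;;   # allow from loopback
+     ;;   iifname lo accept
+
+     ;;   # added: make NAT from libvirt work
+     ;;   iifname virbr0 accept
+
+     ;;   # allow ssh,http
+     ;;   tcp dport {http,https,53,67,2222} accept
+     ;;   udp dport {53,67} accept
+
+     ;;   # reject everything else
+     ;;   reject with icmpx type port-unreachable
+     ;; }
+     ;; chain forward {
+     ;;   type filter hook forward priority 0; policy drop;
+     ;;   iifname virbr0 oifname enp3s0 accept
+     ;;   iifname enp3s0 oifname virbr0 accept
+     ;; }
+     ;; chain output {
+     ;;   type filter hook output priority 0; policy accept;
+     ;; }
+     ;; }"))))
+
+     (service libvirt-service-type
+	      (libvirt-configuration
+	       (unix-sock-group "libvirt")
+	       (tls-port "16555")))
+
+     (service virtlog-service-type
+	      (virtlog-configuration
+	       (max-clients 1000)))
+
+     (service openssh-service-type
+	      (openssh-configuration
+	       (openssh openssh-sans-x)
+	       (permit-root-login #f)
+	       (port-number 2222)
+	       (authorized-keys
+		(quasiquote
+		 (("guix" (unquote (plain-file "kimsufi-infra.pub" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJYGq2Ryy8hnMkvK+3/ADzhH9WPmO8lvTKiC3Q8NHwqw user@linux"))))))))
+     (modify-services %base-services
+		      ;; See https://stumbles.id.au/getting-started-with-guix-deploy.html
+		      (guix-service-type config =>
+					 (guix-configuration
+					  (inherit config)
+					  (authorized-keys
+					   (append (list (local-file "/etc/guix/signing-key.pub"))
+						   %default-authorized-guix-keys))))
+		      (sysctl-service-type config =>
+					   (sysctl-configuration
+					    (settings (append '(("net.ipv6.conf.all.autoconf" . "0")
+								("net.ipv6.conf.all.accept_ra" . "0"))
+							      %default-sysctl-settings)))))))))
+
+(list (machine
+       (operating-system %system)
+       (environment managed-host-environment-type)
+       (configuration (machine-ssh-configuration
+		       (build-locally? #t)
+		       (host-name "37.187.79.64")
+		       (system "x86_64-linux")
+		       (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBzpvGEW3X0dSYCxUicdjaL+M9cJI9VdRMh80QMvK0+V")
+		       (user "guix")
+		       (identity "/home/user/.ssh/kimsufi-infra")
+		       (port 2222)))))
+
+;; Also see guix deploy -x -- <arbitrary-command>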
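Review bot: The `openssh-configuration` near the end of the file sets `permit-root-login #f` and an `authorized-keys` entry but never sets `password-authentication?`, and Guix's documented default for that field is `#t`, so this host (reachable on a public address, with the nftables service entirely commented out) accepts password logins on port 2222 even though the only intended path is the `kimsufi-infra` key; because the `guix` account it lands on carries `guix ALL=(ALL) NOPASSWD:ALL` in the sudoers file, any password that is ever set on or guessed for that account is effectively root. Add `(password-authentication? #f)` next to `(permit-root-login #f)`. The `libvirt-configuration` block sets `(tls-port "16555")` without an explicit `listen-tls?`; if the default leaves TLS listening enabled, nothing filters that port, so either confirm the default or re-enable the firewall before relying on it. A one-line comment on the sudoers entry, e.g. `;; NOPASSWD for guix is required by `guix deploy` over machine-ssh-configuration`, would stop a later reader from "tightening" it and breaking deploys.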