
807717862c96d5239e99c5c751be0e547456364f — Thomas Ieong 1 year, 8 months ago 0dc18df
No need to bootstrap from debian, we can install from rescue mode
1 files changed, 0 insertions(+), 243 deletions(-)

D bootstrap.sh
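--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -1,243 +0,0 @@
-#!/usr/bin/env bash
-
-# Target a debian10 machine
-
-sudo su -
-
-apt-get update
-
-apt-get install xz-utils -y
-
-wget https://ftp.gnu.org/gnu/guix/guix-binary-1.4.0.x86_64-linux.tar.xz
-
-cd /tmp
-
-tar --warning=no-timestamp -xvf ~/guix-binary-1.4.0.x86_64-linux.tar.xz
-
-mv var/guix /var/ && mv gnu /
-
-mkdir -p /root/.config/guix
-
-ln -sf /var/guix/profiles/per-user/root/current-guix ~root/.config/guix/current
-
-export GUIX_PROFILE="/root/.config/guix/current" ;
-
-source $GUIX_PROFILE/etc/profile
-
-groupadd --system guixbuild
-
-for i in `seq -w 1 10`; do
-   useradd -g guixbuild -G guixbuild         \
-           -d /var/empty -s `which nologin`  \
-           -c "Guix build user $i" --system  \
-           guixbuilder$i;
-done;
-
-cp -v /root/.config/guix/current/lib/systemd/system/guix-daemon.service /etc/systemd/system/
-
-systemctl start guix-daemon && systemctl enable guix-daemon
-
-mkdir -p /usr/local/bin
-
-cd /usr/local/bin
-
-ln -s /var/guix/profiles/per-user/root/current-guix/bin/guix
-
-mkdir -p /usr/local/share/info
-
-cd /usr/local/share/info
-
-for i in /var/guix/profiles/per-user/root/current-guix/share/info/*; do
-    ln -s $i;
-done
-
-guix archive --authorize < /root/.config/guix/current/share/guix/ci.guix.gnu.org.pub
-
-guix pull
-guix install glibc-utf8-locales-2.29 openssl glibc-locales
-
-export GUIX_LOCPATH="$HOME/.guix-profile/lib/locale"
-
-# Yeah I actually have to comment out libvirt and virtlog for now
-# otherwise I get a werid libvirt error.
-# Reenable them once we've succesfully bootstraped.
-
-cat > /etc/bootstrap-config.scm << EOF
-(use-modules (gnu))
-(use-service-modules networking ssh vpn virtualization sysctl certbot admin)
-(use-package-modules ssh certs tls tmux vpn virtualization)
-
-(operating-system
-  (host-name "guix")
-  (timezone "Etc/UTC")
-
-  (bootloader (bootloader-configuration
-               (bootloader grub-bootloader)
-               (targets (list "/dev/sda" "/dev/sdb"))
-               (terminal-outputs '(console))))
-
-  ;; Add a kernel module for RAID-1 (aka. "mirror").
-  (initrd-modules (cons "raid1" %base-initrd-modules))
-
-  (mapped-devices
-   (list
-    (mapped-device
-     (source (list "/dev/sda2" "/dev/sdb2"))
-     (target "/dev/md2")
-     (type raid-device-mapping))))
-
-  (swap-devices
-    (list
-     (swap-space
-       (target "/dev/sda3"))
-     (swap-space
-       (target "/dev/sdb3"))))
-
-  (issue 
-  ;; Default contents for /etc/issue.
-  "
-This is the GNU system at Kimsufi.  Welcome.\n")
-
-  (file-systems (cons* (file-system
-                        (mount-point "/")
-                        (device "/dev/md2")
-                        (type "ext4")
-                        (dependencies mapped-devices))
-                      %base-file-systems))
-
-  (users (cons (user-account
-                (name "debian")
-                (comment "debian")
-                (group "users")
-                ;(supplementary-groups '("wheel"))
-                ;(supplementary-groups '("wheel" "libvirt" "kvm"))
-                (home-directory "/home/debian"))
-               %base-user-accounts))
-
-  (sudoers-file
-   (plain-file "sudoers" "\
-root ALL=(ALL) ALL
-%wheel ALL=(ALL) ALL
-debian ALL=(ALL) NOPASSWD:ALL\n"))
-
-
-  ;; Globally-installed packages.
-  (packages (cons* tmux nss-certs gnutls wireguard-tools %base-packages))
-
-(services
- (cons*
-  (service static-networking-service-type
-           (list (static-networking
-		  (addresses (list (network-address
-                                    (device "enp3s0")
-                                    (value "37.187.79.64/24"))
- 				   (network-address
-                                    (device "enp3s0")
-                                    (value "2001:41d0:a:2f40::1/64"))))
-		  (routes (list (network-route
-				 (destination "default")
-				 (gateway "37.187.79.254"))
- 				(network-route
-				 (destination "default")
-				 (gateway "2001:41d0:a:2fFF:FF:FF:FF:FF"))))
-		  (name-servers '("213.186.33.99")))))
-
-;             (service unattended-upgrade-service-type)
-;
-;      	     (service nftables-service-type
-;                      (nftables-configuration
-;                       (ruleset
-;                        (plain-file "nftables.nft"
-;                                    "\
-;table ip nat {
-;	chain prerouting {
-;		type nat hook prerouting priority -100;
-;    		tcp dport { http, https } dnat to 192.168.1.10:http
-;	}
-;
-;	chain postrouting {
-;		type nat hook postrouting priority 100;
-;		masquerade
-;	}
-;}
-;
-;table inet filter {
-; chain input {
-;   type filter hook input priority 0; policy drop;
-;
-;   # early drop of invalid connections
-;   ct state invalid drop
-;
-;   # allow established/related connections
-;   ct state { established, related } accept
-;
-;   # allow icmp
-;   ip protocol icmp accept
-;   ip6 nexthdr icmpv6 accept
-;
-;   # allow from loopback
-;   iifname lo accept
-;
-;   # added: make NAT from libvirt work
-;   iifname virbr0 accept
-;
-;   # allow ssh,http
-;   tcp dport {http,https,53,67,2222} accept
-;   udp dport {53,67} accept
-;
-;   # reject everything else
-;   reject with icmpx type port-unreachable
-; }
-; chain forward {
-;   type filter hook forward priority 0; policy drop;
-;   iifname virbr0 oifname enp3s0 accept
-;   iifname enp3s0 oifname virbr0 accept
-; }
-; chain output {
-;   type filter hook output priority 0; policy accept;
-; }
-;}"))))
-;
-;	     (service libvirt-service-type
-;		      (libvirt-configuration
-;		       (unix-sock-group "libvirt")
-;		       (tls-port "16555")))
-;
-;	     (service virtlog-service-type
-;		      (virtlog-configuration
-;		       (max-clients 1000)))
-
-  (service openssh-service-type
-           (openssh-configuration
-            (port-number 2222)
-            (permit-root-login #f)))
-
-	     (modify-services %base-services
-                 (sysctl-service-type config =>
-                       (sysctl-configuration
-                         (settings (append '(("net.ipv6.conf.all.autoconf" . "0")
-			 	   	     ("net.ipv6.conf.all.accept_ra" . "0"))
-                                           %default-sysctl-settings))))))))
-EOF
-
-guix system build /etc/bootstrap-config.scm
-
-# TODO: dbus
-mv /etc/{ssl,pam.d,skel,udev} /tmp
-
-guix system reconfigure /etc/bootstrap-config.scm
-
-mv /etc /old-etc
-
-mkdir /etc
-
-cp -r /old-etc/{passwd,group,shadow,gshadow,mtab,guix,bootstrap-config.scm} /etc/
-
-guix system reconfigure /etc/bootstrap-config.scm
-
-# The users uid created by guix is set to 100 and the one made
-# made by debian is 1000, so we change that for guix.
-
-chown -R debian:users /home/debian
-
-reboot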