~tieong/bootstrap-guix

f4e7ec1db72164d0dc23463050e6bec1738b3bdc — Thomas Ieong 1 year, 10 months ago
Init
1 files changed, 202 insertions(+), 0 deletions(-)

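--- /dev/null
+++ b/bootstrap.sh
@@ -0,0 +1,202 @@
+#!/usr/bin/env bash
+
+# To run as root
+
+apt-get update
+
+apt-get install xz-utils -y
+
+wget https://ftp.gnu.org/gnu/guix/guix-binary-1.3.0.x86_64-linux.tar.xz
+
+cd /tmp
+
+tar --warning=no-timestamp -xvf ~/guix-binary-1.3.0.x86_64-linux.tar.xz
+
+mv var/guix /var/ && mv gnu /
+
+mkdir -p /root/.config/guix
+
+ln -sf /var/guix/profiles/per-user/root/current-guix ~root/.config/guix/current
+
+export GUIX_PROFILE="/root/.config/guix/current" ;
+
+source $GUIX_PROFILE/etc/profile
+
+groupadd --system guixbuild
+
+for i in `seq -w 1 10`; do
+   useradd -g guixbuild -G guixbuild         \
+           -d /var/empty -s `which nologin`  \
+           -c "Guix build user $i" --system  \
+           guixbuilder$i;
+done;
+
+cp -v /root/.config/guix/current/lib/systemd/system/guix-daemon.service /etc/systemd/system/
+
+systemctl start guix-daemon && systemctl enable guix-daemon
+
+mkdir -p /usr/local/bin
+
+cd /usr/local/bin
+
+ln -s /var/guix/profiles/per-user/root/current-guix/bin/guix
+
+mkdir -p /usr/local/share/info
+
+cd /usr/local/share/info
+
+for i in /var/guix/profiles/per-user/root/current-guix/share/info/*; do
+    ln -s $i;
+done
+
+guix archive --authorize < /root/.config/guix/current/share/guix/ci.guix.gnu.org.pub
+
+guix pull
+guix install glibc-utf8-locales-2.29
+
+export GUIX_LOCPATH="$HOME/.guix-profile/lib/locale"
+
+guix install openssl
+
+cat > /etc/bootstrap-config.scm << EOF
+(use-modules (gnu))
+(use-service-modules networking ssh vpn)
+(use-package-modules ssh certs tls tmux vpn)
+
+(operating-system
+  (host-name "guix")
+  (timezone "Etc/UTC")
+
+  (bootloader (bootloader-configuration
+               (bootloader grub-bootloader)
+               (targets (list "/dev/sda" "/dev/sdb"))
+               (terminal-outputs '(console))))
+
+  ;; Add a kernel module for RAID-1 (aka. "mirror").
+  (initrd-modules (cons "raid1" %base-initrd-modules))
+
+  (mapped-devices
+   (list
+    (mapped-device
+     (source (list "/dev/sda2" "/dev/sdb2"))
+     (target "/dev/md2")
+     (type raid-device-mapping))
+    (mapped-device
+     (source (list "/dev/sda4" "/dev/sdb4"))
+     (target "/dev/md4")
+     (type raid-device-mapping))
+    (mapped-device
+     (source "vg")
+     (targets (list "vg-xenvg"))
+     (type lvm-device-mapping))))
+
+  (swap-devices
+    (list
+     (swap-space
+       (target "/dev/sda3"))
+     (swap-space
+       (target "/dev/sdb3"))))
+
+  (issue 
+  ;; Default contents for /etc/issue.
+  "
+This is the GNU system at Kimsufi.  Welcome.\n")
+
+  (file-systems (cons* (file-system
+                        (mount-point "/")
+                        (device "/dev/md2")
+                        (type "ext4")
+                        (dependencies mapped-devices))
+                       (file-system
+                        (mount-point "/srv/ganeti")
+                        (device "/dev/mapper/vg-xenvg")
+                        (type "ext4")
+                        (dependencies mapped-devices))
+                      %base-file-systems))
+
+  (users (cons (user-account
+                (name "debian")
+                (comment "debian")
+                (group "users")
+                (supplementary-groups '("wheel"))
+                (home-directory "/home/debian"))
+               %base-user-accounts))
+
+  (sudoers-file
+   (plain-file "sudoers" "\
+root ALL=(ALL) ALL
+%wheel ALL=(ALL) ALL
+debian ALL=(ALL) NOPASSWD:ALL\n"))
+
+
+  ;; Globally-installed packages.
+  (packages (cons* tmux openssh nss-certs gnutls wireguard-tools %base-packages))
+
+(services
+ (cons*
+  (service wireguard-service-type
+         (wireguard-configuration
+          (addresses '("10.0.0.1/24"))
+          ;(addresses '("10.0.0.2/24"))
+          (port 51820)
+          (dns #f)
+          (peers
+           (list
+            (wireguard-peer
+             (name "my-peer")
+             (public-key "8HR5tqYjmM7PU+TJ0WZlqq6nRi9XoZoaQ2x7tabl9xE=")
+             (endpoint "37.187.89.124:51820")
+             ;(endpoint "37.187.79.64:51820")
+             (allowed-ips '("10.0.0.2/24"))
+             ;(allowed-ips '("10.0.0.1/24"))
+             (keep-alive #f))))))
+  (service static-networking-service-type
+           (list (static-networking
+		  (addresses (list (network-address
+                                    (device "enp3s0")
+                                    ;(value "37.187.79.64/24"))))
+                                    (value "37.187.89.124/24"))))
+		  (routes (list (network-route
+				 (destination "default")
+				 ;(gateway "37.187.79.254"))))
+				 (gateway "37.187.89.254"))))
+		  (name-servers '("213.186.33.99")))))
+
+  (service openssh-service-type
+           (openssh-configuration
+            (permit-root-login #f)))
+ (modify-services %base-services
+   (guix-service-type config =>
+		      (guix-configuration
+		       (inherit config)
+		       (authorized-keys
+			(append (list
+				 (plain-file "offload-key.pub"
+				 "\
+(public-key
+ (ecc
+  (curve Ed25519)
+  (q #92A6B514AB44FD75B0D257412C4A9CA4D00E02D0C9F2C366F93B72DB3BDE9EE9#)
+  )
+ )
+"))
+				%default-authorized-guix-keys))))))))
+EOF
+
+guix system build /etc/bootstrap-config.scm
+guix system reconfigure /etc/bootstrap-config.scm
+
+mv /etc /old-etc
+
+mkdir /etc
+
+cp -r /old-etc/{passwd,group,shadow,gshadow,mtab,guix,bootstrap-config.scm} /etc/
+
+guix system reconfigure /etc/bootstrap-config.scm
+
+# The users uid created by guix is set to 100 and the one made
+# made by debian is 1000, so we change that for guix.
+
+chown -R debian:users /home/debian
+
+reboot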
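Review bot: The Guix binary tarball fetched by the `wget` near the top of bootstrap.sh is unpacked and moved into `/var` and `/` as root without checking the release's detached GPG signature, and the script has no `set -euo pipefail`, so a failed or truncated download does not stop it — `tar` on the next step would simply operate on whatever file happens to sit at `~/guix-binary-1.3.0.x86_64-linux.tar.xz` (note also that `wget` saves into the current directory, which is only `~` if the script is launched from there). I would add `set -euo pipefail` after the shebang and, after importing the Guix release signing key, `wget https://ftp.gnu.org/gnu/guix/guix-binary-1.3.0.x86_64-linux.tar.xz.sig` followed by `gpg --verify guix-binary-1.3.0.x86_64-linux.tar.xz.sig || exit 1` before the `cd /tmp`. Separately, the `debian ALL=(ALL) NOPASSWD:ALL` line in the sudoers here-doc grants passwordless root beyond what the `%wheel` rule above it already gives that account; if that is deliberate, a one-line comment saying why would spare the next reader from treating it as an oversight.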