diff --git a/guix/guix-acl-keys/jc.pub b/guix/guix-acl-keys/jc.pub
new file mode 100644
index 00000000..7bf00b0c
--- /dev/null
+++ b/guix/guix-acl-keys/jc.pub
@@ -0,0 +1,6 @@
+(public-key
+ (ecc
+ (curve Ed25519)
+ (q #69B54CB8F663421D77E674EF58794F8CB7FB3F5F39F90640DF271E68D79DBBE1#)
+ )
+ )
diff --git a/guix/guix-acl-keys/lovelace.pub b/guix/guix-acl-keys/lovelace.pub
new file mode 100644
index 00000000..c5f9fd82
--- /dev/null
+++ b/guix/guix-acl-keys/lovelace.pub
@@ -0,0 +1,6 @@
+(public-key
+ (ecc
+ (curve Ed25519)
+ (q #C2F473C5A16D14256DC6CBE78DB3F2D782B7723AECCCBCB123BE84DB110BF348#)
+ )
+ )
diff --git a/guix/ssh-keys/chris-lovelace.pub b/guix/ssh-keys/chris-lovelace.pub
new file mode 100644
index 00000000..c496d536
--- /dev/null
+++ b/guix/ssh-keys/chris-lovelace.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9bVRTi9UIihz9B2wRpnsyl/1NqXJXuea6aPrH/h+o2 cj@lovelace.box.pydis.wtf
diff --git a/guix/ssh-keys/chris.pub b/guix/ssh-keys/chris.pub
new file mode 100644
index 00000000..c7c2d104
--- /dev/null
+++ b/guix/ssh-keys/chris.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMxOPLzQEOJtBJJ6Od9ucrDUpAFOviqJaUAvoG8NzyM chris@neptune
diff --git a/guix/ssh-keys/jb.pub b/guix/ssh-keys/jb.pub
new file mode 100644
index 00000000..dffdbd8e
--- /dev/null
+++ b/guix/ssh-keys/jb.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyNdEOw7tfOHWCM0w2A7UzspnYYpNiF+nak51dcx3d7
diff --git a/guix/ssh-keys/jb2.pub b/guix/ssh-keys/jb2.pub
new file mode 100644
index 00000000..66ad73f7
--- /dev/null
+++ b/guix/ssh-keys/jb2.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBAeclEz5F0yR4ip/cCbsJ6uHdo8QPK5FBPb6aH/e2Fg
diff --git a/guix/ssh-keys/jc.pub b/guix/ssh-keys/jc.pub
new file mode 100644
index 00000000..a4ac0573
--- /dev/null
+++ b/guix/ssh-keys/jc.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINoHtDPD+w3rKGW4JVEDXidpRM1UXksC+/cMFgCykQBy jc@turing.box.chrisjl.dev
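Review bot: jb.pub and jb2.pub carry no trailing comment field, unlike chris.pub, chris-lovelace.pub and jc.pub, so when one of them has to be rotated or revoked nothing in the repository says which person or machine holds the matching private key; add the usual `user@host` comment (e.g. `ssh-ed25519 AAAA… j@HOST-PLACEHOLDER`) or record the owner in a README beside the keys. The two guix-acl-keys files are consumed by turing.scm's guix-configuration authorized-keys, which is what lets the holders of those private keys import signed store items onto the host, so it is worth recording in the same place which build machine jc.pub and lovelace.pub each belong to, since the canonical-sexp format leaves no room for an inline comment.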
diff --git a/guix/turing.scm b/guix/turing.scm
new file mode 100644
index 00000000..1ca46fee
--- /dev/null
+++ b/guix/turing.scm
@@ -0,0 +1,182 @@
+;; Module imports
+(use-modules (gnu)
+ (guix)
+ (gnu packages databases)
+ (gnu packages linux)
+ (gnu packages tmux)
+ (gnu packages vim)
+ (gnu services admin)
+ (gnu services certbot)
+ (gnu services databases)
+ (gnu services web))
+(use-service-modules networking ssh)
+(use-package-modules bootloaders)
+
+;; Getting "unauthorized public key"?
+;; your key needs to be in the guix authorized-keys, search for `guix-archive-key`.
+;; Add your key there, then:
+;; scp -r . turing.box.chrisjl.dev:guix
+;; ssh turing.box.chrisjl.dev
+;; cd guix
+;; vim turing.scm
+;; # Delete the `(list (machine ...))` stuff
+;; # Add %turing-os
+;; # Save
+;; sudo guix system reconfigure turing.scm
+
+(define %this-dir (dirname (current-filename)))
+
+; https://logs.guix.gnu.org/guile/2017-07-01.log
+; davidl: a syntax checker probably wouldn’t help you here. “invalid field specifier” means that you have a record (e.g. operating-system) and you try to initialise a field that doesn’t exist.
+; davidl: this can mean that you close an expression too early, which makes it seem that its contents are fields for the parent expression.
+; davidl: but without more context it’s hard to say what’s wrong in your case.
+;
+; alternatively, that means you're trying to `guix system reconfigure`
+
+(define (file-from-cwd path)
+ (local-file (string-append %this-dir path)))
+
+(define (ssh-key name)
+ (file-from-cwd (string-append "/ssh-keys/" name ".pub")))
+
+(define (guix-archive-key name)
+ (file-from-cwd (string-append "/guix-acl-keys/" name ".pub")))
+
+(define %hidden-service-turing
+ (simple-service 'hidden-service-turing tor-service-type
+ (list (tor-onion-service-configuration
+ (name "turing")
+ (mapping '((22 "127.0.0.1:22")))))))
+
+(define %certbot-deploy-hook
+ (program-file
+ "nginx-deploy-hook"
+ #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
+ (kill pid SIGHUP))))
+
+(define (letsencrypt-path hostname filename)
+ (string-append "/etc/letsencrypt/live/" hostname "/" filename))
+
+(define (letsencrypt-key hostname)
+ (letsencrypt-path hostname "privkey.pem"))
+
+(define (letsencrypt-cert hostname)
+ (letsencrypt-path hostname "fullchain.pem"))
+
+(define %services
+ (append (list (service openssh-service-type
+ (openssh-configuration
+ (permit-root-login #f)
+ (password-authentication? #f)
+ (authorized-keys `(("cj" ,(ssh-key "chris")
+ ,(ssh-key "chris-lovelace"))
+ ("jc" ,(ssh-key "jc"))
+ ("j" ,(ssh-key "jb")
+ ,(ssh-key "jb2"))))))
+ (service dhcp-client-service-type)
+ (service postgresql-service-type
+ (postgresql-configuration
+ (postgresql postgresql-16)))
+ (service tor-service-type)
+ %hidden-service-turing
+ (service nginx-service-type
+ (nginx-configuration
+ (server-blocks
+ (list
+ (nginx-server-configuration
+ (listen '("443 ssl http2"))
+ (server-name '("turing.box.pydis.wtf"))
+ (ssl-certificate (letsencrypt-cert "turing.box.pydis.wtf"))
+ (ssl-certificate-key (letsencrypt-key "turing.box.pydis.wtf"))
+ (root "/var/www/turing.box.pydis.wtf"))))))
+; The below is added by the certbot role
+; (listen '("80" "[::]:80"))
+; (server-name '("turing.box.pydis.wtf"))
+; (root "/var/www/owlcorp.uk")
+; (locations
+; (list
+; (nginx-location-configuration
+; ; Certbot webroot serving
+; (uri "/.well-known")
+; (body (list "root /var/www; "))))))))))
+;
+ (service certbot-service-type
+ (certbot-configuration
+ (email "ops@owlcorp.uk")
+ ; Do not add certbot configuration to nginx automatically
+ ; XXX: seems broken, report upstream?
+ ; (default-location #f)
+ (webroot "/var/www")
+ (certificates
+ (list
+ (certificate-configuration
+ (domains '("turing.box.pydis.wtf"))
+ (deploy-hook %certbot-deploy-hook))))))
+ (service unattended-upgrade-service-type)
+ (simple-service 'resolv-conf etc-service-type
+ (list `("resolv.conf" ,(plain-file
+ "resolv.conf"
+ "nameserver 1.1.1.1 1.0.0.1\n")))))
+ %base-services))
+
+;; Operating system description
+(define %turing-os
+ (operating-system
+ (locale "en_GB.utf8")
+ (timezone "UTC")
+ (keyboard-layout (keyboard-layout "gb"))
+ (bootloader (bootloader-configuration
+ (bootloader grub-bootloader)
+ (targets '("/dev/vda"))
+ (keyboard-layout keyboard-layout)))
+ (file-systems (cons* (file-system
+ (mount-point "/")
+ (device "/dev/vda2")
+ (type "ext4"))
+ %base-file-systems))
+ (host-name "u-76")
+ (users (cons* (user-account
+ (name "cj")
+ (comment "Chris")
+ (group "users")
+ (home-directory "/home/cj")
+ (supplementary-groups '("wheel" "netdev" "audio" "video")))
+ (user-account
+ (name "jc")
+ (comment "void")
+ (group "users")
+ (home-directory "/home/jc")
+ (supplementary-groups '("wheel" "netdev" "audio" "video")))
+ (user-account
+ (name "j")
+ (comment "J")
+ (group "users")
+ (home-directory "/home/j")
+ (supplementary-groups '("wheel" "netdev" "audio" "video")))
+ %base-user-accounts))
+ (packages (cons* %base-packages))
+ (sudoers-file (plain-file "sudoers" "root ALL=(ALL) ALL
+%wheel ALL=NOPASSWD: ALL
+"))
+ (services (modify-services %services
+ (guix-service-type config =>
+ (guix-configuration
+ (inherit config)
+ (authorized-keys
+ (append (list (guix-archive-key "jc")
+ (guix-archive-key "lovelace"))
+ %default-authorized-guix-keys))))))))
+
+; local deployments:
+; SSHKEY=path/to/key USER=myuser guix deploy turing.scm
+; USER is usually implicitly declared somewhere
+(list (machine
+ (operating-system %turing-os)
+ (environment managed-host-environment-type)
+ (configuration (machine-ssh-configuration
+ (host-name "turing.box.chrisjl.dev")
+ (build-locally? #f)
+ (system "x86_64-linux")
+ (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvvi6P/G+rZ2qUZ+anluvFQwYM/WFZkERygd9X9+xqU")
+ (user (getenv "USER"))
+ (identity (getenv "SSHKEY"))))))
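Review bot: The resolv.conf produced by the 'resolv-conf simple-service puts both addresses on a single `nameserver` line, but resolv.conf(5) takes one address per `nameserver` keyword and the resolver ignores the rest of the line, so 1.0.0.1 never acts as a fallback; change the string to `"nameserver 1.1.1.1\nnameserver 1.0.0.1\n"`. The sudoers file grants `%wheel ALL=NOPASSWD: ALL` while all three accounts are in wheel and SSH is key-only, so each of the five authorized SSH keys is effectively a root key; if NOPASSWD is there for the `guix deploy` user in the `machine` block at the bottom, a comment such as `; NOPASSWD on wheel: needed for guix deploy over SSH as $USER` would make that trade-off explicit, and scoping NOPASSWD to that one account rather than the whole group would narrow it. `(packages (cons* %base-packages))` is just `%base-packages`, and nothing in the file references the tmux, vim or linux package modules, so those `use-modules` entries look unused.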