From af2a23f2020f8ed1804f9061dd3bce9dd6aaebcb Mon Sep 17 00:00:00 2001
From: Johannes Christ
Date: Fri, 18 Apr 2025 22:04:55 +0200
Subject: [PATCH 1/7] Initial guix setup

---
 guix/guix-acl-keys/jc.pub | 6 ++
 guix/ssh-keys/chris.pub | 1 +
 guix/ssh-keys/jb.pub | 1 +
 guix/ssh-keys/jb2.pub | 1 +
 guix/ssh-keys/jc.pub | 1 +
 guix/turing.scm | 115 ++++++++++++++++++++++++++++++++++++++
 6 files changed, 125 insertions(+)
 create mode 100644 guix/guix-acl-keys/jc.pub
 create mode 100644 guix/ssh-keys/chris.pub
 create mode 100644 guix/ssh-keys/jb.pub
 create mode 100644 guix/ssh-keys/jb2.pub
 create mode 100644 guix/ssh-keys/jc.pub
 create mode 100644 guix/turing.scm

diff --git a/guix/guix-acl-keys/jc.pub b/guix/guix-acl-keys/jc.pub
new file mode 100644
index 00000000..7bf00b0c
--- /dev/null
+++ b/guix/guix-acl-keys/jc.pub
@@ -0,0 +1,6 @@
+(public-key
+ (ecc
+ (curve Ed25519)
+ (q #69B54CB8F663421D77E674EF58794F8CB7FB3F5F39F90640DF271E68D79DBBE1#)
+ )
+ )
diff --git a/guix/ssh-keys/chris.pub b/guix/ssh-keys/chris.pub
new file mode 100644
index 00000000..c7c2d104
--- /dev/null
+++ b/guix/ssh-keys/chris.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMxOPLzQEOJtBJJ6Od9ucrDUpAFOviqJaUAvoG8NzyM chris@neptune
diff --git a/guix/ssh-keys/jb.pub b/guix/ssh-keys/jb.pub
new file mode 100644
index 00000000..dffdbd8e
--- /dev/null
+++ b/guix/ssh-keys/jb.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyNdEOw7tfOHWCM0w2A7UzspnYYpNiF+nak51dcx3d7
diff --git a/guix/ssh-keys/jb2.pub b/guix/ssh-keys/jb2.pub
new file mode 100644
index 00000000..66ad73f7
--- /dev/null
+++ b/guix/ssh-keys/jb2.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBAeclEz5F0yR4ip/cCbsJ6uHdo8QPK5FBPb6aH/e2Fg
diff --git a/guix/ssh-keys/jc.pub b/guix/ssh-keys/jc.pub
new file mode 100644
index 00000000..a4ac0573
--- /dev/null
+++ b/guix/ssh-keys/jc.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINoHtDPD+w3rKGW4JVEDXidpRM1UXksC+/cMFgCykQBy jc@turing.box.chrisjl.dev
diff --git a/guix/turing.scm b/guix/turing.scm
new file mode 100644
index 00000000..bc9bccd6
--- /dev/null
+++ b/guix/turing.scm
@@ -0,0 +1,115 @@ +;; Module imports +(use-modules (gnu) + (guix) + (gnu packages linux) + (gnu packages tmux) + (gnu packages vim)) +(use-service-modules networking ssh) +(use-package-modules bootloaders) + +;; Getting "unauthorized public key"? +;; your key needs to be in the guix authorized-keys, search for `guix-archive-key`. +;; Add your key there, then: +;; scp -r . turing.box.chrisjl.dev:guix +;; ssh turing.box.chrisjl.dev +;; cd guix +;; vim turing.scm +;; # Delete the `(list (machine ...))` stuff +;; # Add %turing-os +;; # Save +;; sudo guix system reconfigure turing.scm + +(define %this-dir (dirname (current-filename))) + +; https://logs.guix.gnu.org/guile/2017-07-01.log +; davidl: a syntax checker probably wouldn’t help you here. “invalid field specifier” means that you have a record (e.g. operating-system) and you try to initialise a field that doesn’t exist. +; davidl: this can mean that you close an expression too early, which makes it seem that its contents are fields for the parent expression. +; davidl: but without more context it’s hard to say what’s wrong in your case. +; +; alternatively, that means you're trying to `guix system reconfigure` + +(define (file-from-cwd path) + (local-file (string-append %this-dir path))) + +(define (ssh-key name) + (file-from-cwd (string-append "/ssh-keys/" name ".pub"))) + +(define (guix-archive-key name) + (file-from-cwd (string-append "/guix-acl-keys/" name ".pub"))) + +(define %services + (append (list (service openssh-service-type + (openssh-configuration + (permit-root-login #f) + (password-authentication? 
#f) + (authorized-keys `(("cj" ,(ssh-key "chris")) + ("jc" ,(ssh-key "jc")) + ("j" ,(ssh-key "jb") + ,(ssh-key "jb2")))))) + (service dhcp-client-service-type) + (simple-service 'resolv-conf etc-service-type + (list `("resolv.conf" ,(plain-file + "resolv.conf" + "nameserver 1.1.1.1 1.0.0.1\n"))))) + %base-services)) + +;; Operating system description +(define %turing-os + (operating-system + (locale "en_GB.utf8") + (timezone "UTC") + (keyboard-layout (keyboard-layout "gb")) + (bootloader (bootloader-configuration + (bootloader grub-bootloader) + (targets '("/dev/vda")) + (keyboard-layout keyboard-layout))) + (file-systems (cons* (file-system + (mount-point "/") + (device "/dev/vda2") + (type "ext4")) + %base-file-systems)) + (host-name "u-76") + (users (cons* (user-account + (name "cj") + (comment "Chris") + (group "users") + (home-directory "/home/cj") + (supplementary-groups '("wheel" "netdev" "audio" "video"))) + (user-account + (name "jc") + (comment "void") + (group "users") + (home-directory "/home/jc") + (supplementary-groups '("wheel" "netdev" "audio" "video"))) + (user-account + (name "j") + (comment "J") + (group "users") + (home-directory "/home/j") + (supplementary-groups '("wheel" "netdev" "audio" "video"))) + %base-user-accounts)) + (packages (cons* vim %base-packages)) + (sudoers-file (plain-file "sudoers" "root ALL=(ALL) ALL +%wheel ALL=NOPASSWD: ALL +")) + (services (modify-services %services + (guix-service-type config => + (guix-configuration + (inherit config) + (authorized-keys + (append (list (guix-archive-key "jc")) + %default-authorized-guix-keys)))))))) + +; local deployments: +; SSHKEY=path/to/key USER=myuser guix deploy turing.scm +; USER is usually implicitly declared somewhere +(list (machine + (operating-system %turing-os) + (environment managed-host-environment-type) + (configuration (machine-ssh-configuration + (host-name "turing.box.chrisjl.dev") + (build-locally? 
#f) + (system "x86_64-linux") + (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvvi6P/G+rZ2qUZ+anluvFQwYM/WFZkERygd9X9+xqU") + (user (getenv "USER")) + (identity (getenv "SSHKEY")))))) From 86c17cd74df3eae2d6ded1054c4a46bd83f84567 Mon Sep 17 00:00:00 2001 From: Johannes Christ Date: Fri, 25 Apr 2025 22:11:50 +0200 Subject: [PATCH 2/7] Deploy PostgreSQL & add unattended upgrades --- guix/turing.scm | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/guix/turing.scm b/guix/turing.scm index bc9bccd6..dee488d8 100644 --- a/guix/turing.scm +++ b/guix/turing.scm @@ -1,9 +1,12 @@ ;; Module imports (use-modules (gnu) (guix) + (gnu packages databases) (gnu packages linux) (gnu packages tmux) - (gnu packages vim)) + (gnu packages vim) + (gnu services admin) + (gnu services databases)) (use-service-modules networking ssh) (use-package-modules bootloaders) @@ -47,6 +50,10 @@ ("j" ,(ssh-key "jb") ,(ssh-key "jb2")))))) (service dhcp-client-service-type) + (service postgresql-service-type + (postgresql-configuration + (postgresql postgresql-16))) + (service unattended-upgrade-service-type) (simple-service 'resolv-conf etc-service-type (list `("resolv.conf" ,(plain-file "resolv.conf" @@ -88,7 +95,7 @@ (home-directory "/home/j") (supplementary-groups '("wheel" "netdev" "audio" "video"))) %base-user-accounts)) - (packages (cons* vim %base-packages)) + (packages (cons* %base-packages)) (sudoers-file (plain-file "sudoers" "root ALL=(ALL) ALL %wheel ALL=NOPASSWD: ALL ")) From 3a14afe8fbda781afef2f4d2eb1057ccb3400d3a Mon Sep 17 00:00:00 2001 From: Johannes Christ Date: Sat, 26 Apr 2025 21:42:23 +0200 Subject: [PATCH 3/7] Allow agents in the field to safely SSH to turing --- guix/turing.scm | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/guix/turing.scm b/guix/turing.scm index dee488d8..6bf36cb1 100644 --- a/guix/turing.scm +++ b/guix/turing.scm 
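Review bot: The resolv.conf produced by the `resolv-conf` simple-service puts both addresses on a single `nameserver` line, but resolv.conf takes one address per `nameserver` keyword, so the resolver only sees 1.1.1.1 and 1.0.0.1 is silently ignored; use `"nameserver 1.1.1.1\nnameserver 1.0.0.1\n"`. With `dhcp-client-service-type` enabled in the same list, the DHCP client may also try to rewrite /etc/resolv.conf, so it is worth confirming which of the two wins on this host. The sudoers entry `%wheel ALL=NOPASSWD: ALL`, with every declared account in `wheel` and none carrying a password, makes each authorized SSH key equivalent to root; if that is intentional because sshd is key-only and the accounts have no password, say so in a comment next to the sudoers file, e.g. `;; wheel is NOPASSWD: accounts have no password and sshd is key-only, so a key is already the credential`. `(user (getenv "USER"))` hands `#f` to the machine configuration when USER is unset; `(or (getenv "USER") (error "USER not set"))` fails earlier with a clearer message than whatever guix deploy reports.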
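Review bot: `unattended-upgrade-service-type` is added with its default configuration, which as far as I recall reconfigures from the configuration file recorded on the running system; this file evaluates to `(list (machine …))` rather than an operating-system and the deploy notes at the top say it must be edited before a local `guix system reconfigure`, so confirm that the scheduled job actually finds a usable configuration on a host provisioned with `guix deploy`, and which channels it pulls. A one-line comment stating what the upgrade job reconfigures from would help the next reader. The PostgreSQL service likewise relies on the defaults for its listen address and `pg_hba.conf`, nothing in this file restricts it; confirm it stays bound to localhost and note that next to the service.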
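Review bot: `(cons* %base-packages)` is `cons*` with a single argument, which simply evaluates to `%base-packages`; write `(packages %base-packages)` so a reader does not go looking for the elements that were removed. If the intent is to keep a slot for packages to be added back later, a comment saying so is clearer than the empty `cons*`.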
@@ -40,6 +40,12 @@ (define (guix-archive-key name) (file-from-cwd (string-append "/guix-acl-keys/" name ".pub"))) +(define %hidden-service-turing + (simple-service 'hidden-service-turing tor-service-type + (list (tor-onion-service-configuration + (name "turing") + (mapping '((22 "127.0.0.1:22"))))))) + (define %services (append (list (service openssh-service-type (openssh-configuration @@ -53,6 +59,8 @@ (service postgresql-service-type (postgresql-configuration (postgresql postgresql-16))) + (service tor-service-type) + %hidden-service-turing (service unattended-upgrade-service-type) (simple-service 'resolv-conf etc-service-type (list `("resolv.conf" ,(plain-file From e27f7b772646ee1acdd21e9dc3d095323fa2dc88 Mon Sep 17 00:00:00 2001 From: Johannes Christ Date: Sun, 27 Apr 2025 18:54:34 +0200 Subject: [PATCH 4/7] Deploy certbot and nginx to turing --- guix/turing.scm | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/guix/turing.scm b/guix/turing.scm index 6bf36cb1..af81c1ca 100644 --- a/guix/turing.scm +++ b/guix/turing.scm @@ -6,7 +6,9 @@ (gnu packages tmux) (gnu packages vim) (gnu services admin) - (gnu services databases)) + (gnu services certbot) + (gnu services databases) + (gnu services web)) (use-service-modules networking ssh) (use-package-modules bootloaders) @@ -46,6 +48,12 @@ (name "turing") (mapping '((22 "127.0.0.1:22"))))))) +(define %certbot-deploy-hook + (program-file + "nginx-deploy-hook" + #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read))) + (kill pid SIGHUP)))) + (define %services (append (list (service openssh-service-type (openssh-configuration 
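Review bot: `%hidden-service-turing` publishes sshd (port 22 mapped to 127.0.0.1:22) as an onion service with no comment on why it exists or how the resulting address is obtained; the commit message carries that rationale but the file does not. Add e.g. `;; Reachable over Tor so the host can be administered when the public hostname is unavailable; sshd stays key-only (see openssh-configuration below).` above the define. Tor generates the onion hostname on first start inside its hidden-service state directory; the exact path depends on the Guix tor service, so confirm it and reference it in the same comment.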
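Review bot: `%certbot-deploy-hook` reads /var/run/nginx/pid unconditionally and sends SIGHUP to whatever it reads; if nginx is not running the file may be absent (the hook then raises and certbot reports the renewal as failed) or stale (SIGHUP goes to an unrelated process that now holds that pid). Guard both cases: `#~(let ((pid (and (file-exists? "/var/run/nginx/pid") (call-with-input-file "/var/run/nginx/pid" read)))) (when (integer? pid) (kill pid SIGHUP)))`. A short comment saying the hook exists to make nginx reload the renewed certificate would also help.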
@@ -61,6 +69,32 @@ (postgresql postgresql-16))) (service tor-service-type) %hidden-service-turing + (service nginx-service-type + (nginx-configuration + (server-blocks '()))) +; The below is added by the certbot role +; (listen '("80" "[::]:80")) +; (server-name '("turing.box.pydis.wtf")) +; (root "/var/www/owlcorp.uk") +; (locations +; (list +; (nginx-location-configuration +; ; Certbot webroot serving +; (uri "/.well-known") +; (body (list "root /var/www; ")))))))))) +; + (service certbot-service-type + (certbot-configuration + (email "ops@owlcorp.uk") + ; Do not add certbot configuration to nginx automatically + ; XXX: seems broken, report upstream? + ; (default-location #f) + (webroot "/var/www") + (certificates + (list + (certificate-configuration + (domains '("turing.box.pydis.wtf")) + (deploy-hook %certbot-deploy-hook)))))) (service unattended-upgrade-service-type) (simple-service 'resolv-conf etc-service-type (list `("resolv.conf" ,(plain-file From 689ee5cf677b71ec2959f4c3a349d681a11200a7 Mon Sep 17 00:00:00 2001 From: Johannes Christ Date: Sun, 27 Apr 2025 18:54:47 +0200 Subject: [PATCH 5/7] Deploy simple nginx config to turing --- guix/turing.scm | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/guix/turing.scm b/guix/turing.scm index af81c1ca..27f6c3ad 100644 --- a/guix/turing.scm +++ b/guix/turing.scm @@ -54,6 +54,15 @@ #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read))) (kill pid SIGHUP)))) +(define (letsencrypt-path hostname filename) + (string-append "/etc/letsencrypt/live/" hostname "/" filename)) + +(define (letsencrypt-key hostname) + (letsencrypt-path hostname "privkey.pem")) + +(define (letsencrypt-cert hostname) + (letsencrypt-path hostname "fullchain.pem")) + (define %services (append (list (service openssh-service-type (openssh-configuration 
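Review bot: The commented-out block under `; The below is added by the certbot role` references `/var/www/owlcorp.uk` and a hand-written `.well-known` location, neither of which matches the certbot configuration beneath it (webroot `/var/www`, domain `turing.box.pydis.wtf`), so it reads as stale guidance rather than documentation. Either delete it or reduce it to one line stating what the certbot service contributes, e.g. `;; certbot-service-type adds the port-80 server block for the ACME webroot challenge; nothing to declare here.`, which is what the comment itself says. The `; XXX: seems broken, report upstream?` note on `default-location` should record what was observed (the error, or what it did instead) so someone else can reproduce it. The enclosing `%services` definition starts outside this hunk.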
@@ -71,7 +80,14 @@ %hidden-service-turing (service nginx-service-type (nginx-configuration - (server-blocks '()))) + (server-blocks + (list + (nginx-server-configuration + (listen '("443 ssl http2")) + (server-name '("turing.box.pydis.wtf")) + (ssl-certificate (letsencrypt-cert "turing.box.pydis.wtf")) + (ssl-certificate-key (letsencrypt-key "turing.box.pydis.wtf")) + (root "/var/www/turing.box.pydis.wtf")))))) ; The below is added by the certbot role ; (listen '("80" "[::]:80")) ; (server-name '("turing.box.pydis.wtf")) From 41c064c04db3e285182c66b3534b498bb838eb43 Mon Sep 17 00:00:00 2001 From: Johannes Christ Date: Sun, 27 Apr 2025 20:32:41 +0200 Subject: [PATCH 6/7] Add lovelace ACL key to turing --- guix/guix-acl-keys/lovelace.pub | 6 ++++++ guix/turing.scm | 3 ++- 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 guix/guix-acl-keys/lovelace.pub diff --git a/guix/guix-acl-keys/lovelace.pub b/guix/guix-acl-keys/lovelace.pub new file mode 100644 index 00000000..c5f9fd82 --- /dev/null +++ b/guix/guix-acl-keys/lovelace.pub @@ -0,0 +1,6 @@ +(public-key + (ecc + (curve Ed25519) + (q #C2F473C5A16D14256DC6CBE78DB3F2D782B7723AECCCBCB123BE84DB110BF348#) + ) + ) diff --git a/guix/turing.scm b/guix/turing.scm index 27f6c3ad..45027baf 100644 --- a/guix/turing.scm +++ b/guix/turing.scm @@ -162,7 +162,8 @@ (guix-configuration (inherit config) (authorized-keys - (append (list (guix-archive-key "jc")) + (append (list (guix-archive-key "jc") + (guix-archive-key "lovelace")) %default-authorized-guix-keys)))))))) ; local deployments: From 59cca1435df0af42b6f3ec50fe22fc58d553e3ce Mon Sep 17 00:00:00 2001 From: Johannes Christ Date: Sun, 27 Apr 2025 21:03:39 +0200 Subject: [PATCH 7/7] Add Chris' SSH key from lovelace --- guix/ssh-keys/chris-lovelace.pub | 1 + guix/turing.scm | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 guix/ssh-keys/chris-lovelace.pub 
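Review bot: The hostname `"turing.box.pydis.wtf"` is repeated three times in the new server block, and once more in the certbot domains from an earlier hunk; bind it once, e.g. `(define %turing-host "turing.box.pydis.wtf")` next to the letsencrypt helpers, so the certificate path, key path, server-name, root and certbot domains cannot drift apart. On a fresh deployment the files under /etc/letsencrypt/live/ do not exist until certbot has run, so nginx will presumably refuse to start with this block; if there is a bootstrap order (obtain the certificate before enabling the 443 block), document it in a comment, since the file's existing deploy notes do not mention it. The `http2` token inside `listen` is the older spelling and recent nginx releases prefer a separate `http2 on;` directive, so confirm the nginx version Guix ships before relying on it.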
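Review bot: `(guix-archive-key "lovelace")` adds a key to the daemon's authorized list, which makes store items signed by that key acceptable on this host, yet nothing records which machine or person holds it; add a comment next to the entry such as `;; lovelace: <host/owner> — items signed with this key are trusted by the daemon`, with the real origin filled in. Recording how and when the ACL file was exported makes a later key rotation traceable. The enclosing `%turing-os` definition starts outside this hunk.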
diff --git a/guix/ssh-keys/chris-lovelace.pub b/guix/ssh-keys/chris-lovelace.pub new file mode 100644 index 00000000..c496d536 --- /dev/null +++ b/guix/ssh-keys/chris-lovelace.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9bVRTi9UIihz9B2wRpnsyl/1NqXJXuea6aPrH/h+o2 cj@lovelace.box.pydis.wtf diff --git a/guix/turing.scm b/guix/turing.scm index 45027baf..1ca46fee 100644 --- a/guix/turing.scm +++ b/guix/turing.scm @@ -68,7 +68,8 @@ (openssh-configuration (permit-root-login #f) (password-authentication? #f) - (authorized-keys `(("cj" ,(ssh-key "chris")) + (authorized-keys `(("cj" ,(ssh-key "chris") + ,(ssh-key "chris-lovelace")) ("jc" ,(ssh-key "jc")) ("j" ,(ssh-key "jb") ,(ssh-key "jb2"))))))
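Review bot: The new key's comment is `cj@lovelace.box.pydis.wtf`, i.e. it lives on another managed host, and it is authorized for a `wheel` member whose sudo is NOPASSWD per the sudoers file added in the first patch, so a compromise of lovelace now extends directly to root on turing; record that trust decision in a comment, e.g. `;; chris-lovelace: key held on the lovelace host so turing can be reached from there; revisit if lovelace is rebuilt or decommissioned`. If that reachability is only needed occasionally, a `from=` restriction in the key file or a dedicated, narrowly scoped key would limit the blast radius. The enclosing `%services` definition starts outside this hunk.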