From a17e56e771f149d16902e42f30ca78adbcca9e7d Mon Sep 17 00:00:00 2001 From: "Collin J. Doering" Date: Thu, 26 Sep 2024 23:51:47 -0400 Subject: [PATCH] proxmox-vm-lvm-minimal: Use guix substitute signing keys on all vms Previously, only guix-ci0.home.rekahsoft.ca was configured to use substitutes from custom substitute servers, notably non-guix. This however is not favorable for other vms, as some package substitutes are only available on custom substitute servers (eg. my own internal one, non-guix, etc..). This commit adjusts this, as well as reorganizes public key files. --- .../guix-config/proxmox-vm-lvm-minimal.scm | 21 ++++++++++++------- .../vms/guix-ci0-home-rekahsoft-ca.scm | 14 +------------ .pubkeys/guix/cuirass-genenetwork-org.pub | 6 ++++++ .pubkeys/guix/cuirass-nonguix-org.pub | 6 ++++++ .../dell-precision.pub} | 0 .pubkeys/guix/guix-ci-home-rekahsoft-ca.pub | 6 ++++++ .../lenovo-t480s.pub} | 0 .pubkeys/{ => ssh}/deploy-key.pub | 0 .pubkeys/{ => ssh}/ed25519-861CD08E.pub | 0 .pubkeys/{ => ssh}/rsa2048-ED51AB07.pub | 0 .pubkeys/{ => ssh}/rsa4096-6765FB18.pub | 0 11 files changed, 33 insertions(+), 20 deletions(-) create mode 100644 .pubkeys/guix/cuirass-genenetwork-org.pub create mode 100644 .pubkeys/guix/cuirass-nonguix-org.pub rename .pubkeys/{guix-signing-key_dell-precision.pub => guix/dell-precision.pub} (100%) create mode 100644 .pubkeys/guix/guix-ci-home-rekahsoft-ca.pub rename .pubkeys/{guix-signing-key_lenovo-t480s.pub => guix/lenovo-t480s.pub} (100%) rename .pubkeys/{ => ssh}/deploy-key.pub (100%) rename .pubkeys/{ => ssh}/ed25519-861CD08E.pub (100%) rename .pubkeys/{ => ssh}/rsa2048-ED51AB07.pub (100%) rename .pubkeys/{ => ssh}/rsa4096-6765FB18.pub (100%) diff --git a/.guix/rekahsoft/guix-config/proxmox-vm-lvm-minimal.scm b/.guix/rekahsoft/guix-config/proxmox-vm-lvm-minimal.scm index 1300f2e..ce566b8 100644 --- a/.guix/rekahsoft/guix-config/proxmox-vm-lvm-minimal.scm +++ b/.guix/rekahsoft/guix-config/proxmox-vm-lvm-minimal.scm 
@@ -23,14 +23,18 @@ (define %automation-user "auto") (define %guix-signing-keys (list - (local-file "../../../.pubkeys/guix-signing-key_lenovo-t480s.pub") - (local-file "../../../.pubkeys/guix-signing-key_dell-precision.pub"))) + (local-file "../../../.pubkeys/guix/lenovo-t480s.pub") + (local-file "../../../.pubkeys/guix/dell-precision.pub") + + (local-file "../../../.pubkeys/guix/cuirass-genenetwork-org.pub") + (local-file "../../../.pubkeys/guix/cuirass-nonguix-org.pub") + (local-file "../../../.pubkeys/guix/guix-ci-home-rekahsoft-ca.pub"))) ;; Keys used for ssh access -(define %deploy-key (local-file "../../../.pubkeys/deploy-key.pub")) -(define %collin-ed25519-key (local-file "../../../.pubkeys/ed25519-861CD08E.pub")) -(define %collin-rsa4096-key (local-file "../../../.pubkeys/rsa4096-6765FB18.pub")) -(define %collin-rsa-key (local-file "../../../.pubkeys/rsa2048-ED51AB07.pub")) +(define %deploy-key (local-file "../../../.pubkeys/ssh/deploy-key.pub")) +(define %collin-ed25519-key (local-file "../../../.pubkeys/ssh/ed25519-861CD08E.pub")) +(define %collin-rsa4096-key (local-file "../../../.pubkeys/ssh/rsa4096-6765FB18.pub")) +(define %collin-rsa-key (local-file "../../../.pubkeys/ssh/rsa2048-ED51AB07.pub")) (define syslog-configuration (plain-file "syslog.conf" @@ -119,7 +123,10 @@ mail.* -/var/log/maillog config => (guix-configuration (inherit config) (authorized-keys (append %guix-signing-keys %default-authorized-guix-keys)) - (substitute-urls %default-substitute-urls)))))) + (substitute-urls (append (list "https://cuirass.genenetwork.org" + "https://substitutes.nonguix.org" + "https://guix-ci.home.rekahsoft.ca") + %default-substitute-urls))))))) (define (proxmox-vm-lvm-minimal host-name) (operating-system diff --git a/.guix/rekahsoft/guix-config/vms/guix-ci0-home-rekahsoft-ca.scm b/.guix/rekahsoft/guix-config/vms/guix-ci0-home-rekahsoft-ca.scm index 964b365..1687da1 100644 --- a/.guix/rekahsoft/guix-config/vms/guix-ci0-home-rekahsoft-ca.scm 
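Review bot: The entries added to `%guix-signing-keys` become trust anchors for every VM built from this template, yet neither the list nor the new files under `.pubkeys/guix/` record which server each key belongs to or where it was obtained. A blank line separates the two workstation keys from the three server keys, but a comment on each group would make that explicit, for example `;; Signing keys of my own build machines` and `;; Signing keys of the substitute servers listed in substitute-urls below`. The value in `cuirass-nonguix-org.pub` matches the key that was previously inlined in the guix-ci0 config. For `cuirass-genenetwork-org.pub` and `guix-ci-home-rekahsoft-ca.pub`, a one-line note of the source (presumably each server's published signing key) would let a later reader re-verify them.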
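Review bot: In the `substitute-urls` field the three added servers are placed ahead of `%default-substitute-urls`, so (assuming Guix prefers earlier entries, which is worth confirming) they would be consulted first for every package, not only for those missing upstream. Because `authorized-keys` is a single list not tied to any URL, each added key can vouch for any store item on every VM that uses this template. If the goal is only to fill gaps, appending keeps the official servers first: `(substitute-urls (append %default-substitute-urls (list "https://cuirass.genenetwork.org" "https://substitutes.nonguix.org" "https://guix-ci.home.rekahsoft.ca")))`. The enclosing service definition starts before this hunk, so any other reason for the current order is not visible here.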
+++ b/.guix/rekahsoft/guix-config/vms/guix-ci0-home-rekahsoft-ca.scm @@ -331,16 +331,4 @@ PUBLISH-URL." (guix-service-type config => (guix-configuration (inherit config) - (extra-options '("--max-jobs=4")) - (substitute-urls - (append (list "https://substitutes.nonguix.org") - (guix-configuration-substitute-urls config))) - (authorized-keys - (append (list (plain-file "non-guix.pub" - "(public-key - (ecc - (curve Ed25519) - (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#) - ) - )")) - (guix-configuration-authorized-keys config)))))))))) + (extra-options '("--max-jobs=4"))))))))) diff --git a/.pubkeys/guix/cuirass-genenetwork-org.pub b/.pubkeys/guix/cuirass-genenetwork-org.pub new file mode 100644 index 0000000..1350f6d --- /dev/null +++ b/.pubkeys/guix/cuirass-genenetwork-org.pub @@ -0,0 +1,6 @@ +(public-key + (ecc + (curve Ed25519) + (q #9578AD6CDB23BA51F9C4185D5D5A32A7EEB47ACDD55F1CCB8CEE4E0570FBF961#) + ) + ) diff --git a/.pubkeys/guix/cuirass-nonguix-org.pub b/.pubkeys/guix/cuirass-nonguix-org.pub new file mode 100644 index 0000000..32ddac6 --- /dev/null +++ b/.pubkeys/guix/cuirass-nonguix-org.pub @@ -0,0 +1,6 @@ +(public-key + (ecc + (curve Ed25519) + (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#) + ) + ) diff --git a/.pubkeys/guix-signing-key_dell-precision.pub b/.pubkeys/guix/dell-precision.pub similarity index 100% rename from .pubkeys/guix-signing-key_dell-precision.pub rename to .pubkeys/guix/dell-precision.pub diff --git a/.pubkeys/guix/guix-ci-home-rekahsoft-ca.pub b/.pubkeys/guix/guix-ci-home-rekahsoft-ca.pub new file mode 100644 index 0000000..f7af8d8 --- /dev/null +++ b/.pubkeys/guix/guix-ci-home-rekahsoft-ca.pub @@ -0,0 +1,6 @@ +(public-key + (ecc + (curve Ed25519) + (q #13EBA5788C96A57B32273782E8CB24834338B7DC00D7C0F103CA2C5576409A78#) + ) + ) 
diff --git a/.pubkeys/guix-signing-key_lenovo-t480s.pub b/.pubkeys/guix/lenovo-t480s.pub
similarity index 100%
rename from .pubkeys/guix-signing-key_lenovo-t480s.pub
rename to .pubkeys/guix/lenovo-t480s.pub
diff --git a/.pubkeys/deploy-key.pub b/.pubkeys/ssh/deploy-key.pub
similarity index 100%
rename from .pubkeys/deploy-key.pub
rename to .pubkeys/ssh/deploy-key.pub
diff --git a/.pubkeys/ed25519-861CD08E.pub b/.pubkeys/ssh/ed25519-861CD08E.pub
similarity index 100%
rename from .pubkeys/ed25519-861CD08E.pub
rename to .pubkeys/ssh/ed25519-861CD08E.pub
diff --git a/.pubkeys/rsa2048-ED51AB07.pub b/.pubkeys/ssh/rsa2048-ED51AB07.pub
similarity index 100%
rename from .pubkeys/rsa2048-ED51AB07.pub
rename to .pubkeys/ssh/rsa2048-ED51AB07.pub
diff --git a/.pubkeys/rsa4096-6765FB18.pub b/.pubkeys/ssh/rsa4096-6765FB18.pub
similarity index 100%
rename from .pubkeys/rsa4096-6765FB18.pub
rename to .pubkeys/ssh/rsa4096-6765FB18.pub