Initial commit

This commit is contained in:
Collin J. Doering 2022-03-20 22:31:46 -04:00
commit acaa20d632
Signed by: rekahsoft
GPG Key ID: 7B4DEB93212B3022
40 changed files with 2133 additions and 0 deletions

4
.gitignore vendored Normal file

@ -0,0 +1,4 @@
# Emacs
*~
.deploy-key
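Review bot: `.deploy-key` is ignored wholesale, yet `proxmox-vm-lvm-minimal` in this same commit references `.deploy-key/key.pub` through `local-file`, so a fresh clone cannot build those systems until the untracked directory is recreated by hand. Keeping the private half out of git is right; consider ignoring the directory contents but un-ignoring the public part so the tracked configuration stays self-contained, e.g. `.deploy-key/*` followed by `!.deploy-key/key.pub`. Bear in mind that anything handed to `local-file` is copied into `/gnu/store`, which is world-readable, so this rule must never be relaxed to cover the private key itself.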

9
.guix-authorizations Normal file

@ -0,0 +1,9 @@
;; This is the list of OpenPGP keys currently authorized to sign commits in
;; this repository.
(authorizations
(version 0)
((;; primary: "F7BD DC6D BBE6 B16B 2C71 1A02 5FAB 9938 E05B FEC8"
"F8D5 46F3 AF37 EF53 D1B6 48BE 7B4D EB93 212B 3022"
(name "rekahsoft"))))
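Review bot: Only one OpenPGP fingerprint is authorized, and a commit may only change `.guix-authorizations` if it is signed by a key already authorized in the parent commit, so losing or revoking this key leaves no way to rotate it short of publishing a fresh channel introduction to every consumer. Consider adding a second, offline-kept key now, while the current one can still sign that change. The `primary:` comment records a different fingerprint from the one actually authorized; whether the authorized one is a subkey of it cannot be confirmed from this file, so a note such as `;; signing key used for commits; the primary above is deliberately not authorized` would make the intent explicit.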

5
.guix-channel Normal file

@ -0,0 +1,5 @@
;; -*- mode: scheme; -*-
(channel
(version 0)
(directory ".guix"))


@ -0,0 +1,147 @@
(define-module (rekahsoft guix-config manual laptop-lenovo-t480s)
#:use-module (gnu)
#:use-module (gnu system nss)
#:use-module (gnu packages linux)
#:use-module (gnu packages shells)
#:use-module (gnu services virtualization)
#:use-module (gnu services docker)
#:use-module (gnu services desktop)
#:use-module (gnu services xorg)
#:use-module (gnu services security-token)
#:use-module (nongnu packages linux)
#:use-module (nongnu system linux-initrd)
#:export (system))
(define system
(operating-system
(host-name "rekahsoft-mini")
(timezone "America/Toronto")
(locale "en_US.utf8")
;; Choose US English keyboard layout.
(keyboard-layout (keyboard-layout "us"))
;; Use the UEFI variant of GRUB with the EFI System
;; Partition mounted on /boot/efi.
(bootloader (bootloader-configuration
(bootloader grub-efi-bootloader)
(targets '("/boot/efi"))
(keyboard-layout keyboard-layout)))
;; Use non-free kernel, intel microcode and proprietary firmware
(kernel linux)
(initrd microcode-initrd)
(firmware (list linux-firmware))
;; Specify a mapped device for the encrypted root partition.
;; The UUID is that returned by 'cryptsetup luksUUID'.
(mapped-devices
(list (mapped-device
(source (uuid "c811a95f-7de8-4c25-8b96-f4d223e5a06e"))
(target "crypt")
(type luks-device-mapping))
(mapped-device
(source "vg0")
(targets (list "vg0-root" "vg0-swap"))
(type lvm-device-mapping))))
(file-systems (append
(list (file-system
(device (file-system-label "root"))
(mount-point "/")
(type "btrfs")
(options "subvol=@,compress=zstd")
(dependencies mapped-devices))
(file-system
(device (uuid "8767-90D2" 'fat))
(mount-point "/boot/efi")
(type "vfat")))
%base-file-systems))
(swap-devices
(list (swap-space
(target (file-system-label "swap"))
(dependencies mapped-devices))))
(users (cons* (user-account
(name "collin")
(comment "Collin J Doering")
(shell (file-append zsh "/bin/zsh"))
(group "users")
(supplementary-groups '("wheel" "netdev" "lp" "libvirt" "docker"
"audio" "video")))
(user-account
(name "test")
(comment "Test user")
(shell (file-append zsh "/bin/zsh"))
(group "users")
(supplementary-groups '("wheel" "netdev" "lp" "libvirt" "docker"
"audio" "video")))
%base-user-accounts))
(packages
(append
(map specification->package
'("nss-certs" ;; for HTTPS access
"gvfs" ;; for user mounts
"btrfs-progs" ;; for btrfs root filesystem
"xinitrc-xsession" ;; for starting users .xinitrc from display manager
"tmux"
"recutils"
"emacs"
"emacs-guix"))
%base-packages))
(services
(append
(list (bluetooth-service)
(service pcscd-service-type)
(service libvirt-service-type
(libvirt-configuration
(unix-sock-group "libvirt")
(listen-tls? #f)
(listen-tcp? #f)))
(service docker-service-type)
(service qemu-binfmt-service-type
(qemu-binfmt-configuration
(platforms (lookup-qemu-platforms "arm" "aarch64"))))
(set-xorg-configuration
(xorg-configuration
(keyboard-layout keyboard-layout))))
(modify-services %desktop-services
;; Add and authorize non-guix substitute server
(guix-service-type config =>
(guix-configuration
(inherit config)
(substitute-urls
(append (list "https://substitutes.nonguix.org"
"https://guix-ci.home.rekahsoft.ca")
%default-substitute-urls))
(authorized-keys
(append (list (plain-file "non-guix.pub"
"(public-key
(ecc
(curve Ed25519)
(q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)
)
)")
(plain-file "rekahsoft-guix.pub"
"(public-key
(ecc
(curve Ed25519)
(q #13EBA5788C96A57B32273782E8CB24834338B7DC00D7C0F103CA2C5576409A78#)
)
)"))
%default-authorized-guix-keys))))
;; Add udev rule for yubikeys
;; See: https://lists.gnu.org/archive/html/guix-devel/2020-01/msg00418.html
(udev-service-type
config =>
(udev-configuration (inherit config)
(rules (cons (specification->package "libu2f-host")
(udev-configuration-rules
config))))))))
;; Allow resolution of '.local' host names with mDNS.
(name-service-switch %mdns-host-lookup-nss)))
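Review bot: The `test` account is given the same `wheel`, `docker` and `libvirt` supplementary groups as the primary user, which makes it root-equivalent: membership in `docker` alone yields root through the daemon socket, and `wheel` is sudo-enabled by Guix's default sudoers. If it only exists for trying out user environments, reduce it to `(supplementary-groups '("audio" "video"))`, or drop the account from the committed system definition entirely. No password is set for it here, so how it can be logged into depends on what is done after `guix system reconfigure`, which is not visible in this file.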


@ -0,0 +1,129 @@
(define-module (rekahsoft guix-config proxmox-vm-lvm-minimal)
#:use-module (gnu)
#:use-module (gnu packages)
#:use-module (gnu system nss)
#:use-module (srfi srfi-1)
#:use-module (gnu services dbus)
#:use-module (gnu services desktop)
#:use-module (gnu services networking)
#:use-module (gnu services monitoring)
#:use-module (gnu services ssh)
#:use-module (gnu services xorg)
#:use-module (gnu packages bash)
#:use-module (gnu packages shells)
#:export (%proxmox-vm-lvm-minimal-services
proxmox-vm-lvm-minimal))
(define %automation-user "auto")
(define %guix-key (local-file "../../../.pubkeys/guix-coordinator-key.pub"))
;; Services need to be exposed this way so they can be overriden via guix's special
;; record inheritance. Otherwise, if trying to directly use an operating-system's
;; services, an error will be recieved about an abiguous-service called 'system.
(define %proxmox-vm-lvm-minimal-services
(append
(list (service openssh-service-type
(openssh-configuration
(password-authentication? #f)
(authorized-keys
`(("auto" ,(local-file "../../../.deploy-key/key.pub"))
("collin" ,(local-file "../../../.pubkeys/collin.pub"))
("root" ,(local-file "../../../.pubkeys/collin.pub"))))))
(service prometheus-node-exporter-service-type)
;;
;; All below services were taken from %desktop-services
;; Add polkit rules, so that non-root users in the wheel group can
;; perform administrative tasks (similar to "sudo").
polkit-wheel-service
;; The global fontconfig cache directory can sometimes contain
;; stale entries, possibly referencing fonts that have been GC'd,
;; so mount it read-only.
fontconfig-file-system-service
;; NetworkManager
(service network-manager-service-type)
(service wpa-supplicant-service-type) ;needed by NetworkManager
;; The D-Bus clique.
(accountsservice-service)
(service polkit-service-type)
(elogind-service)
(dbus-service)
(service ntp-service-type))
(modify-services
%base-services
(guix-service-type
config => (guix-configuration
(inherit config)
(authorized-keys (cons %guix-key %default-authorized-guix-keys))
(substitute-urls %default-substitute-urls))))))
(define (proxmox-vm-lvm-minimal host-name)
(operating-system
(host-name host-name)
(timezone "America/Toronto")
(locale "en_US.utf8")
(keyboard-layout (keyboard-layout "us"))
(bootloader (bootloader-configuration
(bootloader grub-bootloader)
(targets '("/dev/sda"))))
(initrd-modules
(append '("virtio_scsi") %base-initrd-modules))
(mapped-devices
(list (mapped-device
(source "vg0")
(targets (list "vg0-root" "vg0-swap"))
(type lvm-device-mapping))))
(swap-devices
(list (swap-space
(target (file-system-label "swap"))
(dependencies mapped-devices))))
(file-systems (append
(list (file-system
(device (file-system-label "root"))
(mount-point "/")
(type "ext4")
(dependencies mapped-devices)))
%base-file-systems))
(users (cons* (user-account
(name %automation-user)
(comment "Automation User")
(group "users")
(shell #~(string-append #$bash "/bin/bash"))
(supplementary-groups
'("wheel" "netdev" "audio" "video"))
(home-directory "/home/auto"))
%base-user-accounts))
(sudoers-file
(plain-file "sudoers"
(string-append (plain-file-content %sudoers-specification)
(format #f "~a ALL = NOPASSWD: ALL~%"
%automation-user))))
(packages
(append
(map specification->package
'("nss-certs"
"recutils"
"openssh"
"tmux"
"emacs"
"emacs-guix"))
%base-packages))
(services %proxmox-vm-lvm-minimal-services)
;; Allow resolution of '.local' host names with mDNS.
(name-service-switch %mdns-host-lookup-nss)))
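Review bot: The `("root" ,(local-file "../../../.pubkeys/collin.pub"))` entry in `authorized-keys` has no effect on its own, because Guix's `openssh-configuration` defaults `permit-root-login` to `#f` as far as I recall; either the entry is dead and should be removed, or root logins are intended and the block should say `(permit-root-login 'prohibit-password)` explicitly so the policy is visible. Since `auto` already has `NOPASSWD: ALL` sudo on this base system, removing the root entry is probably the better outcome. The sudoers line deserves a why-comment as well, presumably `;; passwordless sudo is required by 'guix deploy'; do not reuse this account interactively`, since unrestricted `ALL` is otherwise a surprising grant for an automation user.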


@ -0,0 +1,82 @@
(define-module (rekahsoft guix-config vms ci-runner0-home-rekahsoft-ca)
#:use-module (gnu)
#:use-module (gnu system nss)
#:use-module (gnu packages)
#:use-module (gnu packages shells)
#:use-module (gnu services desktop)
#:use-module (gnu services docker)
#:use-module (gnu services networking)
#:use-module (gnu services monitoring)
#:use-module (gnu services ssh)
#:use-module (gnu services xorg)
#:use-module (srfi srfi-1)
#:export (system))
(define system
(operating-system
(host-name "ci-runner0")
(timezone "America/Toronto")
(locale "en_US.utf8")
(keyboard-layout (keyboard-layout "us"))
(bootloader
(bootloader-configuration
(bootloader grub-bootloader)
(target "/dev/sda")
(keyboard-layout keyboard-layout)))
(initrd-modules
(append '("virtio_scsi") %base-initrd-modules))
(swap-devices (list "/dev/sda2"))
(file-systems
(cons* (file-system
(mount-point "/")
(device
(uuid "f354b908-fd6f-46c9-931b-2bebaac61b56"
'ext4))
(type "ext4"))
%base-file-systems))
(users (cons (user-account
(name "collin")
(comment "Master User")
(group "users")
(shell #~(string-append #$zsh "/bin/zsh"))
(supplementary-groups
'("wheel" "netdev" "audio" "video" "docker"))
(home-directory "/home/collin"))
%base-user-accounts))
(packages
(append
(map specification->package
'("nss-certs"
"recutils"
"tmux"
"emacs"
"emacs-guix"))
%base-packages))
(services
(append
(list (service openssh-service-type
(openssh-configuration
(password-authentication? #f)
(authorized-keys
`(("collin" ,(local-file "collin.pub"))
("root" ,(local-file "collin.pub"))))))
(service prometheus-node-exporter-service-type)
(service docker-service-type))
(modify-services
(remove (lambda (service)
(eq? (service-kind service) gdm-service-type))
%desktop-services)
(guix-service-type
config => (guix-configuration
(inherit config)
(substitute-urls '("https://nexus.home.rekahsoft.ca/repository/guix")))))))
;; Allow resolution of '.local' host names with mDNS.
(name-service-switch %mdns-host-lookup-nss)))
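Review bot: `substitute-urls` is replaced with the single Nexus mirror but `authorized-keys` is left at the default, so substitutes served via `nexus.home.rekahsoft.ca` are only accepted when signed by the official Guix build-farm keys; if that repository also fronts the `guix publish` instance on guix-ci0, its narinfos will be silently rejected and everything gets built locally. The laptop configuration in this commit authorizes a `rekahsoft-guix.pub` key for exactly that case, so if the mirror is meant to serve it, add the same key here, e.g. `(authorized-keys (cons (local-file "rekahsoft-guix.pub") %default-authorized-guix-keys))`. Which upstreams the Nexus repository proxies cannot be seen from this file.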


@ -0,0 +1,83 @@
(define-module (rekahsoft guix-config vms ci0-home-rekahsoft-ca)
#:use-module (gnu)
#:use-module (gnu system nss)
#:use-module (gnu packages)
#:use-module (gnu packages shells)
#:use-module (gnu services desktop)
#:use-module (gnu services networking)
#:use-module (gnu services ssh)
#:use-module (gnu services monitoring)
#:use-module (gnu services docker)
#:use-module (gnu services xorg)
#:use-module (srfi srfi-1)
#:export (system))
(define system
(operating-system
(host-name "ci0")
(timezone "America/Toronto")
(locale "en_US.utf8")
(keyboard-layout (keyboard-layout "us"))
(bootloader
(bootloader-configuration
(bootloader grub-bootloader)
(target "/dev/sda")
(keyboard-layout keyboard-layout)))
(initrd-modules
(append '("virtio_scsi") %base-initrd-modules))
(swap-devices (list "/dev/sda2"))
(file-systems
(cons* (file-system
(mount-point "/")
(device
(uuid "f354b908-fd6f-46c9-931b-2bebaac61b56"
'ext4))
(type "ext4"))
%base-file-systems))
(users (cons (user-account
(name "collin")
(comment "Master User")
(group "users")
(shell #~(string-append #$zsh "/bin/zsh"))
(supplementary-groups
'("wheel" "netdev" "audio" "video" "docker"))
(home-directory "/home/collin"))
%base-user-accounts))
(packages
(append
(map specification->package
'("nss-certs"
"recutils"
"openssh"
"tmux"
"emacs"
"emacs-guix"))
%base-packages))
(services
(append
(list (service openssh-service-type
(openssh-configuration
(password-authentication? #f)
(authorized-keys
`(("collin" ,(local-file "collin.pub"))
("root" ,(local-file "collin.pub"))))))
(service prometheus-node-exporter-service-type)
(service docker-service-type))
(modify-services
(remove (lambda (service)
(eq? (service-kind service) gdm-service-type))
%desktop-services)
(guix-service-type
config => (guix-configuration
(inherit config)
(substitute-urls '("https://nexus.home.rekahsoft.ca/repository/guix")))))))
;; Allow resolution of '.local' host names with mDNS.
(name-service-switch %mdns-host-lookup-nss)))
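Review bot: The root filesystem UUID `f354b908-fd6f-46c9-931b-2bebaac61b56` here is the same one used by ci-runner0, dash0, git0, loki, postgres and prom0 in this commit, which indicates these VMs were cloned from one template image. If the template also carried `/etc/ssh/ssh_host_*` keys and `/etc/guix/signing-key.sec`, every clone shares a host identity and `known_hosts` pinning and substitute signatures cannot distinguish them; whether those files were regenerated after cloning cannot be determined from this file. A comment at the `uuid` line, e.g. `;; cloned from the proxmox guix template; host and signing keys regenerated on first boot`, would at least record that this was considered.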


@ -0,0 +1,64 @@
(define-module (rekahsoft guix-config vms cloud0-home-rekahsoft-ca)
#:use-module (gnu)
#:use-module (gnu system)
#:use-module (gnu packages docker)
#:use-module (gnu packages shells)
#:use-module (gnu packages storage)
#:use-module (gnu services docker)
#:use-module (gnu services shepherd)
#:use-module (rekahsoft guix-config proxmox-vm-lvm-minimal)
#:export (system))
(define base-system (proxmox-vm-lvm-minimal "cloud0"))
(define cephfs-service
(simple-service 'cephfs shepherd-root-service-type
(list (shepherd-service
(provision '(cephfs))
(requirement '(networking file-system-/mnt/cephfs))
(start #~(make-system-constructor "/run/setuid-programs/mount /mnt/cephfs"))
(stop #~(make-system-constructor "/run/setuid-programs/umount /mnt/cephfs"))
(respawn? #f)))))
;; TODO: run nextcloud docker container as shepherd service
;; TODO: Manually setup basic nextcloud cron on guix host; this should be replaced with configuration as code - THIS DOESN'T ACTUALLY WORK. The manually created crontab is not exected.
;; TODO: add mcron job for nextcloud cron: 'docker exec -t -u www-data nextcloud php --define apc.enable_cli=1 -f /var/www/html/cron.php'
;; TODO: add mcron job for nextcloud preview generation: 'docker exec -t -u www-data nextcloud php occ preview:pre-generate'
(define system
(operating-system
(inherit base-system)
(users (cons*
(user-account
(name "collin")
(comment "Master User")
(group "users")
(shell #~(string-append #$zsh "/bin/zsh"))
(supplementary-groups
'("wheel" "netdev" "audio" "video" "docker"))
(home-directory "/home/collin"))
(operating-system-users base-system)))
(file-systems
(append
(list (file-system
(device "172.16.0.20,172.16.0.21,172.16.0.22:/file-vault/nextcloud")
(options "rw,relatime,name=file-vault-nextcloud,secretfile=/etc/ceph/ceph.client.file-vault-nextcloud.key,acl")
;; Filesystem cannot be mounted as its not a real device; instead a shepherd service is used to mount the file-system
(mount? #f)
(create-mount-point? #t)
(mount-point "/mnt/cephfs")
(type "ceph")))
(operating-system-file-systems base-system)))
(packages
(append
(map specification->package
'("ceph"))
(operating-system-packages base-system)))
(services
(append
(list (service docker-service-type)
cephfs-service)
%proxmox-vm-lvm-minimal-services))))
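Review bot: `stop` in `cephfs-service` is built with `make-system-constructor`, which returns `#t` when `umount` succeeds; as far as I recall shepherd takes a true value from `stop` as the service's new running state, so the service will still report as running after a successful unmount and `herd stop cephfs` or shutdown ordering can misbehave. It should read `(stop #~(make-system-destructor "/run/setuid-programs/umount /mnt/cephfs"))`. Separately, the `secretfile=/etc/ceph/...` option is the right way to reference the Ceph key — keep it out of `local-file`/`plain-file`, which would land it in the world-readable store — and a comment to that effect next to the option would stop a future cleanup from "fixing" it.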


@ -0,0 +1,84 @@
(define-module (rekahsoft guix-config vms dash0-home-rekahsoft-ca)
#:use-module (gnu)
#:use-module (gnu system nss)
#:use-module (gnu packages)
#:use-module (gnu packages shells)
#:use-module (gnu services desktop)
#:use-module (gnu services dbus)
#:use-module (gnu services networking)
#:use-module (gnu services ssh)
#:use-module (gnu services docker)
#:use-module (gnu services xorg)
#:use-module (srfi srfi-1)
#:export (system))
(define system
(operating-system
(host-name "dash0")
(timezone "America/Toronto")
(locale "en_US.utf8")
(keyboard-layout (keyboard-layout "us"))
(bootloader
(bootloader-configuration
(bootloader grub-bootloader)
(target "/dev/sda")
(keyboard-layout keyboard-layout)))
(initrd-modules
(append '("virtio_scsi") %base-initrd-modules))
(swap-devices (list "/dev/sda2"))
(file-systems
(cons* (file-system
(mount-point "/")
(device
(uuid "f354b908-fd6f-46c9-931b-2bebaac61b56"
'ext4))
(type "ext4"))
%base-file-systems))
(users (cons (user-account
(name "collin")
(comment "Master User")
(group "users")
(shell #~(string-append #$zsh "/bin/zsh"))
(supplementary-groups
'("wheel" "netdev" "audio" "video" "docker"))
(home-directory "/home/collin"))
%base-user-accounts))
(packages
(append
(map specification->package
'("nss-certs"
"recutils"
"openssh"
"tmux"
"emacs"
"emacs-guix"))
%base-packages))
(services
(append
(list (service openssh-service-type
(openssh-configuration
(password-authentication? #f)
(authorized-keys
`(("collin" ,(local-file "collin.pub"))
("root" ,(local-file "collin.pub"))))))
(service docker-service-type)
(dbus-service)
(elogind-service)
(service network-manager-service-type)
(service wpa-supplicant-service-type))
(modify-services
%base-services
(guix-service-type
config => (guix-configuration
(inherit config)
(substitute-urls '("https://nexus.home.rekahsoft.ca/repository/guix")))))))
;; Allow resolution of '.local' host names with mDNS.
(name-service-switch %mdns-host-lookup-nss)))
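Review bot: The bootloader block uses the single-value `(target "/dev/sda")` field while `proxmox-vm-lvm-minimal` in this same commit uses the newer `(targets '("/dev/sda"))` form, so the two styles will diverge the day `target` is removed upstream. Changing it to `(targets '("/dev/sda"))` keeps every system in the repository on one form. Everything else in this file duplicates the other clone-based VMs almost verbatim; deriving it from `proxmox-vm-lvm-minimal` like cloud0 and grocy0 do would reduce the chance of the SSH and substitute settings drifting between hosts.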


@ -0,0 +1,83 @@
(define-module (rekahsoft guix-config vms git0-home-rekahsoft-ca)
#:use-module (gnu)
#:use-module (gnu system nss)
#:use-module (gnu packages)
#:use-module (gnu packages shells)
#:use-module (gnu services desktop)
#:use-module (gnu services networking)
#:use-module (gnu services ssh)
#:use-module (gnu services monitoring)
#:use-module (gnu services docker)
#:use-module (gnu services xorg)
#:use-module (srfi srfi-1)
#:export (system))
(define system
(operating-system
(host-name "git0")
(timezone "America/Toronto")
(locale "en_US.utf8")
(keyboard-layout (keyboard-layout "us"))
(bootloader
(bootloader-configuration
(bootloader grub-bootloader)
(target "/dev/sda")
(keyboard-layout keyboard-layout)))
(initrd-modules
(append '("virtio_scsi") %base-initrd-modules))
(swap-devices (list "/dev/sda2"))
(file-systems
(cons* (file-system
(mount-point "/")
(device
(uuid "f354b908-fd6f-46c9-931b-2bebaac61b56"
'ext4))
(type "ext4"))
%base-file-systems))
(users (cons (user-account
(name "collin")
(comment "Master User")
(group "users")
(shell #~(string-append #$zsh "/bin/zsh"))
(supplementary-groups
'("wheel" "netdev" "audio" "video" "docker"))
(home-directory "/home/collin"))
%base-user-accounts))
(packages
(append
(map specification->package
'("nss-certs"
"recutils"
"tmux"
"emacs"
"emacs-guix"
"docker-compose"))
%base-packages))
(services
(append
(list (service openssh-service-type
(openssh-configuration
;; (password-authentication? #f)
(authorized-keys
`(("collin" ,(local-file "collin.pub"))
("root" ,(local-file "collin.pub"))))))
(service prometheus-node-exporter-service-type)
(service docker-service-type))
(modify-services
(remove (lambda (service)
(eq? (service-kind service) gdm-service-type))
%desktop-services)
(guix-service-type
config => (guix-configuration
(inherit config)
(substitute-urls '("https://nexus.home.rekahsoft.ca/repository/guix")))))))
;; Allow resolution of '.local' host names with mDNS.
(name-service-switch %mdns-host-lookup-nss)))
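Review bot: `password-authentication? #f` is commented out on this host only, so sshd on git0 falls back to Guix's default of allowing password authentication, while the same block also lists a key for `root` and the `collin` account is in the root-equivalent `docker` group; this is the one machine in the commit where a guessed password could yield a shell. Restore `(password-authentication? #f)`, and if root key login is really wanted set `(permit-root-login 'prohibit-password)` explicitly rather than relying on the `root` entry alone. If password auth was enabled temporarily for bootstrapping, say so in a comment with a removal condition instead of leaving the line silently disabled.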


@ -0,0 +1,32 @@
(define-module (rekahsoft guix-config vms grocy0-home-rekahsoft-ca)
#:use-module (gnu)
#:use-module (gnu system)
#:use-module (gnu packages shells)
#:use-module (gnu services docker)
#:use-module (rekahsoft guix-config proxmox-vm-lvm-minimal)
#:export (system))
(define base-system (proxmox-vm-lvm-minimal "grocy0"))
(define system
(operating-system
(inherit base-system)
(users (cons*
(user-account
(name "collin")
(comment "Master User")
(group "users")
(shell #~(string-append #$zsh "/bin/zsh"))
(supplementary-groups
'("wheel" "netdev" "audio" "video" "docker"))
(home-directory "/home/collin"))
(operating-system-users base-system)))
(packages
(append
(map specification->package
'("docker-compose"))
(operating-system-packages base-system)))
(services
(append
(list (service docker-service-type))
%proxmox-vm-lvm-minimal-services))))


@ -0,0 +1,314 @@
(define-module (rekahsoft guix-config vms guix-ci0-home-rekahsoft-ca)
#:use-module (gnu)
#:use-module (gnu system)
#:use-module (gnu packages shells)
#:use-module (gnu services base)
#:use-module (gnu services cuirass)
#:use-module (gnu services web)
#:use-module (rekahsoft guix-config proxmox-vm-lvm-minimal)
#:export (system))
(define base-system (proxmox-vm-lvm-minimal "guix-ci0"))
(define %cuirass-specs
#~(let ((rekahsoft-guix-channel
(channel
(name 'rekahsoft-guix)
(url "https://git.rekahsoft.ca/rekahsoft/rekahsoft-guix.git"))))
(list (specification
(name "rekahsoft-guix")
(priority 0)
(build '(channels rekahsoft-guix))
(channels
(cons rekahsoft-guix-channel
%default-channels)))
(specification
(name "rekahsoft-dotfiles")
(build '(manifests "home-manifest.scm"))
(channels
(cons* (channel
(name 'rekahsoft-dotfiles)
(url "https://git.home.rekahsoft.ca/rekahsoft-public/dotfiles.git"))
(channel
(name 'nonguix)
(url "https://gitlab.com/nonguix/nonguix"))
rekahsoft-guix-channel
%default-channels))))))
;; Taken from: https://git.savannah.gnu.org/cgit/guix/maintenance.git/tree/hydra/nginx/berlin.scm
(define (publish-locations url)
"Return the nginx location blocks for 'guix publish' running on URL."
(list (nginx-location-configuration
(uri "/nix-cache-info")
(body
(list
(string-append
"proxy_pass " url "/nix-cache-info;")
;; Cache this file since that's always the first thing we ask
;; for.
"proxy_cache static;"
"proxy_cache_valid 200 100d;" ; cache hits for a looong time.
"proxy_cache_valid any 5m;" ; cache misses/others for 5 min.
"proxy_ignore_client_abort on;"
;; We need to hide and ignore the Set-Cookie header to enable
;; caching.
"proxy_hide_header Set-Cookie;"
"proxy_ignore_headers Set-Cookie;")))
(nginx-location-configuration
(uri "/nar/")
(body
(list
(string-append "proxy_pass " url ";")
"client_body_buffer_size 256k;"
;; Be more tolerant of delays when fetching a nar.
"proxy_read_timeout 60s;"
"proxy_send_timeout 60s;"
;; Enable caching for nar files, to avoid reconstructing and
;; recompressing archives.
"proxy_cache nar;"
"proxy_cache_valid 200 30d;" ; cache hits for 1 month
"proxy_cache_valid 504 3m;" ; timeout, when hydra.gnu.org is overloaded
"proxy_cache_valid any 1h;" ; cache misses/others for 1h.
"proxy_ignore_client_abort on;"
;; Nars are already compressed.
"gzip off;"
;; We need to hide and ignore the Set-Cookie header to enable
;; caching.
"proxy_hide_header Set-Cookie;"
"proxy_ignore_headers Set-Cookie;"
;; Provide a 'content-length' header so that 'guix
;; substitute-binary' knows upfront how much it is downloading.
;; "add_header Content-Length $body_bytes_sent;"
)))
(nginx-location-configuration
(uri "~ \\.narinfo$")
(body
(list
;; Since 'guix publish' has its own caching, and since it relies
;; on the atime of cached narinfos to determine whether a
;; narinfo can be removed from the cache, don't do any caching
;; here.
(string-append "proxy_pass " url ";")
;; For HTTP pipelining. This has a dramatic impact on
;; performance.
"client_body_buffer_size 128k;"
;; Narinfos requests are short, serve many of them on a
;; connection.
"keepalive_requests 600;"
;; Do not tolerate slowness of hydra.gnu.org when fetching
;; narinfos: better return 504 quickly than wait forever.
"proxy_connect_timeout 10s;"
"proxy_read_timeout 10s;"
"proxy_send_timeout 10s;"
;; 'guix publish --ttl' produces a 'Cache-Control' header for
;; use by 'guix substitute'. Let it through rather than use
;; nginx's "expire" directive since the expiration time defined
;; by 'guix publish' is the right one.
"proxy_pass_header Cache-Control;"
"proxy_ignore_client_abort on;"
;; We need to hide and ignore the Set-Cookie header to enable
;; caching.
"proxy_hide_header Set-Cookie;"
"proxy_ignore_headers Set-Cookie;")))
;; Content-addressed files served by 'guix publish'.
(nginx-location-configuration
(uri "/file/")
(body
(list
(string-append "proxy_pass " url ";")
"proxy_cache cas;"
"proxy_cache_valid 200 200d;" ; cache hits
"proxy_cache_valid any 5m;" ; cache misses/others
"proxy_ignore_client_abort on;")))))
(define %publish-url "http://localhost:3000")
;; Modified from: https://git.savannah.gnu.org/cgit/guix/maintenance.git/tree/hydra/nginx/berlin.scm (berlin-locations)
(define (nginx-locations publish-url)
"Return nginx location blocks with 'guix publish' reachable at
PUBLISH-URL."
(append (publish-locations publish-url)
(list
;; Cuirass.
(nginx-location-configuration
(uri "/")
(body (list "proxy_pass http://localhost:8081;")))
;; TODO: disabled as currently there is no auth setup for cuirass
;; (nginx-location-configuration
;; (uri "~ ^/admin")
;; (body
;; (list "if ($ssl_client_verify != SUCCESS) { return 403; } proxy_pass http://localhost:8081;")))
(nginx-location-configuration
(uri "/static")
(body
(list
"proxy_pass http://localhost:8081;"
;; Let browsers cache this for a while.
"expires 10d;"
;; Cache quite aggressively.
"proxy_cache static;"
"proxy_cache_valid 200 5d;"
"proxy_cache_valid any 10m;"
"proxy_ignore_client_abort on;"))))))
(define %extra-content
(list
"default_type application/octet-stream;"
"sendfile on;"
; (accept-languages)
;; Maximum chunk size to send. Partly this is a workaround for
;; <http://bugs.gnu.org/19939>, but also the nginx docs mention that
;; "Without the limit, one fast connection may seize the worker
;; process entirely."
;; <http://nginx.org/en/docs/http/ngx_http_core_module#sendfile_max_chunk>
"sendfile_max_chunk 1m;"
"keepalive_timeout 65;"
;; Use HTTP 1.1 to talk to the backend so we benefit from keep-alive
;; connections and chunked transfer encoding. The latter allows us to
;; make sure we do not cache partial downloads.
"proxy_http_version 1.1;"
;; The 'inactive' parameter for caching is not very useful in our
;; case: all that matters is that LRU sweeping happens when 'max_size'
;; is hit.
;; cache for nar files
"proxy_cache_path /var/cache/nginx/nar"
" levels=2"
" inactive=8d" ; inactive keys removed after 8d
" keys_zone=nar:4m" ; nar cache meta data: ~32K keys
" max_size=10g;" ; total cache data size max
;; cache for content-addressed files
"proxy_cache_path /var/cache/nginx/cas"
" levels=2"
" inactive=180d" ; inactive keys removed after 180d
" keys_zone=cas:8m" ; nar cache meta data: ~64K keys
" max_size=50g;" ; total cache data size max
;; cache for build logs
"proxy_cache_path /var/cache/nginx/logs"
" levels=2"
" inactive=60d" ; inactive keys removed after 60d
" keys_zone=logs:8m" ; narinfo meta data: ~64K keys
" max_size=4g;" ; total cache data size max
;; cache for static data
"proxy_cache_path /var/cache/nginx/static"
" levels=1"
" inactive=10d" ; inactive keys removed after 10d
" keys_zone=static:1m" ; nar cache meta data: ~8K keys
" max_size=200m;" ; total cache data size max
;; If Hydra cannot honor these delays, then something is wrong and
;; we'd better drop the connection and return 504.
"proxy_connect_timeout 10s;"
"proxy_read_timeout 10s;"
"proxy_send_timeout 10s;"
;; Cache timeouts for a little while to avoid increasing pressure.
"proxy_cache_valid 504 30s;"))
(define %nginx-configuration
(nginx-configuration
(server-blocks
(list
(nginx-server-configuration
(listen '("80"))
(server-name '("guix-ci0.home.rekahsoft.ca"
"guix-ci.home.rekahsoft.ca"
;; <https://logs.guix.gnu.org/guix/2021-11-20.log#155427>
"~[0-9]$"))
(locations (nginx-locations %publish-url))
(raw-content
(list
"access_log /var/log/nginx/http.access.log;"
"proxy_set_header X-Forwarded-Host $host;"
"proxy_set_header X-Forwarded-Port $server_port;"
"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;")))))
(global-directives
'((worker_processes . 4)
(pcre_jit . on)
(events . ((worker_connections . 1024)))))
(extra-content
(string-join %extra-content "\n"))))
(define %nginx-cache-activation
;; Make sure /var/cache/nginx exists on the first run.
(simple-service 'nginx-/var/cache/nginx
activation-service-type
(with-imported-modules '((guix build utils))
#~(begin
(use-modules (guix build utils))
(mkdir-p "/var/cache/nginx")))))
(define system
(operating-system
(inherit base-system)
(users (cons*
(user-account
(name "collin")
(comment "Master User")
(group "users")
(shell #~(string-append #$zsh "/bin/zsh"))
(supplementary-groups
'("wheel" "netdev" "audio" "video"))
(home-directory "/home/collin"))
(operating-system-users base-system)))
(services
(append
(list (service cuirass-service-type
(cuirass-configuration
(host "localhost")
(specifications %cuirass-specs)
(use-substitutes? #t)))
%nginx-cache-activation
(service nginx-service-type %nginx-configuration)
(service guix-publish-service-type
(guix-publish-configuration
(port 3000)
(cache "/var/cache/guix/publish"))))
(modify-services %proxmox-vm-lvm-minimal-services
;; Add and authorize non-guix substitute server
(guix-service-type config =>
(guix-configuration
(inherit config)
(substitute-urls
(append (list "https://substitutes.nonguix.org")
(guix-configuration-substitute-urls config)))
(authorized-keys
(append (list (plain-file "non-guix.pub"
"(public-key
(ecc
(curve Ed25519)
(q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)
)
)"))
(guix-configuration-authorized-keys config))))))))))
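Review bot: None of the `channel` records in `%cuirass-specs` carries an `introduction`, so Cuirass pulls `rekahsoft-guix`, `rekahsoft-dotfiles` and `nonguix` with only the git servers' TLS as protection, and the `.guix-authorizations` shipped in this very repository is never enforced on the build farm whose signed substitutes the laptop then trusts. Add `(introduction (make-channel-introduction "<introduction-commit>" (openpgp-fingerprint "F8D5 46F3 AF37 EF53 D1B6 48BE 7B4D EB93 212B 3022")))` to `rekahsoft-guix-channel`, and the published introductions for the other channels where one exists. Also, `/` is proxied to Cuirass with no authentication while the `~ ^/admin` location is left as a TODO, so whether Cuirass's admin endpoints are reachable from the LAN depends on Cuirass's own gating, which cannot be seen here; a `location /admin { deny all; }` equivalent would be cheap insurance until client-certificate auth is set up.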


@ -0,0 +1,86 @@
(define-module (rekahsoft guix-config vms loki-home-rekahsoft-ca)
#:use-module (gnu)
#:use-module (gnu system nss)
#:use-module (gnu packages)
#:use-module (gnu packages shells)
#:use-module (gnu services desktop)
#:use-module (gnu services dbus)
#:use-module (gnu services networking)
#:use-module (gnu services ssh)
#:use-module (gnu services monitoring)
#:use-module (gnu services docker)
#:use-module (gnu services xorg)
#:use-module (srfi srfi-1)
#:export (system))
(define system
(operating-system
(host-name "loki")
(timezone "America/Toronto")
(locale "en_US.utf8")
(keyboard-layout (keyboard-layout "us"))
(bootloader
(bootloader-configuration
(bootloader grub-bootloader)
(target "/dev/sda")
(keyboard-layout keyboard-layout)))
(initrd-modules
(append '("virtio_scsi") %base-initrd-modules))
(swap-devices (list "/dev/sda2"))
(file-systems
(cons* (file-system
(mount-point "/")
(device
(uuid "f354b908-fd6f-46c9-931b-2bebaac61b56"
'ext4))
(type "ext4"))
%base-file-systems))
(users (cons (user-account
(name "collin")
(comment "Master User")
(group "users")
(shell #~(string-append #$zsh "/bin/zsh"))
(supplementary-groups
'("wheel" "netdev" "audio" "video" "docker"))
(home-directory "/home/collin"))
%base-user-accounts))
(packages
(append
(map specification->package
'("nss-certs"
"recutils"
"openssh"
"tmux"
"emacs"
"emacs-guix"))
%base-packages))
(services
(append
(list (service openssh-service-type
(openssh-configuration
(password-authentication? #f)
(authorized-keys
`(("collin" ,(local-file "collin.pub"))
("root" ,(local-file "collin.pub"))))))
(service prometheus-node-exporter-service-type)
(service docker-service-type)
(dbus-service)
(elogind-service)
(service network-manager-service-type)
(service wpa-supplicant-service-type))
(modify-services
%base-services
(guix-service-type
config => (guix-configuration
(inherit config)
(substitute-urls '("https://nexus.home.rekahsoft.ca/repository/guix")))))))
;; Allow resolution of '.local' host names with mDNS.
(name-service-switch %mdns-host-lookup-nss)))
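Review bot: `prometheus-node-exporter-service-type` is added with its default configuration, which as far as I recall listens on `:9100` on every interface with no authentication, exposing host metrics to anything that can reach this VM. Since the collector is on the same internal network, bind the exporter to the VM's internal address, e.g. `(service prometheus-node-exporter-service-type (prometheus-node-exporter-configuration (web-listen-address "<internal-ip>:9100")))`, or restrict port 9100 to prom0 with a firewall rule. The VM's actual address and any firewall in front of it are not visible in this file.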


@ -0,0 +1,94 @@
(define-module (rekahsoft guix-config vms postgres-home-rekahsoft-ca)
#:use-module (gnu)
#:use-module (gnu system nss)
#:use-module (gnu packages)
#:use-module (gnu packages shells)
#:use-module (gnu services networking)
#:use-module (gnu services ssh)
#:use-module (gnu services monitoring)
#:use-module (gnu services databases)
#:use-module (gnu services xorg)
#:use-module (srfi srfi-1)
#:export (system))
(define postgres-hba
(plain-file "pg_hba.conf"
"
local all all peer
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
host all all 172.16.0.0/20 md5"))
(define system
(operating-system
(host-name "postgres")
(timezone "America/Toronto")
(locale "en_US.utf8")
(keyboard-layout (keyboard-layout "us"))
(bootloader
(bootloader-configuration
(bootloader grub-bootloader)
(target "/dev/sda")
(keyboard-layout keyboard-layout)))
(initrd-modules
(append '("virtio_scsi") %base-initrd-modules))
(swap-devices (list "/dev/sda2"))
(file-systems
(cons* (file-system
(mount-point "/")
(device
(uuid "f354b908-fd6f-46c9-931b-2bebaac61b56"
'ext4))
(type "ext4"))
%base-file-systems))
(users (cons (user-account
(name "collin")
(comment "Master User")
(group "users")
(shell #~(string-append #$zsh "/bin/zsh"))
(supplementary-groups
'("wheel" "netdev" "audio" "video"))
(home-directory "/home/collin"))
%base-user-accounts))
(packages
(append
(map specification->package
'("nss-certs"
"recutils"
"openssh"
"tmux"
"emacs"
"emacs-guix"))
%base-packages))
(services
(append
(list (service openssh-service-type
(openssh-configuration
(password-authentication? #f)
(authorized-keys
`(("collin" ,(local-file "collin.pub"))
("root" ,(local-file "collin.pub"))))))
(postgresql-service
#:config-file (postgresql-config-file
(hba-file postgres-hba)
(extra-config
'(("listen_addresses" "'*'")))))
(service prometheus-node-exporter-service-type)
(service network-manager-service-type)
(service wpa-supplicant-service-type))
(modify-services
%base-services
(guix-service-type
config => (guix-configuration
(inherit config)
(substitute-urls '("https://nexus.home.rekahsoft.ca/repository/guix")))))))
;; Allow resolution of '.local' host names with mDNS.
(name-service-switch %mdns-host-lookup-nss)))
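Review bot: `pg_hba.conf` grants `host all all 172.16.0.0/20 md5` together with `listen_addresses = '*'`, so every database is reachable by every role from the whole /20 with MD5 password authentication over plaintext TCP, and any host added to that subnet later can attempt logins against the superuser role. Prefer `scram-sha-256` (with `password_encryption` set to match so stored hashes are compatible) and narrow the rules to the databases and roles each client actually needs, e.g. `hostssl nextcloud nextcloud 172.16.0.20/32 scram-sha-256`. Whether the PostgreSQL package here is built with SSL support, and which clients exist, cannot be seen from this file.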


@ -0,0 +1,84 @@
(define-module (rekahsoft guix-config vms prom0-home-rekahsoft-ca)
#:use-module (gnu)
#:use-module (gnu system nss)
#:use-module (gnu packages)
#:use-module (gnu packages shells)
#:use-module (gnu services desktop)
#:use-module (gnu services dbus)
#:use-module (gnu services networking)
#:use-module (gnu services ssh)
#:use-module (gnu services docker)
#:use-module (gnu services xorg)
#:use-module (srfi srfi-1)
#:export (system))
(define system
(operating-system
(host-name "prom0")
(timezone "America/Toronto")
(locale "en_US.utf8")
(keyboard-layout (keyboard-layout "us"))
(bootloader
(bootloader-configuration
(bootloader grub-bootloader)
(target "/dev/sda")
(keyboard-layout keyboard-layout)))
(initrd-modules
(append '("virtio_scsi") %base-initrd-modules))
(swap-devices (list "/dev/sda2"))
(file-systems
(cons* (file-system
(mount-point "/")
(device
(uuid "f354b908-fd6f-46c9-931b-2bebaac61b56"
'ext4))
(type "ext4"))
%base-file-systems))
(users (cons (user-account
(name "collin")
(comment "Master User")
(group "users")
(shell #~(string-append #$zsh "/bin/zsh"))
(supplementary-groups
'("wheel" "netdev" "audio" "video" "docker"))
(home-directory "/home/collin"))
%base-user-accounts))
(packages
(append
(map specification->package
'("nss-certs"
"recutils"
"openssh"
"tmux"
"emacs"
"emacs-guix"))
%base-packages))
(services
(append
(list (service openssh-service-type
(openssh-configuration
(password-authentication? #f)
(authorized-keys
`(("collin" ,(local-file "collin.pub"))
("root" ,(local-file "collin.pub"))))))
(service docker-service-type)
(dbus-service)
(elogind-service)
(service network-manager-service-type)
(service wpa-supplicant-service-type))
(modify-services
%base-services
(guix-service-type
config => (guix-configuration
(inherit config)
(substitute-urls '("https://nexus.home.rekahsoft.ca/repository/guix")))))))
;; Allow resolution of '.local' host names with mDNS.
(name-service-switch %mdns-host-lookup-nss)))
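Review bot: `(local-file "collin.pub")` under `authorized-keys` is resolved relative to this module's own directory, not the repository root, so unless a copy of the key sits next to the vms/*.scm modules the build will not find the file committed as .pubkeys/collin.pub; a single definition in a shared module that points at that path would also stop every VM module repeating it. The `("root" ,(local-file "collin.pub"))` entry has no effect unless `(permit-root-login 'prohibit-password)` is also set, because openssh-configuration defaults root login to #f, so either add that field deliberately or drop the root entry. The root file-system `uuid "f354b908-…"` is byte-identical in the postgres and searx0 modules, which can only be right if all three VMs were cloned from one image; otherwise the reconfigured system will fail to mount. `(target "/dev/sda")` is the deprecated single-target field; `(targets '("/dev/sda"))` is its replacement. The searx0 module shares all of these points.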


@ -0,0 +1,86 @@
(define-module (rekahsoft guix-config vms searx0-home-rekahsoft-ca)
#:use-module (gnu)
#:use-module (gnu system nss)
#:use-module (gnu packages)
#:use-module (gnu packages shells)
#:use-module (gnu services desktop)
#:use-module (gnu services dbus)
#:use-module (gnu services networking)
#:use-module (gnu services ssh)
#:use-module (gnu services monitoring)
#:use-module (gnu services docker)
#:use-module (gnu services xorg)
#:use-module (srfi srfi-1)
#:export (system))
(define system
(operating-system
(host-name "searx0")
(timezone "America/Toronto")
(locale "en_US.utf8")
(keyboard-layout (keyboard-layout "us"))
(bootloader
(bootloader-configuration
(bootloader grub-bootloader)
(target "/dev/sda")
(keyboard-layout keyboard-layout)))
(initrd-modules
(append '("virtio_scsi") %base-initrd-modules))
(swap-devices (list "/dev/sda2"))
(file-systems
(cons* (file-system
(mount-point "/")
(device
(uuid "f354b908-fd6f-46c9-931b-2bebaac61b56"
'ext4))
(type "ext4"))
%base-file-systems))
(users (cons (user-account
(name "collin")
(comment "Master User")
(group "users")
(shell #~(string-append #$zsh "/bin/zsh"))
(supplementary-groups
'("wheel" "netdev" "audio" "video" "docker"))
(home-directory "/home/collin"))
%base-user-accounts))
(packages
(append
(map specification->package
'("nss-certs"
"recutils"
"openssh"
"tmux"
"emacs"
"emacs-guix"))
%base-packages))
(services
(append
(list (service openssh-service-type
(openssh-configuration
(password-authentication? #f)
(authorized-keys
`(("collin" ,(local-file "collin.pub"))
("root" ,(local-file "collin.pub"))))))
(service prometheus-node-exporter-service-type)
(service docker-service-type)
(dbus-service)
(elogind-service)
(service network-manager-service-type)
(service wpa-supplicant-service-type))
(modify-services
%base-services
(guix-service-type
config => (guix-configuration
(inherit config)
(substitute-urls '("https://nexus.home.rekahsoft.ca/repository/guix")))))))
;; Allow resolution of '.local' host names with mDNS.
(name-service-switch %mdns-host-lookup-nss)))


@ -0,0 +1,27 @@
(define-module (rekahsoft guix-config vms vault0-home-rekahsoft-ca)
#:use-module (gnu)
#:use-module (gnu system)
#:use-module (gnu packages shells)
#:use-module (gnu services docker)
#:use-module (rekahsoft guix-config proxmox-vm-lvm-minimal)
#:export (system))
(define base-system (proxmox-vm-lvm-minimal "vault0"))
(define system
(operating-system
(inherit base-system)
(users (cons*
(user-account
(name "collin")
(comment "Master User")
(group "users")
(shell #~(string-append #$zsh "/bin/zsh"))
(supplementary-groups
'("wheel" "netdev" "audio" "video" "docker"))
(home-directory "/home/collin"))
(operating-system-users base-system)))
(services
(append
(list (service docker-service-type))
%proxmox-vm-lvm-minimal-services))))
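Review bot: `(service docker-service-type)` is appended to `%proxmox-vm-lvm-minimal-services` without the `(dbus-service)` and `(elogind-service)` that the prom0 and searx0 modules add alongside docker; the docker shepherd service requires both, so unless the minimal service list already provides them docker will not start on vault0. Adding the user to the `docker` supplementary group grants root-equivalent control of the host through the docker socket, which is acceptable for an admin account but deserves a comment such as `;; docker group membership is root-equivalent on this host`. `(gnu system)` is already re-exported by `(gnu)`, so that #:use-module line is redundant.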

1
.pubkeys/collin.pub Normal file

@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbkiHEE2y85M1qkOBG9p0nuplkFETuMmRudDJ2ryf2gakD1NGMbKz82EHWWyPagkXMHx0tw4TZyV/AOq2LqzH8ZVDAj+QOO2wkFIRIXr3rsZGeMO9kpaZORwdTMTABRPcIg+KteWXe7Qq4I1H3izSuIIbyOW2wFdHkMxWAJEGr2L/q8qMlYbCbDwj1v7AQQRUjy8a0pTyG9eZ6kmc0bVxuFGAsvKtJSPpYxFNNGr8f2EY977DkmHK146B+Ce6Vp9wFDV5PwIQOFnZFXLDoYkI/ndshW+7+LQKViYP/ftIMTt4LC/0BC56heHOKkTCE3FHo4W/0zxfJdcLLkfRoev9T openpgp:0xED51AB07


@ -0,0 +1,7 @@
(public-key
(ecc
(curve Ed25519)
(q #4C9DDCA82172D07FE644BEB4B5B39429F835BEE7E11E3F770EAB79ECBE226DE9#)
)
)

145
README.org Normal file

@ -0,0 +1,145 @@
#+TITLE: Guix Machines
#+AUTHOR: Collin J. Doering
#+BEGIN_EXPORT html
<p><a href="https://guix-ci.home.rekahsoft.ca/jobset/guix-machines"><img src="https://guix-ci.home.rekahsoft.ca/jobset/guix-machines/badge.svg?type=0" alt="Cuirass Status"></a></p>
#+END_EXPORT
#+begin_abstract
Guix configurations for all Guix powered systems privately managed by the author. This
includes all virtual machines for my home network, cloud/vps instances, as well as personal
computers. Due to the variety of types of systems managed via this repository, two mutable
deployment methodologies are supported:
1. A push based model, using ~guix deploy~[fn:1] to remotely deploy changes (useful for example
from ci/cd).
2. A pull based model, using ~guix~ along with this repository directly from the target
machine.
Immutable deployment is not yet supported, but is certainly possible given Guix's ability to
build an ~operating-system~ configuration into a image.
#+end_abstract
* Repository Structure
- ~channels*.scm~ :: [[*Guix Channel Files][Guix channel files]]
- ~deploy/~ :: Folder containing all ~guix deploy~ configurations
- ~.gitignore~ :: Files ignored by git
- ~.guix/~ :: Guix channel directory
- ~.guix-authorizations~ :: Guix authorizations file[fn:2]
- ~.guix-channel~ :: Guix channel file[fn:3]
- ~.pub-keys/~ :: Folder containing public key files used by Guix configurations
- ~README.org~ :: Org-mode[fn:4] documentation
- ~TODO.org~ :: Org-mode todo's, known issues and future aspirations
- ~unguix/~ :: Docker/docker-compose files used on deployed instances, managed
outside of guix. Once better support for running docker/docker-compose via shepherd,
specified declaratively via Guix configuration has been implemented, this directory and all
files within it should be able to be removed.
** User Supplied Files Required for Push Based Deployment
- ~.deploy-key~ :: Folder expected to contain two files (a public and private ssh key, named
~key.pub~ and ~key~ respectively).
** Guix Channel Files
Guix channels[fn:5] allow for Guix to be customized and extended. They are also critical for
replicating a Guix system[fn:6]. As mentioned above, there are two primary classes of
deployments that are managed using this repository, push based and pull based. In both cases,
what specific versions of software that will be installed during deployment depends on the
guix channels in use. To ensure reproducibility, ~channel*.scm~ files are provided in this
repository that are expected to be used during deployment. However, multiple channel files
are provided as it makes sense to lock software versions across different sets of machines in
varying ways. For example, there is value in using the same channel file (and thus, same
software versions) across all virtual machines running on my home hypervisor cluster, but
there is no reason to explicitly lock my personal machines to the same software versions.
Further, cases could arise where my personal computer configuration/s or server
configuration/s need to be pinned to a specific set of software versions, and thus require a
individual channel file.
Though supporting a channel file per machine is possible, it would cause additional
maintenance overhead. So instead, two channel files are provided, that correspond to the two
classes of machines that are managed.
- ~channels-vms.scm~ :: Channel file used for push based deployments to vm's running on my
home hypervisor cluster
- ~channels.scm :: Channel file used for pull based deployments of personal computers
If for some reason channels need to be pinned for a specific deployment, a new channel file
named ~channels-<hostname>.scm~ can be created and used in place of normally used channel
file.
*** TODO Updating guix channels used for deployment
**This doesn't work right unless your channels match what is expected by this repository.**
#+begin_src shell
guix time-machine -- describe -f channels > channels-vms.scm
#+end_src
** ~guix-machines~ the Guix Channel
This repository is itself a Guix channel, which facilitates CI, allowing for changes to it to
be evaluated by Cuirass at [[https://guix-ci.home.rekahsoft.ca]] (only available in my internal
home-network). This channel is not intended to be used directly from guix systems as it
doesn't provide any packages.
At a later date, this also will allow for building of machine images for immutable
deployment, bootstrapping and more.
* Push Deployment with ~guix deploy~
Push based mutable deployment is the default deployment methodology for the majority of
systems managed by this repository. This is particularity safe because Guix changes are done
as transactions, and thus can easily be rolled back.
#+begin_src shell
guix time-machine -C channels-vms.scm -- deploy -L ./.guix deploy/<vm-hostname>.scm
#+end_src
* Pull Based Deployment
Pull based mutable deployment is the default deployment methodology for personal computers,
where using a push based method doesn't make sense. It also serves as a secondary deployment
mechanism for systems normally maintained using the push deployment model; for example, this
becomes necessary when facing ~guix deploy~ bugs.
To manually deploy from the target, first the contents of this repository must be transferred
to the target machine. The easiest way to do this is via git, from the target like so.
#+begin_src shell
git clone https://git.home.rekahsoft.ca/rekahsoft-public/guix-machines.git
#+end_src
Once this repository is on the target, pull the [[*Guix Channel Files][appropriate channels]] as root.
#+begin_src shell
sudo -i guix pull -C $(realpath channels-<vms|manual>.scm)
#+end_src
Once channels have been updated successfully, use the following to reconfigure the system.
#+begin_src shell
sudo -i guix system reconfigure -L $(realpath .guix) -e '(@ (rekahsoft guix-config <vms|manual> <target>) system)'
#+end_src
Alternatively, the same effect can be achieved without first pulling the appropriate channels
by instead using ~guix time-machine~ as follows.
#+begin_src shell
sudo -i guix time-machine -C $(realpath channels-<vms|manual>.scm) -- system reconfigure -L $(realpath .guix) -e '(@ (rekahsoft guix-config <vms|manual> <target>) system)'
#+end_src
* Footnotes
[fn:1] https://guix.gnu.org/manual/en/html_node/Invoking-guix-deploy.html
[fn:2] https://guix.gnu.org/manual/en/html_node/Channel-Authentication.html
[fn:3] https://guix.gnu.org/manual/en/html_node/Package-Modules-in-a-Sub_002ddirectory.html
[fn:4] https://orgmode.org/
[fn:5] https://guix.gnu.org/manual/en/html_node/Channels.html
[fn:6] https://guix.gnu.org/manual/en/html_node/Replicating-Guix.html

58
TODO.org Normal file

@ -0,0 +1,58 @@
#+TITLE: guix-machines TODO's
#+AUTHOR: Collin J. Doering
* DOING VM Status
- State "DOING" from "TODO" [2022-03-20 Sun 19:53]
** DONE Convert existing [[file:.guix/rekahsoft/guix-config/vms/][.guix/rekahsoft/guix-config/vms/*.scm]] files to guile modules
CLOSED: [2022-03-20 Sun 13:00]
- State "DONE" from "TODO" [2022-03-20 Sun 13:00]
- [X] [[file:.guix/rekahsoft/guix-config/vms/ci-runner0-home-rekahsoft-ca.scm]]
- [X] [[file:.guix/rekahsoft/guix-config/vms/cloud0-home-rekahsoft-ca.scm]]
- [X] [[file:.guix/rekahsoft/guix-config/vms/dash0-home-rekahsoft-ca.scm]]
- [X] [[file:.guix/rekahsoft/guix-config/vms/git0-home-rekahsoft-ca.scm]]
- [X] [[file:.guix/rekahsoft/guix-config/vms/grocy0-home-rekahsoft-ca.scm]]
- [X] [[file:.guix/rekahsoft/guix-config/vms/guix-ci0-home-rekahsoft-ca.scm]]
- [X] [[file:.guix/rekahsoft/guix-config/vms/loki-home-rekahsoft-ca.scm]]
- [X] [[file:.guix/rekahsoft/guix-config/vms/postgres-home-rekahsoft-ca.scm]]
- [X] [[file:.guix/rekahsoft/guix-config/vms/prom0-home-rekahsoft-ca.scm]]
- [X] [[file:.guix/rekahsoft/guix-config/vms/searx0-home-rekahsoft-ca.scm]]
- [X] [[file:.guix/rekahsoft/guix-config/vms/vault0-home-rekahsoft-ca.scm]]
** TODO Use 'guix deploy'/lvm based common proxmox-vm configuration for all vms
Checked indicates the vm is using a 'guix deploy' style deployment, and is based on the
common lvm based proxmox configuration [[file:.guix/rekahsoft/guix-config/proxmox-vm-lvm-minimal.scm][prmox-vm-lvm-minimal.scm]].
- [ ] [[file:.guix/rekahsoft/guix-config/vms/ci-runner0-home-rekahsoft-ca.scm]]
- [X] [[file:.guix/rekahsoft/guix-config/vms/cloud0-home-rekahsoft-ca.scm]]
- [ ] [[file:.guix/rekahsoft/guix-config/vms/dash0-home-rekahsoft-ca.scm]]
- [ ] [[file:.guix/rekahsoft/guix-config/vms/git0-home-rekahsoft-ca.scm]]
- [X] [[file:.guix/rekahsoft/guix-config/vms/grocy0-home-rekahsoft-ca.scm]]
- [X] [[file:.guix/rekahsoft/guix-config/vms/guix-ci0-home-rekahsoft-ca.scm]]
- [ ] [[file:.guix/rekahsoft/guix-config/vms/loki-home-rekahsoft-ca.scm]]
- [ ] [[file:.guix/rekahsoft/guix-config/vms/postgres-home-rekahsoft-ca.scm]]
- [ ] [[file:.guix/rekahsoft/guix-config/vms/prom0-home-rekahsoft-ca.scm]]
- [ ] [[file:.guix/rekahsoft/guix-config/vms/searx0-home-rekahsoft-ca.scm]]
- [X] [[file:.guix/rekahsoft/guix-config/vms/vault0-home-rekahsoft-ca.scm]]
** TODO Run/configure docker/docker-compose from within guix configurations
Better docker support within guix configuration is required to make this issue go away. Once
completed, the ~unguix~ directory can be removed.
Checked indicates VMs that use docker/docker-compose (and either depend on files in the
~unguix~ directory or ~docker-compose~ files on the vm disk.
- [X] [[file:.guix/rekahsoft/guix-config/vms/ci-runner0-home-rekahsoft-ca.scm]]
- [X] [[file:.guix/rekahsoft/guix-config/vms/cloud0-home-rekahsoft-ca.scm]]
- [X] [[file:.guix/rekahsoft/guix-config/vms/dash0-home-rekahsoft-ca.scm]]
- [X] [[file:.guix/rekahsoft/guix-config/vms/git0-home-rekahsoft-ca.scm]]
- [X] [[file:.guix/rekahsoft/guix-config/vms/grocy0-home-rekahsoft-ca.scm]] :: docker-compose
- [ ] [[file:.guix/rekahsoft/guix-config/vms/guix-ci0-home-rekahsoft-ca.scm]]
- [X] [[file:.guix/rekahsoft/guix-config/vms/loki-home-rekahsoft-ca.scm]]
- [ ] [[file:.guix/rekahsoft/guix-config/vms/postgres-home-rekahsoft-ca.scm]]
- [X] [[file:.guix/rekahsoft/guix-config/vms/prom0-home-rekahsoft-ca.scm]]
- [X] [[file:.guix/rekahsoft/guix-config/vms/searx0-home-rekahsoft-ca.scm]]
- [X] [[file:.guix/rekahsoft/guix-config/vms/vault0-home-rekahsoft-ca.scm]]

22
channels-manual.scm Normal file

@ -0,0 +1,22 @@
(list (channel
(name 'guix)
(url "https://git.savannah.gnu.org/git/guix.git")
(branch "master")
(commit
"44cd0a4f371db22141832e17b8bdb5130696993a")
(introduction
(make-channel-introduction
"9edb3f66fd807b096b48283debdcddccfea34bad"
(openpgp-fingerprint
"BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA"))))
(channel
(name 'nonguix)
(url "https://gitlab.com/nonguix/nonguix")
(branch "master")
(commit
"fea52adbc9356184bff51146c6515fad609baf77")
(introduction
(make-channel-introduction
"897c1a470da759236cc11798f4e0a5f7d4d59fbc"
(openpgp-fingerprint
"2A39 3FFF 68F4 EF7A 3D29 12AF 6F51 20A0 22FB B2D5")))))

22
channels-vms.scm Normal file

@ -0,0 +1,22 @@
(list (channel
(name 'guix)
(url "https://git.savannah.gnu.org/git/guix.git")
(branch "master")
(commit
"a4eae0c3adce8e4c4ac153a4959d18b9897a67e1")
(introduction
(make-channel-introduction
"9edb3f66fd807b096b48283debdcddccfea34bad"
(openpgp-fingerprint
"BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA"))))
(channel
(name 'rekahsoft-guix)
(url "https://git.rekahsoft.ca/rekahsoft/rekahsoft-guix.git")
(branch "master")
(commit
"b72c13392a9ffab0dd52dcf9e30fb599e364a78e")
(introduction
(make-channel-introduction
"191cdaa0947657e0c85fe89ebbb8e7b1e7a8e0a4"
(openpgp-fingerprint
"F8D5 46F3 AF37 EF53 D1B6 48BE 7B4D EB93 212B 3022")))))


@ -0,0 +1,13 @@
(use-modules
(rekahsoft guix-config vms cloud0-home-rekahsoft-ca))
(list (machine
(operating-system system)
(environment managed-host-environment-type)
(configuration (machine-ssh-configuration
(host-name "cloud0.home.rekahsoft.ca")
(host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINwGi4YmUyLgpmFxJzGQF5Ju7CL8d2Wa2VtHMZGms0KO root@(none)")
(system "x86_64-linux")
(user "auto")
(identity ".deploy-key/key")
(port 22)))))
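Review bot: The `host-key` pinned here is byte-identical to the one in the vault0 deploy file, which is correct only if both VMs share an SSH host key (e.g. cloned from one image without regenerating /etc/ssh/ssh_host_*), and in that case pinning no longer tells the two machines apart; if it is a copy-paste slip instead, `guix deploy` to vault0 will fail host-key verification. Regenerate the host key on the clone (or fix the pasted value) and re-pin. `(identity ".deploy-key/key")` is resolved against the working directory of the `guix deploy` invocation, exactly like `-L ./.guix` in the README command, so a one-line comment stating that the command must run from the repository root would save a confusing failure.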


@ -0,0 +1,13 @@
(use-modules
(rekahsoft guix-config vms grocy0-home-rekahsoft-ca))
(list (machine
(operating-system system)
(environment managed-host-environment-type)
(configuration (machine-ssh-configuration
(host-name "grocy0.home.rekahsoft.ca")
(host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICSMBcmFdlDI/JKOBC/RRJh2VM0MY45o684OXaTQ3fGm root@(none)")
(system "x86_64-linux")
(user "auto")
(identity ".deploy-key/key")
(port 22)))))


@ -0,0 +1,13 @@
(use-modules
(rekahsoft guix-config vms guix-ci0-home-rekahsoft-ca))
(list (machine
(operating-system system)
(environment managed-host-environment-type)
(configuration (machine-ssh-configuration
(host-name "guix-ci0.home.rekahsoft.ca")
(host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrv3Ygq47GYt5jYiNPUhvIDOOl4H17Z/abMvA1l/xkj root@(none)")
(system "x86_64-linux")
(user "auto")
(identity ".deploy-key/key")
(port 22)))))


@ -0,0 +1,13 @@
(use-modules
(rekahsoft guix-config vms vault0-home-rekahsoft-ca))
(list (machine
(operating-system system)
(environment managed-host-environment-type)
(configuration (machine-ssh-configuration
(host-name "vault0.home.rekahsoft.ca")
(host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINwGi4YmUyLgpmFxJzGQF5Ju7CL8d2Wa2VtHMZGms0KO root@(none)")
(system "x86_64-linux")
(user "auto")
(identity ".deploy-key/key")
(port 22)))))


@ -0,0 +1,20 @@
#!/usr/bin/env bash
docker run -d \
-v /var/run/docker.sock:/var/run/docker.sock \
-e DRONE_RPC_PROTO="https" \
-e DRONE_RPC_HOST="ci.home.rekahsoft.ca" \
-e DRONE_RPC_SECRET="8cb1a6fbc4febc68a99c4f1cc3f11f2a" \
-e DRONE_RUNNER_CAPACITY=4 \
-e DRONE_RUNNER_NAME="ci-runner1.home.rekahsoft.ca" \
-e DRONE_RUNNER_LABELS=guix:on \
-e DRONE_RUNNER_VOLUMES=/var/guix/daemon-socket/socket:/var/guix/daemon-socket/socket,/gnu/store:/gnu/store,/home/collin/guix-ci-cache:/.cache/guix \
-e DRONE_DEBUG=true \
-p 3001:3000 \
--restart unless-stopped \
--name runner-guix \
--log-driver=loki \
--log-opt loki-url="http://loki.home.rekahsoft.ca:3100/loki/api/v1/push" \
--log-opt loki-retries=5 \
--log-opt loki-batch-size=400 \
docker.nexus.home.rekahsoft.ca/drone/drone-runner-docker:1.6.3
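Review bot: `DRONE_RPC_SECRET` is a live shared secret committed in plain text, and the README publishes the repository via a 'rekahsoft-public' remote, so anyone who can read it holds what a runner needs to authenticate to the CI server. Rotate it and load it from a file kept out of the repository, e.g. `--env-file /etc/drone/runner.env`; the same applies to `DRONE_RPC_SECRET` in the `--name runner` and `--name drone` scripts, `DRONE_GITEA_CLIENT_SECRET` in the drone server script and `ADMIN_TOKEN` in the vaultwarden script. Mounting `/var/run/docker.sock`, the guix daemon socket and `/gnu/store` into the runner gives every pipeline that lands on it root-equivalent control of the VM and write access to the store; a comment recording which repositories are allowed to build here would document the accepted blast radius.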


@ -0,0 +1,17 @@
#!/usr/bin/env bash
docker run -d \
-v /var/run/docker.sock:/var/run/docker.sock \
-e DRONE_RPC_PROTO="https" \
-e DRONE_RPC_HOST="ci.home.rekahsoft.ca" \
-e DRONE_RPC_SECRET="8cb1a6fbc4febc68a99c4f1cc3f11f2a" \
-e DRONE_RUNNER_CAPACITY=4 \
-e DRONE_RUNNER_NAME="ci-runner0.home.rekahsoft.ca" \
-p 3000:3000 \
--restart unless-stopped \
--name runner \
--log-driver=loki \
--log-opt loki-url="http://loki.home.rekahsoft.ca:3100/loki/api/v1/push" \
--log-opt loki-retries=5 \
--log-opt loki-batch-size=400 \
docker.nexus.home.rekahsoft.ca/drone/drone-runner-docker:1.6.3


@ -0,0 +1,21 @@
#!/usr/bin/env bash
docker run \
--volume=/var/lib/drone:/data \
--env=DRONE_GITEA_SERVER="https://git.home.rekahsoft.ca" \
--env=DRONE_GITEA_CLIENT_ID="25793ca8-0057-494b-b6a5-e7534104f546" \
--env=DRONE_GITEA_CLIENT_SECRET="Br9vQ-WG4nkC4cVwnCEFsfQg_WD6ax5Ebi5hNwiSd9M=" \
--env=DRONE_RPC_SECRET="8cb1a6fbc4febc68a99c4f1cc3f11f2a" \
--env=DRONE_SERVER_HOST="ci.home.rekahsoft.ca" \
--env=DRONE_SERVER_PROTO=https \
--env=DRONE_USER_CREATE=username:rekahsoft,admin:true \
--env=DRONE_JSONNET_ENABLED=true \
--publish=80:80 \
--restart=always \
--detach=true \
--name=drone \
--log-driver=loki \
--log-opt loki-url="http://loki.home.rekahsoft.ca:3100/loki/api/v1/push" \
--log-opt loki-retries=5 \
--log-opt loki-batch-size=400 \
docker.nexus.home.rekahsoft.ca/drone/drone:2


@ -0,0 +1,16 @@
#/usr/bin/env bash
docker run -d --name nextcloud \
-p 80:80 \
--restart unless-stopped \
-v nextcloud:/var/www/html \
-v apps:/var/www/html/custom_apps \
-v config:/var/www/html/config \
-v /mnt/cephfs:/var/www/html/data \
-e APACHE_DISABLE_REWRITE_IP=1 \
-e TRUSTED_PROXIES="172.16.0.1" \
-e NEXTCLOUD_TRUSTED_DOMAINS="cloud.home.rekahsoft.ca,cloud0.home.rekahsoft.ca" \
docker.nexus.home.rekahsoft.ca/nextcloud:stable
# Last working: 22.2.3-apache
# Broken upgrade: 22.2.5.1
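Review bot: The first line reads `#/usr/bin/env bash` — the `!` is missing — so there is no shebang and the file runs under whatever shell the caller happens to use; it should be `#!/usr/bin/env bash` like the other start scripts. The trailing comments record that the floating `stable` tag already advanced to a broken 22.2.5.1, which is the argument for pinning the exact tag that works, `docker.nexus.home.rekahsoft.ca/nextcloud:22.2.3-apache`, and bumping deliberately. `TRUSTED_PROXIES="172.16.0.1"` with `APACHE_DISABLE_REWRITE_IP=1` means client addresses are taken from X-Forwarded-For only when sent by that one host, presumably the reverse proxy; a comment naming it would make the dependency explicit.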


@ -0,0 +1,10 @@
#!/usr/bin/env bash
docker run -d \
-p 80:3000 \
--restart unless-stopped \
--name grafana \
-v grafana:/var/lib/grafana \
-e "GF_INSTALL_PLUGINS=vonage-status-panel,grafana-piechart-panel" \
-e "GF_SECURITY_ALLOW_EMBEDDING=true" \
docker.nexus.home.rekahsoft.ca/grafana/grafana:8.1.5
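Review bot: `GF_SECURITY_ALLOW_EMBEDDING=true` drops the X-Frame-Options header Grafana otherwise sends, so every dashboard becomes frameable from any origin; if a single consumer embeds panels, a comment naming it — and a frame-ancestors restriction at the reverse proxy, if one fronts this host — would bound the exposure. This container also lacks the `--log-driver=loki` and `--log-opt` lines the gitea and drone scripts carry, so grafana's own logs stay on the local json-file driver; add the same three lines or comment why not.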


@ -0,0 +1,15 @@
#!/usr/bin/env bash
docker run -d \
--restart unless-stopped \
--name gitea \
-v gitea:/data \
-v /etc/timezone:/etc/timezone:ro \
-v /etc/localtime:/etc/localtime:ro \
-p 80:3000 \
-p 2222:22 \
--log-driver=loki \
--log-opt loki-url="http://loki.home.rekahsoft.ca:3100/loki/api/v1/push" \
--log-opt loki-retries=5 \
--log-opt loki-batch-size=400 \
docker.nexus.home.rekahsoft.ca/gitea/gitea:1.15.6


@ -0,0 +1,45 @@
auth_enabled: false
server:
http_listen_port: 3100
ingester:
lifecycler:
address: 127.0.0.1
ring:
kvstore:
store: inmemory
replication_factor: 1
final_sleep: 0s
chunk_idle_period: 5m
chunk_retain_period: 30s
max_transfer_retries: 0
schema_config:
configs:
- from: 2018-04-15
store: boltdb
object_store: filesystem
schema: v11
index:
prefix: index_
period: 168h
storage_config:
boltdb:
directory: /tmp/loki/index
filesystem:
directory: /tmp/loki/chunks
limits_config:
enforce_metric_name: false
reject_old_samples: true
reject_old_samples_max_age: 168h
chunk_store_config:
max_look_back_period: 0s
table_manager:
retention_deletes_enabled: false
retention_period: 0s
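Review bot: Both `directory: /tmp/loki/index` and `directory: /tmp/loki/chunks` point inside the container filesystem, and the loki start script mounts only `/var/lib/loki/config`, so every ingested log is lost whenever the container is recreated (image upgrade, `docker rm`); mount a data volume, e.g. `-v loki-data:/loki`, and place both directories under it. With `retention_deletes_enabled: false` and `retention_period: 0s` nothing is ever expired, so that volume will grow without bound. `auth_enabled: false` together with the published port 3100 means any host that can reach this VM may push or query logs; the other start scripts do push over plain http, so this is presumably relied upon and deserves a comment saying so.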


@ -0,0 +1,13 @@
#!/usr/bin/env bash
docker run -d \
--restart unless-stopped \
-v /var/lib/loki/config:/mnt/config \
-p 3100:3100 \
docker.nexus.home.rekahsoft.ca/grafana/loki:1.6.0 -config.file=/mnt/config/loki-config.yaml
docker run -d \
--restart unless-stopped \
-v /var/lib/loki/config:/mnt/config \
-v /var/log:/var/log \
docker.nexus.home.rekahsoft.ca/grafana/promtail:1.6.0 -config.file=/mnt/config/promtail-config.yaml


@ -0,0 +1,18 @@
server:
http_listen_port: 9080
grpc_listen_port: 0
positions:
filename: /tmp/positions.yaml
clients:
- url: http://loki:3100/loki/api/v1/push
scrape_configs:
- job_name: system
static_configs:
- targets:
- localhost
labels:
job: varlogs
__path__: /var/log/*log
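Review bot: `url: http://loki:3100/loki/api/v1/push` expects a host named `loki`, but the loki container in the start script is started without `--name` and both containers sit on the default bridge network, where container names are not resolvable anyway; unless the VM's resolver maps `loki` to itself, promtail will never deliver a line. Use the FQDN the other scripts already use, `url: http://loki.home.rekahsoft.ca:3100/loki/api/v1/push`, or put both containers on a user-defined network and start loki with `--name loki`. `filename: /tmp/positions.yaml` is also inside the container, so each recreation re-ships all of /var/log from the beginning.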


@ -0,0 +1,8 @@
#!/usr/bin/env bash
docker run -d \
--name prometheus \
--restart unless-stopped \
-p 9090:9090 \
-v /var/lib/prometheus:/etc/prometheus \
docker.nexus.home.rekahsoft.ca/prom/prometheus
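Review bot: `docker.nexus.home.rekahsoft.ca/prom/prometheus` carries no tag, so each pull may silently move to a new major release; every other image in this commit except the searx one is pinned, so pin this one (`prom/prometheus:<pinned-version>`) and the searx image likewise. Only the config directory is mounted; the TSDB lives at /prometheus inside the container and is lost on recreation, so add a data volume, e.g. `-v prometheus-data:/prometheus`.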


@ -0,0 +1,210 @@
# my global config
global:
scrape_interval: 15s
evaluation_interval: 30s
# scrape_timeout is set to the global default (10s).
#
# Applications
scrape_configs:
- job_name: grafana
scheme: http
dns_sd_configs:
- type: 'A'
port: 80
names:
- dash0.home.rekahsoft.ca
- job_name: gitea
scheme: http
dns_sd_configs:
- type: 'A'
port: 80
names:
- git0.home.rekahsoft.ca
#
# VMs
- job_name: vm-searx
scheme: http
dns_sd_configs:
- type: 'A'
port: 9100
names:
- searx0.home.rekahsoft.ca
- job_name: vm-git0
scheme: http
dns_sd_configs:
- type: 'A'
port: 9100
names:
- git0.home.rekahsoft.ca
- job_name: vm-ci0
scheme: http
dns_sd_configs:
- type: 'A'
port: 9100
names:
- ci0.home.rekahsoft.ca
- job_name: vm-ci-runner0
scheme: http
dns_sd_configs:
- type: 'A'
port: 9100
names:
- ci-runner0.home.rekahsoft.ca
- job_name: vm-my0
scheme: http
dns_sd_configs:
- type: 'A'
port: 9100
names:
- my0.home.rekahsoft.ca
- job_name: vm-torrent0
scheme: http
dns_sd_configs:
- type: 'A'
port: 9100
names:
- torrent0.home.rekahsoft.ca
- job_name: vm-plex0
scheme: http
dns_sd_configs:
- type: 'A'
port: 9100
names:
- plex0.home.rekahsoft.ca
- job_name: vm-loki
scheme: http
dns_sd_configs:
- type: 'A'
port: 9100
names:
- loki.home.rekahsoft.ca
- job_name: vm-postgres
scheme: http
dns_sd_configs:
- type: 'A'
port: 9100
names:
- postgres.home.rekahsoft.ca
#
# Physical hardware
- job_name: proxmox-nodes
scheme: http
dns_sd_configs:
- type: 'A'
port: 9100
names:
- pve-0.home.rekahsoft.ca
- type: 'A'
port: 9100
names:
- pve-1.home.rekahsoft.ca
- type: 'A'
port: 9100
names:
- pve-2.home.rekahsoft.ca
- type: 'A'
port: 9100
names:
- pve-3.home.rekahsoft.ca
- type: 'A'
port: 9100
names:
- pve-4.home.rekahsoft.ca
#
# Applications running directly on physical hardware
- job_name: ceph-metrics
scheme: http
dns_sd_configs:
- type: 'A'
port: 9283
names:
- pve-0.home.rekahsoft.ca
- type: 'A'
port: 9283
names:
- pve-1.home.rekahsoft.ca
- type: 'A'
port: 9283
names:
- pve-2.home.rekahsoft.ca
- type: 'A'
port: 9283
names:
- pve-3.home.rekahsoft.ca
- type: 'A'
port: 9283
names:
- pve-4.home.rekahsoft.ca
# - job_name: some-service
# metrics_path: /metrics
# static_configs:
# - targets:
# - localhost:9090
# - job_name: prometheus
# honor_labels: true
# # scrape_interval is defined by the configured global (15s).
# # scrape_timeout is defined by the global default (10s).
# # metrics_path defaults to '/metrics'
# # scheme defaults to 'http'.
# file_sd_configs:
# - files:
# - foo/*.slow.json
# - foo/*.slow.yml
# - single/file.yml
# refresh_interval: 10m
# - files:
# - bar/*.yaml
# static_configs:
# - targets: ['localhost:9090', 'localhost:9191']
# labels:
# my: label
# your: label
# relabel_configs:
# - source_labels: [job, __meta_dns_name]
# regex: (.*)some-[regex]
# target_label: job
# replacement: foo-${1}
# # action defaults to 'replace'
# - source_labels: [abc]
# target_label: cde
# - replacement: static
# target_label: abc
# - regex:
# replacement: static
# target_label: abc
# bearer_token_file: valid_token_file
# - job_name: badfederation
# honor_timestamps: false
# metrics_path: /federate
# static_configs:
# - targets:
# - localhost:9090
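Review bot: Every `dns_sd_configs` entry carries exactly one name even though `names` is a list, so the proxmox-nodes and ceph-metrics jobs each repeat the same four-line stanza five times; one entry per job with all five hosts under `names` is equivalent and far easier to keep in sync. The roughly forty commented-out lines at the end (`some-service`, `prometheus`, `badfederation`) are the upstream sample config pasted verbatim and can be removed, since they document nothing about this deployment. Collapsed form for the proxmox-nodes job (apply the same to ceph-metrics with port 9283):
```yaml
  - job_name: proxmox-nodes
    scheme: http
    dns_sd_configs:
      - type: 'A'
        port: 9100
        names:
          - pve-0.home.rekahsoft.ca
          - pve-1.home.rekahsoft.ca
          - pve-2.home.rekahsoft.ca
          - pve-3.home.rekahsoft.ca
          - pve-4.home.rekahsoft.ca
  # … unchanged: ceph-metrics job (same shape, port 9283) …
```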


@ -0,0 +1,9 @@
#!/usr/bin/env bash
docker run -d \
--name searx \
--restart unless-stopped \
-v /var/lib/searx:/etc/searx \
-p 8080:8080 \
-e BASE_URL=https://searx.home.rekahsoft.ca \
docker.nexus.home.rekahsoft.ca/searx/searx


@ -0,0 +1,11 @@
#!/usr/bin/env bash
docker run -d \
--restart unless-stopped \
--name bitwarden \
-v bitwarden:/data \
-e DOMAIN=https://vault.home.rekahsoft.ca \
-e ADMIN_TOKEN=82HHZZImGbiZ2WaOybVvIM9ug+MgGO/VhMG5t16DbwpsRrTe3jUlOD76VPUXctB5 \
-e SIGNUPS_ALLOWED=false \
-p 80:80 \
docker.nexus.home.rekahsoft.ca/vaultwarden/server:1.23.0
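Review bot: This container has none of the `--log-driver=loki` / `--log-opt` lines the gitea, drone and runner scripts carry, so vaultwarden's log — including failed admin-panel and login attempts, the events most worth alerting on for a password manager — stays on the local json-file driver; add the same three `--log-opt` lines or comment why it is excluded. `DOMAIN=https://vault.home.rekahsoft.ca` with only `-p 80:80` published implies TLS is terminated by a proxy in front of this VM; a comment naming it would document the dependency.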