From acaa20d632da16937508a45ef2cc0083e09bae4c Mon Sep 17 00:00:00 2001 
From: "Collin J. Doering" Date: Sun, 20 Mar 2022 22:31:46 -0400 Subject: [PATCH] Initial commit --- .gitignore | 4 + .guix-authorizations | 9 + .guix-channel | 5 + .../manual/laptop-lenovo-t480s.scm | 147 ++++++++ .../guix-config/proxmox-vm-lvm-minimal.scm | 129 +++++++ .../vms/ci-runner0-home-rekahsoft-ca.scm | 82 +++++ .../guix-config/vms/ci0-home-rekahsoft-ca.scm | 83 +++++ .../vms/cloud0-home-rekahsoft-ca.scm | 64 ++++ .../vms/dash0-home-rekahsoft-ca.scm | 84 +++++ .../vms/git0-home-rekahsoft-ca.scm | 83 +++++ .../vms/grocy0-home-rekahsoft-ca.scm | 32 ++ .../vms/guix-ci0-home-rekahsoft-ca.scm | 314 ++++++++++++++++++ .../vms/loki-home-rekahsoft-ca.scm | 86 +++++ .../vms/postgres-home-rekahsoft-ca.scm | 94 ++++++ .../vms/prom0-home-rekahsoft-ca.scm | 84 +++++ .../vms/searx0-home-rekahsoft-ca.scm | 86 +++++ .../vms/vault0-home-rekahsoft-ca.scm | 27 ++ .pubkeys/collin.pub | 1 + .pubkeys/guix-coordinator-key.pub | 7 + README.org | 145 ++++++++ TODO.org | 58 ++++ channels-manual.scm | 22 ++ channels-vms.scm | 22 ++ deploy/cloud0-home-rekahsoft-ca.scm | 13 + deploy/grocy0-home-rekahsoft-ca.scm | 13 + deploy/guix-ci0-home-rekahsoft-ca.scm | 13 + deploy/vault0-home-rekahsoft-ca.scm | 13 + .../drone-runner-guix.sh | 20 ++ .../drone-runner.sh | 17 + unguix/ci0-home-rekahsoft-ca/drone.sh | 21 ++ unguix/cloud0-home-rekahsoft-ca/nextcloud.sh | 16 + unguix/dash0-home-rekahsoft-ca/grafana.sh | 10 + unguix/git0-home-rekahsoft-ca/gitea.sh | 15 + .../loki-home-rekahsoft-ca/loki-config.yaml | 45 +++ unguix/loki-home-rekahsoft-ca/loki.sh | 13 + .../promtail-config.yaml | 18 + unguix/prom0-home-rekahsoft-ca/prometheus.sh | 8 + .../prom0-home-rekahsoft-ca/prometheus.yaml | 210 ++++++++++++ unguix/searx0-home-rekahsoft-ca/searx.sh | 9 + .../vault0-home-rekahsoft-ca/vaultwarden.sh | 11 + 40 files changed, 2133 insertions(+) create mode 100644 .gitignore create mode 100644 .guix-authorizations create mode 100644 .guix-channel create mode 100644 
.guix/rekahsoft/guix-config/manual/laptop-lenovo-t480s.scm create mode 100644 .guix/rekahsoft/guix-config/proxmox-vm-lvm-minimal.scm create mode 100644 .guix/rekahsoft/guix-config/vms/ci-runner0-home-rekahsoft-ca.scm create mode 100644 .guix/rekahsoft/guix-config/vms/ci0-home-rekahsoft-ca.scm create mode 100644 .guix/rekahsoft/guix-config/vms/cloud0-home-rekahsoft-ca.scm create mode 100644 .guix/rekahsoft/guix-config/vms/dash0-home-rekahsoft-ca.scm create mode 100644 .guix/rekahsoft/guix-config/vms/git0-home-rekahsoft-ca.scm create mode 100644 .guix/rekahsoft/guix-config/vms/grocy0-home-rekahsoft-ca.scm create mode 100644 .guix/rekahsoft/guix-config/vms/guix-ci0-home-rekahsoft-ca.scm create mode 100644 .guix/rekahsoft/guix-config/vms/loki-home-rekahsoft-ca.scm create mode 100644 .guix/rekahsoft/guix-config/vms/postgres-home-rekahsoft-ca.scm create mode 100644 .guix/rekahsoft/guix-config/vms/prom0-home-rekahsoft-ca.scm create mode 100644 .guix/rekahsoft/guix-config/vms/searx0-home-rekahsoft-ca.scm create mode 100644 .guix/rekahsoft/guix-config/vms/vault0-home-rekahsoft-ca.scm create mode 100644 .pubkeys/collin.pub create mode 100644 .pubkeys/guix-coordinator-key.pub create mode 100644 README.org create mode 100644 TODO.org create mode 100644 channels-manual.scm create mode 100644 channels-vms.scm create mode 100644 deploy/cloud0-home-rekahsoft-ca.scm create mode 100644 deploy/grocy0-home-rekahsoft-ca.scm create mode 100644 deploy/guix-ci0-home-rekahsoft-ca.scm create mode 100644 deploy/vault0-home-rekahsoft-ca.scm create mode 100644 unguix/ci-runner0-home-rekahsoft-ca/drone-runner-guix.sh create mode 100644 unguix/ci-runner0-home-rekahsoft-ca/drone-runner.sh create mode 100644 unguix/ci0-home-rekahsoft-ca/drone.sh create mode 100755 unguix/cloud0-home-rekahsoft-ca/nextcloud.sh create mode 100644 unguix/dash0-home-rekahsoft-ca/grafana.sh create mode 100644 unguix/git0-home-rekahsoft-ca/gitea.sh create mode 100644 unguix/loki-home-rekahsoft-ca/loki-config.yaml create 
mode 100644 unguix/loki-home-rekahsoft-ca/loki.sh
create mode 100644 unguix/loki-home-rekahsoft-ca/promtail-config.yaml
create mode 100644 unguix/prom0-home-rekahsoft-ca/prometheus.sh
create mode 100644 unguix/prom0-home-rekahsoft-ca/prometheus.yaml
create mode 100644 unguix/searx0-home-rekahsoft-ca/searx.sh
create mode 100644 unguix/vault0-home-rekahsoft-ca/vaultwarden.sh
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..08b7e50
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+# Emacs
+*~
+
+.deploy-key
diff --git a/.guix-authorizations b/.guix-authorizations
new file mode 100644
index 0000000..82f090f
--- /dev/null
+++ b/.guix-authorizations
@@ -0,0 +1,9 @@
+;; This is the list of OpenPGP keys currently authorized to sign commits in
+;; this repository.
+
+(authorizations
+ (version 0)
+
+ ((;; primary: "F7BD DC6D BBE6 B16B 2C71 1A02 5FAB 9938 E05B FEC8"
+ "F8D5 46F3 AF37 EF53 D1B6 48BE 7B4D EB93 212B 3022"
+ (name "rekahsoft"))))
diff --git a/.guix-channel b/.guix-channel
new file mode 100644
index 0000000..e0dec60
--- /dev/null
+++ b/.guix-channel
@@ -0,0 +1,5 @@
+;; -*- mode: scheme; -*-
+
+(channel
+ (version 0)
+ (directory ".guix"))
diff --git a/.guix/rekahsoft/guix-config/manual/laptop-lenovo-t480s.scm b/.guix/rekahsoft/guix-config/manual/laptop-lenovo-t480s.scm
new file mode 100644
index 0000000..b2bc532
--- /dev/null
+++ b/.guix/rekahsoft/guix-config/manual/laptop-lenovo-t480s.scm
@@ -0,0 +1,147 @@ +(define-module (rekahsoft guix-config manual laptop-lenovo-t480s) + #:use-module (gnu) + #:use-module (gnu system nss) + #:use-module (gnu packages linux) + #:use-module (gnu packages shells) + #:use-module (gnu services virtualization) + #:use-module (gnu services docker) + #:use-module (gnu services desktop) + #:use-module (gnu services xorg) + #:use-module (gnu services security-token) + #:use-module (nongnu packages linux) + #:use-module (nongnu system linux-initrd) + #:export (system)) + +(define system + (operating-system + (host-name "rekahsoft-mini") + (timezone "America/Toronto") + (locale "en_US.utf8") + + ;; Choose US English keyboard layout. + (keyboard-layout (keyboard-layout "us")) + + ;; Use the UEFI variant of GRUB with the EFI System + ;; Partition mounted on /boot/efi. + (bootloader (bootloader-configuration + (bootloader grub-efi-bootloader) + (targets '("/boot/efi")) + (keyboard-layout keyboard-layout))) + + ;; Use non-free kernel, intel microcode and proprietary firmware + (kernel linux) + (initrd microcode-initrd) + (firmware (list linux-firmware)) + + ;; Specify a mapped device for the encrypted root partition. + ;; The UUID is that returned by 'cryptsetup luksUUID'. 
+ (mapped-devices + (list (mapped-device + (source (uuid "c811a95f-7de8-4c25-8b96-f4d223e5a06e")) + (target "crypt") + (type luks-device-mapping)) + (mapped-device + (source "vg0") + (targets (list "vg0-root" "vg0-swap")) + (type lvm-device-mapping)))) + + (file-systems (append + (list (file-system + (device (file-system-label "root")) + (mount-point "/") + (type "btrfs") + (options "subvol=@,compress=zstd") + (dependencies mapped-devices)) + (file-system + (device (uuid "8767-90D2" 'fat)) + (mount-point "/boot/efi") + (type "vfat"))) + %base-file-systems)) + + (swap-devices + (list (swap-space + (target (file-system-label "swap")) + (dependencies mapped-devices)))) + + (users (cons* (user-account + (name "collin") + (comment "Collin J Doering") + (shell (file-append zsh "/bin/zsh")) + (group "users") + (supplementary-groups '("wheel" "netdev" "lp" "libvirt" "docker" + "audio" "video"))) + (user-account + (name "test") + (comment "Test user") + (shell (file-append zsh "/bin/zsh")) + (group "users") + (supplementary-groups '("wheel" "netdev" "lp" "libvirt" "docker" + "audio" "video"))) + %base-user-accounts)) + + (packages + (append + (map specification->package + '("nss-certs" ;; for HTTPS access + "gvfs" ;; for user mounts + "btrfs-progs" ;; for btrfs root filesystem + "xinitrc-xsession" ;; for starting users .xinitrc from display manager + "tmux" + "recutils" + "emacs" + "emacs-guix")) + %base-packages)) + + (services + (append + (list (bluetooth-service) + (service pcscd-service-type) + (service libvirt-service-type + (libvirt-configuration + (unix-sock-group "libvirt") + (listen-tls? #f) + (listen-tcp? 
#f))) + (service docker-service-type) + (service qemu-binfmt-service-type + (qemu-binfmt-configuration + (platforms (lookup-qemu-platforms "arm" "aarch64")))) + (set-xorg-configuration + (xorg-configuration + (keyboard-layout keyboard-layout)))) + (modify-services %desktop-services + ;; Add and authorize non-guix substitute server + (guix-service-type config => + (guix-configuration + (inherit config) + (substitute-urls + (append (list "https://substitutes.nonguix.org" + "https://guix-ci.home.rekahsoft.ca") + %default-substitute-urls)) + (authorized-keys + (append (list (plain-file "non-guix.pub" + "(public-key + (ecc + (curve Ed25519) + (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#) + ) + )") + (plain-file "rekahsoft-guix.pub" + "(public-key + (ecc + (curve Ed25519) + (q #13EBA5788C96A57B32273782E8CB24834338B7DC00D7C0F103CA2C5576409A78#) + ) + )")) + %default-authorized-guix-keys)))) + + ;; Add udev rule for yubikeys + ;; See: https://lists.gnu.org/archive/html/guix-devel/2020-01/msg00418.html + (udev-service-type + config => + (udev-configuration (inherit config) + (rules (cons (specification->package "libu2f-host") + (udev-configuration-rules + config)))))))) + + ;; Allow resolution of '.local' host names with mDNS. + (name-service-switch %mdns-host-lookup-nss))) diff --git a/.guix/rekahsoft/guix-config/proxmox-vm-lvm-minimal.scm b/.guix/rekahsoft/guix-config/proxmox-vm-lvm-minimal.scm new file mode 100644 index 0000000..c6cc82d --- /dev/null +++ b/.guix/rekahsoft/guix-config/proxmox-vm-lvm-minimal.scm 
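Review bot: The second `user-account` named `test` in the laptop's `users` list carries the same `wheel`, `libvirt` and `docker` supplementary groups as the primary account, which makes a throwaway "Test user" root-equivalent on this machine (membership in the `docker` group alone is sufficient to become root on the host). If the account is only for trying things out, trim it to the unprivileged groups, e.g. `(supplementary-groups '("netdev" "audio" "video"))`, or drop it from the deployed configuration. A short comment stating why a second full-privilege account exists would also help the next reader of this file.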
@@ -0,0 +1,129 @@ +(define-module (rekahsoft guix-config proxmox-vm-lvm-minimal) + #:use-module (gnu) + #:use-module (gnu packages) + #:use-module (gnu system nss) + #:use-module (srfi srfi-1) + + #:use-module (gnu services dbus) + #:use-module (gnu services desktop) + #:use-module (gnu services networking) + #:use-module (gnu services monitoring) + #:use-module (gnu services ssh) + #:use-module (gnu services xorg) + #:use-module (gnu packages bash) + #:use-module (gnu packages shells) + #:export (%proxmox-vm-lvm-minimal-services + proxmox-vm-lvm-minimal)) + +(define %automation-user "auto") +(define %guix-key (local-file "../../../.pubkeys/guix-coordinator-key.pub")) + +;; Services need to be exposed this way so they can be overriden via guix's special +;; record inheritance. Otherwise, if trying to directly use an operating-system's +;; services, an error will be recieved about an abiguous-service called 'system. +(define %proxmox-vm-lvm-minimal-services + (append + (list (service openssh-service-type + (openssh-configuration + (password-authentication? #f) + (authorized-keys + `(("auto" ,(local-file "../../../.deploy-key/key.pub")) + ("collin" ,(local-file "../../../.pubkeys/collin.pub")) + ("root" ,(local-file "../../../.pubkeys/collin.pub")))))) + (service prometheus-node-exporter-service-type) + + ;; + ;; All below services were taken from %desktop-services + + ;; Add polkit rules, so that non-root users in the wheel group can + ;; perform administrative tasks (similar to "sudo"). + polkit-wheel-service + + ;; The global fontconfig cache directory can sometimes contain + ;; stale entries, possibly referencing fonts that have been GC'd, + ;; so mount it read-only. + fontconfig-file-system-service + + ;; NetworkManager + (service network-manager-service-type) + (service wpa-supplicant-service-type) ;needed by NetworkManager + + ;; The D-Bus clique. 
+ (accountsservice-service) + (service polkit-service-type) + (elogind-service) + (dbus-service) + + (service ntp-service-type)) + (modify-services + %base-services + (guix-service-type + config => (guix-configuration + (inherit config) + (authorized-keys (cons %guix-key %default-authorized-guix-keys)) + (substitute-urls %default-substitute-urls)))))) + +(define (proxmox-vm-lvm-minimal host-name) + (operating-system + (host-name host-name) + (timezone "America/Toronto") + (locale "en_US.utf8") + (keyboard-layout (keyboard-layout "us")) + + (bootloader (bootloader-configuration + (bootloader grub-bootloader) + (targets '("/dev/sda")))) + + (initrd-modules + (append '("virtio_scsi") %base-initrd-modules)) + + (mapped-devices + (list (mapped-device + (source "vg0") + (targets (list "vg0-root" "vg0-swap")) + (type lvm-device-mapping)))) + + (swap-devices + (list (swap-space + (target (file-system-label "swap")) + (dependencies mapped-devices)))) + + (file-systems (append + (list (file-system + (device (file-system-label "root")) + (mount-point "/") + (type "ext4") + (dependencies mapped-devices))) + %base-file-systems)) + + (users (cons* (user-account + (name %automation-user) + (comment "Automation User") + (group "users") + (shell #~(string-append #$bash "/bin/bash")) + (supplementary-groups + '("wheel" "netdev" "audio" "video")) + (home-directory "/home/auto")) + %base-user-accounts)) + + (sudoers-file + (plain-file "sudoers" + (string-append (plain-file-content %sudoers-specification) + (format #f "~a ALL = NOPASSWD: ALL~%" + %automation-user)))) + + (packages + (append + (map specification->package + '("nss-certs" + "recutils" + "openssh" + "tmux" + "emacs" + "emacs-guix")) + %base-packages)) + + (services %proxmox-vm-lvm-minimal-services) + + ;; Allow resolution of '.local' host names with mDNS. + (name-service-switch %mdns-host-lookup-nss))) 
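Review bot: The `openssh-configuration` in `%proxmox-vm-lvm-minimal-services` authorizes `collin.pub` for `"root"` but never sets `permit-root-login`, so whether root key login works at all depends on the Guix default for that field (which, as far as I recall, disables root login); state the intent explicitly, e.g. `(permit-root-login 'prohibit-password)` if root SSH is wanted, or drop the `"root"` entry so the key does not appear authorized when it is not. The same `"root"` entry appears in the ci-runner0, ci0, dash0 and git0 hunks. Separately, the `auto` account is placed in `wheel` and also granted `NOPASSWD: ALL` through `sudoers-file`; the `wheel` membership is redundant with the explicit sudoers line and deserves a comment saying why both are present. The comment above this definition also has a few typos (`overriden`, `recieved`, `abiguous`) worth fixing while here.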
diff --git a/.guix/rekahsoft/guix-config/vms/ci-runner0-home-rekahsoft-ca.scm b/.guix/rekahsoft/guix-config/vms/ci-runner0-home-rekahsoft-ca.scm new file mode 100644 index 0000000..0ed61f5 --- /dev/null +++ b/.guix/rekahsoft/guix-config/vms/ci-runner0-home-rekahsoft-ca.scm 
@@ -0,0 +1,82 @@ +(define-module (rekahsoft guix-config vms ci-runner0-home-rekahsoft-ca) + #:use-module (gnu) + #:use-module (gnu system nss) + #:use-module (gnu packages) + #:use-module (gnu packages shells) + #:use-module (gnu services desktop) + #:use-module (gnu services docker) + #:use-module (gnu services networking) + #:use-module (gnu services monitoring) + #:use-module (gnu services ssh) + #:use-module (gnu services xorg) + #:use-module (srfi srfi-1) + #:export (system)) + +(define system + (operating-system + (host-name "ci-runner0") + (timezone "America/Toronto") + (locale "en_US.utf8") + (keyboard-layout (keyboard-layout "us")) + + (bootloader + (bootloader-configuration + (bootloader grub-bootloader) + (target "/dev/sda") + (keyboard-layout keyboard-layout))) + + (initrd-modules + (append '("virtio_scsi") %base-initrd-modules)) + + (swap-devices (list "/dev/sda2")) + + (file-systems + (cons* (file-system + (mount-point "/") + (device + (uuid "f354b908-fd6f-46c9-931b-2bebaac61b56" + 'ext4)) + (type "ext4")) + %base-file-systems)) + + (users (cons (user-account + (name "collin") + (comment "Master User") + (group "users") + (shell #~(string-append #$zsh "/bin/zsh")) + (supplementary-groups + '("wheel" "netdev" "audio" "video" "docker")) + (home-directory "/home/collin")) + %base-user-accounts)) + + (packages + (append + (map specification->package + '("nss-certs" + "recutils" + "tmux" + "emacs" + "emacs-guix")) + %base-packages)) + + (services + (append + (list (service openssh-service-type + (openssh-configuration + (password-authentication? #f) + (authorized-keys + `(("collin" ,(local-file "collin.pub")) + ("root" ,(local-file "collin.pub")))))) + (service prometheus-node-exporter-service-type) + (service docker-service-type)) + (modify-services + (remove (lambda (service) + (eq? 
(service-kind service) gdm-service-type)) + %desktop-services) + (guix-service-type + config => (guix-configuration + (inherit config) + (substitute-urls '("https://nexus.home.rekahsoft.ca/repository/guix"))))))) + + ;; Allow resolution of '.local' host names with mDNS. + (name-service-switch %mdns-host-lookup-nss))) diff --git a/.guix/rekahsoft/guix-config/vms/ci0-home-rekahsoft-ca.scm b/.guix/rekahsoft/guix-config/vms/ci0-home-rekahsoft-ca.scm new file mode 100644 index 0000000..79af52e --- /dev/null +++ b/.guix/rekahsoft/guix-config/vms/ci0-home-rekahsoft-ca.scm 
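Review bot: `(local-file "collin.pub")` in the `authorized-keys` list resolves relative to this file's `vms/` directory, and the commit's file list contains no `.guix/rekahsoft/guix-config/vms/collin.pub` (only `.pubkeys/collin.pub`), so building this system should fail at the `local-file` lookup; the proxmox base file already uses `(local-file "../../../.pubkeys/collin.pub")`, which is the path to use here. The same reference appears in the ci0, dash0 and git0 hunks. Those four systems also all declare their root file system as `(uuid "f354b908-fd6f-46c9-931b-2bebaac61b56" 'ext4)` and use the deprecated `(target "/dev/sda")` where the laptop and proxmox files use `(targets '("/dev/sda"))`; if they were copied from one template, that UUID can only be correct for one of the VMs, so each should be verified against its own disk.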
@@ -0,0 +1,83 @@ +(define-module (rekahsoft guix-config vms ci0-home-rekahsoft-ca) + #:use-module (gnu) + #:use-module (gnu system nss) + #:use-module (gnu packages) + #:use-module (gnu packages shells) + #:use-module (gnu services desktop) + #:use-module (gnu services networking) + #:use-module (gnu services ssh) + #:use-module (gnu services monitoring) + #:use-module (gnu services docker) + #:use-module (gnu services xorg) + #:use-module (srfi srfi-1) + #:export (system)) + +(define system + (operating-system + (host-name "ci0") + (timezone "America/Toronto") + (locale "en_US.utf8") + (keyboard-layout (keyboard-layout "us")) + + (bootloader + (bootloader-configuration + (bootloader grub-bootloader) + (target "/dev/sda") + (keyboard-layout keyboard-layout))) + + (initrd-modules + (append '("virtio_scsi") %base-initrd-modules)) + + (swap-devices (list "/dev/sda2")) + + (file-systems + (cons* (file-system + (mount-point "/") + (device + (uuid "f354b908-fd6f-46c9-931b-2bebaac61b56" + 'ext4)) + (type "ext4")) + %base-file-systems)) + + (users (cons (user-account + (name "collin") + (comment "Master User") + (group "users") + (shell #~(string-append #$zsh "/bin/zsh")) + (supplementary-groups + '("wheel" "netdev" "audio" "video" "docker")) + (home-directory "/home/collin")) + %base-user-accounts)) + + (packages + (append + (map specification->package + '("nss-certs" + "recutils" + "openssh" + "tmux" + "emacs" + "emacs-guix")) + %base-packages)) + + (services + (append + (list (service openssh-service-type + (openssh-configuration + (password-authentication? #f) + (authorized-keys + `(("collin" ,(local-file "collin.pub")) + ("root" ,(local-file "collin.pub")))))) + (service prometheus-node-exporter-service-type) + (service docker-service-type)) + (modify-services + (remove (lambda (service) + (eq? 
(service-kind service) gdm-service-type)) + %desktop-services) + (guix-service-type + config => (guix-configuration + (inherit config) + (substitute-urls '("https://nexus.home.rekahsoft.ca/repository/guix"))))))) + + ;; Allow resolution of '.local' host names with mDNS. + (name-service-switch %mdns-host-lookup-nss))) diff --git a/.guix/rekahsoft/guix-config/vms/cloud0-home-rekahsoft-ca.scm b/.guix/rekahsoft/guix-config/vms/cloud0-home-rekahsoft-ca.scm new file mode 100644 index 0000000..e57b4a3 --- /dev/null +++ b/.guix/rekahsoft/guix-config/vms/cloud0-home-rekahsoft-ca.scm 
@@ -0,0 +1,64 @@ +(define-module (rekahsoft guix-config vms cloud0-home-rekahsoft-ca) + #:use-module (gnu) + #:use-module (gnu system) + #:use-module (gnu packages docker) + #:use-module (gnu packages shells) + #:use-module (gnu packages storage) + #:use-module (gnu services docker) + #:use-module (gnu services shepherd) + #:use-module (rekahsoft guix-config proxmox-vm-lvm-minimal) + #:export (system)) + +(define base-system (proxmox-vm-lvm-minimal "cloud0")) + +(define cephfs-service + (simple-service 'cephfs shepherd-root-service-type + (list (shepherd-service + (provision '(cephfs)) + (requirement '(networking file-system-/mnt/cephfs)) + (start #~(make-system-constructor "/run/setuid-programs/mount /mnt/cephfs")) + (stop #~(make-system-constructor "/run/setuid-programs/umount /mnt/cephfs")) + (respawn? #f))))) + +;; TODO: run nextcloud docker container as shepherd service +;; TODO: Manually setup basic nextcloud cron on guix host; this should be replaced with configuration as code - THIS DOESN'T ACTUALLY WORK. The manually created crontab is not exected. 
+;; TODO: add mcron job for nextcloud cron: 'docker exec -t -u www-data nextcloud php --define apc.enable_cli=1 -f /var/www/html/cron.php' +;; TODO: add mcron job for nextcloud preview generation: 'docker exec -t -u www-data nextcloud php occ preview:pre-generate' + +(define system + (operating-system + (inherit base-system) + (users (cons* + (user-account + (name "collin") + (comment "Master User") + (group "users") + (shell #~(string-append #$zsh "/bin/zsh")) + (supplementary-groups + '("wheel" "netdev" "audio" "video" "docker")) + (home-directory "/home/collin")) + (operating-system-users base-system))) + + (file-systems + (append + (list (file-system + (device "172.16.0.20,172.16.0.21,172.16.0.22:/file-vault/nextcloud") + (options "rw,relatime,name=file-vault-nextcloud,secretfile=/etc/ceph/ceph.client.file-vault-nextcloud.key,acl") + ;; Filesystem cannot be mounted as its not a real device; instead a shepherd service is used to mount the file-system + (mount? #f) + (create-mount-point? #t) + (mount-point "/mnt/cephfs") + (type "ceph"))) + (operating-system-file-systems base-system))) + + (packages + (append + (map specification->package + '("ceph")) + (operating-system-packages base-system))) + + (services + (append + (list (service docker-service-type) + cephfs-service) + %proxmox-vm-lvm-minimal-services)))) diff --git a/.guix/rekahsoft/guix-config/vms/dash0-home-rekahsoft-ca.scm b/.guix/rekahsoft/guix-config/vms/dash0-home-rekahsoft-ca.scm new file mode 100644 index 0000000..54564a4 --- /dev/null +++ b/.guix/rekahsoft/guix-config/vms/dash0-home-rekahsoft-ca.scm 
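Review bot: The `cephfs` shepherd service's `stop` slot uses `make-system-constructor` for the `umount`, the same helper as `start`; as far as I recall Shepherd expects a stop procedure to return #f once the service is down, which is what `make-system-destructor` provides, so with the current code `herd stop cephfs` likely unmounts the share but leaves the service marked as running. Suggested change: `(stop #~(make-system-destructor "/run/setuid-programs/umount /mnt/cephfs"))`. The `file-system` record would also benefit from a comment noting that the Ceph client key is read from `/etc/ceph/ceph.client.file-vault-nextcloud.key` at mount time and is deliberately provisioned outside the Guix store, which is world-readable, and from a check that Guix still emits the `file-system-/mnt/cephfs` shepherd service named in `requirement` when `mount?` is #f.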
@@ -0,0 +1,84 @@ +(define-module (rekahsoft guix-config vms dash0-home-rekahsoft-ca) + #:use-module (gnu) + #:use-module (gnu system nss) + #:use-module (gnu packages) + #:use-module (gnu packages shells) + #:use-module (gnu services desktop) + #:use-module (gnu services dbus) + #:use-module (gnu services networking) + #:use-module (gnu services ssh) + #:use-module (gnu services docker) + #:use-module (gnu services xorg) + #:use-module (srfi srfi-1) + #:export (system)) + +(define system + (operating-system + (host-name "dash0") + (timezone "America/Toronto") + (locale "en_US.utf8") + (keyboard-layout (keyboard-layout "us")) + + (bootloader + (bootloader-configuration + (bootloader grub-bootloader) + (target "/dev/sda") + (keyboard-layout keyboard-layout))) + + (initrd-modules + (append '("virtio_scsi") %base-initrd-modules)) + + (swap-devices (list "/dev/sda2")) + + (file-systems + (cons* (file-system + (mount-point "/") + (device + (uuid "f354b908-fd6f-46c9-931b-2bebaac61b56" + 'ext4)) + (type "ext4")) + %base-file-systems)) + + (users (cons (user-account + (name "collin") + (comment "Master User") + (group "users") + (shell #~(string-append #$zsh "/bin/zsh")) + (supplementary-groups + '("wheel" "netdev" "audio" "video" "docker")) + (home-directory "/home/collin")) + %base-user-accounts)) + + (packages + (append + (map specification->package + '("nss-certs" + "recutils" + "openssh" + "tmux" + "emacs" + "emacs-guix")) + %base-packages)) + + (services + (append + (list (service openssh-service-type + (openssh-configuration + (password-authentication? 
#f) + (authorized-keys + `(("collin" ,(local-file "collin.pub")) + ("root" ,(local-file "collin.pub")))))) + (service docker-service-type) + (dbus-service) + (elogind-service) + (service network-manager-service-type) + (service wpa-supplicant-service-type)) + (modify-services + %base-services + (guix-service-type + config => (guix-configuration + (inherit config) + (substitute-urls '("https://nexus.home.rekahsoft.ca/repository/guix"))))))) + + ;; Allow resolution of '.local' host names with mDNS. + (name-service-switch %mdns-host-lookup-nss))) diff --git a/.guix/rekahsoft/guix-config/vms/git0-home-rekahsoft-ca.scm b/.guix/rekahsoft/guix-config/vms/git0-home-rekahsoft-ca.scm new file mode 100644 index 0000000..737b2d6 --- /dev/null +++ b/.guix/rekahsoft/guix-config/vms/git0-home-rekahsoft-ca.scm 
@@ -0,0 +1,83 @@ +(define-module (rekahsoft guix-config vms git0-home-rekahsoft-ca) + #:use-module (gnu) + #:use-module (gnu system nss) + #:use-module (gnu packages) + #:use-module (gnu packages shells) + #:use-module (gnu services desktop) + #:use-module (gnu services networking) + #:use-module (gnu services ssh) + #:use-module (gnu services monitoring) + #:use-module (gnu services docker) + #:use-module (gnu services xorg) + #:use-module (srfi srfi-1) + #:export (system)) + +(define system + (operating-system + (host-name "git0") + (timezone "America/Toronto") + (locale "en_US.utf8") + (keyboard-layout (keyboard-layout "us")) + + (bootloader + (bootloader-configuration + (bootloader grub-bootloader) + (target "/dev/sda") + (keyboard-layout keyboard-layout))) + + (initrd-modules + (append '("virtio_scsi") %base-initrd-modules)) + + (swap-devices (list "/dev/sda2")) + + (file-systems + (cons* (file-system + (mount-point "/") + (device + (uuid "f354b908-fd6f-46c9-931b-2bebaac61b56" + 'ext4)) + (type "ext4")) + %base-file-systems)) + + (users (cons (user-account + (name "collin") + (comment "Master User") + (group "users") + (shell #~(string-append #$zsh "/bin/zsh")) + (supplementary-groups + '("wheel" "netdev" "audio" "video" "docker")) + (home-directory "/home/collin")) + %base-user-accounts)) + + (packages + (append + (map specification->package + '("nss-certs" + "recutils" + "tmux" + "emacs" + "emacs-guix" + "docker-compose")) + %base-packages)) + + (services + (append + (list (service openssh-service-type + (openssh-configuration + ;; (password-authentication? #f) + (authorized-keys + `(("collin" ,(local-file "collin.pub")) + ("root" ,(local-file "collin.pub")))))) + (service prometheus-node-exporter-service-type) + (service docker-service-type)) + (modify-services + (remove (lambda (service) + (eq? 
(service-kind service) gdm-service-type)) + %desktop-services) + (guix-service-type + config => (guix-configuration + (inherit config) + (substitute-urls '("https://nexus.home.rekahsoft.ca/repository/guix"))))))) + + ;; Allow resolution of '.local' host names with mDNS. + (name-service-switch %mdns-host-lookup-nss))) diff --git a/.guix/rekahsoft/guix-config/vms/grocy0-home-rekahsoft-ca.scm b/.guix/rekahsoft/guix-config/vms/grocy0-home-rekahsoft-ca.scm new file mode 100644 index 0000000..6b0d1df --- /dev/null +++ b/.guix/rekahsoft/guix-config/vms/grocy0-home-rekahsoft-ca.scm @@ -0,0 +1,32 @@ +(define-module (rekahsoft guix-config vms grocy0-home-rekahsoft-ca) + #:use-module (gnu) + #:use-module (gnu system) + #:use-module (gnu packages shells) + #:use-module (gnu services docker) + #:use-module (rekahsoft guix-config proxmox-vm-lvm-minimal) + #:export (system)) + +(define base-system (proxmox-vm-lvm-minimal "grocy0")) + +(define system + (operating-system + (inherit base-system) + (users (cons* + (user-account + (name "collin") + (comment "Master User") + (group "users") + (shell #~(string-append #$zsh "/bin/zsh")) + (supplementary-groups + '("wheel" "netdev" "audio" "video" "docker")) + (home-directory "/home/collin")) + (operating-system-users base-system))) + (packages + (append + (map specification->package + '("docker-compose")) + (operating-system-packages base-system))) + (services + (append + (list (service docker-service-type)) + %proxmox-vm-lvm-minimal-services)))) diff --git a/.guix/rekahsoft/guix-config/vms/guix-ci0-home-rekahsoft-ca.scm b/.guix/rekahsoft/guix-config/vms/guix-ci0-home-rekahsoft-ca.scm new file mode 100644 index 0000000..46079fd --- /dev/null +++ b/.guix/rekahsoft/guix-config/vms/guix-ci0-home-rekahsoft-ca.scm 
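Review bot: `(password-authentication? #f)` is commented out in git0's `openssh-configuration`, so password SSH logins stay at the Guix default (enabled, as far as I recall) on the host that fronts the git server, while every other VM in this commit disables them. If the commented-out line is a deliberate workaround, a comment explaining why should replace it; otherwise restore `(password-authentication? #f)` so git0 matches the rest of the fleet.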
@@ -0,0 +1,314 @@ +(define-module (rekahsoft guix-config vms guix-ci0-home-rekahsoft-ca) + #:use-module (gnu) + #:use-module (gnu system) + #:use-module (gnu packages shells) + #:use-module (gnu services base) + #:use-module (gnu services cuirass) + #:use-module (gnu services web) + #:use-module (rekahsoft guix-config proxmox-vm-lvm-minimal) + #:export (system)) + +(define base-system (proxmox-vm-lvm-minimal "guix-ci0")) + +(define %cuirass-specs + #~(let ((rekahsoft-guix-channel + (channel + (name 'rekahsoft-guix) + (url "https://git.rekahsoft.ca/rekahsoft/rekahsoft-guix.git")))) + (list (specification + (name "rekahsoft-guix") + (priority 0) + (build '(channels rekahsoft-guix)) + (channels + (cons rekahsoft-guix-channel + %default-channels))) + (specification + (name "rekahsoft-dotfiles") + (build '(manifests "home-manifest.scm")) + (channels + (cons* (channel + (name 'rekahsoft-dotfiles) + (url "https://git.home.rekahsoft.ca/rekahsoft-public/dotfiles.git")) + (channel + (name 'nonguix) + (url "https://gitlab.com/nonguix/nonguix")) + rekahsoft-guix-channel + %default-channels)))))) + +;; Taken from: https://git.savannah.gnu.org/cgit/guix/maintenance.git/tree/hydra/nginx/berlin.scm +(define (publish-locations url) + "Return the nginx location blocks for 'guix publish' running on URL." + (list (nginx-location-configuration + (uri "/nix-cache-info") + (body + (list + (string-append + "proxy_pass " url "/nix-cache-info;") + ;; Cache this file since that's always the first thing we ask + ;; for. + "proxy_cache static;" + "proxy_cache_valid 200 100d;" ; cache hits for a looong time. + "proxy_cache_valid any 5m;" ; cache misses/others for 5 min. + "proxy_ignore_client_abort on;" + + ;; We need to hide and ignore the Set-Cookie header to enable + ;; caching. 
+ "proxy_hide_header Set-Cookie;" + "proxy_ignore_headers Set-Cookie;"))) + + (nginx-location-configuration + (uri "/nar/") + (body + (list + (string-append "proxy_pass " url ";") + "client_body_buffer_size 256k;" + + ;; Be more tolerant of delays when fetching a nar. + "proxy_read_timeout 60s;" + "proxy_send_timeout 60s;" + + ;; Enable caching for nar files, to avoid reconstructing and + ;; recompressing archives. + "proxy_cache nar;" + "proxy_cache_valid 200 30d;" ; cache hits for 1 month + "proxy_cache_valid 504 3m;" ; timeout, when hydra.gnu.org is overloaded + "proxy_cache_valid any 1h;" ; cache misses/others for 1h. + + "proxy_ignore_client_abort on;" + + ;; Nars are already compressed. + "gzip off;" + + ;; We need to hide and ignore the Set-Cookie header to enable + ;; caching. + "proxy_hide_header Set-Cookie;" + "proxy_ignore_headers Set-Cookie;" + + ;; Provide a 'content-length' header so that 'guix + ;; substitute-binary' knows upfront how much it is downloading. + ;; "add_header Content-Length $body_bytes_sent;" + ))) + + (nginx-location-configuration + (uri "~ \\.narinfo$") + (body + (list + ;; Since 'guix publish' has its own caching, and since it relies + ;; on the atime of cached narinfos to determine whether a + ;; narinfo can be removed from the cache, don't do any caching + ;; here. + (string-append "proxy_pass " url ";") + + ;; For HTTP pipelining. This has a dramatic impact on + ;; performance. + "client_body_buffer_size 128k;" + + ;; Narinfos requests are short, serve many of them on a + ;; connection. + "keepalive_requests 600;" + + ;; Do not tolerate slowness of hydra.gnu.org when fetching + ;; narinfos: better return 504 quickly than wait forever. + "proxy_connect_timeout 10s;" + "proxy_read_timeout 10s;" + "proxy_send_timeout 10s;" + + ;; 'guix publish --ttl' produces a 'Cache-Control' header for + ;; use by 'guix substitute'. 
Let it through rather than use + ;; nginx's "expire" directive since the expiration time defined + ;; by 'guix publish' is the right one. + "proxy_pass_header Cache-Control;" + + "proxy_ignore_client_abort on;" + + ;; We need to hide and ignore the Set-Cookie header to enable + ;; caching. + "proxy_hide_header Set-Cookie;" + "proxy_ignore_headers Set-Cookie;"))) + + ;; Content-addressed files served by 'guix publish'. + (nginx-location-configuration + (uri "/file/") + (body + (list + (string-append "proxy_pass " url ";") + + "proxy_cache cas;" + "proxy_cache_valid 200 200d;" ; cache hits + "proxy_cache_valid any 5m;" ; cache misses/others + + "proxy_ignore_client_abort on;"))))) + +(define %publish-url "http://localhost:3000") + +;; Modified from: https://git.savannah.gnu.org/cgit/guix/maintenance.git/tree/hydra/nginx/berlin.scm (berlin-locations) +(define (nginx-locations publish-url) + "Return nginx location blocks with 'guix publish' reachable at +PUBLISH-URL." + (append (publish-locations publish-url) + (list + ;; Cuirass. + (nginx-location-configuration + (uri "/") + (body (list "proxy_pass http://localhost:8081;"))) + ;; TODO: disabled as currently there is no auth setup for cuirass + ;; (nginx-location-configuration + ;; (uri "~ ^/admin") + ;; (body + ;; (list "if ($ssl_client_verify != SUCCESS) { return 403; } proxy_pass http://localhost:8081;"))) + + (nginx-location-configuration + (uri "/static") + (body + (list + "proxy_pass http://localhost:8081;" + ;; Let browsers cache this for a while. + "expires 10d;" + ;; Cache quite aggressively. + "proxy_cache static;" + "proxy_cache_valid 200 5d;" + "proxy_cache_valid any 10m;" + "proxy_ignore_client_abort on;")))))) + +(define %extra-content + (list + "default_type application/octet-stream;" + "sendfile on;" + +; (accept-languages) + + ;; Maximum chunk size to send. 
Partly this is a workaround for + ;; , but also the nginx docs mention that + ;; "Without the limit, one fast connection may seize the worker + ;; process entirely." + ;; + "sendfile_max_chunk 1m;" + + "keepalive_timeout 65;" + + ;; Use HTTP 1.1 to talk to the backend so we benefit from keep-alive + ;; connections and chunked transfer encoding. The latter allows us to + ;; make sure we do not cache partial downloads. + "proxy_http_version 1.1;" + + ;; The 'inactive' parameter for caching is not very useful in our + ;; case: all that matters is that LRU sweeping happens when 'max_size' + ;; is hit. + + ;; cache for nar files + "proxy_cache_path /var/cache/nginx/nar" + " levels=2" + " inactive=8d" ; inactive keys removed after 8d + " keys_zone=nar:4m" ; nar cache meta data: ~32K keys + " max_size=10g;" ; total cache data size max + + ;; cache for content-addressed files + "proxy_cache_path /var/cache/nginx/cas" + " levels=2" + " inactive=180d" ; inactive keys removed after 180d + " keys_zone=cas:8m" ; nar cache meta data: ~64K keys + " max_size=50g;" ; total cache data size max + + ;; cache for build logs + "proxy_cache_path /var/cache/nginx/logs" + " levels=2" + " inactive=60d" ; inactive keys removed after 60d + " keys_zone=logs:8m" ; narinfo meta data: ~64K keys + " max_size=4g;" ; total cache data size max + + ;; cache for static data + "proxy_cache_path /var/cache/nginx/static" + " levels=1" + " inactive=10d" ; inactive keys removed after 10d + " keys_zone=static:1m" ; nar cache meta data: ~8K keys + " max_size=200m;" ; total cache data size max + + ;; If Hydra cannot honor these delays, then something is wrong and + ;; we'd better drop the connection and return 504. + "proxy_connect_timeout 10s;" + "proxy_read_timeout 10s;" + "proxy_send_timeout 10s;" + + ;; Cache timeouts for a little while to avoid increasing pressure. 
+ "proxy_cache_valid 504 30s;")) + +(define %nginx-configuration + (nginx-configuration + (server-blocks + (list + (nginx-server-configuration + (listen '("80")) + (server-name '("guix-ci0.home.rekahsoft.ca" + "guix-ci.home.rekahsoft.ca" + ;; + "~[0-9]$")) + (locations (nginx-locations %publish-url)) + (raw-content + (list + "access_log /var/log/nginx/http.access.log;" + "proxy_set_header X-Forwarded-Host $host;" + "proxy_set_header X-Forwarded-Port $server_port;" + "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"))))) + (global-directives + '((worker_processes . 4) + (pcre_jit . on) + (events . ((worker_connections . 1024))))) + (extra-content + (string-join %extra-content "\n")))) + +(define %nginx-cache-activation + ;; Make sure /var/cache/nginx exists on the first run. + (simple-service 'nginx-/var/cache/nginx + activation-service-type + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + (mkdir-p "/var/cache/nginx"))))) + +(define system + (operating-system + (inherit base-system) + (users (cons* + (user-account + (name "collin") + (comment "Master User") + (group "users") + (shell #~(string-append #$zsh "/bin/zsh")) + (supplementary-groups + '("wheel" "netdev" "audio" "video")) + (home-directory "/home/collin")) + (operating-system-users base-system))) + + (services + (append + (list (service cuirass-service-type + (cuirass-configuration + (host "localhost") + (specifications %cuirass-specs) + (use-substitutes? 
#t))) + + %nginx-cache-activation + + (service nginx-service-type %nginx-configuration) + + (service guix-publish-service-type + (guix-publish-configuration + (port 3000) + (cache "/var/cache/guix/publish")))) + (modify-services %proxmox-vm-lvm-minimal-services + ;; Add and authorize non-guix substitute server + (guix-service-type config => + (guix-configuration + (inherit config) + (substitute-urls + (append (list "https://substitutes.nonguix.org") + (guix-configuration-substitute-urls config))) + (authorized-keys + (append (list (plain-file "non-guix.pub" + "(public-key + (ecc + (curve Ed25519) + (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#) + ) + )")) + (guix-configuration-authorized-keys config)))))))))) diff --git a/.guix/rekahsoft/guix-config/vms/loki-home-rekahsoft-ca.scm b/.guix/rekahsoft/guix-config/vms/loki-home-rekahsoft-ca.scm new file mode 100644 index 0000000..749cf81 --- /dev/null +++ b/.guix/rekahsoft/guix-config/vms/loki-home-rekahsoft-ca.scm 
@@ -0,0 +1,86 @@
+(define-module (rekahsoft guix-config vms loki-home-rekahsoft-ca)
+ #:use-module (gnu)
+ #:use-module (gnu system nss)
+ #:use-module (gnu packages)
+ #:use-module (gnu packages shells)
+ #:use-module (gnu services desktop)
+ #:use-module (gnu services dbus)
+ #:use-module (gnu services networking)
+ #:use-module (gnu services ssh)
+ #:use-module (gnu services monitoring)
+ #:use-module (gnu services docker)
+ #:use-module (gnu services xorg)
+ #:use-module (srfi srfi-1)
+ #:export (system))
+
+(define system
+ (operating-system
+ (host-name "loki")
+ (timezone "America/Toronto")
+ (locale "en_US.utf8")
+ (keyboard-layout (keyboard-layout "us"))
+
+ (bootloader
+ (bootloader-configuration
+ (bootloader grub-bootloader)
+ (target "/dev/sda")
+ (keyboard-layout keyboard-layout)))
+
+ (initrd-modules
+ (append '("virtio_scsi") %base-initrd-modules))
+
+ (swap-devices (list "/dev/sda2"))
+
+ (file-systems
+ (cons* (file-system
+ (mount-point "/")
+ (device
+ (uuid "f354b908-fd6f-46c9-931b-2bebaac61b56"
+ 'ext4))
+ (type "ext4"))
+ %base-file-systems))
+
+ (users (cons (user-account
+ (name "collin")
+ (comment "Master User")
+ (group "users")
+ (shell #~(string-append #$zsh "/bin/zsh"))
+ (supplementary-groups
+ '("wheel" "netdev" "audio" "video" "docker"))
+ (home-directory "/home/collin"))
+ %base-user-accounts))
+
+ (packages
+ (append
+ (map specification->package
+ '("nss-certs"
+ "recutils"
+ "openssh"
+ "tmux"
+ "emacs"
+ "emacs-guix"))
+ %base-packages))
+
+ (services
+ (append
+ (list (service openssh-service-type
+ (openssh-configuration
+ (password-authentication? #f)
+ (authorized-keys
+ `(("collin" ,(local-file "collin.pub"))
+ ("root" ,(local-file "collin.pub"))))))
+ (service prometheus-node-exporter-service-type)
+ (service docker-service-type)
+ (dbus-service)
+ (elogind-service)
+ (service network-manager-service-type)
+ (service wpa-supplicant-service-type))
+ (modify-services
+ %base-services
+ (guix-service-type
+ config => (guix-configuration
+ (inherit config)
+ (substitute-urls '("https://nexus.home.rekahsoft.ca/repository/guix")))))))
+
+ ;; Allow resolution of '.local' host names with mDNS.
+ (name-service-switch %mdns-host-lookup-nss)))
diff --git a/.guix/rekahsoft/guix-config/vms/postgres-home-rekahsoft-ca.scm b/.guix/rekahsoft/guix-config/vms/postgres-home-rekahsoft-ca.scm
new file mode 100644
index 0000000..4578d84
--- /dev/null
+++ b/.guix/rekahsoft/guix-config/vms/postgres-home-rekahsoft-ca.scm
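Review bot: `(local-file "collin.pub")` in the openssh `authorized-keys` appears to resolve relative to this module's own directory (`.guix/rekahsoft/guix-config/vms/`), but the only collin.pub this commit adds is `.pubkeys/collin.pub` at the repository root, so building this system should fail with a missing-file error unless a copy is placed next to the module; the same pattern is in the postgres, prom0 and searx0 hunks. Pointing at the shared file, e.g. `(local-file "../../../../.pubkeys/collin.pub")`, or defining the key once in a helper module would fix all four in one place. Separately, the key is also installed for `root`, which turns on direct root SSH login; if that is what `guix deploy` needs it deserves a one-line comment saying so, otherwise the `root` entry can be dropped in favour of the wheel user.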
@@ -0,0 +1,94 @@
+(define-module (rekahsoft guix-config vms postgres-home-rekahsoft-ca)
+ #:use-module (gnu)
+ #:use-module (gnu system nss)
+ #:use-module (gnu packages)
+ #:use-module (gnu packages shells)
+ #:use-module (gnu services networking)
+ #:use-module (gnu services ssh)
+ #:use-module (gnu services monitoring)
+ #:use-module (gnu services databases)
+ #:use-module (gnu services xorg)
+ #:use-module (srfi srfi-1)
+ #:export (system))
+
+(define postgres-hba
+ (plain-file "pg_hba.conf"
+ "
+local all all peer
+host all all 127.0.0.1/32 md5
+host all all ::1/128 md5
+host all all 172.16.0.0/20 md5"))
+
+(define system
+ (operating-system
+ (host-name "postgres")
+ (timezone "America/Toronto")
+ (locale "en_US.utf8")
+ (keyboard-layout (keyboard-layout "us"))
+
+ (bootloader
+ (bootloader-configuration
+ (bootloader grub-bootloader)
+ (target "/dev/sda")
+ (keyboard-layout keyboard-layout)))
+
+ (initrd-modules
+ (append '("virtio_scsi") %base-initrd-modules))
+
+ (swap-devices (list "/dev/sda2"))
+
+ (file-systems
+ (cons* (file-system
+ (mount-point "/")
+ (device
+ (uuid "f354b908-fd6f-46c9-931b-2bebaac61b56"
+ 'ext4))
+ (type "ext4"))
+ %base-file-systems))
+
+ (users (cons (user-account
+ (name "collin")
+ (comment "Master User")
+ (group "users")
+ (shell #~(string-append #$zsh "/bin/zsh"))
+ (supplementary-groups
+ '("wheel" "netdev" "audio" "video"))
+ (home-directory "/home/collin"))
+ %base-user-accounts))
+
+ (packages
+ (append
+ (map specification->package
+ '("nss-certs"
+ "recutils"
+ "openssh"
+ "tmux"
+ "emacs"
+ "emacs-guix"))
+ %base-packages))
+
+ (services
+ (append
+ (list (service openssh-service-type
+ (openssh-configuration
+ (password-authentication? #f)
+ (authorized-keys
+ `(("collin" ,(local-file "collin.pub"))
+ ("root" ,(local-file "collin.pub"))))))
+ (postgresql-service
+ #:config-file (postgresql-config-file
+ (hba-file postgres-hba)
+ (extra-config
+ '(("listen_addresses" "'*'")))))
+ (service prometheus-node-exporter-service-type)
+ (service network-manager-service-type)
+ (service wpa-supplicant-service-type))
+ (modify-services
+ %base-services
+ (guix-service-type
+ config => (guix-configuration
+ (inherit config)
+ (substitute-urls '("https://nexus.home.rekahsoft.ca/repository/guix")))))))
+
+ ;; Allow resolution of '.local' host names with mDNS.
+ (name-service-switch %mdns-host-lookup-nss)))
diff --git a/.guix/rekahsoft/guix-config/vms/prom0-home-rekahsoft-ca.scm b/.guix/rekahsoft/guix-config/vms/prom0-home-rekahsoft-ca.scm
new file mode 100644
index 0000000..4244c5c
--- /dev/null
+++ b/.guix/rekahsoft/guix-config/vms/prom0-home-rekahsoft-ca.scm
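Review bot: The `pg_hba.conf` entries in `postgres-hba` use `md5` password authentication for every database and every role from `127.0.0.1`, `::1` and the whole `172.16.0.0/20`, while `listen_addresses '*'` in `extra-config` binds all interfaces, so the network range is the only thing narrowing access. `md5` is the legacy method; `scram-sha-256` is the current PostgreSQL recommendation, so add `("password_encryption" "scram-sha-256")` to `extra-config`, change the three `host` lines to end in `scram-sha-256`, and reset existing passwords so they are re-hashed. Narrowing `all all` to the specific databases and roles the other VMs use cannot be judged from this hunk, but a comment above `postgres-hba` naming what lives in 172.16.0.0/20 would make that reviewable.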
@@ -0,0 +1,84 @@
+(define-module (rekahsoft guix-config vms prom0-home-rekahsoft-ca)
+ #:use-module (gnu)
+ #:use-module (gnu system nss)
+ #:use-module (gnu packages)
+ #:use-module (gnu packages shells)
+ #:use-module (gnu services desktop)
+ #:use-module (gnu services dbus)
+ #:use-module (gnu services networking)
+ #:use-module (gnu services ssh)
+ #:use-module (gnu services docker)
+ #:use-module (gnu services xorg)
+ #:use-module (srfi srfi-1)
+ #:export (system))
+
+(define system
+ (operating-system
+ (host-name "prom0")
+ (timezone "America/Toronto")
+ (locale "en_US.utf8")
+ (keyboard-layout (keyboard-layout "us"))
+
+ (bootloader
+ (bootloader-configuration
+ (bootloader grub-bootloader)
+ (target "/dev/sda")
+ (keyboard-layout keyboard-layout)))
+
+ (initrd-modules
+ (append '("virtio_scsi") %base-initrd-modules))
+
+ (swap-devices (list "/dev/sda2"))
+
+ (file-systems
+ (cons* (file-system
+ (mount-point "/")
+ (device
+ (uuid "f354b908-fd6f-46c9-931b-2bebaac61b56"
+ 'ext4))
+ (type "ext4"))
+ %base-file-systems))
+
+ (users (cons (user-account
+ (name "collin")
+ (comment "Master User")
+ (group "users")
+ (shell #~(string-append #$zsh "/bin/zsh"))
+ (supplementary-groups
+ '("wheel" "netdev" "audio" "video" "docker"))
+ (home-directory "/home/collin"))
+ %base-user-accounts))
+
+ (packages
+ (append
+ (map specification->package
+ '("nss-certs"
+ "recutils"
+ "openssh"
+ "tmux"
+ "emacs"
+ "emacs-guix"))
+ %base-packages))
+
+ (services
+ (append
+ (list (service openssh-service-type
+ (openssh-configuration
+ (password-authentication? #f)
+ (authorized-keys
+ `(("collin" ,(local-file "collin.pub"))
+ ("root" ,(local-file "collin.pub"))))))
+ (service docker-service-type)
+ (dbus-service)
+ (elogind-service)
+ (service network-manager-service-type)
+ (service wpa-supplicant-service-type))
+ (modify-services
+ %base-services
+ (guix-service-type
+ config => (guix-configuration
+ (inherit config)
+ (substitute-urls '("https://nexus.home.rekahsoft.ca/repository/guix")))))))
+
+ ;; Allow resolution of '.local' host names with mDNS.
+ (name-service-switch %mdns-host-lookup-nss)))
diff --git a/.guix/rekahsoft/guix-config/vms/searx0-home-rekahsoft-ca.scm b/.guix/rekahsoft/guix-config/vms/searx0-home-rekahsoft-ca.scm
new file mode 100644
index 0000000..7c678d8
--- /dev/null
+++ b/.guix/rekahsoft/guix-config/vms/searx0-home-rekahsoft-ca.scm
@@ -0,0 +1,86 @@
+(define-module (rekahsoft guix-config vms searx0-home-rekahsoft-ca)
+ #:use-module (gnu)
+ #:use-module (gnu system nss)
+ #:use-module (gnu packages)
+ #:use-module (gnu packages shells)
+ #:use-module (gnu services desktop)
+ #:use-module (gnu services dbus)
+ #:use-module (gnu services networking)
+ #:use-module (gnu services ssh)
+ #:use-module (gnu services monitoring)
+ #:use-module (gnu services docker)
+ #:use-module (gnu services xorg)
+ #:use-module (srfi srfi-1)
+ #:export (system))
+
+(define system
+ (operating-system
+ (host-name "searx0")
+ (timezone "America/Toronto")
+ (locale "en_US.utf8")
+ (keyboard-layout (keyboard-layout "us"))
+
+ (bootloader
+ (bootloader-configuration
+ (bootloader grub-bootloader)
+ (target "/dev/sda")
+ (keyboard-layout keyboard-layout)))
+
+ (initrd-modules
+ (append '("virtio_scsi") %base-initrd-modules))
+
+ (swap-devices (list "/dev/sda2"))
+
+ (file-systems
+ (cons* (file-system
+ (mount-point "/")
+ (device
+ (uuid "f354b908-fd6f-46c9-931b-2bebaac61b56"
+ 'ext4))
+ (type "ext4"))
+ %base-file-systems))
+
+ (users (cons (user-account
+ (name "collin")
+ (comment "Master User")
+ (group "users")
+ (shell #~(string-append #$zsh "/bin/zsh"))
+ (supplementary-groups
+ '("wheel" "netdev" "audio" "video" "docker"))
+ (home-directory "/home/collin"))
+ %base-user-accounts))
+
+ (packages
+ (append
+ (map specification->package
+ '("nss-certs"
+ "recutils"
+ "openssh"
+ "tmux"
+ "emacs"
+ "emacs-guix"))
+ %base-packages))
+
+ (services
+ (append
+ (list (service openssh-service-type
+ (openssh-configuration
+ (password-authentication? #f)
+ (authorized-keys
+ `(("collin" ,(local-file "collin.pub"))
+ ("root" ,(local-file "collin.pub"))))))
+ (service prometheus-node-exporter-service-type)
+ (service docker-service-type)
+ (dbus-service)
+ (elogind-service)
+ (service network-manager-service-type)
+ (service wpa-supplicant-service-type))
+ (modify-services
+ %base-services
+ (guix-service-type
+ config => (guix-configuration
+ (inherit config)
+ (substitute-urls '("https://nexus.home.rekahsoft.ca/repository/guix")))))))
+
+ ;; Allow resolution of '.local' host names with mDNS.
+ (name-service-switch %mdns-host-lookup-nss)))
diff --git a/.guix/rekahsoft/guix-config/vms/vault0-home-rekahsoft-ca.scm b/.guix/rekahsoft/guix-config/vms/vault0-home-rekahsoft-ca.scm
new file mode 100644
index 0000000..a4bf914
--- /dev/null
+++ b/.guix/rekahsoft/guix-config/vms/vault0-home-rekahsoft-ca.scm
@@ -0,0 +1,27 @@
+(define-module (rekahsoft guix-config vms vault0-home-rekahsoft-ca)
+ #:use-module (gnu)
+ #:use-module (gnu system)
+ #:use-module (gnu packages shells)
+ #:use-module (gnu services docker)
+ #:use-module (rekahsoft guix-config proxmox-vm-lvm-minimal)
+ #:export (system))
+
+(define base-system (proxmox-vm-lvm-minimal "vault0"))
+
+(define system
+ (operating-system
+ (inherit base-system)
+ (users (cons*
+ (user-account
+ (name "collin")
+ (comment "Master User")
+ (group "users")
+ (shell #~(string-append #$zsh "/bin/zsh"))
+ (supplementary-groups
+ '("wheel" "netdev" "audio" "video" "docker"))
+ (home-directory "/home/collin"))
+ (operating-system-users base-system)))
+ (services
+ (append
+ (list (service docker-service-type))
+ %proxmox-vm-lvm-minimal-services))))
diff --git a/.pubkeys/collin.pub b/.pubkeys/collin.pub
new file mode 100644
index 0000000..e9d7f1e
--- /dev/null
+++ b/.pubkeys/collin.pub
@@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbkiHEE2y85M1qkOBG9p0nuplkFETuMmRudDJ2ryf2gakD1NGMbKz82EHWWyPagkXMHx0tw4TZyV/AOq2LqzH8ZVDAj+QOO2wkFIRIXr3rsZGeMO9kpaZORwdTMTABRPcIg+KteWXe7Qq4I1H3izSuIIbyOW2wFdHkMxWAJEGr2L/q8qMlYbCbDwj1v7AQQRUjy8a0pTyG9eZ6kmc0bVxuFGAsvKtJSPpYxFNNGr8f2EY977DkmHK146B+Ce6Vp9wFDV5PwIQOFnZFXLDoYkI/ndshW+7+LQKViYP/ftIMTt4LC/0BC56heHOKkTCE3FHo4W/0zxfJdcLLkfRoev9T openpgp:0xED51AB07 diff --git a/.pubkeys/guix-coordinator-key.pub b/.pubkeys/guix-coordinator-key.pub new file mode 100644 index 0000000..ae00c4c --- /dev/null +++ b/.pubkeys/guix-coordinator-key.pub @@ -0,0 +1,7 @@ +(public-key + (ecc + (curve Ed25519) + (q #4C9DDCA82172D07FE644BEB4B5B39429F835BEE7E11E3F770EAB79ECBE226DE9#) + ) + ) + \ No newline at end of file diff --git a/README.org b/README.org new file mode 100644 index 0000000..b9a8d6c --- /dev/null +++ b/README.org @@ -0,0 +1,145 @@ +#+TITLE: Guix Machines +#+AUTHOR: Collin J. Doering + +#+BEGIN_EXPORT html +

Cuirass Status

+#+END_EXPORT + +#+begin_abstract +Guix configurations for all Guix powered systems privately managed by the author. This +includes all virtual machines for my home network, cloud/vps instances, as well as personal +computers. Due to the variety of types of systems managed via this repository, two mutable +deployment methodologies are supported: + +1. A push based model, using ~guix deploy~[fn:1] to remotely deploy changes (useful for example + from ci/cd). +2. A pull based model, using ~guix~ along with this repository directly from the target + machine. + +Immutable deployment is not yet supported, but is certainly possible given Guix's ability to +build an ~operating-system~ configuration into a image. +#+end_abstract + +* Repository Structure + +- ~channels*.scm~ :: [[*Guix Channel Files][Guix channel files]] +- ~deploy/~ :: Folder containing all ~guix deploy~ configurations +- ~.gitignore~ :: Files ignored by git +- ~.guix/~ :: Guix channel directory +- ~.guix-authorizations~ :: Guix authorizations file[fn:2] +- ~.guix-channel~ :: Guix channel file[fn:3] +- ~.pub-keys/~ :: Folder containing public key files used by Guix configurations +- ~README.org~ :: Org-mode[fn:4] documentation +- ~TODO.org~ :: Org-mode todo's, known issues and future aspirations +- ~unguix/~ :: Docker/docker-compose files used on deployed instances, managed + outside of guix. Once better support for running docker/docker-compose via shepherd, + specified declaratively via Guix configuration has been implemented, this directory and all + files within it should be able to be removed. + +** User Supplied Files Required for Push Based Deployment + +- ~.deploy-key~ :: Folder expected to contain two files (a public and private ssh key, named + ~key.pub~ and ~key~ respectively). + +** Guix Channel Files + +Guix channels[fn:5] allow for Guix to be customized and extended. They are also critical for +replicating a Guix system[fn:6]. 
As mentioned above, there are two primary classes of +deployments that are managed using this repository, push based and pull based. In both cases, +what specific versions of software that will be installed during deployment depends on the +guix channels in use. To ensure reproducibility, ~channel*.scm~ files are provided in this +repository that are expected to be used during deployment. However, multiple channel files +are provided as it makes sense to lock software versions across different sets of machines in +varying ways. For example, there is value in using the same channel file (and thus, same +software versions) across all virtual machines running on my home hypervisor cluster, but +there is no reason to explicitly lock my personal machines to the same software versions. +Further, cases could arise where my personal computer configuration/s or server +configuration/s need to be pinned to a specific set of software versions, and thus require a +individual channel file. + +Though supporting a channel file per machine is possible, it would cause additional +maintenance overhead. So instead, two channel files are provided, that correspond to the two +classes of machines that are managed. + +- ~channels-vms.scm~ :: Channel file used for push based deployments to vm's running on my + home hypervisor cluster +- ~channels.scm :: Channel file used for pull based deployments of personal computers + +If for some reason channels need to be pinned for a specific deployment, a new channel file +named ~channels-.scm~ can be created and used in place of normally used channel +file. 
+ +*** TODO Updating guix channels used for deployment + +**This doesn't work right unless your channels match what is expected by this repository.** + +#+begin_src shell + guix time-machine -- describe -f channels > channels-vms.scm +#+end_src + +** ~guix-machines~ the Guix Channel + +This repository is itself a Guix channel, which facilitates CI, allowing for changes to it to +be evaluated by Cuirass at [[https://guix-ci.home.rekahsoft.ca]] (only available in my internal +home-network). This channel is not intended to be used directly from guix systems as it +doesn't provide any packages. + +At a later date, this also will allow for building of machine images for immutable +deployment, bootstrapping and more. + +* Push Deployment with ~guix deploy~ + +Push based mutable deployment is the default deployment methodology for the majority of +systems managed by this repository. This is particularity safe because Guix changes are done +as transactions, and thus can easily be rolled back. + +#+begin_src shell + guix time-machine -C channels-vms.scm -- deploy -L ./.guix deploy/.scm +#+end_src + +* Pull Based Deployment + +Pull based mutable deployment is the default deployment methodology for personal computers, +where using a push based method doesn't make sense. It also serves as a secondary deployment +mechanism for systems normally maintained using the push deployment model; for example, this +becomes necessary when facing ~guix deploy~ bugs. + +To manually deploy from the target, first the contents of this repository must be transferred +to the target machine. The easiest way to do this is via git, from the target like so. + +#+begin_src shell + git clone https://git.home.rekahsoft.ca/rekahsoft-public/guix-machines.git +#+end_src + +Once this repository is on the target, pull the [[*Guix Channel Files][appropriate channels]] as root. 
+ +#+begin_src shell + sudo -i guix pull -C $(realpath channels-.scm) +#+end_src + +Once channels have been updated successfully, use the following to reconfigure the system. + +#+begin_src shell + sudo -i guix system reconfigure -L $(realpath .guix) -e '(@ (rekahsoft guix-config ) system)' +#+end_src + +Alternatively, the same effect can be achieved without first pulling the appropriate channels +by instead using ~guix time-machine~ as follows. + +#+begin_src shell + sudo -i guix time-machine -C $(realpath channels-.scm) -- system reconfigure -L $(realpath .guix) -e '(@ (rekahsoft guix-config ) system)' +#+end_src + +* Footnotes + +[fn:1] https://guix.gnu.org/manual/en/html_node/Invoking-guix-deploy.html + +[fn:2] https://guix.gnu.org/manual/en/html_node/Channel-Authentication.html + +[fn:3] https://guix.gnu.org/manual/en/html_node/Package-Modules-in-a-Sub_002ddirectory.html + +[fn:4] https://orgmode.org/ + +[fn:5] https://guix.gnu.org/manual/en/html_node/Channels.html + +[fn:6] https://guix.gnu.org/manual/en/html_node/Replicating-Guix.html diff --git a/TODO.org b/TODO.org new file mode 100644 index 0000000..2e42528 --- /dev/null +++ b/TODO.org 
@@ -0,0 +1,58 @@ +#+TITLE: guix-machines TODO's +#+AUTHOR: Collin J. Doering + +* DOING VM Status + +- State "DOING" from "TODO" [2022-03-20 Sun 19:53] +** DONE Convert existing [[file:.guix/rekahsoft/guix-config/vms/][.guix/rekahsoft/guix-config/vms/*.scm]] files to guile modules +CLOSED: [2022-03-20 Sun 13:00] + +- State "DONE" from "TODO" [2022-03-20 Sun 13:00] +- [X] [[file:.guix/rekahsoft/guix-config/vms/ci-runner0-home-rekahsoft-ca.scm]] +- [X] [[file:.guix/rekahsoft/guix-config/vms/cloud0-home-rekahsoft-ca.scm]] +- [X] [[file:.guix/rekahsoft/guix-config/vms/dash0-home-rekahsoft-ca.scm]] +- [X] [[file:.guix/rekahsoft/guix-config/vms/git0-home-rekahsoft-ca.scm]] +- [X] [[file:.guix/rekahsoft/guix-config/vms/grocy0-home-rekahsoft-ca.scm]] +- [X] [[file:.guix/rekahsoft/guix-config/vms/guix-ci0-home-rekahsoft-ca.scm]] +- [X] [[file:.guix/rekahsoft/guix-config/vms/loki-home-rekahsoft-ca.scm]] +- [X] [[file:.guix/rekahsoft/guix-config/vms/postgres-home-rekahsoft-ca.scm]] +- [X] [[file:.guix/rekahsoft/guix-config/vms/prom0-home-rekahsoft-ca.scm]] +- [X] [[file:.guix/rekahsoft/guix-config/vms/searx0-home-rekahsoft-ca.scm]] +- [X] [[file:.guix/rekahsoft/guix-config/vms/vault0-home-rekahsoft-ca.scm]] + +** TODO Use 'guix deploy'/lvm based common proxmox-vm configuration for all vms + +Checked indicates the vm is using a 'guix deploy' style deployment, and is based on the +common lvm based proxmox configuration [[file:.guix/rekahsoft/guix-config/proxmox-vm-lvm-minimal.scm][prmox-vm-lvm-minimal.scm]]. 
+ +- [ ] [[file:.guix/rekahsoft/guix-config/vms/ci-runner0-home-rekahsoft-ca.scm]] +- [X] [[file:.guix/rekahsoft/guix-config/vms/cloud0-home-rekahsoft-ca.scm]] +- [ ] [[file:.guix/rekahsoft/guix-config/vms/dash0-home-rekahsoft-ca.scm]] +- [ ] [[file:.guix/rekahsoft/guix-config/vms/git0-home-rekahsoft-ca.scm]] +- [X] [[file:.guix/rekahsoft/guix-config/vms/grocy0-home-rekahsoft-ca.scm]] +- [X] [[file:.guix/rekahsoft/guix-config/vms/guix-ci0-home-rekahsoft-ca.scm]] +- [ ] [[file:.guix/rekahsoft/guix-config/vms/loki-home-rekahsoft-ca.scm]] +- [ ] [[file:.guix/rekahsoft/guix-config/vms/postgres-home-rekahsoft-ca.scm]] +- [ ] [[file:.guix/rekahsoft/guix-config/vms/prom0-home-rekahsoft-ca.scm]] +- [ ] [[file:.guix/rekahsoft/guix-config/vms/searx0-home-rekahsoft-ca.scm]] +- [X] [[file:.guix/rekahsoft/guix-config/vms/vault0-home-rekahsoft-ca.scm]] + +** TODO Run/configure docker/docker-compose from within guix configurations + +Better docker support within guix configuration is required to make this issue go away. Once +completed, the ~unguix~ directory can be removed. + +Checked indicates VMs that use docker/docker-compose (and either depend on files in the +~unguix~ directory or ~docker-compose~ files on the vm disk. 
+ +- [X] [[file:.guix/rekahsoft/guix-config/vms/ci-runner0-home-rekahsoft-ca.scm]] +- [X] [[file:.guix/rekahsoft/guix-config/vms/cloud0-home-rekahsoft-ca.scm]] +- [X] [[file:.guix/rekahsoft/guix-config/vms/dash0-home-rekahsoft-ca.scm]] +- [X] [[file:.guix/rekahsoft/guix-config/vms/git0-home-rekahsoft-ca.scm]] +- [X] [[file:.guix/rekahsoft/guix-config/vms/grocy0-home-rekahsoft-ca.scm]] :: docker-compose +- [ ] [[file:.guix/rekahsoft/guix-config/vms/guix-ci0-home-rekahsoft-ca.scm]] +- [X] [[file:.guix/rekahsoft/guix-config/vms/loki-home-rekahsoft-ca.scm]] +- [ ] [[file:.guix/rekahsoft/guix-config/vms/postgres-home-rekahsoft-ca.scm]] +- [X] [[file:.guix/rekahsoft/guix-config/vms/prom0-home-rekahsoft-ca.scm]] +- [X] [[file:.guix/rekahsoft/guix-config/vms/searx0-home-rekahsoft-ca.scm]] +- [X] [[file:.guix/rekahsoft/guix-config/vms/vault0-home-rekahsoft-ca.scm]] diff --git a/channels-manual.scm b/channels-manual.scm new file mode 100644 index 0000000..083ab57 --- /dev/null +++ b/channels-manual.scm @@ -0,0 +1,22 @@ +(list (channel + (name 'guix) + (url "https://git.savannah.gnu.org/git/guix.git") + (branch "master") + (commit + "44cd0a4f371db22141832e17b8bdb5130696993a") + (introduction + (make-channel-introduction + "9edb3f66fd807b096b48283debdcddccfea34bad" + (openpgp-fingerprint + "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA")))) + (channel + (name 'nonguix) + (url "https://gitlab.com/nonguix/nonguix") + (branch "master") + (commit + "fea52adbc9356184bff51146c6515fad609baf77") + (introduction + (make-channel-introduction + "897c1a470da759236cc11798f4e0a5f7d4d59fbc" + (openpgp-fingerprint + "2A39 3FFF 68F4 EF7A 3D29 12AF 6F51 20A0 22FB B2D5"))))) diff --git a/channels-vms.scm b/channels-vms.scm new file mode 100644 index 0000000..5cee80a --- /dev/null +++ b/channels-vms.scm 
@@ -0,0 +1,22 @@
+(list (channel
+ (name 'guix)
+ (url "https://git.savannah.gnu.org/git/guix.git")
+ (branch "master")
+ (commit
+ "a4eae0c3adce8e4c4ac153a4959d18b9897a67e1")
+ (introduction
+ (make-channel-introduction
+ "9edb3f66fd807b096b48283debdcddccfea34bad"
+ (openpgp-fingerprint
+ "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA"))))
+ (channel
+ (name 'rekahsoft-guix)
+ (url "https://git.rekahsoft.ca/rekahsoft/rekahsoft-guix.git")
+ (branch "master")
+ (commit
+ "b72c13392a9ffab0dd52dcf9e30fb599e364a78e")
+ (introduction
+ (make-channel-introduction
+ "191cdaa0947657e0c85fe89ebbb8e7b1e7a8e0a4"
+ (openpgp-fingerprint
+ "F8D5 46F3 AF37 EF53 D1B6 48BE 7B4D EB93 212B 3022")))))
diff --git a/deploy/cloud0-home-rekahsoft-ca.scm b/deploy/cloud0-home-rekahsoft-ca.scm
new file mode 100644
index 0000000..72becba
--- /dev/null
+++ b/deploy/cloud0-home-rekahsoft-ca.scm
@@ -0,0 +1,13 @@
+(use-modules
+ (rekahsoft guix-config vms cloud0-home-rekahsoft-ca))
+
+(list (machine
+ (operating-system system)
+ (environment managed-host-environment-type)
+ (configuration (machine-ssh-configuration
+ (host-name "cloud0.home.rekahsoft.ca")
+ (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINwGi4YmUyLgpmFxJzGQF5Ju7CL8d2Wa2VtHMZGms0KO root@(none)")
+ (system "x86_64-linux")
+ (user "auto")
+ (identity ".deploy-key/key")
+ (port 22)))))
diff --git a/deploy/grocy0-home-rekahsoft-ca.scm b/deploy/grocy0-home-rekahsoft-ca.scm
new file mode 100644
index 0000000..fc5a48d
--- /dev/null
+++ b/deploy/grocy0-home-rekahsoft-ca.scm
@@ -0,0 +1,13 @@
+(use-modules
+ (rekahsoft guix-config vms grocy0-home-rekahsoft-ca))
+
+(list (machine
+ (operating-system system)
+ (environment managed-host-environment-type)
+ (configuration (machine-ssh-configuration
+ (host-name "grocy0.home.rekahsoft.ca")
+ (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICSMBcmFdlDI/JKOBC/RRJh2VM0MY45o684OXaTQ3fGm root@(none)")
+ (system "x86_64-linux")
+ (user "auto")
+ (identity ".deploy-key/key")
+ (port 22)))))
diff --git a/deploy/guix-ci0-home-rekahsoft-ca.scm b/deploy/guix-ci0-home-rekahsoft-ca.scm
new file mode 100644
index 0000000..dae145c
--- /dev/null
+++ b/deploy/guix-ci0-home-rekahsoft-ca.scm
@@ -0,0 +1,13 @@
+(use-modules
+ (rekahsoft guix-config vms guix-ci0-home-rekahsoft-ca))
+
+(list (machine
+ (operating-system system)
+ (environment managed-host-environment-type)
+ (configuration (machine-ssh-configuration
+ (host-name "guix-ci0.home.rekahsoft.ca")
+ (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrv3Ygq47GYt5jYiNPUhvIDOOl4H17Z/abMvA1l/xkj root@(none)")
+ (system "x86_64-linux")
+ (user "auto")
+ (identity ".deploy-key/key")
+ (port 22)))))
diff --git a/deploy/vault0-home-rekahsoft-ca.scm b/deploy/vault0-home-rekahsoft-ca.scm
new file mode 100644
index 0000000..e00427e
--- /dev/null
+++ b/deploy/vault0-home-rekahsoft-ca.scm
@@ -0,0 +1,13 @@
+(use-modules
+ (rekahsoft guix-config vms vault0-home-rekahsoft-ca))
+
+(list (machine
+ (operating-system system)
+ (environment managed-host-environment-type)
+ (configuration (machine-ssh-configuration
+ (host-name "vault0.home.rekahsoft.ca")
+ (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINwGi4YmUyLgpmFxJzGQF5Ju7CL8d2Wa2VtHMZGms0KO root@(none)")
+ (system "x86_64-linux")
+ (user "auto")
+ (identity ".deploy-key/key")
+ (port 22)))))
diff --git a/unguix/ci-runner0-home-rekahsoft-ca/drone-runner-guix.sh b/unguix/ci-runner0-home-rekahsoft-ca/drone-runner-guix.sh
new file mode 100644
index 0000000..fc5c401
--- /dev/null
+++ b/unguix/ci-runner0-home-rekahsoft-ca/drone-runner-guix.sh
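Review bot: The `host-key` pinned for vault0 is byte-for-byte the same ed25519 key as the one in deploy/cloud0-home-rekahsoft-ca.scm, which should never be the case for two distinct machines. Either this line was copied from the cloud0 file without being updated, in which case `guix deploy` should fail host-key verification against the real vault0, or the two VMs were cloned from one image and still share an SSH host key, in which case the pin no longer identifies the host and one VM's host keys should be regenerated. Which of the two it is cannot be told from the diff; a comment on each `host-key` line recording how the key was verified out of band would make future changes checkable.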
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+docker run -d \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ -e DRONE_RPC_PROTO="https" \
+ -e DRONE_RPC_HOST="ci.home.rekahsoft.ca" \
+ -e DRONE_RPC_SECRET="8cb1a6fbc4febc68a99c4f1cc3f11f2a" \
+ -e DRONE_RUNNER_CAPACITY=4 \
+ -e DRONE_RUNNER_NAME="ci-runner1.home.rekahsoft.ca" \
+ -e DRONE_RUNNER_LABELS=guix:on \
+ -e DRONE_RUNNER_VOLUMES=/var/guix/daemon-socket/socket:/var/guix/daemon-socket/socket,/gnu/store:/gnu/store,/home/collin/guix-ci-cache:/.cache/guix \
+ -e DRONE_DEBUG=true \
+ -p 3001:3000 \
+ --restart unless-stopped \
+ --name runner-guix \
+ --log-driver=loki \
+ --log-opt loki-url="http://loki.home.rekahsoft.ca:3100/loki/api/v1/push" \
+ --log-opt loki-retries=5 \
+ --log-opt loki-batch-size=400 \
+ docker.nexus.home.rekahsoft.ca/drone/drone-runner-docker:1.6.3
diff --git a/unguix/ci-runner0-home-rekahsoft-ca/drone-runner.sh b/unguix/ci-runner0-home-rekahsoft-ca/drone-runner.sh
new file mode 100644
index 0000000..b2d6c1e
--- /dev/null
+++ b/unguix/ci-runner0-home-rekahsoft-ca/drone-runner.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+docker run -d \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ -e DRONE_RPC_PROTO="https" \
+ -e DRONE_RPC_HOST="ci.home.rekahsoft.ca" \
+ -e DRONE_RPC_SECRET="8cb1a6fbc4febc68a99c4f1cc3f11f2a" \
+ -e DRONE_RUNNER_CAPACITY=4 \
+ -e DRONE_RUNNER_NAME="ci-runner0.home.rekahsoft.ca" \
+ -p 3000:3000 \
+ --restart unless-stopped \
+ --name runner \
+ --log-driver=loki \
+ --log-opt loki-url="http://loki.home.rekahsoft.ca:3100/loki/api/v1/push" \
+ --log-opt loki-retries=5 \
+ --log-opt loki-batch-size=400 \
+ docker.nexus.home.rekahsoft.ca/drone/drone-runner-docker:1.6.3
diff --git a/unguix/ci0-home-rekahsoft-ca/drone.sh b/unguix/ci0-home-rekahsoft-ca/drone.sh
new file mode 100644
index 0000000..9374974
--- /dev/null
+++ b/unguix/ci0-home-rekahsoft-ca/drone.sh
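Review bot: `DRONE_RPC_SECRET` is committed in clear text in this script and repeated verbatim in drone-runner.sh and drone.sh, and drone.sh additionally embeds `DRONE_GITEA_CLIENT_SECRET`; a secret that has entered a git history has to be treated as exposed, so both should be rotated and the scripts should load them from an untracked file, e.g. `--env-file /etc/drone/runner.env` (path is an example) with that file added to .gitignore. `DRONE_RUNNER_NAME="ci-runner1.home.rekahsoft.ca"` in a script that lives under unguix/ci-runner0-home-rekahsoft-ca/ looks like a copy-paste leftover, and `DRONE_DEBUG=true` is presumably not meant to stay on in a long-running runner. Mounting `/var/run/docker.sock` together with the guix daemon socket and `/gnu/store` also means every pipeline step on this runner effectively controls the host's Docker and Guix daemons; that is inherent to the docker runner, but a comment stating it would keep anyone from pointing repositories they do not control at this runner.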
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+docker run \
+ --volume=/var/lib/drone:/data \
+ --env=DRONE_GITEA_SERVER="https://git.home.rekahsoft.ca" \
+ --env=DRONE_GITEA_CLIENT_ID="25793ca8-0057-494b-b6a5-e7534104f546" \
+ --env=DRONE_GITEA_CLIENT_SECRET="Br9vQ-WG4nkC4cVwnCEFsfQg_WD6ax5Ebi5hNwiSd9M=" \
+ --env=DRONE_RPC_SECRET="8cb1a6fbc4febc68a99c4f1cc3f11f2a" \
+ --env=DRONE_SERVER_HOST="ci.home.rekahsoft.ca" \
+ --env=DRONE_SERVER_PROTO=https \
+ --env=DRONE_USER_CREATE=username:rekahsoft,admin:true \
+ --env=DRONE_JSONNET_ENABLED=true \
+ --publish=80:80 \
+ --restart=always \
+ --detach=true \
+ --name=drone \
+ --log-driver=loki \
+ --log-opt loki-url="http://loki.home.rekahsoft.ca:3100/loki/api/v1/push" \
+ --log-opt loki-retries=5 \
+ --log-opt loki-batch-size=400 \
+ docker.nexus.home.rekahsoft.ca/drone/drone:2
diff --git a/unguix/cloud0-home-rekahsoft-ca/nextcloud.sh b/unguix/cloud0-home-rekahsoft-ca/nextcloud.sh
new file mode 100755
index 0000000..5f5272b
--- /dev/null
+++ b/unguix/cloud0-home-rekahsoft-ca/nextcloud.sh
@@ -0,0 +1,16 @@
+#/usr/bin/env bash
+
+docker run -d --name nextcloud \
+ -p 80:80 \
+ --restart unless-stopped \
+ -v nextcloud:/var/www/html \
+ -v apps:/var/www/html/custom_apps \
+ -v config:/var/www/html/config \
+ -v /mnt/cephfs:/var/www/html/data \
+ -e APACHE_DISABLE_REWRITE_IP=1 \
+ -e TRUSTED_PROXIES="172.16.0.1" \
+ -e NEXTCLOUD_TRUSTED_DOMAINS="cloud.home.rekahsoft.ca,cloud0.home.rekahsoft.ca" \
+ docker.nexus.home.rekahsoft.ca/nextcloud:stable
+
+# Last working: 22.2.3-apache
+# Broken upgrade: 22.2.5.1
diff --git a/unguix/dash0-home-rekahsoft-ca/grafana.sh b/unguix/dash0-home-rekahsoft-ca/grafana.sh
new file mode 100644
index 0000000..dec49be
--- /dev/null
+++ b/unguix/dash0-home-rekahsoft-ca/grafana.sh
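Review bot: The first line of nextcloud.sh is `#/usr/bin/env bash`, missing the `!`, so although the file is added with mode 100755 the kernel cannot honour the interpreter line and the script runs under whatever shell the caller falls back to; change it to `#!/usr/bin/env bash`. The `stable` tag is a moving target, which the trailing `# Broken upgrade: 22.2.5.1` note shows has already caused a failed upgrade once; pinning the tag to the last known-good version and recording upgrades in commits rather than comments makes rollback reproducible. The named volumes `apps` and `config` are generic enough to collide with other containers on the same host; a `nextcloud-` prefix avoids that.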
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+docker run -d \
+ -p 80:3000 \
+ --restart unless-stopped \
+ --name grafana \
+ -v grafana:/var/lib/grafana \
+ -e "GF_INSTALL_PLUGINS=vonage-status-panel,grafana-piechart-panel" \
+ -e "GF_SECURITY_ALLOW_EMBEDDING=true" \
+ docker.nexus.home.rekahsoft.ca/grafana/grafana:8.1.5
diff --git a/unguix/git0-home-rekahsoft-ca/gitea.sh b/unguix/git0-home-rekahsoft-ca/gitea.sh
new file mode 100644
index 0000000..07040a9
--- /dev/null
+++ b/unguix/git0-home-rekahsoft-ca/gitea.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+docker run -d \
+ --restart unless-stopped \
+ --name gitea \
+ -v gitea:/data \
+ -v /etc/timezone:/etc/timezone:ro \
+ -v /etc/localtime:/etc/localtime:ro \
+ -p 80:3000 \
+ -p 2222:22 \
+ --log-driver=loki \
+ --log-opt loki-url="http://loki.home.rekahsoft.ca:3100/loki/api/v1/push" \
+ --log-opt loki-retries=5 \
+ --log-opt loki-batch-size=400 \
+ docker.nexus.home.rekahsoft.ca/gitea/gitea:1.15.6
diff --git a/unguix/loki-home-rekahsoft-ca/loki-config.yaml b/unguix/loki-home-rekahsoft-ca/loki-config.yaml
new file mode 100644
index 0000000..a978f40
--- /dev/null
+++ b/unguix/loki-home-rekahsoft-ca/loki-config.yaml
@@ -0,0 +1,45 @@
+auth_enabled: false
+
+server:
+ http_listen_port: 3100
+
+ingester:
+ lifecycler:
+ address: 127.0.0.1
+ ring:
+ kvstore:
+ store: inmemory
+ replication_factor: 1
+ final_sleep: 0s
+ chunk_idle_period: 5m
+ chunk_retain_period: 30s
+ max_transfer_retries: 0
+
+schema_config:
+ configs:
+ - from: 2018-04-15
+ store: boltdb
+ object_store: filesystem
+ schema: v11
+ index:
+ prefix: index_
+ period: 168h
+
+storage_config:
+ boltdb:
+ directory: /tmp/loki/index
+
+ filesystem:
+ directory: /tmp/loki/chunks
+
+limits_config:
+ enforce_metric_name: false
+ reject_old_samples: true
+ reject_old_samples_max_age: 168h
+
+chunk_store_config:
+ max_look_back_period: 0s
+
+table_manager:
+ retention_deletes_enabled: false
+ retention_period: 0s
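Review bot: `GF_SECURITY_ALLOW_EMBEDDING=true` in grafana.sh turns off the frame-busting protection Grafana applies by default, so dashboards become embeddable in pages served from other origins; if a particular consumer needs that, name it in a comment above the line, e.g. `# allow iframe embedding (drops X-Frame-Options); needed by <consumer>` with the consumer filled in. Unlike gitea.sh and the drone scripts, this container carries no `--log-driver=loki` options, so its logs are not shipped; add the same three `--log-*` lines if the omission is not deliberate.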
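Review bot: `storage_config` writes the index to `/tmp/loki/index` and chunks to `/tmp/loki/chunks`, while loki.sh only mounts `/var/lib/loki/config` into the container, so every ingested log line lives in the container's writable layer and disappears when the container is recreated. Point both `directory` keys at a path under a persistent mount and add the matching `-v` to loki.sh. `retention_deletes_enabled: false` together with `retention_period: 0s` also means nothing is ever deleted, so once storage is persisted the disk grows without bound; either set a retention period or state the intent in a comment above `table_manager`.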
diff --git a/unguix/loki-home-rekahsoft-ca/loki.sh b/unguix/loki-home-rekahsoft-ca/loki.sh
new file mode 100644
index 0000000..84a8ef4
--- /dev/null
+++ b/unguix/loki-home-rekahsoft-ca/loki.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+docker run -d \
+ --restart unless-stopped \
+ -v /var/lib/loki/config:/mnt/config \
+ -p 3100:3100 \
+docker.nexus.home.rekahsoft.ca/grafana/loki:1.6.0 -config.file=/mnt/config/loki-config.yaml
+
+docker run -d \
+ --restart unless-stopped \
+ -v /var/lib/loki/config:/mnt/config \
+ -v /var/log:/var/log \
+docker.nexus.home.rekahsoft.ca/grafana/promtail:1.6.0 -config.file=/mnt/config/promtail-config.yaml
diff --git a/unguix/loki-home-rekahsoft-ca/promtail-config.yaml b/unguix/loki-home-rekahsoft-ca/promtail-config.yaml
new file mode 100644
index 0000000..ed06e8c
--- /dev/null
+++ b/unguix/loki-home-rekahsoft-ca/promtail-config.yaml
@@ -0,0 +1,18 @@
+server:
+ http_listen_port: 9080
+ grpc_listen_port: 0
+
+positions:
+ filename: /tmp/positions.yaml
+
+clients:
+ - url: http://loki:3100/loki/api/v1/push
+
+scrape_configs:
+- job_name: system
+ static_configs:
+ - targets:
+ - localhost
+ labels:
+ job: varlogs
+ __path__: /var/log/*log
diff --git a/unguix/prom0-home-rekahsoft-ca/prometheus.sh b/unguix/prom0-home-rekahsoft-ca/prometheus.sh
new file mode 100644
index 0000000..abdf3e7
--- /dev/null
+++ b/unguix/prom0-home-rekahsoft-ca/prometheus.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+docker run -d \
+ --name prometheus \
+ --restart unless-stopped \
+ -p 9090:9090 \
+ -v /var/lib/prometheus:/etc/prometheus \
+docker.nexus.home.rekahsoft.ca/prom/prometheus
diff --git a/unguix/prom0-home-rekahsoft-ca/prometheus.yaml b/unguix/prom0-home-rekahsoft-ca/prometheus.yaml
new file mode 100644
index 0000000..2c4065b
--- /dev/null
+++ b/unguix/prom0-home-rekahsoft-ca/prometheus.yaml
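Review bot: promtail-config.yaml pushes to `http://loki:3100`, but neither `docker run` in loki.sh gives its container a `--name` or places the two on a shared user-defined network, so the hostname `loki` will not resolve from the promtail container unless that is arranged outside this script. Add `--name loki` and `--name promtail` plus a common `--network` to both invocations, or change the client URL to an address that resolves from the promtail container. The `-v /var/log:/var/log` mount should be read-only, `-v /var/log:/var/log:ro \`, since the agent only tails those files; the same `:ro` treatment is already used for the timezone mounts in gitea.sh.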
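Review bot: `positions.filename: /tmp/positions.yaml` keeps promtail's read offsets inside the container, so each restart re-ships `/var/log/*log` from the beginning and duplicates entries in Loki. Place the file under a persisted mount; `filename: /mnt/config/positions.yaml` would reuse the directory loki.sh already mounts, or add a dedicated volume for it.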
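Review bot: prometheus.sh mounts `/var/lib/prometheus` at `/etc/prometheus` for configuration but mounts nothing at the TSDB directory, so the time-series data lives in the container's writable layer and is lost when the container is recreated; add a second volume for the data path, e.g. `-v prometheus-data:/prometheus \` (the image's documented default storage path). The image reference `prom/prometheus` carries no tag, unlike every other script in this commit except searx.sh, so a re-pull silently changes the running version; pin both to explicit versions.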
@@ -0,0 +1,210 @@
+# my global config
+global:
+ scrape_interval: 15s
+ evaluation_interval: 30s
+ # scrape_timeout is set to the global default (10s).
+
+#
+# Applications
+
+scrape_configs:
+- job_name: grafana
+ scheme: http
+ dns_sd_configs:
+ - type: 'A'
+ port: 80
+ names:
+ - dash0.home.rekahsoft.ca
+
+- job_name: gitea
+ scheme: http
+ dns_sd_configs:
+ - type: 'A'
+ port: 80
+ names:
+ - git0.home.rekahsoft.ca
+
+
+#
+# VMs
+
+- job_name: vm-searx
+ scheme: http
+ dns_sd_configs:
+ - type: 'A'
+ port: 9100
+ names:
+ - searx0.home.rekahsoft.ca
+
+- job_name: vm-git0
+ scheme: http
+ dns_sd_configs:
+ - type: 'A'
+ port: 9100
+ names:
+ - git0.home.rekahsoft.ca
+
+- job_name: vm-ci0
+ scheme: http
+ dns_sd_configs:
+ - type: 'A'
+ port: 9100
+ names:
+ - ci0.home.rekahsoft.ca
+
+- job_name: vm-ci-runner0
+ scheme: http
+ dns_sd_configs:
+ - type: 'A'
+ port: 9100
+ names:
+ - ci-runner0.home.rekahsoft.ca
+
+- job_name: vm-my0
+ scheme: http
+ dns_sd_configs:
+ - type: 'A'
+ port: 9100
+ names:
+ - my0.home.rekahsoft.ca
+
+- job_name: vm-torrent0
+ scheme: http
+ dns_sd_configs:
+ - type: 'A'
+ port: 9100
+ names:
+ - torrent0.home.rekahsoft.ca
+
+- job_name: vm-plex0
+ scheme: http
+ dns_sd_configs:
+ - type: 'A'
+ port: 9100
+ names:
+ - plex0.home.rekahsoft.ca
+
+- job_name: vm-loki
+ scheme: http
+ dns_sd_configs:
+ - type: 'A'
+ port: 9100
+ names:
+ - loki.home.rekahsoft.ca
+
+- job_name: vm-postgres
+ scheme: http
+ dns_sd_configs:
+ - type: 'A'
+ port: 9100
+ names:
+ - postgres.home.rekahsoft.ca
+
+#
+# Physical hardware
+
+- job_name: proxmox-nodes
+ scheme: http
+ dns_sd_configs:
+ - type: 'A'
+ port: 9100
+ names:
+ - pve-0.home.rekahsoft.ca
+ - type: 'A'
+ port: 9100
+ names:
+ - pve-1.home.rekahsoft.ca
+ - type: 'A'
+ port: 9100
+ names:
+ - pve-2.home.rekahsoft.ca
+ - type: 'A'
+ port: 9100
+ names:
+ - pve-3.home.rekahsoft.ca
+ - type: 'A'
+ port: 9100
+ names:
+ - pve-4.home.rekahsoft.ca
+
+#
+# Applications running directly on physical 
hardware
+
+- job_name: ceph-metrics
+ scheme: http
+ dns_sd_configs:
+ - type: 'A'
+ port: 9283
+ names:
+ - pve-0.home.rekahsoft.ca
+ - type: 'A'
+ port: 9283
+ names:
+ - pve-1.home.rekahsoft.ca
+ - type: 'A'
+ port: 9283
+ names:
+ - pve-2.home.rekahsoft.ca
+ - type: 'A'
+ port: 9283
+ names:
+ - pve-3.home.rekahsoft.ca
+ - type: 'A'
+ port: 9283
+ names:
+ - pve-4.home.rekahsoft.ca
+
+# - job_name: some-service
+# metrics_path: /metrics
+# static_configs:
+# - targets:
+# - localhost:9090
+
+
+# - job_name: prometheus
+
+# honor_labels: true
+# # scrape_interval is defined by the configured global (15s).
+# # scrape_timeout is defined by the global default (10s).
+
+# # metrics_path defaults to '/metrics'
+# # scheme defaults to 'http'.
+
+# file_sd_configs:
+# - files:
+# - foo/*.slow.json
+# - foo/*.slow.yml
+# - single/file.yml
+# refresh_interval: 10m
+# - files:
+# - bar/*.yaml
+
+# static_configs:
+# - targets: ['localhost:9090', 'localhost:9191']
+# labels:
+# my: label
+# your: label
+
+# relabel_configs:
+# - source_labels: [job, __meta_dns_name]
+# regex: (.*)some-[regex]
+# target_label: job
+# replacement: foo-${1}
+# # action defaults to 'replace'
+# - source_labels: [abc]
+# target_label: cde
+# - replacement: static
+# target_label: abc
+# - regex:
+# replacement: static
+# target_label: abc
+
+# bearer_token_file: valid_token_file
+
+
+# - job_name: badfederation
+# honor_timestamps: false
+# metrics_path: /federate
+# static_configs:
+# - targets:
+# - localhost:9090
diff --git a/unguix/searx0-home-rekahsoft-ca/searx.sh b/unguix/searx0-home-rekahsoft-ca/searx.sh
new file mode 100644
index 0000000..c4f8701
--- /dev/null
+++ b/unguix/searx0-home-rekahsoft-ca/searx.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+docker run -d \
+ --name searx \
+ --restart unless-stopped \
+ -v /var/lib/searx:/etc/searx \
+ -p 8080:8080 \
+ -e BASE_URL=https://searx.home.rekahsoft.ca \
+docker.nexus.home.rekahsoft.ca/searx/searx
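Review bot: The `proxmox-nodes` and `ceph-metrics` jobs each repeat a complete `dns_sd_configs` entry per host, five times with identical `type` and `port`; since `names` is already a list, each job collapses to one entry with the five `pve-N.home.rekahsoft.ca` hostnames under a single `names:`, which is much easier to keep in sync when a node is added or retired. The roughly sixty lines of commented-out sample configuration at the end (`some-service`, `prometheus`, `badfederation`) are copied from the Prometheus examples and carry no local information, so they should be dropped rather than shipped in a production config. Every target is scraped with `scheme: http` and no authentication; that is presumably acceptable on the home network, but a one-line comment under `global` recording the assumption would help whoever later exposes one of these exporters more widely.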
diff --git a/unguix/vault0-home-rekahsoft-ca/vaultwarden.sh b/unguix/vault0-home-rekahsoft-ca/vaultwarden.sh
new file mode 100644
index 0000000..9ce4243
--- /dev/null
+++ b/unguix/vault0-home-rekahsoft-ca/vaultwarden.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+docker run -d \
+ --restart unless-stopped \
+ --name bitwarden \
+ -v bitwarden:/data \
+ -e DOMAIN=https://vault.home.rekahsoft.ca \
+ -e ADMIN_TOKEN=82HHZZImGbiZ2WaOybVvIM9ug+MgGO/VhMG5t16DbwpsRrTe3jUlOD76VPUXctB5 \
+ -e SIGNUPS_ALLOWED=false \
+ -p 80:80 \
+ docker.nexus.home.rekahsoft.ca/vaultwarden/server:1.23.0
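Review bot: `ADMIN_TOKEN=82HHZZ…` is committed in plaintext, and it unlocks the Vaultwarden admin panel, so the value is now part of the repository history and should be rotated. Read it from the environment instead, e.g. `-e ADMIN_TOKEN="${VAULTWARDEN_ADMIN_TOKEN:?VAULTWARDEN_ADMIN_TOKEN not set}" \`, or use `--env-file` with a file kept outside the repository, as the drone scripts should also do. The container and volume are named `bitwarden` while the file and image are vaultwarden; `--name vaultwarden` and `-v vaultwarden:/data` would keep `docker ps` output consistent with the repository layout, noting that the volume rename requires migrating the existing data.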