;; Operating-system definition for a minimal Proxmox VM whose root and swap
;; live on LVM.  The service list is exported on its own (see the comment on
;; %proxmox-vm-lvm-minimal-services) so callers can override it via record
;; inheritance.
(define-module (rekahsoft guix-config proxmox-vm-lvm-minimal)
  #:use-module (gnu)
  #:use-module (gnu packages)
  #:use-module (gnu system nss)              ; %mdns-host-lookup-nss
  #:use-module (srfi srfi-1)

  #:use-module (gnu services dbus)
  #:use-module (gnu services desktop)
  #:use-module (gnu services guix)
  #:use-module (gnu services networking)
  #:use-module (gnu services monitoring)
  #:use-module (gnu services shepherd)       ; shepherd-service, used by syslog-service-hop
  #:use-module (gnu services ssh)
  #:use-module (gnu services xorg)
  #:use-module (gnu packages admin)          ; inetutils, for the syslogd binary
  #:use-module (gnu packages bash)           ; bash, the automation user's shell
  #:use-module (gnu packages shells)
  #:use-module (rekahsoft guix-config home)  ; presumably provides %home -- confirm
  #:export (%proxmox-vm-lvm-minimal-services
            proxmox-vm-lvm-minimal))
;; Name of the account used by automated deployments.  The same string is the
;; user-name key for the deploy key in %proxmox-vm-lvm-minimal-services and
;; the account created in 'proxmox-vm-lvm-minimal'.
(define %automation-user "auto")

;; Public key trusted by the guix daemon on this host (added to the daemon's
;; authorized-keys below), i.e. signed store items from the holder of the
;; matching private key are accepted.
(define %guix-key (local-file "../../../.pubkeys/guix-coordinator-key.pub"))

;; Keys used for ssh access
;; All are public keys checked into the repository under .pubkeys/.
;; %deploy-key authenticates %automation-user; the %collin-* keys authenticate
;; the interactive user (and root) -- see the openssh configuration below.
;; NOTE(review): the 2048-bit RSA key is the weakest of the three; consider
;; retiring it once it is no longer needed.
(define %deploy-key (local-file "../../../.pubkeys/deploy-key.pub"))
(define %collin-ed25519-key (local-file "../../../.pubkeys/ed25519-861CD08E.pub"))
(define %collin-rsa4096-key (local-file "../../../.pubkeys/rsa4096-6765FB18.pub"))
(define %collin-rsa-key (local-file "../../../.pubkeys/rsa2048-ED51AB07.pub"))
;; inetutils syslogd configuration handed to the daemon via '--rcfile'.
;; The local rules exclude 'authpriv' from the console and /var/log/messages,
;; but the final '*.*' rule forwards every facility -- authpriv included --
;; to logs.home.rekahsoft.ca.
;; NOTE(review): the '@host' action is classic network syslog (UDP/514 in
;; inetutils syslogd), so forwarded entries travel in clear text; confirm the
;; path to the log host is trusted, or narrow the selector to
;; '*.*;authpriv.none' if private authentication messages must stay local.
(define syslog-configuration
  (plain-file "syslog.conf"
              "
# Log all error messages, authentication messages of
# level notice or higher and anything of level err or
# higher to the console.
# Don't log private authentication messages!
*.alert;auth.notice;authpriv.none -/dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none -/var/log/messages

# Log \"debug\"-level entries and nothing else.
*.=debug -/var/log/debug

# Same, in a different place.
*.info;mail.none;authpriv.none -/dev/tty12

# The authpriv file has restricted access.
# 'fsync' the file after each line (hence the lack of a leading dash).
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Forward all logs to remote syslog server
*.* @logs.home.rekahsoft.ca
"))
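;; TODO: this is a temporary solution; the syslogd service configuration should be extended
;; to allow for the various options supported by inetutils syslogd.
;;
;; Replacement for the stock syslog service (which %proxmox-vm-lvm-minimal-services
;; deletes from %base-services): runs inetutils syslogd with '--hop' so that
;; messages can be forwarded to the remote host named in SYSLOG-CONFIGURATION.
;; Registered as a plain shepherd service under 'shepherd-root-service-type'.
(define syslog-service-hop
  (simple-service 'syslogd shepherd-root-service-type
                  (list
                   ;; Taken from 'gnu/services/base.scm' and adjusted to allow forwarding to
                   ;; remote hosts using the '-h|--hop' option
                   (shepherd-service
                    (documentation "Run the syslog daemon (syslogd).")
                    (provision '(syslogd))
                    (requirement '(user-processes))
                    (actions (list (shepherd-configuration-action syslog-configuration)))
                    (start #~(let ((spawn (make-forkexec-constructor
                                           (list #$(file-append inetutils "/libexec/syslogd")
                                                 "--rcfile" #$syslog-configuration "--hop")
                                           #:pid-file "/var/run/syslog.pid")))
                               (lambda ()
                                 ;; Set the umask such that file permissions are #o640.
                                 ;; 'let*' makes the ordering explicit: the restrictive
                                 ;; umask must be in effect *before* the daemon is spawned
                                 ;; (plain 'let' leaves init-expression order unspecified
                                 ;; in Scheme).  The previous mask is restored afterwards
                                 ;; so the shepherd process itself is unaffected.
                                 (let* ((mask (umask #o137))
                                        (pid (spawn)))
                                   (umask mask)
                                   pid))))
                    (stop #~(make-kill-destructor))))))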
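;; Services need to be exposed this way so they can be overridden via guix's special
;; record inheritance. Otherwise, if trying to directly use an operating-system's
;; services, an error will be received about an ambiguous service called 'system.
;;
;; Security-relevant choices in this list:
;;  - sshd accepts public-key authentication only (no passwords).  The
;;    automation account is reachable with %deploy-key; "collin" and "root"
;;    with collin's keys.  NOTE(review): Guix's openssh-configuration does not
;;    permit root login unless 'permit-root-login' is set, so the "root" entry
;;    is inert as written -- confirm which behaviour is intended.
;;  - the guix daemon trusts %guix-key in addition to the default
;;    substitute-server keys, so that key holder can import signed store items.
;;  - the stock syslog service is replaced by SYSLOG-SERVICE-HOP, which
;;    forwards logs off-host.
(define %proxmox-vm-lvm-minimal-services
  (append
   (list (service guix-home-service-type
                  `(("collin" ,%home)))
         (service openssh-service-type
                  (openssh-configuration
                   (password-authentication? #f)
                   (authorized-keys
                    ;; Keyed by user name.  %automation-user keeps this entry in step
                    ;; with the account created in 'proxmox-vm-lvm-minimal'.
                    `((,%automation-user ,%deploy-key)
                      ("collin" ,%collin-ed25519-key ,%collin-rsa4096-key ,%collin-rsa-key)
                      ("root" ,%collin-ed25519-key ,%collin-rsa4096-key ,%collin-rsa-key)))))
         ;; NOTE(review): node-exporter runs with its default configuration here;
         ;; confirm its listen address is not reachable beyond the monitoring network.
         (service prometheus-node-exporter-service-type)
         (service dhcp-client-service-type)
         (service ntp-service-type)

         ;; Services required by dockerd
         (service dbus-root-service-type)
         (service elogind-service-type)

         syslog-service-hop)
   (modify-services
       %base-services
     ;; Drop the stock syslogd; syslog-service-hop above provides 'syslogd instead.
     (delete syslog-service-type)
     (guix-service-type
      config => (guix-configuration
                 (inherit config)
                 ;; Trust the coordinator key alongside the default substitute keys.
                 (authorized-keys (cons %guix-key %default-authorized-guix-keys))
                 (substitute-urls %default-substitute-urls))))))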
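;; Build the operating-system for a minimal Proxmox guest: GRUB on /dev/sda,
;; root and swap as logical volumes of volume group "vg0".
;;
;; HOST-NAME: string used as the machine's host name.
;; Returns an <operating-system> record.
;;
;; Privilege model: %automation-user (the account behind %deploy-key in
;; %proxmox-vm-lvm-minimal-services) is in 'wheel' and additionally gets a
;; passwordless 'ALL' sudo rule, so the deploy key is effectively root here.
;; NOTE(review): "audio"/"video" membership is not needed by an automation
;; account on a headless VM; consider dropping those groups.
(define (proxmox-vm-lvm-minimal host-name)
  (operating-system
    (host-name host-name)
    (timezone "America/Toronto")
    (locale "en_US.utf8")
    (keyboard-layout (keyboard-layout "us"))

    (bootloader (bootloader-configuration
                 (bootloader grub-bootloader)
                 (targets '("/dev/sda"))))

    ;; Presumably the Proxmox virtual disk is a virtio-scsi device, so the
    ;; module must be in the initrd before the LVM volumes below can be opened.
    (initrd-modules
     (append '("virtio_scsi") %base-initrd-modules))

    (mapped-devices
     (list (mapped-device
            (source "vg0")
            (targets (list "vg0-root" "vg0-swap"))
            (type lvm-device-mapping))))

    (swap-devices
     (list (swap-space
            (target (file-system-label "swap"))
            (dependencies mapped-devices))))

    (file-systems (append
                   (list (file-system
                           (device (file-system-label "root"))
                           (mount-point "/")
                           (type "ext4")
                           (dependencies mapped-devices)))
                   %base-file-systems))

    (users (cons* (user-account
                   (name %automation-user)
                   (comment "Automation User")
                   (group "users")
                   (shell #~(string-append #$bash "/bin/bash"))
                   (supplementary-groups
                    '("wheel" "netdev" "audio" "video"))
                   ;; Derived from the account name so the two cannot drift apart.
                   (home-directory (string-append "/home/" %automation-user)))
                  %base-user-accounts))

    ;; Default sudoers plus a passwordless ALL rule for the automation account.
    (sudoers-file
     (plain-file "sudoers"
                 (string-append (plain-file-content %sudoers-specification)
                                (format #f "~a ALL = NOPASSWD: ALL~%"
                                        %automation-user))))

    (packages
     (append
      (map specification->package
           '("recutils"
             "openssh"
             "tmux"
             "emacs"
             "emacs-guix"))
      %base-packages))

    (services %proxmox-vm-lvm-minimal-services)

    ;; Allow resolution of '.local' host names with mDNS.
    (name-service-switch %mdns-host-lookup-nss)))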