27 files changed, 105 insertions, 310 deletions
@@ -1,75 +1,86 @@ # VPS ## Workflow + ### Re-creating everything from scratch ```shell +./shell.sh git crypt unlock direnv allow -./terraform-update.sh -# wait for the DNS to propagate, so -# letsencrypt can create the certificates -./nixos-switch.sh +./terraform-apply.sh +./guix-reconfigure.sh ``` ### After an update on `vps.tf` Same as above. -### After editing `vps-configuration.nix` or other OS files - -Just run the `./nixos-switch.sh` script. - -## Base image -The basic `configuration.nix` file in the current snapshots looks just like this: - -```nix -{ config, pkgs, ... }: - -{ - imports = [ - ./hardware-configuration.nix - ]; - - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - boot.loader.grub.device = "/dev/vda"; - - networking.useDHCP = false; - networking.interfaces.ens3.useDHCP = true; - - environment.systemPackages = with pkgs; [ vim ]; - - services.openssh.enable = true; - services.openssh.permitRootLogin = "no"; - - users.extraUsers.andreh = { - uid = 1000; - isNormalUser = true; - extraGroups = [ "wheel" ]; - password = "...tmp password..."; - openssh.authorizedKeys.keys = [ - "...ssh public key..." - ]; - }; - - system.stateVersion = "19.09"; -} +### After editing `sync/vps.scm` or other OS files + +Just run the `./guix-reconfigure.sh` script. 
+ +## "base-guix-image" + +The base `sync/vps.scm` file in the current snapshot (snapshot ID 5c35fb3a74873) +is: + +```scheme +(use-modules (gnu)) +(use-service-modules networking ssh) +(use-package-modules ssh) + +(define ssh-public-key + "ssh-rsa ...") + +(define sudoers "\ +root ALL=(ALL) ALL +%wheel ALL=NOPASSWD: ALL\n") + +(operating-system + (locale "fr_FR.UTF-8") + (timezone "America/Sao_Paulo") + (keyboard-layout (keyboard-layout "us")) + (host-name "guix-pet-server") + (users (cons* (user-account + (name "andreh") + (group "users") + (home-directory "/home/andreh") + (supplementary-groups '("wheel"))) + %base-user-accounts)) + (sudoers-file (plain-file "sudoers" sudoers)) + (packages + (append (map specification->package + '("nss-certs" + "rsync")) + %base-packages)) + (services + (append + (list (service openssh-service-type + (openssh-configuration + (openssh openssh-sans-x) + (password-authentication? #false) + (authorized-keys + `(("andreh" ,(plain-file "id_rsa.pub" ssh-public-key)))))) + (service dhcp-client-service-type)) + %base-services)) + (bootloader + (bootloader-configuration + (bootloader grub-bootloader) + (target "/dev/vda") + (keyboard-layout keyboard-layout))) + (swap-devices + (list (uuid "79a91c82-f3e1-4ed7-8c4e-23569f1ae0ca"))) + (file-systems + (cons* (file-system + (mount-point "/") + (device + (uuid "fddb6a4c-8b8c-4f57-b274-5d6d33200f28" + 'ext4)) + (type "ext4")) + %base-file-systems))) ``` This basic setup allows it to boot, starts the OpenSSH server agent and allows -the listed `openssh.authorizedKeys.keys` to login. 
- -I've also changed the ownership of `/etc/nixos/configuration.nix` to allow my -user to write to it by piping through SSH without trying some -[non-working solutions like before][0]: - -```shell -sudo chown andreh /etc/nixos/configuration.nix -``` - -With that `./nixos-switch.sh` can write to the NixOS configuration file without -running into issues with `sudo` password permissions through the SSH pipe while -writing to stdin. - -[0]: https://git.euandreh.xyz/vps/tree/nixos-switch.sh?id=a7983c859f3d8890e35c587176f497b73a7a7dc7#n7 +the listed `ssh-public-key` to login, and commands from the +"andreh" user can run `sudo` without password. @@ -13,10 +13,10 @@ re-creating everything from scratch. *** TODO Email *** TODO Matrix * Services -** TODO =mail.$tld=: email ** TODO =git.$tld=: cgit ** TODO =$project.$tld=: static documentation for projects ** TODO =ci.$tld=: cuirass +** TODO =mail.$tld=: email ** TODO =chat.$tld=: Matrix ** TODO =meet.$tld=: Jitsi/Nextcloud Talk ** TODO =$tld=: Jekyll blog diff --git a/base-image/5d05f383bcf61-snapshot-configuration.nix b/base-image/5d05f383bcf61-snapshot-configuration.nix deleted file mode 120000 index c59f37b..0000000 --- a/base-image/5d05f383bcf61-snapshot-configuration.nix +++ /dev/null @@ -1 +0,0 @@ -e1d5f317b0f7a-snapshot-configuration.nix
\ No newline at end of file
diff --git a/base-image/c565f318e4aea-snapshot-configuration.nix b/base-image/c565f318e4aea-snapshot-configuration.nix
deleted file mode 120000
index c59f37b..0000000
--- a/base-image/c565f318e4aea-snapshot-configuration.nix
+++ /dev/null
@@ -1 +0,0 @@
-e1d5f317b0f7a-snapshot-configuration.nix
\ No newline at end of file
diff --git a/base-image/e1d5f317b0f7a-snapshot-configuration.nix b/base-image/e1d5f317b0f7a-snapshot-configuration.nix
deleted file mode 100644
index b80eab0..0000000
--- a/base-image/e1d5f317b0f7a-snapshot-configuration.nix
+++ /dev/null
@@ -1,107 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, pkgs, ... }: - -{ - imports = [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; - - # Use the GRUB 2 boot loader. - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - # boot.loader.grub.efiSupport = true; - # boot.loader.grub.efiInstallAsRemovable = true; - # boot.loader.efi.efiSysMountPoint = "/boot/efi"; - # Define on which hard drive you want to install Grub. - boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only - - # networking.hostName = "nixos"; # Define your hostname. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - - # The global useDHCP flag is deprecated, therefore explicitly set to false here. - # Per-interface useDHCP will be mandatory in the future, so this generated config - # replicates the default behaviour. - networking.useDHCP = false; - networking.interfaces.ens3.useDHCP = true; - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - # i18n = { - # consoleFont = "Lat2-Terminus16"; - # consoleKeyMap = "us"; - # defaultLocale = "en_US.UTF-8"; - # }; - - # Set your time zone. - # time.timeZone = "Europe/Amsterdam"; - - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ vim ]; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; - - # List services that you want to enable: - - # Enable the OpenSSH daemon. 
- services.openssh.enable = true; - services.openssh.permitRootLogin = "no"; - - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - - # Enable CUPS to print documents. - # services.printing.enable = true; - - # Enable sound. - # sound.enable = true; - # hardware.pulseaudio.enable = true; - - # Enable the X11 windowing system. - # services.xserver.enable = true; - # services.xserver.layout = "us"; - # services.xserver.xkbOptions = "eurosign:e"; - - # Enable touchpad support. - # services.xserver.libinput.enable = true; - - # Enable the KDE Desktop Environment. - # services.xserver.displayManager.sddm.enable = true; - # services.xserver.desktopManager.plasma5.enable = true; - - # Define a user account. Don't forget to set a password with ‘passwd’. - # users.users.jane = { - # isNormalUser = true; - # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. - # }; - - users.extraUsers.andreh = { - uid = 1000; - isNormalUser = true; - extraGroups = [ "wheel" ]; - password = - "...tmp password..."; # stored in secrets/base-image-old-password.txt - openssh.authorizedKeys.keys = [ - "ssh-rsa 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 eu@euandre.org" - ]; - }; - - # This value determines the NixOS release with which your system is to be - # compatible, in order to avoid breaking some software such as database - # servers. You should change this only after NixOS release notes say you - # should. - system.stateVersion = "19.09"; # Did you read the comment? - -} diff --git a/cgit-about.html b/cgit-about.html deleted file mode 100644 index 159a092..0000000 --- a/cgit-about.html +++ /dev/null @@ -1,8 +0,0 @@ -<h1> - EuAndreh's git repositories -</h1> - -<p> - If you're interested in contributing, the README of each repository contains - instructions on how to do it. -</p> 
diff --git a/ci-gen-index.sh b/ci-gen-index.sh
deleted file mode 100755
index 4de179c..0000000
--- a/ci-gen-index.sh
+++ /dev/null
@@ -1,70 +0,0 @@
-#!/usr/bin/env bash
-set -Eeuo pipefail
-cd "$(dirname "${BASH_SOURCE[0]}")"
-
-printf "Generating index.html of build logs... "
-rm -f index.html
-
-cat <<EOF >> index.html
-<!DOCTYPE html>
-<html lang="en">
- <head>
- <meta charset="UTF-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1" />
-
- <style>
- pre {
- display: inline;
- }
- </style>
- </head>
- <body>
- <h1>
- Build logs
- </h1>
-EOF
-
-PASS='✅'
-FAIL='❌'
-DUNNO='❔'
-
-for dir in */; do
- d="${dir%/}"
- cat <<EOF >> index.html
- <h2 id="$d">
- <a href="#$d">
- $dir
- </a>
- </h2>
- <ul>
-EOF
- for file in "$d"/*; do
- REPORT="$(grep '>>>' "$file" ||:)"
- if [[ -z "$REPORT" ]]; then
- STATUS="$DUNNO"
- elif grep '>>> exit status was 0' <(echo "$REPORT") > /dev/null; then
- STATUS="$PASS"
- else
- STATUS="$FAIL"
- fi
- cat <<EOF >> index.html
- <li>
- <a href="$file">
- $STATUS
- <pre>$file</pre>
- </a>
- </li>
-EOF
- done
-
- cat <<EOF >> index.html
- </ul>
-EOF
-done
-
-cat <<EOF >> index.html
- </body>
-</html>
-EOF
-
-echo "done."
diff --git a/envsubst-configuration.nix b/envsubst-configuration.nix
deleted file mode 100644
index 3ec28c3..0000000
--- a/envsubst-configuration.nix
+++ /dev/null
@@ -1 +0,0 @@
-{ }: { TLD = "$TLD"; }
diff --git a/favicons/git.ico b/favicons/git.ico
Binary files differ
deleted file mode 100644
index 145b4b0..0000000
--- a/favicons/git.ico
+++ /dev/null
diff --git a/gen-hash.sh b/gen-hash.sh
deleted file mode 100755
index 774f9f9..0000000
--- a/gen-hash.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/usr/bin/env bash
-set -Eeuo pipefail
-cd "$(dirname "${BASH_SOURCE[0]}")"
-
-mkpasswd -m sha-512 \
- "$(cat ./secrets/user-password.txt)" \
- "$(cat ./secrets/user-salt.txt)" \
- | tr -d '\n' \
- > ./secrets/passwords/user-hash.txt
diff --git a/guix/channels.scm b/guix/channels.scm
new file mode 100644
index 0000000..335210f
--- /dev/null
+++ b/guix/channels.scm
@@ -0,0 +1,20 @@
+(list
+ (channel
+ (name 'guix)
+ (url "https://git.savannah.gnu.org/git/guix.git")
+ (commit
+ "dc2de508a38d8e0a3f93e8d6ded225d3a7e32548")
+ (introduction
+ (make-channel-introduction
+ "9edb3f66fd807b096b48283debdcddccfea34bad"
+ (openpgp-fingerprint
+ "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA"))))
+ (channel
+ (name 'euandreh)
+ (url "https://git.sr.ht/~euandreh/euandreh-guix-channel")
+ (branch "master")
+ (introduction
+ (make-channel-introduction
+ "641f9388002cd874040938ab1c6da7ac9d0e54ca"
+ (openpgp-fingerprint
+ "5BDA E9B8 B2F6 C6BC BB0D 6CE5 81F9 0EC3 CD35 6060")))))
diff --git a/guix/manifest.scm b/guix/manifest.scm
new file mode 100644
index 0000000..b3bbcbe
--- /dev/null
+++ b/guix/manifest.scm
@@ -0,0 +1,5 @@
+(specifications->manifest
+ '("direnv"
+ "git-crypt"
+ "shellcheck"
+ "terraform"))
diff --git a/nixos-switch.sh b/nixos-switch.sh
deleted file mode 100755
index 1e46434..0000000
--- a/nixos-switch.sh
+++ /dev/null
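Review bot: The `euandreh` channel is declared with `(branch "master")` while the `guix` channel above it is pinned to a `commit`, so `guix time-machine -C guix/channels.scm` in `shell.sh` resolves the second channel to whatever `master` points at when the script runs, and the resulting environment is not reproducible between runs. The channel introduction only authenticates the commit chain against the listed fingerprint; it does not fix which commit is used, so a later push to that branch changes the toolchain with no change in this repository. Pin it the same way as the first channel, `(commit "<euandreh-channel-commit-placeholder>")` in place of the `branch` line, and bump it deliberately when the channel is updated.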
@@ -1,31 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash
-# shellcheck shell=bash
-# shellcheck disable=2086
-set -Eeuo pipefail
-cd "$(dirname "${BASH_SOURCE[0]}")"
-
-set -x
-
-USER_PASSWORD="$(cat ./secrets/base-image-old-password.txt)"
-export TLD='euandreh.xyz'
-
-# Idempotent init folders and permissions
-FOLDERS='/data/ /data/secrets/ /data/favicons/ /data/git/ /data/static/ci-logs/ /data/static/ci-logs/placeholder/ /data/nixos/ /data/static/logrotate/'
-echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S mkdir -p $FOLDERS
-echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S chown andreh:users $FOLDERS
-ssh "$TLD" touch /data/static/ci-logs/placeholder/f.log
-echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S chown -R andreh:users /data/
-
-# Copy secrets and support files
-rsync -avzP secrets/passwords/ "${TLD}:/data/secrets/"
-rsync -avzP favicons/ "${TLD}:/data/favicons/"
-scp cgit-about.html "${TLD}:/data/git/about.html"
-scp ci-gen-index.sh "${TLD}:/data/static/ci-logs/ci-gen-index.sh"
-
-# Run nixos-rebuild
-envsubst < envsubst-configuration.nix | ssh "$TLD" 'cat > /data/nixos/envsubst-configuration.nix'
-scp vps-configuration.nix "${TLD}:/etc/nixos/configuration.nix"
-echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S nix-channel --add "https://nixos.org/channels/nixos-unstable" nixos
-echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S -i nixos-rebuild switch --upgrade
-ssh "$TLD" rm -rf /data/static/ci-logs/placeholder/
diff --git a/scripts/cronjobs/borg.sh b/scripts/cronjobs/borg.sh
deleted file mode 100644
index bd6325f..0000000
--- a/scripts/cronjobs/borg.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/usr/bin/env bash
-set -Eeuo pipefail
-
-# shellcheck disable=SC1090
-. "${HOME}/.ssh/environment" > /dev/null
-BORG_PASSPHRASE="$(cat /data/secrets/borg-passphrase.txt)"
-export BORG_PASSPHRASE
-R='16686@ch-s010.rsync.net'
-
-borg create \
- --verbose \
- --stats \
- --progress \
- --compression lzma,6 \
- "$R:vps-borg::{hostname}-{now}-cronjob" \
- /data/
diff --git a/secrets/borg-key-export.txt b/secrets/borg-key-export.txt
Binary files differ
deleted file mode 100644
index 90e3b37..0000000
--- a/secrets/borg-key-export.txt
+++ /dev/null
diff --git a/secrets/passwords/matrix-registration.txt b/secrets/passwords/matrix-registration.txt
Binary files differ
deleted file mode 100644
index 86c632e..0000000
--- a/secrets/passwords/matrix-registration.txt
+++ /dev/null
diff --git a/secrets/passwords/nextcloud-admin.txt b/secrets/passwords/nextcloud-admin.txt
Binary files differ
deleted file mode 100644
index 0fd239d..0000000
--- a/secrets/passwords/nextcloud-admin.txt
+++ /dev/null
diff --git a/secrets/passwords/user-hash.txt b/secrets/passwords/user-hash.txt
Binary files differ
deleted file mode 100644
index e315081..0000000
--- a/secrets/passwords/user-hash.txt
+++ /dev/null
diff --git a/secrets/telegram.org b/secrets/telegram.org
Binary files differ
deleted file mode 100644
index 75514e5..0000000
--- a/secrets/telegram.org
+++ /dev/null
diff --git a/secrets/terraform/plan-files/2020-11-17T09:04:03-03:00.tfplan b/secrets/terraform/plan-files/2020-11-17T09:04:03-03:00.tfplan
Binary files differ
new file mode 100644
index 0000000..21870d8
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-11-17T09:04:03-03:00.tfplan
diff --git a/secrets/terraform/terraform.tfstate b/secrets/terraform/terraform.tfstate
Binary files differ
index 135ef81..550cf6d 100644
--- a/secrets/terraform/terraform.tfstate
+++ b/secrets/terraform/terraform.tfstate
diff --git a/secrets/terraform/terraform.tfstate.backup b/secrets/terraform/terraform.tfstate.backup
Binary files differ
index 775ca09..135ef81 100644
--- a/secrets/terraform/terraform.tfstate.backup
+++ b/secrets/terraform/terraform.tfstate.backup
diff --git a/secrets/user-password.txt b/secrets/user-password.txt
Binary files differ
deleted file mode 100644
index 63555f9..0000000
--- a/secrets/user-password.txt
+++ /dev/null
diff --git a/secrets/user-salt.txt b/secrets/user-salt.txt Binary files differdeleted file mode 100644 index 60fb774..0000000 --- a/secrets/user-salt.txt +++ /dev/null diff --git a/shell.sh b/shell.sh new file mode 100755 index 0000000..99f67b8 --- /dev/null +++ b/shell.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +set -Eeuo pipefail +cd "$(dirname "${BASH_SOURCE[0]}")" + +guix time-machine -C guix/channels.scm -- environment -m guix/manifest.scm diff --git a/vps-configuration.nix b/vps-configuration.nix index d8261cd..9189c34 100644 --- a/vps-configuration.nix +++ b/vps-configuration.nix @@ -13,7 +13,7 @@ let matrixServerJSON = { "m.server" = "${matrixDomain}:443"; }; matrixClientJSON = { "m.homeserver" = { "base_url" = "https://${TLD}"; }; }; matrixPort = 8008; - static-sites = [ "boneco" "pdfs-da-d-maria" ]; + static-sites = [ ]; # [ "boneco" "pdfs-da-d-maria" ]; docs-projects = [ "mediator" "libedn" "x-bindgen" ]; # "eq" "songbooks" }; @@ -193,15 +193,14 @@ in { enable-index-owner=0 enable-log-filecount=1 enable-log-linecount=1 - root-desc=public repositories - root-readme=/data/git/about.html + root-desc=Patches welcome! readme=:README.md readme=:README readme=:README.rst readme=:README.org max-repodesc-length=120 remove-suffix=1 - root-title=EuAndreh's git repositories + root-title=EuAndreh's repositories snapshots=tar.gz zip source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh @@ -211,7 +210,7 @@ in { }; logrotate = { - enable = true; + enable = false; extraConfig = '' compress @@ -23,7 +23,6 @@ provider "vultr" { version = "~> 1.3" } - # Instance resource "vultr_server" "vps_server" { 
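Review bot: In the `@@ -211,7 +210,7 @@` hunk of `vps-configuration.nix`, `enable = false;` switches log rotation off with no comment saying why, while the `extraConfig = ''` block beneath it (`compress` and whatever follows outside the hunk) is left in place and is now inert. Logs the rotation previously covered will accumulate unrotated until something else trims them, which on a small VPS is a disk-exhaustion risk and also changes how much log history is available for later troubleshooting or incident review. If this is meant to be temporary while the host moves from `nixos-switch.sh` to `guix-reconfigure.sh`, as the README hunk appears to describe, record that next to the setting, e.g. `enable = false; # temporarily disabled during the Guix migration; re-enable or remove extraConfig below`. The `logrotate` attribute set continues past the end of the hunk.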
@@ -37,7 +36,7 @@ resource "vultr_server" "vps_server" { # $ curl https://api.vultr.com/v1/plans/list?type=vc2 | jq '.["201"]' plan_id = 201 # $ curl -H "API-Key: $TF_VAR_vultr_api_key" https://api.vultr.com/v1/snapshot/list | jq - snapshot_id = "2525fb321b412" # base-guix + snapshot_id = "5c35fb3a74873" # base-guix-image } output "public_ip" { |