From 1bf3861318f9cc362384722d4f312f3dd439c749 Mon Sep 17 00:00:00 2001
From: EuAndreh
Date: Mon, 16 Nov 2020 22:10:25 -0300
Subject: Add base Guix configuration and start switching to it

- remove NixOS stateVersion from .envrc;
- add guix-reconfigure.sh;
- add vps.scm with initial Guix system configuration;
- update vps.tf to use the new "base-guix" snapshot.

The "base-guix" image doesn't need a password. The "andreh" users has one, but it is configured for not requiring it when running commands as "sudo". The expected minimal steps one has to go through for privilege scalation is via the SSH private key, and accessing the VPS via SSH. Since password login is disabled and root can't login via SSH either, only the private SSH key allows access to the server. After that, the attacker will be able to run commands as root.

---
.envrc | 11 ++---
TODOs.org | 2 +
guix-reconfigure.sh | 7 +++
.../plan-files/2020-11-16T20:02:03-03:00.tfplan | Bin 0 -> 2074 bytes
.../plan-files/2020-11-16T20:11:50-03:00.tfplan | Bin 0 -> 2077 bytes
.../plan-files/2020-11-16T22:16:40-03:00.tfplan | Bin 0 -> 2088 bytes
secrets/terraform/terraform.tfstate | Bin 264 -> 3079 bytes
secrets/terraform/terraform.tfstate.backup | Bin 181 -> 181 bytes
vps.scm | 53 +++++++++++++++++++++
vps.tf | 4 +-
10 files changed, 69 insertions(+), 8 deletions(-)
create mode 100755 guix-reconfigure.sh
create mode 100644 secrets/terraform/plan-files/2020-11-16T20:02:03-03:00.tfplan
create mode 100644 secrets/terraform/plan-files/2020-11-16T20:11:50-03:00.tfplan
create mode 100644 secrets/terraform/plan-files/2020-11-16T22:16:40-03:00.tfplan
create mode 100644 vps.scm

diff --git a/.envrc b/.envrc
index 8a97b26..d16dff6 100644
--- a/.envrc
+++ b/.envrc
@@ -2,16 +2,15 @@ set -Eeuo pipefail
 #
-# envsubst variables for:
-# - envsubst-configuration.nix
-export TLD='euandreh.xyz'
-export SYSTEM_STATE_VERSION='20.03'
+# envsubst
+#
+export TLD='arrobaponto.org'
 #
 # Terraform
 #
 export TF_VAR_tld="${TLD}"
-export TF_VAR_hostname="sovereignty-nixos"
-export TF_VAR_storage_name="sovereignty-nixos-storage"
+export TF_VAR_hostname="sovereignty-guix-system"
+export TF_VAR_storage_name="sovereignty-storage"
 TF_VAR_vultr_api_key="$(cat ./secrets/terraform/vultr-api-key.txt)"
 export TF_VAR_vultr_api_key
diff --git a/TODOs.org b/TODOs.org
index 7f3b2ad..5b1ebc6 100644
--- a/TODOs.org
+++ b/TODOs.org
@@ -1,4 +1,5 @@
 * Tasks
+** TODO External volume
 ** TODO Backups
 If possible, put every data subfolder under the same folder, and just backup the toplevel folder. This also allows me to put it on an external volum and grow it
@@ -19,6 +20,7 @@ re-creating everything from scratch.
 ** TODO =ci.$tld=: cuirass
 ** TODO =$tld=: Jekyll blog
 ** TODO =$project.$tld=: static documentation for projects
+** TODO =audio.$tld=: FunkWhale
 * Decisions
 ** Matrix over XMPP
 I'm picking Matrix. Not because of the protocol or anything else, but because it
diff --git a/guix-reconfigure.sh b/guix-reconfigure.sh
new file mode 100755
index 0000000..9eefabb
--- /dev/null
+++ b/guix-reconfigure.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -Eeuox pipefail
+cd "$(dirname "${BASH_SOURCE[0]}")"
+
+envsubst < config.scm | ssh "$TLD" 'cat > /data/config.scm'
+ssh "$TLD" guix pull
+ssh "$TLD" sudo -i guix system reconfigure /data/config.scm
diff --git a/secrets/terraform/plan-files/2020-11-16T20:02:03-03:00.tfplan b/secrets/terraform/plan-files/2020-11-16T20:02:03-03:00.tfplan
new file mode 100644
index 0000000..d05d691
Binary files /dev/null and b/secrets/terraform/plan-files/2020-11-16T20:02:03-03:00.tfplan differ
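Review bot: `envsubst < config.scm` on line 5 of the new guix-reconfigure.sh reads a file this commit does not add — the configuration is committed as `vps.scm` (see the diffstat and the vps.scm section below) — so the script fails at its first command unless a config.scm exists outside the repository; either rename the file or read the committed one, `envsubst '$TLD' < vps.scm | ssh "$TLD" 'cat > /data/config.scm'`, where naming the variable also stops `envsubst` from expanding any other exported value (`.envrc` puts the Vultr API key in the same environment) into a file shipped to the VPS. The `guix pull` on line 6 runs as the login user, but `sudo -i guix system reconfigure` on line 7 resolves `guix` through root's profile (`-i` resets PATH and HOME to root's), so the reconfigure likely runs an older guix than the one just pulled; adding `ssh "$TLD" sudo -i guix pull` before the reconfigure, or dropping `-i` so the user's freshly pulled guix is used, keeps the two steps consistent. Nothing in this commit creates or mounts `/data` on the target (vps.scm declares only `/`), so either a `ssh "$TLD" sudo mkdir -p /data` step or a comment stating that the volume is provided out of band would make the precondition explicit.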
diff --git a/secrets/terraform/plan-files/2020-11-16T20:11:50-03:00.tfplan b/secrets/terraform/plan-files/2020-11-16T20:11:50-03:00.tfplan
new file mode 100644
index 0000000..08d5e79
Binary files /dev/null and b/secrets/terraform/plan-files/2020-11-16T20:11:50-03:00.tfplan differ
diff --git a/secrets/terraform/plan-files/2020-11-16T22:16:40-03:00.tfplan b/secrets/terraform/plan-files/2020-11-16T22:16:40-03:00.tfplan
new file mode 100644
index 0000000..2272d23
Binary files /dev/null and b/secrets/terraform/plan-files/2020-11-16T22:16:40-03:00.tfplan differ
diff --git a/secrets/terraform/terraform.tfstate b/secrets/terraform/terraform.tfstate
index df179b7..135ef81 100644
Binary files a/secrets/terraform/terraform.tfstate and b/secrets/terraform/terraform.tfstate differ
diff --git a/secrets/terraform/terraform.tfstate.backup b/secrets/terraform/terraform.tfstate.backup
index 21c7872..775ca09 100644
Binary files a/secrets/terraform/terraform.tfstate.backup and b/secrets/terraform/terraform.tfstate.backup differ
diff --git a/vps.scm b/vps.scm
new file mode 100644
index 0000000..8d47891
--- /dev/null
+++ b/vps.scm
@@ -0,0 +1,53 @@
+;; This is an operating system configuration generated
+;; by the graphical installer.
+
+(use-modules (gnu))
+(use-service-modules networking ssh)
+(use-package-modules ssh)
+
+(define ssh-public-key
+ "ssh-rsa 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 eu@euandre.org")
+
+(operating-system
+ (locale "en_GB.utf8")
+ (timezone "America/Sao_Paulo")
+ (keyboard-layout (keyboard-layout "us"))
+ (host-name "guix-pet-server")
+ (users (cons* (user-account
+ (name "andreh")
+ (group "users")
+ (home-directory "/home/andreh")
+ (supplementary-groups '("wheel")))
+ %base-user-accounts))
+ (sudoers-file (plain-file "sudoers" "\
+root ALL=(ALL) ALL
+%wheel ALL=NOPASSWD: ALL\n"))
+ (packages
+ (append
+ (list (specification->package "nss-certs"))
+ %base-packages))
+ (services
+ (append
+ (list (service openssh-service-type
+ (openssh-configuration
+ (openssh openssh-sans-x)
+ (password-authentication? #false)
+ (authorized-keys
+ `(("andreh" ,(plain-file "id_rsa.pub" ssh-public-key))))))
+ (service dhcp-client-service-type))
+ %base-services))
+ (bootloader
+ (bootloader-configuration
+ (bootloader grub-bootloader)
+ (target "/dev/vda")
+ (keyboard-layout keyboard-layout)))
+ (swap-devices
+ (list (uuid "79a91c82-f3e1-4ed7-8c4e-23569f1ae0ca")))
+ (file-systems
+ (cons* (file-system
+ (mount-point "/")
+ (device
+ (uuid "fddb6a4c-8b8c-4f57-b274-5d6d33200f28"
+ 'ext4))
+ (type "ext4"))
+ %base-file-systems)))
diff --git a/vps.tf b/vps.tf
index 8abe76e..5570e80 100644
--- a/vps.tf
+++ b/vps.tf
@@ -35,9 +35,9 @@ resource "vultr_server" "vps_server" {
 # $ curl https://api.vultr.com/v1/regions/list | jq '.["9"]'
 region_id = 9
 # $ curl https://api.vultr.com/v1/plans/list?type=vc2 | jq '.["201"]'
- plan_id = 202
+ plan_id = 201
 # $ curl -H "API-Key: $TF_VAR_vultr_api_key" https://api.vultr.com/v1/snapshot/list | jq
- snapshot_id = "5d05f383bcf61"
+ snapshot_id = "2525fb321b412" # base-guix
 }
 output "public_ip" {
--
cgit v1.2.3
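Review bot: The `%wheel ALL=NOPASSWD: ALL` line in the sudoers-file form of vps.scm carries none of the reasoning the commit message gives for it, so the next reader of the file sees an unexplained passwordless root grant; a comment directly above the form, `;; wheel is NOPASSWD on purpose: SSH is key-only and root cannot log in, so the "andreh" SSH key is the single credential guarding root on this host`, keeps that threat model next to the setting it justifies. The same claim rests on `permit-root-login` staying at its default in openssh-configuration; writing `(permit-root-login #f)` beside `(password-authentication? #false)` makes the configuration state what the commit message asserts instead of relying on a default that a future field change could silently alter. The header `;; This is an operating system configuration generated by the graphical installer.` is no longer accurate once the user, sudoers and SSH sections are hand-written; replacing it with a one-line description of the host this file configures and how it is applied (guix-reconfigure.sh) would be more useful.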