Provision turing with guix

This places a starting point for Guix experiments on Turing. At present,
it configures the following things on Turing:

- SSH
- nginx with `certbot`
- PostgreSQL
- nftables blocking everything but SSH

It serves to test out fully declarative deployments and in no point aims
to replace our Ansible setup. This commit is purely proposed for merge
to enable collaboration.

Author: jchristgit

guix/README.md

@@ -0,0 +1,26 @@
+# DevOps Area 51
+
+> This directory is a declarative deployment... and part of a system of
+> declarative deployments... pay attention to it!
+
+Here we test out declarative deployments using Guix on Turing. It serves mainly
+as a playground for ideas.
+
+## Deploying
+
+**Prerequisites**
+
+- Relevant SSH key (see `./ssh-keys/`) in your SSH agent
+- Guix packaging ACL key deployed on turing
+  - This is usually at `/etc/guix/signing-key`. If not, run `guix archive
+    --generate-key` as root.
+  - This is needed for the remote Guix instance to accept packages we build
+    locally.
+
+**Deploying**
+
+```sh
+# Optional, but recommended
+# guix pull
+guix deploy turing.scm
+```

guix/guix-acl-keys/jc.pub

@@ -0,0 +1,6 @@
+(public-key 
+ (ecc 
+  (curve Ed25519)
+  (q #4D454A6338DCC455670972224BC70BEB22BA45E5D90010B9982B8BADF3BF1391#)
+  )
+ )

guix/guix-acl-keys/lovelace.pub

@@ -0,0 +1,6 @@
+(public-key 
+ (ecc 
+  (curve Ed25519)
+  (q #C2F473C5A16D14256DC6CBE78DB3F2D782B7723AECCCBCB123BE84DB110BF348#)
+  )
+ )

guix/ssh-keys/chris-lovelace.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9bVRTi9UIihz9B2wRpnsyl/1NqXJXuea6aPrH/h+o2 cj@lovelace.box.pydis.wtf

guix/ssh-keys/chris.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMxOPLzQEOJtBJJ6Od9ucrDUpAFOviqJaUAvoG8NzyM chris@neptune

guix/ssh-keys/jb.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyNdEOw7tfOHWCM0w2A7UzspnYYpNiF+nak51dcx3d7

guix/ssh-keys/jb2.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBAeclEz5F0yR4ip/cCbsJ6uHdo8QPK5FBPb6aH/e2Fg

guix/ssh-keys/jc.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINoHtDPD+w3rKGW4JVEDXidpRM1UXksC+/cMFgCykQBy jc@turing.box.chrisjl.dev

guix/turing.scm

@@ -0,0 +1,178 @@
+;; Module imports
+(use-modules (gnu)
+             (guix)
+             (gnu packages databases)
+             (gnu packages linux)
+             (gnu packages tmux)
+             (gnu packages vim)
+             (gnu services admin)
+             (gnu services certbot)
+             (gnu services databases)
+             (gnu services networking)
+             (gnu services web))
+(use-service-modules networking ssh)
+(use-package-modules bootloaders)
+
+;; Getting "unauthorized public key"?
+;; your key needs to be in the guix authorized-keys, search for `guix-archive-key`.
+;; Add your key there, then:
+;;     scp -r . turing.box.chrisjl.dev:guix
+;;     ssh turing.box.chrisjl.dev
+;;     cd guix
+;;     vim turing.scm
+;;     # Delete the `(list (machine ...))` stuff
+;;     # Add %turing-os
+;;     # Save
+;;     sudo guix system reconfigure turing.scm
+
+(define %this-dir (dirname (current-filename)))
+
+(define (file-from-cwd path)
+  (local-file (string-append %this-dir path)))
+
+(define (ssh-key name)
+  (file-from-cwd (string-append "/ssh-keys/" name ".pub")))
+
+(define (guix-archive-key name)
+  (file-from-cwd (string-append "/guix-acl-keys/" name ".pub")))
+
+(define %hidden-service-turing
+    (simple-service 'hidden-service-turing tor-service-type
+                    (list (tor-onion-service-configuration
+                            (name "turing")
+                            (mapping '((22 "127.0.0.1:22")))))))
+
+(define %certbot-deploy-hook
+  (program-file
+   "nginx-deploy-hook"
+   #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
+       (kill pid SIGHUP))))
+
+(define (letsencrypt-path hostname filename)
+  (string-append "/etc/letsencrypt/live/" hostname "/" filename))
+
+(define (letsencrypt-key hostname)
+  (letsencrypt-path hostname "privkey.pem"))
+
+(define (letsencrypt-cert hostname)
+  (letsencrypt-path hostname "fullchain.pem"))
+
+(define %services
+  (append (list (service openssh-service-type
+                   (openssh-configuration
+                     (permit-root-login #f)
+                     (password-authentication?  #f)
+                     (authorized-keys `(("cj" ,(ssh-key "chris")
+                                              ,(ssh-key "chris-lovelace"))
+                                        ("jc" ,(ssh-key "jc"))
+                                        ("j" ,(ssh-key "jb")
+                                             ,(ssh-key "jb2"))))))
+                (service dhcp-client-service-type)
+                (service postgresql-service-type
+                         (postgresql-configuration
+                           (postgresql postgresql-16)))
+                (service tor-service-type)
+                (service nftables-service-type)
+                (service ntp-service-type)
+                %hidden-service-turing
+                (service nginx-service-type
+                         (nginx-configuration
+                           (server-blocks
+                             (list
+                               (nginx-server-configuration
+                                 (listen '("443 ssl http2"))
+                                 (server-name '("turing.box.pydis.wtf"))
+                                 (ssl-certificate (letsencrypt-cert "turing.box.pydis.wtf"))
+                                 (ssl-certificate-key (letsencrypt-key "turing.box.pydis.wtf"))
+                                 (root "/var/www/turing.box.pydis.wtf"))))))
+; The below is added by the certbot role
+;                                     (listen '("80" "[::]:80"))
+;                                     (server-name '("turing.box.pydis.wtf"))
+;                                     (root "/var/www/owlcorp.uk")
+;                                     (locations
+;                                       (list
+;                                         (nginx-location-configuration
+;                                           ; Certbot webroot serving
+;                                           (uri "/.well-known")
+;                                           (body (list "root /var/www; "))))))))))
+;
+                (service certbot-service-type
+                         (certbot-configuration
+                          (email "ops@owlcorp.uk")
+                          ; Do not add certbot configuration to nginx automatically
+                          ; XXX: seems broken, report upstream?
+                          ; (default-location #f)
+                          (webroot "/var/www")
+                          (certificates
+                           (list
+                            (certificate-configuration
+                             (domains '("turing.box.pydis.wtf"))
+                             (deploy-hook %certbot-deploy-hook))))))
+                (service unattended-upgrade-service-type)
+                (simple-service 'resolv-conf etc-service-type
+                                (list `("resolv.conf" ,(plain-file
+                                                        "resolv.conf"
+                                                        "nameserver 1.1.1.1 1.0.0.1\n")))))
+               %base-services))
+
+;; Operating system description
+(define %turing-os
+  (operating-system
+    (locale "en_GB.utf8")
+    (timezone "UTC")
+    (keyboard-layout (keyboard-layout "gb"))
+    (bootloader (bootloader-configuration
+                  (bootloader grub-bootloader)
+                  (targets '("/dev/vda"))
+                  (keyboard-layout keyboard-layout)))
+    (file-systems (cons* (file-system
+                           (mount-point "/")
+                           (device "/dev/vda2")
+                           (type "ext4"))
+                          %base-file-systems))
+    (host-name "u-76")
+    (users (cons* (user-account
+                    (name "cj")
+                    (comment "Chris")
+                    (group "users")
+                    (home-directory "/home/cj")
+                    (supplementary-groups '("wheel" "netdev" "audio" "video")))
+                  (user-account
+                    (name "jc")
+                    (comment "void")
+                    (group "users")
+                    (home-directory "/home/jc")
+                    (supplementary-groups '("wheel" "netdev" "audio" "video")))
+                  (user-account
+                    (name "j")
+                    (comment "J")
+                    (group "users")
+                    (home-directory "/home/j")
+                    (supplementary-groups '("wheel" "netdev" "audio" "video")))
+                  %base-user-accounts))
+    (packages (cons* %base-packages))
+    (sudoers-file (plain-file "sudoers" "root ALL=(ALL) ALL
+%wheel ALL=NOPASSWD: ALL
+"))
+    (services (modify-services %services
+                (guix-service-type config =>
+                                   (guix-configuration
+                                     (inherit config)
+                                     (authorized-keys
+                                       (append (list (guix-archive-key "jc")
+                                                     (guix-archive-key "lovelace"))
+                                               %default-authorized-guix-keys))))))))
+
+; local deployments:
+; SSHKEY=path/to/key USER=myuser guix deploy turing.scm
+; USER is usually implicitly declared somewhere
+(list (machine
+        (operating-system %turing-os)
+        (environment managed-host-environment-type)
+        (configuration (machine-ssh-configuration
+                         (host-name "turing.box.chrisjl.dev")
+                         (build-locally? #f)
+                         (system "x86_64-linux")
+                         (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvvi6P/G+rZ2qUZ+anluvFQwYM/WFZkERygd9X9+xqU")
+                         (user (getenv "USER"))
+                         (identity (getenv "SSHKEY"))))))