Diffstat (limited to 'doc/guix-cookbook.texi')
-rw-r--r--  doc/guix-cookbook.texi  295
1 files changed, 295 insertions, 0 deletions
diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index e90d611171..91f08bfcd6 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -23,6 +23,7 @@ Copyright @copyright{} 2020 Christine Lemmer-Webber@*
Copyright @copyright{} 2021 Joshua Branson@*
Copyright @copyright{} 2022, 2023 Maxim Cournoyer@*
Copyright @copyright{} 2023 Ludovic Courtès
+Copyright @copyright{} 2023 Thomas Ieong
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -128,6 +129,7 @@ System Configuration
* Connecting to Wireguard VPN:: Connecting to a Wireguard VPN.
* Customizing a Window Manager:: Handle customization of a Window manager on Guix System.
* Running Guix on a Linode Server:: Running Guix on a Linode Server.
+* Running Guix on a Kimsufi Server:: Running Guix on a Kimsufi Server.
* Setting up a bind mount:: Setting up a bind mount in the file-systems definition.
* Getting substitutes from Tor:: Configuring Guix daemon to get substitutes through Tor.
* Setting up NGINX with Lua:: Configuring NGINX web-server to load Lua modules.
@@ -1575,6 +1577,7 @@ reference.
* Connecting to Wireguard VPN:: Connecting to a Wireguard VPN.
* Customizing a Window Manager:: Handle customization of a Window manager on Guix System.
* Running Guix on a Linode Server:: Running Guix on a Linode Server.
+* Running Guix on a Kimsufi Server:: Running Guix on a Kimsufi Server.
* Setting up a bind mount:: Setting up a bind mount in the file-systems definition.
* Getting substitutes from Tor:: Configuring Guix daemon to get substitutes through Tor.
* Setting up NGINX with Lua:: Configuring NGINX web-server to load Lua modules.
@@ -2158,6 +2161,51 @@ the @code{yubikey-manager-qt} package and either wholly disable the
@samp{Applications -> OTP} view, delete the slot 1 configuration, which
comes pre-configured with the Yubico OTP application.
+@subsection Requiring a Yubikey to open a KeePassXC database
+@cindex yubikey, keepassxc integration
+The KeePassXC password manager application has support for Yubikeys, but
+it requires installing a udev rules for your Guix System and some
+configuration of the Yubico OTP application on the key.
+
+The necessary udev rules file comes from the
+@code{yubikey-personalization} package, and can be installed like:
+
+@lisp
+(use-package-modules ... security-token ...)
+...
+(operating-system
+ ...
+ (services
+ (cons*
+ ...
+ (udev-rules-service 'yubikey yubikey-personalization))))
+@end lisp
+
+After reconfiguring your system (and reconnecting your Yubikey), you'll
+then want to configure the OTP challenge/response application of your
+Yubikey on its slot 2, which is what KeePassXC uses. It's easy to do so
+via the Yubikey Manager graphical configuration tool, which can be
+invoked with:
+
+@example
+guix shell yubikey-manager-qt -- ykman-gui
+@end example
+
+First, ensure @samp{OTP} is enabled under the @samp{Interfaces} tab,
+then navigate to @samp{Applications -> OTP}, and click the
+@samp{Configure} button under the @samp{Long Touch (Slot 2)} section.
+Select @samp{Challenge-response}, input or generate a secret key, and
+click the @samp{Finish} button. If you have a second Yubikey you'd like
+to use as a backup, you should configure it the same way, using the
+@emph{same} secret key.
+
+Your Yubikey should now be detected by KeePassXC. It can be added to a
+database by navigating to KeePassXC's @samp{Database -> Database
+Security...} menu, then clicking the @samp{Add additional
+protection...} button, then @samp{Add Challenge-Response}, selecting the
+security key from the drop-down menu and clicking the @samp{OK} button
+to complete the setup.
+
@node Dynamic DNS mcron job
@section Dynamic DNS mcron job
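Review bot: "it requires installing a udev rules for your Guix System" in the first paragraph of the new subsection should read "a udev rules file" (the next paragraph already calls it that). One omission in the @samp{Configure} step: the text tells the reader to "input or generate a secret key" and later to program a backup Yubikey with the @emph{same} secret, but never says to record that secret somewhere safe; without it the backup key cannot be set up later, so a sentence to that effect belongs right after "click the @samp{Finish} button".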
@@ -2634,6 +2682,253 @@ have an easy time spinning up new Guix images! You may need to
down-size the Guix image to 6144MB, to save it as an image. Then you
can resize it again to the max size.
+@node Running Guix on a Kimsufi Server
+@section Running Guix on a Kimsufi Server
+@cindex kimsufi, Kimsufi, OVH
+
+To run Guix on a server hosted by @uref{https://www.kimsufi.com/,
+Kimsufi}, click on the netboot tab then select rescue64-pro and restart.
+
+OVH will email you the credentials required to ssh into a Debian system.
+
+Now you can run the "install guix from @pxref{Binary Installation,,,
+guix, GNU Guix}" steps:
+
+@example
+wget https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh
+chmod +x guix-install.sh
+./guix-install.sh
+guix pull
+@end example
+
+Partition the drives and format them, first stop the raid array:
+
+@example
+mdadm --stop /dev/md127
+mdadm --zero-superblock /dev/sda2 /dev/sdb2
+@end example
+
+Then wipe the disks and set up the partitions, we will create
+a RAID 1 array.
+
+@example
+wipefs -a /dev/sda
+wipefs -a /dev/sdb
+
+parted /dev/sda --align=opt -s -m -- mklabel gpt
+parted /dev/sda --align=opt -s -m -- \
+ mkpart bios_grub 1049kb 512MiB \
+ set 1 bios_grub on
+parted /dev/sda --align=opt -s -m -- \
+ mkpart primary 512MiB -512MiB
+ set 2 raid on
+parted /dev/sda --align=opt -s -m -- mkpart primary linux-swap 512MiB 100%
+
+parted /dev/sdb --align=opt -s -m -- mklabel gpt
+parted /dev/sdb --align=opt -s -m -- \
+ mkpart bios_grub 1049kb 512MiB \
+ set 1 bios_grub on
+parted /dev/sdb --align=opt -s -m -- \
+ mkpart primary 512MiB -512MiB \
+ set 2 raid on
+parted /dev/sdb --align=opt -s -m -- mkpart primary linux-swap 512MiB 100%
+@end example
+
+Create the array:
+
+@example
+mdadm --create /dev/md127 --level=1 --raid-disks=2 \
+ --metadata=0.90 /dev/sda2 /dev/sdb2
+@end example
+
+Now create file systems on the relevant partitions, first the boot
+partitions:
+
+@example
+mkfs.ext4 /dev/sda1
+mkfs.ext4 /dev/sdb1
+@end example
+
+Then the root partition:
+
+@example
+mkfs.ext4 /dev/md127
+@end example
+
+Initialize the swap partitions:
+
+@example
+mkswap /dev/sda3
+swapon /dev/sda3
+mkswap /dev/sdb3
+swapon /dev/sdb3
+@end example
+
+Mount the guix drive:
+
+@example
+mkdir /mnt/guix
+mount /dev/md127 /mnt/guix
+@end example
+
+Now is time to write an operating system declaration @file{os.scm} file;
+here is a sample:
+
+@lisp
+(use-modules (gnu) (guix))
+(use-service-modules networking ssh vpn virtualization sysctl admin mcron)
+(use-package-modules ssh certs tls tmux vpn virtualization)
+
+(operating-system
+ (host-name "kimsufi")
+
+ (bootloader (bootloader-configuration
+ (bootloader grub-bootloader)
+ (targets (list "/dev/sda" "/dev/sdb"))
+ (terminal-outputs '(console))))
+
+ ;; Add a kernel module for RAID-1 (aka. "mirror").
+ (initrd-modules (cons* "raid1" %base-initrd-modules))
+
+ (mapped-devices
+ (list (mapped-device
+ (source (list "/dev/sda2" "/dev/sdb2"))
+ (target "/dev/md127")
+ (type raid-device-mapping))))
+
+ (swap-devices
+ (list (swap-space
+ (target "/dev/sda3"))
+ (swap-space
+ (target "/dev/sdb3"))))
+
+ (issue
+ ;; Default contents for /etc/issue.
+ "\
+This is the GNU system at Kimsufi. Welcome.\n")
+
+ (file-systems (cons* (file-system
+ (mount-point "/")
+ (device "/dev/md127")
+ (type "ext4")
+ (dependencies mapped-devices))
+ %base-file-systems))
+
+ (users (cons (user-account
+ (name "guix")
+ (comment "guix")
+ (group "users")
+ (supplementary-groups '("wheel"))
+ (home-directory "/home/guix"))
+ %base-user-accounts))
+
+ (sudoers-file
+ (plain-file "sudoers" "\
+root ALL=(ALL) ALL
+%wheel ALL=(ALL) ALL
+guix ALL=(ALL) NOPASSWD:ALL\n"))
+
+ ;; Globally-installed packages.
+ (packages (cons* tmux nss-certs gnutls wireguard-tools %base-packages))
+ (services
+ (cons*
+ (service static-networking-service-type
+ (list (static-networking
+ (addresses (list (network-address
+ (device "enp3s0")
+ (value "@var{server-ip-address}/24"))))
+ (routes (list (network-route
+ (destination "default")
+ (gateway "@var{server-gateway}"))))
+ (name-servers '("213.186.33.99")))))
+
+ (service unattended-upgrade-service-type)
+
+ (service openssh-service-type
+ (openssh-configuration
+ (openssh openssh-sans-x)
+ (permit-root-login #f)
+ (authorized-keys
+ `(("guix" ,(plain-file "@var{ssh-key-name.pub}"
+ "@var{ssh-public-key-content}"))))))
+ (modify-services %base-services
+ (sysctl-service-type
+ config =>
+ (sysctl-configuration
+ (settings (append '(("net.ipv6.conf.all.autoconf" . "0")
+ ("net.ipv6.conf.all.accept_ra" . "0"))
+ %default-sysctl-settings))))))))
+@end lisp
+
+Don't forget to substitute the @var{server-ip-address},
+@var{server-gateway}, @var{ssh-key-name} and
+@var{ssh-public-key-content} variables with your own values.
+
+The gateway is the last usable IP in your block so if you have a server
+with an IP of @samp{37.187.79.10} then its gateway will be
+@samp{37.187.79.254}.
+
+Transfer your operating system declaration @file{os.scm} file on the
+server via the @command{scp} or @command{sftp} commands.
+
+Now all that is left is to install Guix with a @code{guix system init}
+and restart.
+
+However we first need to set up a chroot, because the root partition of
+the rescue system is mounted on an aufs partition and if you try to
+install Guix it will fail at the GRUB install step complaining about the
+canonical path of "aufs".
+
+Install packages that will be used in the chroot:
+
+@example
+guix install bash-static parted util-linux-with-udev coreutils guix
+@end example
+
+Then run the following to create directories needed for the chroot:
+
+@example
+cd /mnt && \
+mkdir -p bin etc gnu/store root/.guix-profile/ root/.config/guix/current \
+ var/guix proc sys dev
+@end example
+
+Copy the host resolv.conf in the chroot:
+
+@example
+cp /etc/resolv.conf etc/
+@end example
+
+Mount block devices, the store and its database and the current guix config:
+
+@example
+mount --rbind /proc /mnt/proc
+mount --rbind /sys /mnt/sys
+mount --rbind /dev /mnt/dev
+mount --rbind /var/guix/ var/guix/
+mount --rbind /gnu/store gnu/store/
+mount --rbind /root/.config/ root/.config/
+mount --rbind /root/.guix-profile/bin/ bin
+mount --rbind /root/.guix-profile root/.guix-profile/
+@end example
+
+Chroot in /mnt and install the system:
+
+@example
+chroot /mnt/ /bin/bash
+
+guix system init /root/os.scm /guix
+@end example
+
+Finally, from the web user interface (UI), change @samp{netboot} to
+@samp{boot to disk} and restart (also from the web UI).
+
+Wait a few minutes and try to ssh with @code{ssh
+guix@@@var{server-ip-address>} -i @var{path-to-your-ssh-key}}
+
+You should have a Guix system up and running on Kimsufi;
+congratulations!
+
@node Setting up a bind mount
@section Setting up a bind mount
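Review bot: the /dev/sda partitioning block has two defects that will not do what the section intends. The line `+ mkpart primary 512MiB -512MiB` lacks the trailing backslash that its /dev/sdb counterpart has, so the following `set 2 raid on` is executed by the shell as the `set` builtin and the raid flag is silently never set on /dev/sda2; and on both disks the swap line `mkpart primary linux-swap 512MiB 100%` starts at 512MiB, which overlaps the RAID partition already laid out from 512MiB to -512MiB, so parted will refuse it; the swap partition should start at -512MiB. Smaller points in the same hunk: `mkfs.ext4 /dev/sda1` and `/dev/sdb1` on the bios_grub partitions are unnecessary, since GRUB writes its core image there raw; `guix system init /root/os.scm /guix` runs inside the chroot, where /root/os.scm resolves to /mnt/root/os.scm on the rescue host and nothing in the mount list binds that directory, so the text should tell the reader to copy os.scm into /mnt/root before chrooting; the final ssh command has a stray `>` in `guix@@@var{server-ip-address>}`; and the sample sudoers grants `guix ALL=(ALL) NOPASSWD:ALL`, which together with `(permit-root-login #f)` makes the guix ssh key equivalent to a root key, so either drop the NOPASSWD line (the `%wheel` entry already gives guix sudo) or say in the text why it is wanted.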