operating-systems: buer: Configure CI and offloading through Yumiko (also misc changes)

operating-systems/buer.scm

@@ -36,9 +36,10 @@
   #:use-module (guix)
 
   #|Radix|#
-  #:use-module (radix artwork)
-  #:use-module (radix secrets)
-  #:use-module (radix utils)
+  #|A|# #:use-module (radix artwork)
+  #|C|# #:use-module (radix combinators)
+  #|S|# #:use-module (radix secrets)
+  #|U|# #:use-module (radix utils)
 
   #|Radix packages|#
   #|A|# #:use-module (radix packages admin)
@@ -56,10 +57,11 @@
   #|M|# #:use-module (radix system monitoring)
 
   #|Buer files|#
-  #|S|# #:use-module ((buer files substitute-keys) #:prefix public-key:)
+  #|S|# #:use-module ((buer files substitute-keys) #:prefix substitute-key:)
+        #:use-module ((buer files ssh-keys) #:prefix ssh-key:)
   #|T|# #:use-module ((buer files thinkfan)        #:prefix file:thinkfan-)
 
-  #|SRFI's|#
+  #|SRFIs|#
   #:use-module (srfi srfi-1)
 
   #:export (operating-system))
@@ -94,8 +96,8 @@
    (kernel-arguments
     (cons* "modprobe.blacklist=usbmouse,usbkbd,pcspkr"
            "thinkpad_acpi.fan_control=1"
-           (kicksecure-delete "debugfs"
-                              %kicksecure-kernel-arguments)))
+           (filter (negate (partial string-prefix? "debugfs"))
+                   %kicksecure-kernel-arguments)))
 
    (file-systems
     (cons* (file-system
@@ -141,8 +143,7 @@
           #|gawk        |# gawk
           #|guile       |# guile-next guile-colorized guile-readline
           #|less        |# less
-          #|linux       |# e2fsprogs iproute kmod linux-libre-documentation
-                           procps psmisc util-linux
+          #|linux       |# e2fsprogs iproute kmod procps psmisc util-linux
           #|man         |# man-db man-pages
           #|shells      |# dash-next
           #|texinfo     |# info-reader
@@ -210,8 +211,19 @@
                    (guix-configuration
                     (discover? #t)
                     (build-accounts 16)
+                    (build-machines
+                     (list #~(build-machine
+                              (name "yumiko")
+                              (systems (list "x86_64-linux"))
+                              (host-key
+                               (call-with-input-file ssh-key:yumiko.pub
+                                 (@ (ice-9 textual-ports) get-string-all)))
+                              (private-key "/root/.ssh/id_ed25519")
+                              (user "radio")
+                              (port 2222))))
                     (authorized-keys
-                     (cons* public-key:yuria
+                     (cons* substitute-key:yuria.pub
+                            substitute-key:yumiko.pub
                             %default-authorized-guix-keys))
                     (extra-options `("--max-jobs=8" "--cores=4"))))
           (service guix-publish-service-type
@@ -248,13 +260,18 @@
           (service ntp-service-type)
           (service wpa-supplicant-service-type
                    (wpa-supplicant-configuration
-                    (config-file "/etc/wpa_supplicant.conf")
+                    (config-file
+                     (local-file "/etc/wpa_supplicant.conf"))
                     (interface "wlp2s0")
                     (extra-options `("-B"))))
           (service dhcp-client-service-type
                    (dhcp-client-configuration
                     (interfaces 'all)))
           (service tor-service-type)
+          (simple-service 'extra-hosts
+                          hosts-service-type
+                          (list (host "192.168.100.33" "yumiko.local"
+                                      `("yumiko" "substitutes.yumiko"))))
 
           #|Power management services|#
           (service tlp-service-type
@@ -333,16 +350,12 @@
                             ("vm.watermark_boost_factor" . "0")
                             ("vm.watermark_scale_factor" . "125")
                             ("vm.page-cluster" . "0")))
+          (simple-service 'security-syctl-settings sysctl-service-type
+                          (alist-delete "net.core.bpf_jit_harden"
+                                        %kicksecure-sysctl-rules))
 
-          #|Miscellaneous services|#
+          #|Base services|#
           (service urandom-seed-service-type)
-          (service nscd-service-type)
-          (service sysctl-service-type
-                   (sysctl-configuration
-                    (sysctl (file-append procps "/sbin/sysctl"))
-                      (settings (fold kicksecure-delete
-                                      %kicksecure-sysctl-rules
-                                      '("net.core.bpf_jit_harden"
-                                        "kernel.unprivileged_bpf_disabled")))))))))
+          (service nscd-service-type)))))
 
 operating-system

operating-systems/buer/files/ssh-keys.scm

@@ -0,0 +1,10 @@
+(define-module (buer files ssh-keys)
+  #:use-module (gnu)
+  #:export (yumiko.pub))
+
+(define yumiko.pub
+  (plain-file "yumiko.pub"
+    (format #f
+      "ssh-ed25519 ~
+       AAAAC3NzaC1lZDI1NTE5AAAAIPaMmUA71F2BJPkVvArx6VGP21QMuJq4+mD7DHUPWcg9 ~
+       guix@yumiko")))

operating-systems/buer/files/substitute-keys.scm

@@ -1,8 +1,9 @@
 (define-module (buer files substitute-keys)
   #:use-module (gnu)
-  #:export (yuria))
+  #:export (yuria.pub
+            yumiko.pub))
 
-(define yuria
+(define yuria.pub
   (plain-file "yuria.pub"
     "(public-key
       (ecc
@@ -10,3 +11,12 @@
        (q #D5D0C1203D294B410DA106DDC1713B74CBB27353D53F4EE3D9D26972E8687424#)
       )
      )"))
+
+(define yumiko.pub
+  (plain-file "yumiko.pub"
+    "(public-key
+      (ecc
+       (curve Ed25519)
+       (q #EBD4DD318A84F9F0AD13300D8A2ACF022F16088DA59B57E539F6DC3BD9C33A52#)
+      )
+     )"))