This is a project to produce a barebones production headless web server to run as a QCOW2 machine image, specifically on an OpenStack cloud, featuring Nginx, MariaDB, Exim, and Dovecot. Our use-case is described here. The kernel is mostly minimized, but does include RAID, LVM2 and LUKS support, and is configured with security in mind: randomized start point, stack wiping, etc.
Our primary aim is for a small upload file providing a robust and secure system.
You will have to bring your own middleware.
git clone https://rdmp.org/dmbcs/nu-2.git
cd nu-2/config
The formal Git introduction (the commit and signer key to check with guix git authenticate; this is not presented as a Guix package because manual intervention is currently required to make it work for you) is:
COMMIT: f1ef7ccc04715a01c5b4e5d0130370fe55bd4bd1
SIGNATURE FINGERPRINT: E23C 21ED 864F F4F3 A711 4CDF CA47 1FD5 0161 8A49
That is, from inside the checkout:
guix git authenticate f1ef7ccc04715a01c5b4e5d0130370fe55bd4bd1 "E23C 21ED 864F F4F3 A711 4CDF CA47 1FD5 0161 8A49"
Unless you want to play loose and dangerous, generate your own SSH
keys:
ssh-keygen -f ssh-key
mv ssh-key.pub ssh-key.public
mv ssh-key ssh-key.private
Read and edit config.scm. Really, have a good read of this file and make the changes needed to make it work for you. You should be able to understand every part of it.
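As an added illustration of the kind of settings config.scm has to carry (this is not the nu-2 project's own config.scm), here is a minimal Guix operating-system declaration that expresses what the rest of this README relies on: SSH listening on port 26544, key-only login for the admin user with the public key generated above, root login over SSH refused, and admin placed in the wheel group so the default sudoers specification grants it sudo. The user name admin, the port, and the file name ssh-key.public come from this README; the host name, file-system label, bootloader target, timezone and locale are assumptions you would replace with your own.

```scheme
;; Added example, not the nu-2 project's config.scm.
;; Assumed values: host name, file-system label "my-root", boot device
;; /dev/vda, timezone, locale.  Taken from the README: user "admin",
;; SSH port 26544, public key file ssh-key.public.
(use-modules (gnu))
(use-service-modules networking ssh)

;; The public half of the key pair made with `ssh-keygen -f ssh-key`,
;; renamed to ssh-key.public as the README instructs.  Only the public
;; key goes into the image; the private half stays on your workstation.
(define %admin-public-key
  (local-file "ssh-key.public"))

(operating-system
  (host-name "nu2")                      ; assumption
  (timezone "Etc/UTC")                   ; assumption
  (locale "en_US.utf8")                  ; assumption

  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets '("/dev/vda"))))  ; assumption: virtio disk

  (file-systems (cons (file-system
                        (device (file-system-label "my-root")) ; assumption
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))

  ;; "admin" is the only login account besides root.  Membership of
  ;; "wheel" is what gives it sudo under Guix's default sudoers file.
  (users (cons (user-account
                (name "admin")
                (group "users")
                (supplementary-groups '("wheel")))
               %base-user-accounts))

  (services
   (append
    (list
     ;; Obtain the address from the cloud's (or the emu bridge's) DHCP.
     (service dhcp-client-service-type)

     ;; Hardened sshd: non-default port, no passwords, no root, and the
     ;; admin account can only authenticate with the generated key.
     (service openssh-service-type
              (openssh-configuration
               (port-number 26544)
               (permit-root-login #f)
               (password-authentication? #f)
               (allow-empty-passwords? #f)
               (x11-forwarding? #f)
               (authorized-keys
                `(("admin" ,%admin-public-key))))))
    %base-services)))
```

With password-authentication? set to #f, the ssh line later in this README (user admin, -p 26544, -i config/ssh-key.private) is the only way in over the network; the console root login described for the local QEMU run is unaffected, since it does not go through sshd.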
Now build the system image
guix system image ./config.scm \
--image-type=qcow2 --image-size=20G \
--root ../image-1.qcow2
This will take a bit of time.
While the intention is that the system will be deployed in someone elseʼs OpenStack cloud server, it is useful to be able to run locally too for developing and debugging, and maybe you need a hybrid deployment strategy?
Now cd ..
Read and edit run-emu.sh. We are set up to use a network bridge called emu, and we have a local DHCP server running which provides the virtual machine with its network configuration. In a pinch, you should be able to manage without these and simply log onto the console as root.
guix shell qemu-minimal -- su root ./run-emu.sh image-1
should be all it takes to have a running system (you will need to give the root password). You can log in to the console simply as root.
If you do not have a network bridge or DHCP server configured, you will have to configure the network stacks of both the host and guest systems some other way—ip2 is available in the system for this purpose.
All being well, you might be able to log in now with (on another terminal)
ssh admin@<IP address> -p 26544 -i config/ssh-key.private
where <IP address> is the address the new system has been given.
In outline, the steps are to upload your QCOW2 image to storage, create an instance from it, and then fire up the instance. You should be able to see the IP address it is given, and should be able to log into that IP as user admin, on port 26544, with the identity (private key) that you generated earlier. The admin user has sudo privilege.
Your next steps will be to upload your middleware and configure the database and web server, and also the e-mail server and IMAP server if you expect the system to generate e-mails you need to interact with.
Our next steps are to put basic exim, dovecot, nginx configuration into the standard ν² system. Our long-term targets are described here.