From da404b26a662169e9e83415887bd46825abf8f70 Mon Sep 17 00:00:00 2001
From: Noah Metz
Date: Sat, 2 Dec 2023 20:00:21 -0700
Subject: [PATCH] Added metznet/aws.scm, and made ta key come from local file by default

---
metznet/aws.scm | 91 ++++++++++++++++++++++++++++++++++
metznet/system/base-system.scm | 18 +------
2 files changed, 92 insertions(+), 17 deletions(-)
create mode 100644 metznet/aws.scm

diff --git a/metznet/aws.scm b/metznet/aws.scm
new file mode 100644
index 0000000..1b04457
--- /dev/null
+++ b/metznet/aws.scm
@@ -0,0 +1,91 @@
+(define-module (metznet aws)
+
+ #:use-module (gnu services)
+ #:use-module (guix gexp)
+ #:use-module (guix modules)
+ #:use-module (gnu services shepherd)
+ #:use-module (gnu packages certs)
+ #:use-module (guix build download)
+
+ #:export (aws-service-type))
+
+(define guile-json
+ (module-ref (resolve-interface '(gnu packages guile))
+ 'guile-json-4))
+
+(define guile-zlib
+ (module-ref (resolve-interface '(gnu packages guile))
+ 'guile-zlib))
+
+(define gnutls
+ (module-ref (resolve-interface '(gnu packages tls))
+ 'gnutls))
+
+(define aws-pubkey-prog
+ (program-file "aws-pubkey"
+ (with-imported-modules (source-module-closure '((ice-9 receive)
+ (guix build
+ utils)
+ (guix build
+ download)
+ (web uri)
+ (ice-9
+ binary-ports)
+ (web client)))
+
+ (with-extensions (list guile-json
+ gnutls
+ guile-zlib)
+ #~(begin
+ (use-modules (ice-9
+ receive)
+ (guix
+ build
+ download)
+ (web
+ uri)
+ (web
+ client)
+ (ice-9
+ binary-ports))
+ (call-with-output-file "/etc/ssh/authorized_keys.d/aws"
+ (lambda (port)
+ (begin
+ (format (current-error-port)
+ "opened-file\n")
+ (put-bytevector
+ port
+ (receive (header
+ body)
+ (let ((uri
+ "http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key"))
+ (http-get
+ uri
+ #:port (open-connection-for-uri
+ (string->uri
+ uri)
+ #:timeout
+ 5)
+ #:decode-body?
+ #f))
+ body))))))))))
+
+;; this should really be an extension of the openssh service
+(define (aws-pubkey-service config)
+ (list (shepherd-service (documentation "")
+ (provision '(aws-pubkey))
+ (requirement '(networking user-processes))
+ (one-shot? #t)
+ (respawn? #t)
+ (start #~(make-forkexec-constructor (list #$aws-pubkey-prog))))))
+
+(define-public aws-service-type
+ (service-type (name 'aws)
+ (description "AWS public key service")
+ (extensions (list (service-extension profile-service-type
+ (lambda (val)
+ val))
+ (service-extension
+ shepherd-root-service-type
+ aws-pubkey-service)))
+ (default-value (list le-certs nss-certs))))
diff --git a/metznet/system/base-system.scm b/metznet/system/base-system.scm
index 26397b4..ea34604 100644
--- a/metznet/system/base-system.scm
+++ b/metznet/system/base-system.scm
@@ -165,23 +165,7 @@ (define-configuration/no-serialization metznet-system-configuration (certs (file-like le-certs) "certificate package") - (vpn-ta-key (file-like (computed-file - "ta.key" - (with-imported-modules ' - ((guix build - utils)) - #~(begin - (use-modules - (guix - build - utils)) - (invoke #$ - (file-append - openvpn - "/sbin/openvpn") - "--genkey" - "secret" - #$output))))) + (vpn-ta-key (file-like (local-file (or (getenv "VPN_TA") "pki/ta.key"))) "ta.key for openvpn") (vpn-ca (file-like (local-file (or (getenv "VPN_CA")
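Review bot: The IMDS response body is written to `/etc/ssh/authorized_keys.d/aws` whatever the HTTP status: `header` is bound by `receive` but never inspected, so a 401 (what an instance with IMDSv2 tokens required returns to this token-less GET), a 404 (no key attached to the instance), or any other error page lands in an sshd authorized-keys file and the one-shot still reports success. Check `(response-code header)` before writing and exit non-zero otherwise, which needs `(web response)` added to the `use-modules` form; the `put-bytevector` call moves inside the `receive` as shown below. Since the GET carries no `X-aws-ec2-metadata-token`, the service is also IMDSv1-only; obtaining a token with a PUT to `/latest/api/token` first would keep it working where IMDSv2 is enforced. Separately, `(one-shot? #t)` together with `(respawn? #t)` looks contradictory, since respawning only applies to a long-running process, so `(respawn? #f)` states the intent more clearly.

```scheme
(receive (header body)
    ;; … unchanged: (let ((uri …)) (http-get uri #:port … #:decode-body? #f)) …
    (unless (= 200 (response-code header))   ; response-code comes from (web response)
      (format (current-error-port)
              "aws-pubkey: IMDS returned ~a, not updating authorized keys~%"
              (response-code header))
      (exit 1))
    (put-bytevector port body))
```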