moved aws-service-type to module, and added vpn.metznet.ca aws config

2023-12-02 20:02:34 -07:00 · 2023-12-02 20:02:34 -07:00 · 58845be09a
parent 92c10ab3ee
commit 58845be09a
2 changed files with 70 additions and 97 deletions
--- a/aws.scm
+++ b/aws.scm
@ -2,104 +2,16 @@
 ;; for a "bare bones" setup, with no X11 display server.

 (use-modules (gnu)
-             (guix gexp)
-             (guix modules)
+             (metznet aws)
             (gnu services shepherd)
-             (gnu packages certs)
-             (guix packages)
-             (guix build-system trivial)
-             (gnu system shadow)
-             (guix build download)
-             (json)
-             (gnu packages guile))
-
-(use-service-modules networking ssh)
-(use-package-modules ssh python-web shells)
-
-(define guile-json
-  (module-ref (resolve-interface '(gnu packages guile))
-              'guile-json-4))
-
-(define guile-zlib
-  (module-ref (resolve-interface '(gnu packages guile))
-              'guile-zlib))
-
-(define gnutls
-  (module-ref (resolve-interface '(gnu packages tls))
-              'gnutls))
-
-(define aws-pubkey-prog
-  (program-file "aws-pubkey"
-                (with-imported-modules (source-module-closure '((ice-9 receive)
-                                                                (guix build
-                                                                      utils)
-                                                                (guix build
-                                                                 download)
-                                                                (web uri)
-                                                                (ice-9
-                                                                 binary-ports)
-                                                                (web client)))
-
-                                       (with-extensions (list guile-json
-                                                              gnutls
-                                                              guile-zlib)
-                                                        #~(begin
-                                                            (use-modules (ice-9
-                                                                          receive)
-                                                                         (guix
-                                                                          build
-                                                                          download)
-                                                                         (web
-                                                                          uri)
-                                                                         (web
-                                                                          client)
-                                                                         (ice-9
-                                                                          binary-ports))
-                                                            (call-with-output-file "/etc/ssh/authorized_keys.d/aws"
-                                                              (lambda (port)
-                                                                (begin
-                                                                  (format (current-error-port)
-                                                                   "opened-file\n")
-                                                                  (put-bytevector
-                                                                   port
-                                                                   (receive (header
-                                                                             body)
-                                                                    (let ((uri
-                                                                           "http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key"))
-                                                                      (http-get
-                                                                       uri
-                                                                       #:port (open-connection-for-uri
-                                                                               (string->uri
-                                                                                uri)
-                                                                               #:timeout
-                                                                               5)
-                                                                       #:decode-body?
-                                                                       #f))
-                                                                    body))))))))))
-
-;; this should really be an extension of the openssh service
-(define (aws-pubkey-service config)
-  (list (shepherd-service (documentation "")
-                          (provision '(aws-pubkey))
-                          (requirement '(networking user-processes))
-                          (one-shot? #t)
-                          (respawn? #t)
-                          (start #~(make-forkexec-constructor (list #$aws-pubkey-prog))))))
-
-(define aws-service-type
-  (service-type (name 'aws)
-                (description "AWS public key service")
-                (extensions (list (service-extension profile-service-type
-                                                     (lambda (val)
-                                                       val))
-                                  (service-extension
-                                   shepherd-root-service-type
-                                   aws-pubkey-service)))
-                (default-value (list le-certs nss-certs))))
+             (gnu services networking)
+             (gnu services ssh)
+             (gnu packages ssh)
+             (gnu packages python-web)
+             (gnu packages shells))

 (operating-system
  (host-name "guix-ami")
-  (kernel-arguments (append '("console=ttyS0") %default-kernel-arguments))
  (timezone "America/Edmonton")
  (locale "en_US.utf8")
  (bootloader (bootloader-configuration
@ -111,17 +23,17 @@
                        (type "ext4")) %base-file-systems))
  (groups (cons (user-group
                  (system? #t)
-                  (name "admin")) %base-groups))
+                  (name "aws")) %base-groups))
  (users (cons (user-account
                 (name "aws")
-                 (group "admin")
+                 (group "aws")
                 (password (crypt "aws" "$6$salt"))
                 (shell (file-append zsh "/bin/zsh"))) %base-user-accounts))

  (sudoers-file (plain-file "sudoers"
                            (string-join (list "Defaults mail_badpass"
                                               "root ALL=(ALL:ALL) ALL"
-                                               "%admin ALL=(ALL:ALL) ALL" "")
+                                               "%aws ALL=(ALL:ALL) ALL" "")
                                         "\n")))

  (packages (cons* openssh awscli %base-packages))
--- a/vpn.metznet.ca.scm
+++ b/vpn.metznet.ca.scm
@ -0,0 +1,61 @@
+;; This is an operating system configuration template
+;; for a "bare bones" setup, with no X11 display server.
+
+(use-modules (gnu)
+             (metznet aws)
+             (metznet machines vpn)
+             (metznet system base-system)
+             (gnu services sssd)
+             (gnu packages guile)
+             (gnu packages vim)
+             (gnu services networking)
+             (gnu services ssh)
+             (gnu packages ssh)
+             (gnu packages python-web)
+             (gnu packages shells))
+
+
+(operating-system
+  (inherit vpn.metznet.ca)
+  (bootloader (bootloader-configuration
+                (bootloader grub-minimal-bootloader)
+                (targets '("/dev/nvme0n1"))))
+  (file-systems (cons (file-system
+                        (device (file-system-label "guix-data"))
+                        (mount-point "/")
+                        (type "ext4")) %base-file-systems))
+  (groups (cons (user-group
+                  (system? #t)
+                  (name "admin")) %base-groups))
+  (users (cons (user-account
+                 (name "aws")
+                 (group "admin")
+                 (password (crypt "aws" "$6$salt"))
+                 (shell (file-append zsh "/bin/zsh"))) %base-user-accounts))
+
+  (sudoers-file (plain-file "sudoers"
+                            (string-join (list "Defaults mail_badpass"
+                                               "root ALL=(ALL:ALL) ALL"
+                                               "%admin ALL=(ALL:ALL) ALL" "")
+                                         "\n")))
+
+  (packages (cons* openssh awscli neovim %metznet-base-packages))
+
+  (services
+   (cons* (service aws-service-type)
+          (modify-services vpn-services
+            (metznet-vpn-service-type config =>
+                                      (local-file "/home/root/vpn/dh2048.pem"))
+            (sssd-service-type configuration =>
+                               (sssd-configuration (config (local-file
+                                                            "/home/root/sssd.conf"))))
+            (metznet-service-type config =>
+                                  (metznet-system-configuration (vpn-ta-key (local-file
+                                                                             "/home/root/vpn/ta.key"))
+                                                                (vpn-ca (local-file
+                                                                         "/home/root/vpn/ca.crt"))
+                                                                (vpn-cert (local-file
+                                                                           "/home/root/vpn/vpn.crt"))
+                                                                (vpn-key (local-file
+                                                                          "/home/root/vpn/vpn.key"))))))))
+