diff --git a/aws.scm b/aws.scm
index bc45fd3..3c0ce25 100644
--- a/aws.scm
+++ b/aws.scm
@@ -2,104 +2,16 @@ ;; for a "bare bones" setup, with no X11 display server. (use-modules (gnu) - (guix gexp) - (guix modules) + (metznet aws) (gnu services shepherd) - (gnu packages certs) - (guix packages) - (guix build-system trivial) - (gnu system shadow) - (guix build download) - (json) - (gnu packages guile)) - -(use-service-modules networking ssh) -(use-package-modules ssh python-web shells) - -(define guile-json - (module-ref (resolve-interface '(gnu packages guile)) - 'guile-json-4)) - -(define guile-zlib - (module-ref (resolve-interface '(gnu packages guile)) - 'guile-zlib)) - -(define gnutls - (module-ref (resolve-interface '(gnu packages tls)) - 'gnutls)) - -(define aws-pubkey-prog - (program-file "aws-pubkey" - (with-imported-modules (source-module-closure '((ice-9 receive) - (guix build - utils) - (guix build - download) - (web uri) - (ice-9 - binary-ports) - (web client))) - - (with-extensions (list guile-json - gnutls - guile-zlib) - #~(begin - (use-modules (ice-9 - receive) - (guix - build - download) - (web - uri) - (web - client) - (ice-9 - binary-ports)) - (call-with-output-file "/etc/ssh/authorized_keys.d/aws" - (lambda (port) - (begin - (format (current-error-port) - "opened-file\n") - (put-bytevector - port - (receive (header - body) - (let ((uri - "http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key")) - (http-get - uri - #:port (open-connection-for-uri - (string->uri - uri) - #:timeout - 5) - #:decode-body? - #f)) - body)))))))))) - -;; this should really be an extension of the openssh service -(define (aws-pubkey-service config) - (list (shepherd-service (documentation "") - (provision '(aws-pubkey)) - (requirement '(networking user-processes)) - (one-shot? #t) - (respawn? 
#t) - (start #~(make-forkexec-constructor (list #$aws-pubkey-prog)))))) - -(define aws-service-type - (service-type (name 'aws) - (description "AWS public key service") - (extensions (list (service-extension profile-service-type - (lambda (val) - val)) - (service-extension - shepherd-root-service-type - aws-pubkey-service))) - (default-value (list le-certs nss-certs)))) + (gnu services networking) + (gnu services ssh) + (gnu packages ssh) + (gnu packages python-web) + (gnu packages shells)) (operating-system (host-name "guix-ami") - (kernel-arguments (append '("console=ttyS0") %default-kernel-arguments)) (timezone "America/Edmonton") (locale "en_US.utf8") (bootloader (bootloader-configuration @@ -111,17 +23,17 @@ (type "ext4")) %base-file-systems)) (groups (cons (user-group (system? #t) - (name "admin")) %base-groups)) + (name "aws")) %base-groups)) (users (cons (user-account (name "aws") - (group "admin") + (group "aws") (password (crypt "aws" "$6$salt")) (shell (file-append zsh "/bin/zsh"))) %base-user-accounts)) (sudoers-file (plain-file "sudoers" (string-join (list "Defaults mail_badpass" "root ALL=(ALL:ALL) ALL" - "%admin ALL=(ALL:ALL) ALL" "") + "%aws ALL=(ALL:ALL) ALL" "") "\n"))) (packages (cons* openssh awscli %base-packages)) diff --git a/vpn.metznet.ca.scm b/vpn.metznet.ca.scm new file mode 100644 index 0000000..e807a15 --- /dev/null +++ b/vpn.metznet.ca.scm 
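Review bot: The sudoers change to `"%aws ALL=(ALL:ALL) ALL"` now grants root to a group whose only configured member is the `aws` account, and that account keeps the literal `(password (crypt "aws" "$6$salt"))` on the line directly below the changed `(group "aws")`, so the credential that unlocks sudo is a fixed string with a fixed salt committed to the repository; the new vpn.metznet.ca.scm carries the same `user-account` block. If logins are meant to arrive through the SSH key that `aws-service-type` provisions, leave the `password` field at its Guix default of `#f` and set a password out of band on first boot, or at least move the hash out of the tracked config. The enclosing `operating-system` form starts and ends outside this hunk.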
@@ -0,0 +1,61 @@
+;; This is an operating system configuration template
+;; for a "bare bones" setup, with no X11 display server.
+
+(use-modules (gnu)
+ (metznet aws)
+ (metznet machines vpn)
+ (metznet system base-system)
+ (gnu services sssd)
+ (gnu packages guile)
+ (gnu packages vim)
+ (gnu services networking)
+ (gnu services ssh)
+ (gnu packages ssh)
+ (gnu packages python-web)
+ (gnu packages shells))
+
+
+(operating-system
+ (inherit vpn.metznet.ca)
+ (bootloader (bootloader-configuration
+ (bootloader grub-minimal-bootloader)
+ (targets '("/dev/nvme0n1"))))
+ (file-systems (cons (file-system
+ (device (file-system-label "guix-data"))
+ (mount-point "/")
+ (type "ext4")) %base-file-systems))
+ (groups (cons (user-group
+ (system? #t)
+ (name "admin")) %base-groups))
+ (users (cons (user-account
+ (name "aws")
+ (group "admin")
+ (password (crypt "aws" "$6$salt"))
+ (shell (file-append zsh "/bin/zsh"))) %base-user-accounts))
+
+ (sudoers-file (plain-file "sudoers"
+ (string-join (list "Defaults mail_badpass"
+ "root ALL=(ALL:ALL) ALL"
+ "%admin ALL=(ALL:ALL) ALL" "")
+ "\n")))
+
+ (packages (cons* openssh awscli neovim %metznet-base-packages))
+
+ (services
+ (cons* (service aws-service-type)
+ (modify-services vpn-services
+ (metznet-vpn-service-type config =>
+ (local-file "/home/root/vpn/dh2048.pem"))
+ (sssd-service-type configuration =>
+ (sssd-configuration (config (local-file
+ "/home/root/sssd.conf"))))
+ (metznet-service-type config =>
+ (metznet-system-configuration (vpn-ta-key (local-file
+ "/home/root/vpn/ta.key"))
+ (vpn-ca (local-file
+ "/home/root/vpn/ca.crt"))
+ (vpn-cert (local-file
+ "/home/root/vpn/vpn.crt"))
+ (vpn-key (local-file
+ "/home/root/vpn/vpn.key"))))))))
+
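Review bot: The `metznet-service-type` and `metznet-vpn-service-type` overrides at the end of the `services` field wrap private material — `/home/root/vpn/vpn.key`, `/home/root/vpn/ta.key`, `/home/root/vpn/dh2048.pem` and `/home/root/sssd.conf` — in `local-file`, which copies each file into `/gnu/store`, where every item is world-readable, so the VPN private key and TLS-auth key (and whatever credentials the sssd config holds, which I cannot see here) become readable by any local user of the built system. Unless `metznet-system-configuration` is known to strip these from the store, pass the on-disk path as a plain string so the service reads the key at run time with normal file permissions, or provision the files outside the store, and keep `local-file` for public material such as `/home/root/vpn/ca.crt` and `vpn.crt`. `/home/root/` is also not the usual root home on Guix (`/root` is the default), so it is worth confirming that path is what the target machine actually has. The `%admin` sudo group here shares the hard-coded `(password (crypt "aws" "$6$salt"))` concern raised on the aws.scm hunk.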