Initial commit with aws system config for AMI
commit
e3d2b0149b
@ -0,0 +1,138 @@
|
||||
;; This is an operating system configuration template
|
||||
;; for a "bare bones" setup, with no X11 display server.
|
||||
|
||||
(use-modules (gnu)
|
||||
(guix gexp)
|
||||
(guix modules)
|
||||
(gnu services shepherd)
|
||||
(guix packages)
|
||||
(guix build-system trivial)
|
||||
(gnu system shadow)
|
||||
(guix build download)
|
||||
(json)
|
||||
(gnu packages guile))
|
||||
|
||||
(use-service-modules networking ssh)
|
||||
(use-package-modules ssh python-web shells)
|
||||
|
||||
(define guile-json
|
||||
(module-ref (resolve-interface '(gnu packages guile))
|
||||
'guile-json-4))
|
||||
|
||||
(define guile-zlib
|
||||
(module-ref (resolve-interface '(gnu packages guile))
|
||||
'guile-zlib))
|
||||
|
||||
(define gnutls
|
||||
(module-ref (resolve-interface '(gnu packages tls))
|
||||
'gnutls))
|
||||
|
||||
(define aws-pubkey-prog
|
||||
(program-file "aws-pubkey"
|
||||
(with-imported-modules (source-module-closure '((ice-9 receive)
|
||||
(guix build
|
||||
utils)
|
||||
(guix build
|
||||
download)
|
||||
(web uri)
|
||||
(ice-9
|
||||
binary-ports)
|
||||
(web client)))
|
||||
|
||||
(with-extensions (list guile-json
|
||||
gnutls
|
||||
guile-zlib)
|
||||
#~(begin
|
||||
(use-modules (ice-9
|
||||
receive)
|
||||
|
||||
(guix
|
||||
build
|
||||
download)
|
||||
|
||||
(web
|
||||
uri)
|
||||
|
||||
(web
|
||||
client)
|
||||
|
||||
(ice-9
|
||||
binary-ports))
|
||||
(call-with-output-file "/etc/ssh/authorized_keys.d/aws"
|
||||
(lambda (port)
|
||||
|
||||
(begin
|
||||
|
||||
(format (current-error-port)
|
||||
"opened-file\n")
|
||||
|
||||
(put-bytevector
|
||||
port
|
||||
|
||||
(receive (header
|
||||
body)
|
||||
(let ((uri
|
||||
"http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key"))
|
||||
|
||||
(http-get
|
||||
uri
|
||||
#:port (open-connection-for-uri
|
||||
(string->uri
|
||||
uri)
|
||||
#:timeout
|
||||
5)
|
||||
#:decode-body?
|
||||
#f))
|
||||
body))))))))))
|
||||
|
||||
;; this should really be an extension of the openssh service
|
||||
(define (aws-pubkey-service config)
|
||||
(list (shepherd-service (documentation "")
|
||||
(provision '(aws-pubkey))
|
||||
(requirement '(networking user-processes))
|
||||
(one-shot? #t)
|
||||
(respawn? #t)
|
||||
(start #~(make-forkexec-constructor (list #$aws-pubkey-prog))))))
|
||||
|
||||
(define aws-pubkey-service-type
|
||||
(service-type (name 'aws-pubkey)
|
||||
(description "AWS public key service")
|
||||
(extensions (list (service-extension
|
||||
shepherd-root-service-type
|
||||
aws-pubkey-service)))
|
||||
(default-value '())))
|
||||
|
||||
(operating-system
|
||||
(host-name "guix-ami")
|
||||
(timezone "America/Edmonton")
|
||||
(locale "en_US.utf8")
|
||||
(bootloader (bootloader-configuration
|
||||
(bootloader grub-minimal-bootloader)
|
||||
(targets '("/dev/nvme1n1"))))
|
||||
(file-systems (cons (file-system
|
||||
(device (file-system-label "guix-data"))
|
||||
(mount-point "/")
|
||||
(type "ext4")) %base-file-systems))
|
||||
(groups (cons (user-group
|
||||
(system? #t)
|
||||
(name "admin")) %base-groups))
|
||||
(users (cons (user-account
|
||||
(name "aws")
|
||||
(group "admin")
|
||||
(password (crypt "root" "$6$salt"))
|
||||
(shell (file-append zsh "/bin/zsh"))) %base-user-accounts))
|
||||
|
||||
(sudoers-file (plain-file "sudoers"
|
||||
(string-join (list "Defaults mail_badpass"
|
||||
"root ALL=(ALL:ALL) ALL"
|
||||
"%admin ALL=(ALL:ALL) ALL" "")
|
||||
"\n")))
|
||||
|
||||
(packages (cons* openssh awscli %base-packages))
|
||||
|
||||
(services
|
||||
(cons* (service dhcp-client-service-type)
|
||||
(service aws-pubkey-service-type)
|
||||
(service openssh-service-type
|
||||
(openssh-configuration (port-number 22))) %base-services)))
|
||||
|
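Review bot: The `aws` account at `(password (crypt "root" "$6$salt"))` ships with the fixed password `root` and a constant salt, belongs to the `admin` group that is granted `%admin ALL=(ALL:ALL) ALL` in the sudoers file, and sshd is enabled on port 22 without `password-authentication?` set (Guix's openssh-configuration defaults it to #t), so anyone who can reach the instance can log in as aws/root and sudo to root. Since the IMDS-fetched key is evidently meant to be the credential, drop the `password` field entirely (an account with no password hash cannot be logged into by password) or derive it from a build-time secret, and add `(password-authentication? #f)` to the `openssh-configuration`. Separately, aws-pubkey writes `body` regardless of status: `call-with-output-file` truncates `/etc/ssh/authorized_keys.d/aws` before `open-connection-for-uri`/`http-get` run, so a 5 s timeout raises after the truncate and a non-200 reply (for example the 401 an IMDSv2-only instance returns to this token-less GET) is written verbatim as the key file; perform the fetch first, check `(response-code header)` (from `(web response)`) is 200, and only then open and write the file. `respawn? #t` on a `one-shot?` service presumably will not recover from that, since the empty or junk file is already in place.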