commit e3d2b0149b27b2412ed765e671e2e6db7c86c430
Author: Noah Metz
Date: Sat Dec 2 00:43:26 2023 -0700
Initial commit with aws system config for AMI
diff --git a/aws.scm b/aws.scm
new file mode 100644
index 0000000..9c9206c
--- /dev/null
+++ b/aws.scm
@@ -0,0 +1,138 @@
+;; This is an operating system configuration template
+;; for a "bare bones" setup, with no X11 display server.
+
+(use-modules (gnu)
+ (guix gexp)
+ (guix modules)
+ (gnu services shepherd)
+ (guix packages)
+ (guix build-system trivial)
+ (gnu system shadow)
+ (guix build download)
+ (json)
+ (gnu packages guile))
+
+(use-service-modules networking ssh)
+(use-package-modules ssh python-web shells)
+
+(define guile-json
+ (module-ref (resolve-interface '(gnu packages guile))
+ 'guile-json-4))
+
+(define guile-zlib
+ (module-ref (resolve-interface '(gnu packages guile))
+ 'guile-zlib))
+
+(define gnutls
+ (module-ref (resolve-interface '(gnu packages tls))
+ 'gnutls))
+
+(define aws-pubkey-prog
+ (program-file "aws-pubkey"
+ (with-imported-modules (source-module-closure '((ice-9 receive)
+ (guix build
+ utils)
+ (guix build
+ download)
+ (web uri)
+ (ice-9
+ binary-ports)
+ (web client)))
+
+ (with-extensions (list guile-json
+ gnutls
+ guile-zlib)
+ #~(begin
+ (use-modules (ice-9
+ receive)
+
+ (guix
+ build
+ download)
+
+ (web
+ uri)
+
+ (web
+ client)
+
+ (ice-9
+ binary-ports))
+ (call-with-output-file "/etc/ssh/authorized_keys.d/aws"
+ (lambda (port)
+
+ (begin
+
+ (format (current-error-port)
+ "opened-file\n")
+
+ (put-bytevector
+ port
+
+ (receive (header
+ body)
+ (let ((uri
+ "http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key"))
+
+ (http-get
+ uri
+ #:port (open-connection-for-uri
+ (string->uri
+ uri)
+ #:timeout
+ 5)
+ #:decode-body?
+ #f))
+ body))))))))))
+
+;; this should really be an extension of the openssh service
+(define (aws-pubkey-service config)
+ (list (shepherd-service (documentation "")
+ (provision '(aws-pubkey))
+ (requirement '(networking user-processes))
+ (one-shot? #t)
+ (respawn? #t)
+ (start #~(make-forkexec-constructor (list #$aws-pubkey-prog))))))
+
+(define aws-pubkey-service-type
+ (service-type (name 'aws-pubkey)
+ (description "AWS public key service")
+ (extensions (list (service-extension
+ shepherd-root-service-type
+ aws-pubkey-service)))
+ (default-value '())))
+
+(operating-system
+ (host-name "guix-ami")
+ (timezone "America/Edmonton")
+ (locale "en_US.utf8")
+ (bootloader (bootloader-configuration
+ (bootloader grub-minimal-bootloader)
+ (targets '("/dev/nvme1n1"))))
+ (file-systems (cons (file-system
+ (device (file-system-label "guix-data"))
+ (mount-point "/")
+ (type "ext4")) %base-file-systems))
+ (groups (cons (user-group
+ (system? #t)
+ (name "admin")) %base-groups))
+ (users (cons (user-account
+ (name "aws")
+ (group "admin")
+ (password (crypt "root" "$6$salt"))
+ (shell (file-append zsh "/bin/zsh"))) %base-user-accounts))
+
+ (sudoers-file (plain-file "sudoers"
+ (string-join (list "Defaults mail_badpass"
+ "root ALL=(ALL:ALL) ALL"
+ "%admin ALL=(ALL:ALL) ALL" "")
+ "\n")))
+
+ (packages (cons* openssh awscli %base-packages))
+
+ (services
+ (cons* (service dhcp-client-service-type)
+ (service aws-pubkey-service-type)
+ (service openssh-service-type
+ (openssh-configuration (port-number 22))) %base-services)))
+
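Review bot: The `aws` account is created with the hard-coded password `"root"` hashed under a fixed salt, it belongs to the `admin` group that the sudoers file grants `ALL=(ALL:ALL) ALL`, and `openssh-service-type` is added with only `port-number` set, so every image built from this config ships a publicly known credential for a sudo-capable account reachable over SSH. Either drop the `password` field and rely solely on the fetched key, or produce the hash outside the config with a random salt, and add `(password-authentication? #f)` to the `openssh-configuration` so that only `authorized_keys.d/aws` is honoured. In `aws-pubkey-prog` the `(receive (header body) ...)` form discards the response header, so any non-200 reply (for example the error returned when the instance requires IMDSv2 session tokens, or a transient failure from the metadata endpoint) is written verbatim into `/etc/ssh/authorized_keys.d/aws`; check `(response-code header)` from `(web response)` and skip the write unless it is 200. `(one-shot? #t)` combined with `(respawn? #t)` also looks contradictory for a one-shot service; presumably the respawn flag was not intended.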