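;; Operating-system configuration template for a "bare bones" AWS AMI:
;; no X11 display server, key-only SSH, and a one-shot Shepherd service that
;; installs the instance's launch key pair from the EC2 Instance Metadata
;; Service (IMDS) as the authorized key of the 'aws' account.

(use-modules (gnu)
             (guix gexp)
             (guix modules)
             (gnu services shepherd)
             (gnu packages certs)
             (guix packages)
             (guix build-system trivial)
             (gnu system shadow)
             (guix build download)
             (json)
             (gnu packages guile))
(use-service-modules networking ssh)
(use-package-modules ssh python-web shells)

;; Guile extensions the metadata fetcher runs with; resolved by name so the
;; file does not depend on the exact exported variable names at expansion time.
(define guile-json
  (module-ref (resolve-interface '(gnu packages guile)) 'guile-json-4))
(define guile-zlib
  (module-ref (resolve-interface '(gnu packages guile)) 'guile-zlib))
(define gnutls
  (module-ref (resolve-interface '(gnu packages tls)) 'gnutls))

;; Script that fetches the instance's launch key pair from IMDS and writes it
;; to /etc/ssh/authorized_keys.d/aws, the per-user file the openssh service
;; points sshd at for user 'aws'.
;;
;; It uses the IMDSv2 session-token flow (PUT /latest/api/token, then GET with
;; the token in X-aws-ec2-metadata-token).  IMDS accepts that flow whether or
;; not the instance was launched with HttpTokens=required, whereas a bare GET
;; is answered with 401 on such instances.  Any non-200 answer (404 when the
;; instance was launched without a key pair) aborts the script instead of being
;; written into the authorized-keys file, and the file is written under a
;; temporary name and renamed so sshd never reads a partial key.
;;
;; NOTE(review): the openssh service owns /etc/ssh/authorized_keys.d and
;; repopulates it at activation time -- confirm that a `guix system reconfigure`
;; does not wipe this file after the service has already run.
(define aws-pubkey-prog
  (program-file "aws-pubkey"
    (with-imported-modules (source-module-closure
                            '((ice-9 receive)
                              (guix build utils)
                              (guix build download)
                              (web uri)
                              (web client)
                              (web response)
                              (ice-9 binary-ports)))
      (with-extensions (list guile-json gnutls guile-zlib)
        #~(begin
            (use-modules (ice-9 receive)
                         (guix build utils)
                         (guix build download)
                         (web uri)
                         (web client)
                         (web response)
                         (ice-9 binary-ports)
                         (rnrs bytevectors))

            (define imds-base "http://169.254.169.254")
            (define token-path "/latest/api/token")
            (define key-path "/latest/meta-data/public-keys/0/openssh-key")
            (define target "/etc/ssh/authorized_keys.d/aws")

            (define (imds-request verb path headers)
              ;; Issue VERB (http-get or http-put) against IMDS PATH with the
              ;; HEADERS alist.  Returns (values status-code raw-body); the
              ;; body is a bytevector, or #f when the response is empty.  The
              ;; timeout only bounds connection establishment.
              (let* ((uri (string->uri (string-append imds-base path)))
                     (conn (open-connection-for-uri uri #:timeout 5)))
                (receive (response body)
                    (verb uri #:port conn #:headers headers #:decode-body? #f)
                  (values (response-code response) body))))

            (define (fetch-token)
              ;; IMDSv2 session token; a short TTL is enough for the one GET
              ;; that follows.  Header values must be strings for Guile's
              ;; (web http) to emit them.
              (receive (code body)
                  (imds-request http-put token-path
                                '((x-aws-ec2-metadata-token-ttl-seconds . "60")))
                (if (and (= code 200) body)
                    (string-trim-both (utf8->string body))
                    (error "IMDS token request failed with status" code))))

            (define (fetch-key token)
              ;; The OpenSSH-format public key of key pair #0, as raw bytes.
              (receive (code body)
                  (imds-request http-get key-path
                                `((x-aws-ec2-metadata-token . ,token)))
                (if (and (= code 200) body)
                    body
                    (error "IMDS public-key request failed with status" code))))

            (let ((key (fetch-key (fetch-token)))
                  (tmp (string-append target ".tmp")))
              (mkdir-p (dirname target))
              (call-with-output-file tmp
                (lambda (port)
                  (put-bytevector port key)))
              ;; sshd (StrictModes) rejects group- or world-writable key files.
              (chmod tmp #o644)
              (rename-file tmp target)
              (format (current-error-port) "aws-pubkey: installed ~a~%" target)))))))

;; Shepherd service wrapping AWS-PUBKEY-PROG.  This would ideally be an
;; extension of openssh-service-type rather than a stand-alone service.
(define (aws-pubkey-service config)
  "Return the Shepherd services for the 'aws' service type.  CONFIG is the
service value (the package list handed to the system profile) and is unused
here."
  (list (shepherd-service
         (documentation
          "Install the EC2 launch key pair from IMDS as the authorized key of user 'aws'.")
         (provision '(aws-pubkey))
         ;; The link must be up (DHCP) before 169.254.169.254 is reachable.
         (requirement '(networking user-processes))
         ;; Run once per boot.  Respawning is meaningless for a one-shot, and a
         ;; fetch failure should surface as a failed start rather than be
         ;; retried indefinitely.
         (one-shot? #t)
         (respawn? #f)
         ;; Run the script synchronously so its exit status decides whether
         ;; the service started: returning #f makes shepherd log the failure.
         ;; (make-forkexec-constructor would hand back a PID and the outcome of
         ;; the one-shot would be lost.)
         (start #~(lambda _ (zero? (system* #$aws-pubkey-prog)))))))

;; Service type: adds its value (a package list; by default the CA certificate
;; bundles, presumably for the AWS CLI's HTTPS calls) to the system profile and
;; registers the key-installing Shepherd service.
(define aws-service-type
  (service-type
   (name 'aws)
   (description "AWS public key service")
   (extensions
    (list (service-extension profile-service-type identity)
          (service-extension shepherd-root-service-type aws-pubkey-service)))
   (default-value (list le-certs nss-certs))))

(operating-system
  (host-name "guix-ami")
  ;; EC2 exposes the instance console on the first serial port.
  (kernel-arguments (append '("console=ttyS0") %default-kernel-arguments))
  (timezone "America/Edmonton")
  (locale "en_US.utf8")
  (bootloader (bootloader-configuration
               (bootloader grub-minimal-bootloader)
               (targets '("/dev/nvme1n1"))))
  (file-systems (cons (file-system
                        (device (file-system-label "guix-data"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))
  (groups (cons (user-group (system? #t) (name "admin"))
                %base-groups))
  (users (cons (user-account
                (name "aws")
                (group "admin")
                ;; "!" is a shadow entry no password can match: the account is
                ;; reachable only through the SSH key installed by aws-pubkey
                ;; and cannot be logged into on the (serial) console with a
                ;; baked-in, image-wide password.  Run `passwd aws` as root if
                ;; a password is wanted later.
                (password "!")
                (shell (file-append zsh "/bin/zsh")))
               %base-user-accounts))
  (sudoers-file
   (plain-file "sudoers"
               (string-join (list "Defaults mail_badpass"
                                  "root ALL=(ALL:ALL) ALL"
                                  ;; 'admin' members have no password to type,
                                  ;; so escalation is gated by possession of
                                  ;; the SSH key alone, as on stock cloud
                                  ;; images.
                                  "%admin ALL=(ALL:ALL) NOPASSWD: ALL"
                                  "")
                            "\n")))
  (packages (cons* openssh awscli %base-packages))
  (services (cons* (service dhcp-client-service-type)
                   (service aws-service-type)
                   (service openssh-service-type
                            (openssh-configuration
                             (port-number 22)
                             ;; Keys only: the launch key pair is installed by
                             ;; aws-pubkey and no account has a usable password.
                             (password-authentication? #f)
                             ;; Explicit, although it is already the default.
                             (permit-root-login #f)))
                   %base-services)))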