From 0eb49edba3aa10d3dca13c9c6c8edb2583b4e9b5 Mon Sep 17 00:00:00 2001
From: Rutherther
Date: Fri, 28 Mar 2025 18:30:31 +0100
Subject: [PATCH] feat: add simple iso for making openpgp keys

This is mainly to make openpgp keys on a system that is not connected to the internet.
---
 isos/simple.scm | 184 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 184 insertions(+)
 create mode 100644 isos/simple.scm

diff --git a/isos/simple.scm b/isos/simple.scm
new file mode 100644
index 0000000..77607b1
--- /dev/null
+++ b/isos/simple.scm
@@ -0,0 +1,184 @@
+(use-modules (gnu) (guix) (srfi srfi-1)
+ (nongnu packages linux)
+ (gnu system locale))
+(use-service-modules desktop mcron networking spice ssh xorg sddm
+ avahi security-token)
+(use-package-modules bootloaders fonts password-utils ssh
+ gnupg version-control screen disk
+ linux cryptsetup file-systems
+ texinfo guile python security-token
+ package-management xdisorg xorg)
+
+(define bare-bones-os
+ (operating-system
+ (host-name "komputilo")
+ (timezone "Europe/Berlin")
+ (locale "en_US.utf8")
+
+ ;; Boot in "legacy" BIOS mode, assuming /dev/sdX is the
+ ;; target hard disk, and "my-root" is the label of the target
+ ;; root file system.
+ ;; (bootloader (bootloader-configuration
+ ;; (bootloader grub-bootloader)
+ ;; (targets '("/dev/sdX"))))
+ (bootloader (bootloader-configuration
+ (bootloader grub-efi-bootloader)
+ (targets '("/boot/efi"))))
+ ;; It's fitting to support the equally bare bones ‘-nographic’
+ ;; QEMU option, which also nicely sidesteps forcing QWERTY.
+ (kernel-arguments (list "console=ttyS0,115200"))
+ (file-systems (cons* (file-system
+ (device (file-system-label "my-root"))
+ (mount-point "/")
+ (type "ext4"))
+ (file-system
+ (device (uuid "1234-ABCD" 'fat))
+ (mount-point "/boot/efi")
+ (type "vfat"))
+ %base-file-systems))
+
+ ;; This is where user accounts are specified. The "root"
+ ;; account is implicit, and is initially created with the
+ ;; empty password.
+ (users (cons (user-account
+ (name "alice")
+ (comment "Bob's sister")
+ (group "users")
+
+ ;; Adding the account to the "wheel" group
+ ;; makes it a sudoer. Adding it to "audio"
+ ;; and "video" allows the user to play sound
+ ;; and access the webcam.
+ (supplementary-groups '("wheel"
+ "audio" "video")))
+ %base-user-accounts))
+
+ ;; Globally-installed packages.
+ (packages (cons screen %base-packages))
+
+ ;; Add services to the baseline: a DHCP client and an SSH
+ ;; server. You may wish to add an NTP service here.
+ (services (append (list (service dhcp-client-service-type)
+ (service openssh-service-type
+ (openssh-configuration
+ (openssh openssh-sans-x)
+ (port-number 2222))))
+ %base-services))))
+
+(operating-system
+ (host-name "gnu")
+ (timezone "Etc/UTC")
+ (locale "en_US.utf8")
+ (keyboard-layout (keyboard-layout "us" "altgr-intl"))
+
+ ;; Label for the GRUB boot menu.
+ (label (string-append "GNU Guix "
+ (or (getenv "GUIX_DISPLAYED_VERSION")
+ (package-version guix))))
+
+
+ (kernel linux-6.13)
+ (firmware (cons* linux-firmware
+ %base-firmware))
+
+ (kernel-arguments '())
+
+ (bootloader (bootloader-configuration
+ (bootloader grub-bootloader)
+ (targets '("/dev/sda"))))
+ (file-systems
+ ;; Note: the disk image build code overrides this root file system with
+ ;; the appropriate one.
+ (append %base-live-file-systems
+
+ ;; XXX: This should be %BASE-FILE-SYSTEMS but we don't need
+ ;; elogind's cgroup file systems.
+ (list %pseudo-terminal-file-system
+ %shared-memory-file-system
+ %efivars-file-system
+ %immutable-store)))
+
+ (users (cons (user-account
+ (name "ruther")
+ (comment "GNU Guix Live")
+ (password "") ;no password
+ (group "users")
+ (supplementary-groups '("wheel" "netdev"
+ "audio" "video")))
+ %base-user-accounts))
+
+ (sudoers-file (plain-file "sudoers" "\
+root ALL=(ALL) ALL
+%wheel ALL=NOPASSWD: ALL\n"))
+
+ (packages
+ (cons* password-store
+ pass-otp
+ gnupg
+ python
+ python-yubikey-manager
+ yubikey-personalization
+ pinentry-tty
+ git
+ openssh
+ parted gptfdisk ddrescue
+ ;; Use the static LVM2 because it's already pulled in by the installer.
+ lvm2-static
+ ;; We used to provide fdisk from GNU fdisk, but as of version 2.0.0a
+ ;; it pulls Guile 1.8, which takes unreasonable space; furthermore
+ ;; util-linux's fdisk is already available, in %base-packages-linux.
+ cryptsetup mdadm
+ dosfstools
+ btrfs-progs
+ e2fsprogs
+ f2fs-tools
+ jfsutils
+ xfsprogs
+ %base-packages))
+
+ (pam-services
+ ;; Explicitly allow for empty passwords.
+ (base-pam-services #:allow-empty-passwords? #t))
+
+ (services
+ (cons*
+ ;; Add the 'cow-store' service, which users have to start manually
+ ;; since it takes the installation directory as an argument.
+ ((@@ (gnu system install) cow-store-service))
+
+ ;; Uncomment the line below to add an SSH server.
+ (service openssh-service-type
+ (openssh-configuration
+ (permit-root-login #t)
+ (allow-empty-passwords? #f)
+ (password-authentication? #f)
+ (%auto-start? #f)))
+
+ ;; Use the DHCP client service rather than NetworkManager.
+ (service dhcp-client-service-type)
+
+ ;; yubikey
+ (service pcscd-service-type)
+
+ (service gc-root-service-type
+ (append
+ (list bare-bones-os
+ (libc-utf8-locales-for-target (%current-system))
+ texinfo
+ guile-3.0)
+ %default-locale-libcs))
+
+ ;; Remove some services that don't make sense in a VM.
+ (modify-services %desktop-services
+ (delete gdm-service-type)
+ ;; (delete sddm-service-type)
+ (delete network-manager-service-type)
+ (delete modem-manager-service-type)
+ (guix-service-type config =>
+ (guix-configuration
+ (inherit config)
+ ;; Register the default substitute server key(s) as
+ ;; trusted to allow the installation process to use
+ ;; substitutes by default.
+ (authorize-key? #t)
+ (guix (current-guix))))))))
--
2.48.1
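Review bot: The comment `;; Uncomment the line below to add an SSH server.` is stale: the `openssh-service-type` entry under it is live, with `(permit-root-login #t)`, on an image where `ruther` has an empty password and `%wheel` has passwordless sudo. Password and empty-password logins are disabled and `(%auto-start? #f)` keeps sshd down until it is started by hand, so nothing is reachable by default, but the comment should say that, e.g. `;; SSH server: key-only authentication, not started at boot.`, and root login can be narrowed to `(permit-root-login 'prohibit-password)` so a later switch to password authentication cannot open the root account. Given the commit's stated goal of generating OpenPGP keys on a machine that is not connected to the internet, `(service dhcp-client-service-type)` still starts a DHCP client on the available interfaces at boot; if offline use is meant to be enforced rather than assumed, dropping it (or stating why it is kept) makes that intent explicit. The copied `;; Remove some services that don't make sense in a VM.` comment, and in `bare-bones-os` the `;; Boot in "legacy" BIOS mode ...` comment that describes the commented-out `grub-bootloader` lines while the active configuration uses `grub-efi-bootloader`, no longer match the code and should be updated as well.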