;;; Channels
(let ((guix-intro
       ;; Every commit after this one must be signed by the key below;
       ;; `guix time-machine' refuses the channel otherwise.
       (make-channel-introduction
        "9edb3f66fd807b096b48283debdcddccfea34bad"
        (openpgp-fingerprint
         "BBB0 2DDF 2CEA F6A8 0D1D  E643 A2A0 6DF2 A33A 54FA")))
      (science-intro
       (make-channel-introduction
        "b1fe5aaff3ab48e798a4cce02f0212bc91f423dc"
        (openpgp-fingerprint
         "CA4F 8CF4 37D7 478F DA05  5FD4 4213 7701 1A37 8446"))))
  (list
   ;; Upstream Guix, pinned to an exact commit for reproducibility.
   (channel
    (name 'guix)
    (url "https://git.savannah.gnu.org/git/guix.git")
    (branch "master")
    (commit "1a63aea94340f6a24ac09e1c348401e9dfd05395")
    (introduction guix-intro))
   ;; Provides the rstudio-server service used by os.scm; pinned and
   ;; authenticated in the same way.
   (channel
    (name 'guix-science)
    (url "https://github.com/guix-science/guix-science.git")
    (branch "master")
    (commit "12079bc862044cf149afb57ffb38c117b0470bf9")
    (introduction science-intro))))


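;;; OS declaration
;;
;; This container system is configured to use the host system's sssd via
;; PAM.  It uses the sssd client libraries to talk to the host system for
;; user authentication.  For this to work /var/lib/sss/pipes must be made
;; available to the container (see "How we use it" below).

(use-modules (gnu)
             (gnu system pam)
             (ice-9 match)
             (srfi srfi-1)
             (guix packages)
             (guix profiles))
(use-service-modules networking shepherd sysctl)
(use-package-modules bash statistics linux sssd)
(use-modules (guix-science services rstudio))

(define (manifest->packages manifest)
  "Return the list of packages in MANIFEST, without duplicates.
Entries whose item is not a <package> record are dropped."
  (delete-duplicates
   (filter-map (lambda (entry)
                 (let ((item (manifest-entry-item entry)))
                   (and (package? item) item)))
               (manifest-entries manifest))))

;; (gnu packages bash) already exports BASH; this rebinds it to whatever
;; "bash" resolves to under the pinned channels.
(define bash (specification->package "bash"))

(define %packages
  (specifications->manifest
   (list "rstudio-server-multi-version"
         "r-minimal"
         "r-guix-install"
         ;; Certs and locales
         "glibc-locales"
         "nss-certs"
         ;; Common command line tools lest the container is too empty.
         "bash" "coreutils" "which" "wget" "sed"
         ;; R markdown tools
         "pandoc"
         ;; Toolchain and common libraries for "install.packages"
         "gcc-toolchain@10" "gfortran-toolchain" "gawk" "tar" "gzip"
         "unzip" "make" "cmake" "pkg-config" "cairo" "libxt" "libxml2"
         "openssl" "curl" "zlib")))

(operating-system
  (host-name "rstudio.mdc-berlin.net")
  (timezone "Europe/Berlin")
  (locale "en_US.utf8")

  ;; Required by <operating-system> but not used by `guix system
  ;; container', which installs no boot loader; "/dev/sdX" is a placeholder.
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets '("/dev/sdX"))))
  (file-systems (cons (file-system
                        (device (file-system-label "my-root"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))

  (packages (append (manifest->packages %packages)
                    %base-packages))

  (services
   (list
    ;; Point /etc/ssl at the system profile so curl, wget, R's
    ;; download.file etc. find the CA bundle from "nss-certs" and can
    ;; verify TLS certificates.  The original test compared TARGET with
    ;; itself -- (and (file-exists? target) (not (file-exists? target))) --
    ;; and so was never true: the link was never created.
    (simple-service 'link-/etc/ssl activation-service-type
                    #~(let ((source "/run/current-system/profile/etc/ssl")
                            (target "/etc/ssl"))
                        (when (and (file-exists? source)
                                   (not (file-exists? target)))
                          ;; FILE-EXISTS? follows symlinks, so a dangling
                          ;; /etc/ssl link would make SYMLINK fail with
                          ;; EEXIST on re-activation; remove it first.
                          (false-if-exception (delete-file target))
                          (symlink source target))))

    ;; Needed for things like "id": make libnss_sss loadable in every
    ;; session.  NOTE(review): this sets LD_LIBRARY_PATH system-wide; it is
    ;; restricted to sssd's lib directory and should stay that narrow.
    (simple-service 'sss-everywhere session-environment-service-type
                    `(("LD_LIBRARY_PATH" . ,(file-append sssd "/lib"))))

    (service rstudio-server-service-type
             (rstudio-server-configuration
              ;; Loopback only.  The container is launched with --network
              ;; (host network namespace, see "How we use it"), so this is
              ;; presumably the host's loopback and external access has to
              ;; go through a reverse proxy.
              (www-address "127.0.0.1")
              (www-port "9888")
              ;; Never disable authentication.
              (auth-none? #false)
              ;; Without this "rserver" does not see any external users.
              (environment #~((string-append "LD_LIBRARY_PATH=" #$sssd "/lib")))
              ;; Require the use of the host system's sssd via the shared
              ;; sockets.
              (pam (pam-entry
                    (control "required")
                    (module (file-append sssd "/lib/security/pam_sss.so"))))))

    (service special-files-service-type
             `(("/bin/bash" ,(file-append bash "/bin/bash"))
               ("/bin/sh" ,(file-append bash "/bin/sh"))
               ;; Convenient for pre-compiled binaries, e.g. those downloaded
               ;; by r-tinytex.  Security note: with this loader in place any
               ;; foreign x86-64 ELF binary a user drops into the container
               ;; becomes runnable, not just Guix-built ones.
               ("/lib64/ld-linux-x86-64.so.2"
                ,(file-append glibc "/lib/ld-linux-x86-64.so.2"))))

    (service login-service-type)
    (syslog-service)
    (service static-networking-service-type
             (list %loopback-static-networking))

    ;; Use host system's sssd by extending the nscd environment.
    (service nscd-service-type
             (nscd-configuration
              (name-services (list sssd))))
    (service udev-service-type)
    (service sysctl-service-type)))

  ;; Resolve users and groups from local files first, then from the host's
  ;; sssd over the shared pipes.
  (name-service-switch
   (let ((sources (list (name-service (name "files"))
                        (name-service (name "sss")))))
     (name-service-switch
      (inherit %default-nss)
      (password sources)
      (shadow sources)
      (group sources)
      (netgroup sources)
      (gshadow sources)))))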
;;; How we use it
;;
;; --share mounts are writable from inside the container, --expose mounts
;; are read-only.  /var/lib/sss/pipes must be shared so pam_sss and
;; libnss_sss can reach the host's sssd.  --network reuses the host's
;; network namespace, so rserver's 127.0.0.1:9888 listener sits on the
;; host loopback.
#|
LAUNCH=$(guix time-machine --channels=channels.scm -- system container --network os.scm)
$LAUNCH --share=/var/lib/sss/pipes \
        --share=/data/akalin \
        --share=/home \
        --share=/local \
        --share=/fast \
        --expose=/gnu/store \
        --expose=/var/guix/profiles &
|#
