+(define %setuid-programs
+ ;; Default set of setuid-root programs.
+ (let ((shadow (@ (gnu packages admin) shadow)))
+ (list #~(string-append #$shadow "/bin/passwd")
+ #~(string-append #$shadow "/bin/su")
+ #~(string-append #$inetutils "/bin/ping")
+ #~(string-append #$sudo "/bin/sudo")
+ #~(string-append #$fuse "/bin/fusermount"))))
+
+(define %sudoers-specification
+ ;; Default /etc/sudoers contents: 'root' and all members of the 'wheel'
+ ;; group can do anything. See
+ ;; <http://www.sudo.ws/sudo/man/1.8.10/sudoers.man.html>.
+ ;; TODO: Add a declarative API.
+ "root ALL=(ALL) ALL
+%wheel ALL=(ALL) ALL\n")
+
+(define (user-group->gexp group)
+ "Turn GROUP, a <user-group> object, into a list-valued gexp suitable for
+'active-groups'."
+ #~(list #$(user-group-name group)
+ #$(user-group-password group)
+ #$(user-group-id group)))
+
+(define (user-account->gexp account)
+ "Turn ACCOUNT, a <user-account> object, into a list-valued gexp suitable for
+'activate-users'."
+ #~`(#$(user-account-name account)
+ #$(user-account-uid account)
+ #$(user-account-group account)
+ #$(user-account-supplementary-groups account)
+ #$(user-account-comment account)
+ #$(user-account-home-directory account)
+ ,#$(user-account-shell account) ; this one is a gexp
+ #$(user-account-password account)))
+
+(define (operating-system-activation-script os)
+ "Return the activation script for OS---i.e., the code that \"activates\" the
+stateful part of OS, including user accounts and groups, special directories,
+etc."
+ (define %modules
+ '((guix build activation)
+ (guix build utils)
+ (guix build linux-initrd)))
+
+ (define (service-activations services)
+ ;; Return the activation scripts for SERVICES.
+ (let ((gexps (filter-map service-activate services)))
+ (sequence %store-monad (map (cut gexp->file "activate-service.scm" <>)
+ gexps))))
+
+ (mlet* %store-monad ((services (operating-system-services os))
+ (actions (service-activations services))
+ (etc (operating-system-etc-directory os))
+ (modules (imported-modules %modules))
+ (compiled (compiled-modules %modules))
+ (accounts (operating-system-accounts os)))
+ (define setuid-progs
+ (operating-system-setuid-programs os))
+
+ (define user-specs
+ (map user-account->gexp accounts))
+
+ (define groups
+ (append (operating-system-groups os)
+ (append-map service-user-groups services)))
+
+ (define group-specs
+ (map user-group->gexp groups))
+
+ (gexp->file "activate"
+ #~(begin
+ (eval-when (expand load eval)
+ ;; Make sure 'use-modules' below succeeds.
+ (set! %load-path (cons #$modules %load-path))
+ (set! %load-compiled-path
+ (cons #$compiled %load-compiled-path)))
+
+ (use-modules (guix build activation))
+
+ ;; Populate /etc.
+ (activate-etc #$etc)
+
+ ;; Add users and user groups.
+ (setenv "PATH"
+ (string-append #$(@ (gnu packages admin) shadow)
+ "/sbin"))
+ (activate-users+groups (list #$@user-specs)
+ (list #$@group-specs))
+
+ ;; Activate setuid programs.
+ (activate-setuid-programs (list #$@setuid-progs))
+
+ ;; Run the services' activation snippets.
+ ;; TODO: Use 'load-compiled'.
+ (for-each primitive-load '#$actions)
+
+ ;; Set up /run/current-system.
+ (activate-current-system)))))
+