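{ lib, modulesPath, config, pkgs, ... }:
# NixOS profile for an EC2 image: serial console, systemd-boot, an `ec2-user`
# account with password-less sudo, and a oneshot unit that pulls the instance's
# SSH public keys from IMDSv2 into ~ec2-user/.ssh/authorized_keys.
{
  # --- Debug-only settings -----------------------------------------------
  # Everything in this group widens the attack surface of the image and is
  # meant to be dropped before the profile is used for anything but bring-up:
  #  * autologinUser = "root" hands a root shell, with no password and no SSH
  #    key, to anyone who can reach the serial console.  On EC2 that is the
  #    EC2 Serial Console, i.e. anyone in the account with the matching IAM
  #    permission once the feature is enabled.
  #  * a 10 s loader timeout gives a console user time to stop the boot.
  # TODO: Remove after debugging
  services.getty.autologinUser = "root";
  boot.kernelParams = [ "console=ttyS0,115200n8" ];
  boot.loader = {
    timeout = 10; # NOTE: For Debugging
    systemd-boot.enable = true;
    # Do not let the boot-menu editor alter the kernel command line: with the
    # timeout above, a console user could otherwise append init=/bin/sh and
    # get root without any credential.
    systemd-boot.editor = false;
  };

  # ec2-user has no password, so a password prompt in sudo would only lock the
  # account out; this is the usual cloud-image arrangement, and it means that
  # access control for the whole box rests on the SSH key(s) fetched below.
  security.sudo.wheelNeedsPassword = false;
  users.users.ec2-user = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
  };

  services.openssh.enable = true;

  # Out-of-band host-key verification channel: the public host keys and their
  # fingerprints go to the serial console so a client can check them through
  # `aws ec2 get-console-output` before the first SSH connection.  Only public
  # material is printed here; nothing under /etc/ssh/*_key (private) may ever
  # be echoed to the console, which is readable by every console viewer.
  # Ordered after sshd.service because NixOS' sshd preStart generates the host
  # keys on first boot.
  systemd.services.print-ssh-host-keys = {
    description = "Print SSH host keys to console";
    after = [ "sshd.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      StandardOutput = "journal+console";
    };
    # The BEGIN/END banners are kept byte-for-byte: they are the markers that
    # console-scraping tooling looks for.
    script = ''
      echo -----BEGIN SSH HOST KEY KEYS-----
      cat /etc/ssh/ssh_host_*_key.pub
      echo -----END SSH HOST KEY KEYS-----
      echo -----BEGIN SSH HOST KEY FINGERPRINTS-----
      for pubkey in /etc/ssh/ssh_host_*_key.pub; do
        ${pkgs.openssh}/bin/ssh-keygen -l -f "$pubkey"
      done
      echo -----END SSH HOST KEY FINGERPRINTS-----
    '';
  };

  # Installs the key pair(s) attached to the instance as ec2-user's
  # authorized_keys.  Runs once: if the file already exists it is left alone so
  # that keys a user added or removed by hand survive a reboot.
  systemd.services.ec2-metadata = {
    description = "Fetch EC2 metadata and set up ssh keys for ec2-user";
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = { Type = "oneshot"; };
    script = ''
      set -euo pipefail
      home=/home/ec2-user
      keys="$home/.ssh/authorized_keys"

      # Idempotence guard.  Checked before any IMDS traffic so that a later boot
      # without metadata access (e.g. IMDS disabled on the instance) does not
      # fail the unit needlessly.
      if [ -e "$keys" ]; then
        exit 0
      fi

      # IMDSv2 only: every request carries a session token obtained via PUT,
      # which is what stops SSRF-style theft of instance metadata through
      # IMDSv1-style plain GETs.  The TTL has to outlive the retry budget below:
      # curl doubles its retry delay on each attempt, so 20 retries can easily
      # exceed the 60 s used previously and leave a dead token mid-run.
      token=$(${pkgs.curl}/bin/curl --silent --show-error --fail-with-body \
        --retry 20 --retry-connrefused \
        -X PUT "http://169.254.169.254/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 300") || exit 1

      # GET one IMDS path (relative to /latest/) with the session token.
      imds() {
        ${pkgs.curl}/bin/curl --silent --show-error --fail-with-body \
          --retry 20 --retry-connrefused \
          --header "X-aws-ec2-metadata-token: $token" \
          "http://169.254.169.254/latest/$1"
      }

      # Assign first so that a failed listing is caught by `set -e`; a failure
      # inside a `for ... in $(...)` word list is not.
      listing=$(imds meta-data/public-keys/) || exit 1

      # Assemble the file privately and move it into place only after every key
      # has been fetched.  Appending straight into authorized_keys (as before)
      # could leave a truncated file when a fetch failed part-way, and the
      # guard above would then treat that file as complete on every later boot.
      umask 077
      mkdir -p "$home/.ssh"
      chmod 700 "$home/.ssh"
      tmp=$(mktemp "$home/.ssh/.authorized_keys.XXXXXX")
      trap 'rm -f "$tmp"' EXIT

      # Each listing entry looks like "0=key-name"; the key material is served
      # at public-keys/<index>/openssh-key, so the "=key-name" suffix is
      # stripped and a "/" separator added.  The previous "''${i}openssh-key"
      # concatenation did neither, which is a plausible cause of the 404 that
      # the old TODO attributed to timing -- worth confirming on a live
      # instance.  A newline is added after each key defensively, since a
      # response without a trailing newline would otherwise fuse two keys into
      # one unusable line.
      for entry in $listing; do
        imds "meta-data/public-keys/''${entry%%=*}/openssh-key" >> "$tmp"
        printf '\n' >> "$tmp"
      done

      # No key pair on the instance: install nothing, so a later run can still
      # succeed, and say so in the journal instead of failing silently.
      if [ ! -s "$tmp" ]; then
        echo "ec2-metadata: no public keys found in IMDS; not creating $keys" >&2
        exit 0
      fi

      chmod 600 "$tmp"
      chown -R ec2-user:users "$home/.ssh"
      mv "$tmp" "$keys"
    '';
  };

  # Fetch from DHCP
  networking.hostName = lib.mkDefault "";
}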