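# NixOS module for the Amazon SSM agent (services.amazon-ssm-agent).
# Runs the agent as a systemd service, provides the ssm-user account that
# Session Manager expects, and installs the agent's config templates under /etc.
{ config, pkgs, lib, ... }:

with lib;
let
  cfg = config.services.amazon-ssm-agent;

  # The SSM agent doesn't pay attention to our /etc/os-release yet, and the lsb-release tool
  # in nixpkgs doesn't seem to work properly on NixOS, so let's just fake the two fields SSM
  # looks for. See https://github.com/aws/amazon-ssm-agent/issues/38 for upstream fix.
  # Only `-i` (distributor id) and `-r` (release) are answered; any other flag prints nothing.
  fake-lsb-release = pkgs.writeScriptBin "lsb_release" ''
    #!${pkgs.runtimeShell}

    case "$1" in
      -i) echo "nixos";;
      -r) echo "${config.system.nixos.version}";;
    esac
  '';
in {
  # Old option names (services.ssm-agent.*) are still accepted and forwarded.
  imports = [
    (mkRenamedOptionModule [ "services" "ssm-agent" "enable" ] [ "services" "amazon-ssm-agent" "enable" ])
    (mkRenamedOptionModule [ "services" "ssm-agent" "package" ] [ "services" "amazon-ssm-agent" "package" ])
  ];

  options.services.amazon-ssm-agent = {
    enable = mkEnableOption (lib.mdDoc "Amazon SSM agent");

    package = mkOption {
      type = types.path;
      description = lib.mdDoc "The Amazon SSM agent package to use";
      # overrideEtc = false: the module, not the package, manages /etc/amazon/ssm (see below).
      default = pkgs.amazon-ssm-agent.override { overrideEtc = false; };
      defaultText = literalExpression "pkgs.amazon-ssm-agent.override { overrideEtc = false; }";
    };
  };

  config = mkIf cfg.enable {
    # See https://github.com/aws/amazon-ssm-agent/blob/mainline/packaging/linux/amazon-ssm-agent.service
    systemd.services.amazon-ssm-agent = {
      inherit (cfg.package.meta) description;
      # `after` alone only orders the unit; it does not pull network-online.target in.
      # `wants` makes systemd actually wait for the network before starting the agent.
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];

      # fake-lsb-release comes first so the agent's lsb_release lookup hits our shim.
      path = [ fake-lsb-release pkgs.coreutils ];

      serviceConfig = {
        ExecStart = "${cfg.package}/bin/amazon-ssm-agent";
        # Stop only the main agent process; processes it spawned are left alone.
        KillMode = "process";
        # We want this restarting pretty frequently. It could be our only means
        # of accessing the instance.
        Restart = "always";
        # 194 mirrors the upstream unit linked above; the agent's use of that
        # exit code is documented there, not here.
        RestartPreventExitStatus = 194;
        RestartSec = "90";
      };
    };

    # Add user that Session Manager needs, and give it sudo.
    # This is consistent with Amazon Linux 2 images.
    # NOTE(review): this is passwordless root for anything running as ssm-user;
    # the module enforces no further restriction, so who may reach that account
    # is decided entirely outside this file (presumably IAM/SSM permissions) —
    # confirm that matches the deployment before enabling.
    security.sudo.extraRules = [
      {
        users = [ "ssm-user" ];
        commands = [
          {
            command = "ALL";
            options = [ "NOPASSWD" ];
          }
        ];
      }
    ];
    # On Amazon Linux 2 images, the ssm-user user is pretty much a
    # normal user with its own group. We do the same.
    users.groups.ssm-user = {};
    users.users.ssm-user = {
      isNormalUser = true;
      group = "ssm-user";
    };

    # The agent reads its config from /etc/amazon/ssm; point both files at the
    # templates shipped in the package (hence overrideEtc = false above).
    environment.etc."amazon/ssm/seelog.xml".source = "${cfg.package}/etc/amazon/ssm/seelog.xml.template";

    environment.etc."amazon/ssm/amazon-ssm-agent.json".source = "${cfg.package}/etc/amazon/ssm/amazon-ssm-agent.json.template";

  };
}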