{ config, pkgs, lib, ... }:

let
  agentCfg = config.services.ssm-agent;
  ssmUser = "ssm-user";

  # Shim for `lsb_release`: the SSM agent does not read /etc/os-release yet, and the
  # lsb-release tool in nixpkgs does not seem to work properly on NixOS, so this answers
  # the two queries the agent makes (distributor id and release).
  # Upstream tracking: https://github.com/aws/amazon-ssm-agent/issues/38
  # Only the single-flag forms `-i` and `-r` are handled; any other invocation prints
  # nothing and exits successfully.
  lsbReleaseShim = pkgs.writeScriptBin "lsb_release" ''
    #!${pkgs.runtimeShell}

    case "$1" in
      -i) echo "nixos";;
      -r) echo "${config.system.nixos.version}";;
    esac
  '';

  # systemd unit that runs the agent binary from the selected package.
  # NOTE(review): no User= and no sandboxing options are set, so the agent runs as root
  # with an unrestricted service environment.
  agentUnit = {
    inherit (agentCfg.package.meta) description;
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    # The shim is listed first so it takes precedence within the unit's PATH.
    path = [ lsbReleaseShim pkgs.coreutils ];
    serviceConfig = {
      ExecStart = "${agentCfg.package}/bin/amazon-ssm-agent";
      # On stop, only the agent's main process is signalled (KillMode=process).
      KillMode = "process";
      # Restart aggressively: the agent may be the only way into the instance,
      # so a crashed agent should come back on its own within a minute.
      Restart = "always";
      RestartSec = "1min";
    };
  };

  # Passwordless sudo for the Session Manager user, matching Amazon Linux 2 images.
  # This makes ssm-user root-equivalent on the host: any principal permitted to open a
  # Session Manager session on this instance (presumably governed on the AWS side, not
  # in this module) effectively gets root. Review that access policy with this in mind.
  ssmUserSudoRule = {
    users = [ ssmUser ];
    commands = [
      {
        command = "ALL";
        options = [ "NOPASSWD" ];
      }
    ];
  };
in
{
  options.services.ssm-agent = {
    enable = lib.mkEnableOption (lib.mdDoc "AWS SSM agent");

    package = lib.mkOption {
      type = lib.types.path;
      description = lib.mdDoc "The SSM agent package to use";
      # overrideEtc = false presumably stops the package from shipping its own /etc
      # files; the templates are wired in via environment.etc below instead
      # (confirm against pkgs.ssm-agent).
      default = pkgs.ssm-agent.override { overrideEtc = false; };
      defaultText = lib.literalExpression "pkgs.ssm-agent.override { overrideEtc = false; }";
    };
  };

  config = lib.mkIf agentCfg.enable {
    systemd.services.ssm-agent = agentUnit;

    security.sudo.extraRules = [ ssmUserSudoRule ];

    # Like Amazon Linux 2: ssm-user is a regular user with its own primary group.
    users.groups.${ssmUser} = {};
    users.users.${ssmUser} = {
      isNormalUser = true;
      group = ssmUser;
    };

    # Expose the package's templates as the agent's live config files.
    environment.etc."amazon/ssm/seelog.xml".source =
      "${agentCfg.package}/seelog.xml.template";
    environment.etc."amazon/ssm/amazon-ssm-agent.json".source =
      "${agentCfg.package}/etc/amazon/ssm/amazon-ssm-agent.json.template";
  };
}