{ config, pkgs, lib, ... }:

let
  inherit (lib) mkIf mkOption mkEnableOption mkRenamedOptionModule types literalExpression;

  cfg = config.services.amazon-ssm-agent;

  # The SSM agent doesn't pay attention to our /etc/os-release yet, and the lsb-release tool
  # in nixpkgs doesn't seem to work properly on NixOS, so let's just fake the two fields SSM
  # looks for (-i distributor id, -r release). See
  # https://github.com/aws/amazon-ssm-agent/issues/38 for the upstream fix.
  # Any other flag prints nothing and exits 0.
  fake-lsb-release = pkgs.writeScriptBin "lsb_release" ''
    #!${pkgs.runtimeShell}

    case "$1" in
      -i) echo "nixos";;
      -r) echo "${config.system.nixos.version}";;
    esac
  '';

  # Passwordless, unrestricted sudo for the Session Manager user, matching Amazon Linux 2.
  # In effect this is unattended root for anyone able to open a session on this host as
  # ssm-user. Who can open such a session is not controlled here (presumably by IAM/SSM on
  # the AWS side), so keep this module disabled on hosts that don't need the agent.
  sudoRule = {
    users = [ "ssm-user" ];
    commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ];
  };

  # Session Manager's login user: a plain user with its own primary group, as on Amazon Linux 2.
  ssmUser = {
    isNormalUser = true;
    group = "ssm-user";
  };
in
{
  imports = [
    (mkRenamedOptionModule [ "services" "ssm-agent" "enable" ] [ "services" "amazon-ssm-agent" "enable" ])
    (mkRenamedOptionModule [ "services" "ssm-agent" "package" ] [ "services" "amazon-ssm-agent" "package" ])
  ];

  options.services.amazon-ssm-agent = {
    enable = mkEnableOption "Amazon SSM agent";

    package = mkOption {
      type = types.path;
      description = "The Amazon SSM agent package to use";
      # NOTE(review): the value is also read as cfg.package.meta.description below, so in
      # practice it must be a derivation carrying meta, not an arbitrary path.
      default = pkgs.amazon-ssm-agent.override { overrideEtc = false; };
      defaultText = literalExpression "pkgs.amazon-ssm-agent.override { overrideEtc = false; }";
    };
  };

  config = mkIf cfg.enable {
    # Add the user that Session Manager needs, and give it sudo under both sudo implementations.
    users.groups.ssm-user = { };
    users.users.ssm-user = ssmUser;
    security.sudo.extraRules = [ sudoRule ];
    security.sudo-rs.extraRules = [ sudoRule ];

    # Agent configuration and logging config are taken verbatim from the package's templates.
    environment.etc."amazon/ssm/amazon-ssm-agent.json".source =
      "${cfg.package}/etc/amazon/ssm/amazon-ssm-agent.json.template";
    environment.etc."amazon/ssm/seelog.xml".source =
      "${cfg.package}/etc/amazon/ssm/seelog.xml.template";

    # See https://github.com/aws/amazon-ssm-agent/blob/mainline/packaging/linux/amazon-ssm-agent.service
    systemd.services.amazon-ssm-agent = {
      description = cfg.package.meta.description;
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];

      # The fake lsb_release is listed first so it takes precedence over any other
      # lsb_release on the unit's PATH.
      path = [ fake-lsb-release pkgs.coreutils ];

      serviceConfig = {
        ExecStart = "${cfg.package}/bin/amazon-ssm-agent";
        # KillMode=process: on stop, systemd kills only the main process; whatever it forked
        # (presumably session handlers) is left running.
        KillMode = "process";
        # We want this restarting pretty frequently. It could be our only means
        # of accessing the instance.
        Restart = "always";
        # Mirrors the upstream unit linked above; presumably the agent's "do not restart"
        # exit code -- verify against that unit before changing.
        RestartPreventExitStatus = 194;
        RestartSec = "90";
      };
    };
  };
}