1# Configuration for Amazon EC2 instances. (Note that this file is a
2# misnomer - it should be "amazon-config.nix" or so, not
3# "amazon-image.nix", since it's used not only to build images but
4# also to reconfigure instances. However, we can't rename it because
5# existing "configuration.nix" files on EC2 instances refer to it.)
6
{ config, lib, pkgs, ... }:

let
  inherit (lib) mkIf mkDefault maintainers;

  cfg = config.ec2;

  # The ZFS image carries a partition labelled "ESP" whether or not it is
  # booted via EFI, so /boot is mounted from it in both cases.
  mountsEsp = cfg.efi || cfg.zfs.enable;
in
{
  imports = [
    ../profiles/headless.nix
    # headless.nix turns consoles off, but the EC2 serial console on ttyS0 is
    # deliberately re-enabled below (kernel command line, GRUB and a getty),
    # since AWS exposes it to principals that are granted serial-console access:
    # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configure-access-to-serial-console.html
    ./ec2-data.nix
    ./amazon-init.nix
  ];

  config = {
    # This module currently asserts nothing; kept so assertions can be added
    # here without touching the structure.
    assertions = [ ];

    fileSystems = {
      # ext4 root unless the ZFS layout is in use. Together with
      # boot.growPartition below it is grown to the size of the EBS volume.
      "/" = mkIf (!cfg.zfs.enable) {
        device = "/dev/disk/by-label/nixos";
        fsType = "ext4";
        autoResize = true;
      };
      "/boot" = mkIf mountsEsp {
        device = "/dev/disk/by-label/ESP";
        fsType = "vfat";
      };
    };

    boot = {
      growPartition = true;

      # ZFS pool import searches "/dev/" directly rather than the default
      # by-id tree. NOTE(review): presumably because by-id names are not
      # stable across EC2 instance types -- confirm.
      zfs.devNodes = mkIf cfg.zfs.enable "/dev/";

      # Elastic Network Adapter driver, out of tree for this kernel.
      extraModulePackages = [ config.boot.kernelPackages.ena ];

      initrd = {
        # Xen paravirtual block driver is always loaded in the initrd ...
        kernelModules = [ "xen-blkfront" ];
        # ... while the NVMe driver (Nitro instance storage/EBS) is only made
        # available and loaded on demand.
        availableKernelModules = [ "nvme" ];
      };

      # random.trust_cpu=on credits the CPU's hardware RNG (RDRAND/RDSEED on
      # x86) as an early seed for the kernel CRNG so a fresh instance does not
      # stall at boot waiting for entropy. This is a trust decision: the CPU
      # vendor's RNG becomes part of the initial seed. Keep it deliberate.
      kernelParams = [ "console=ttyS0,115200n8" "random.trust_cpu=on" ];

      # nouveau interferes with the nvidia/nvidia-uvm modules needed for CUDA
      # on GPU instances; xen_fbfront otherwise adds a ~30 s delay at boot.
      blacklistedKernelModules = [ "nouveau" "xen_fbfront" ];

      loader = {
        # The GRUB menu is reachable over the serial console (terminal_input
        # below), so whoever holds EC2 serial-console access can interrupt
        # this 1 s timeout and edit the kernel command line. Gate that access
        # with IAM rather than assuming the bootloader is unreachable.
        timeout = 1;
        grub = {
          # EFI images install a removable-media loader with no target
          # device; legacy images install to the Xen root disk. NOTE(review):
          # on NVMe-only instances /dev/xvda presumably comes from the
          # amazon-ec2-utils udev symlinks enabled below -- confirm.
          device = if cfg.efi then "nodev" else "/dev/xvda";
          efiSupport = cfg.efi;
          efiInstallAsRemovable = cfg.efi;
          extraConfig = ''
            serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
            terminal_output console serial
            terminal_input console serial
          '';
        };
      };
    };

    systemd.services = {
      fetch-ec2-metadata = {
        wantedBy = [ "multi-user.target" ];
        # Needs the network: pulls in and orders after network-online.
        wants = [ "network-online.target" ];
        after = [ "network-online.target" ];
        path = [ pkgs.curl ];
        script = builtins.readFile ./ec2-metadata-fetcher.sh;
        serviceConfig = {
          Type = "oneshot";
          # Everything the fetcher prints lands in the journal AND on the
          # serial console. NOTE(review): if ec2-metadata-fetcher.sh echoes
          # user-data or other metadata, it becomes readable by anyone with
          # journal or serial-console access -- check the script before
          # relying on user-data to carry secrets.
          StandardOutput = "journal+console";
        };
      };

      # Login prompt on the EC2 serial console.
      "serial-getty@ttyS0".enable = true;
    };

    services = {
      zfs.expandOnBoot = mkIf cfg.zfs.enable "all";

      # Amazon-issued AMIs ship the SSM Agent, so this image does too:
      # https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html
      # Security note: the agent gives principals with Systems Manager
      # permissions on this instance (through its instance profile) command
      # and session access that does not go through SSH at all, so scope the
      # instance role and the SSM IAM policies as carefully as the SSH keys.
      amazon-ssm-agent.enable = true;

      # Root may log in over SSH only with the key supplied at instance
      # creation time; password logins for root are refused.
      openssh = {
        enable = true;
        settings.PermitRootLogin = "prohibit-password";
      };

      # udev rules that create the EC2 block-device name symlinks.
      udev.packages = [ pkgs.amazon-ec2-utils ];

      # udisks2 drags in GTK and friends; not wanted on a headless system.
      udisks2.enable = false;
    };

    networking = {
      # An empty default hostname forces it to be taken from EC2.
      hostName = mkDefault "";
      # Amazon Time Sync Service: link-local and served by the hypervisor, so
      # no NTP egress to the internet is required.
      timeServers = [ "169.254.169.123" ];
    };

    # cryptsetup is always present so that Charon (NixOps' original name)
    # can use it.
    environment.systemPackages = [ pkgs.cryptsetup ];
  };

  meta.maintainers = [ maintainers.arianvp ];
}