# Configuration for Amazon EC2 instances. (Note that this file's name is a
# misnomer - it should be "amazon-config.nix" or similar rather than
# "amazon-image.nix", since it is used not only to build images but
# also to reconfigure running instances. It cannot be renamed, however,
# because existing "configuration.nix" files on EC2 instances refer to it.)
6
7{
8 config,
9 lib,
10 pkgs,
11 ...
12}:
13
let
  # Short aliases for the lib helpers used below and for this module's
  # own option subtree (config.ec2).
  mkDefault = lib.mkDefault;
  mkIf = lib.mkIf;
  cfg = config.ec2;
in
18
19{
20 imports = [
21 ../profiles/headless.nix
22 # Note: While we do use the headless profile, we also explicitly
23 # turn on the serial console on ttyS0 below. This is because
24 # AWS does support accessing the serial console:
25 # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configure-access-to-serial-console.html
26 ./ec2-data.nix
27 ./amazon-init.nix
28 ];
29
30 config = {
31
32 assertions = [ ];
33
34 boot.growPartition = true;
35
36 fileSystems."/" = mkIf (!cfg.zfs.enable) (
37 lib.mkDefault {
38 device = "/dev/disk/by-label/nixos";
39 fsType = "ext4";
40 autoResize = true;
41 }
42 );
43
44 fileSystems."/boot" = mkIf (cfg.efi || cfg.zfs.enable) (
45 lib.mkDefault {
46 # The ZFS image uses a partition labeled ESP whether or not we're
47 # booting with EFI.
48 device = "/dev/disk/by-label/ESP";
49 fsType = "vfat";
50 }
51 );
52
53 services.zfs.expandOnBoot = mkIf cfg.zfs.enable "all";
54
55 boot.zfs.devNodes = mkIf cfg.zfs.enable "/dev/";
56
57 boot.extraModulePackages = [
58 config.boot.kernelPackages.ena
59 ];
60 boot.initrd.kernelModules = [ "xen-blkfront" ];
61 boot.initrd.availableKernelModules = [ "nvme" ];
62 boot.kernelParams = [
63 "console=ttyS0,115200n8"
64 "random.trust_cpu=on"
65 ];
66
67 # Prevent the nouveau kernel module from being loaded, as it
68 # interferes with the nvidia/nvidia-uvm modules needed for CUDA.
69 # Also blacklist xen_fbfront to prevent a 30 second delay during
70 # boot.
71 boot.blacklistedKernelModules = [
72 "nouveau"
73 "xen_fbfront"
74 ];
75
    # GRUB installation target: the first Xen disk for BIOS boot; "nodev" with
    # EFI support and the removable-media install path for EFI boot
    # (presumably so the image boots without relying on a firmware boot
    # entry - confirm).
    boot.loader.grub.device = if cfg.efi then "nodev" else "/dev/xvda";
    boot.loader.grub.efiSupport = cfg.efi;
    boot.loader.grub.efiInstallAsRemovable = cfg.efi;
    boot.loader.timeout = 1;
    # Mirror the GRUB menu on the serial port so it is reachable through the
    # EC2 serial console.
    # NOTE(review): with terminal_input on serial, anyone who can attach the
    # serial console (an IAM-gated, account-level AWS feature) can interrupt
    # the 1-second menu and edit the kernel command line; no GRUB password is
    # configured here, so OS-level authentication does not cover that path.
    # Confirm this is acceptable, or restrict serial console access at the
    # account/IAM level.
    boot.loader.grub.extraConfig = ''
      serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
      terminal_output console serial
      terminal_input console serial
    '';
85
86 systemd.services.fetch-ec2-metadata = {
87 wantedBy = [ "multi-user.target" ];
88 wants = [ "network-online.target" ];
89 after = [ "network-online.target" ];
90 path = [ pkgs.curl ];
91 script = builtins.readFile ./ec2-metadata-fetcher.sh;
92 serviceConfig.Type = "oneshot";
93 serviceConfig.StandardOutput = "journal+console";
94 };
95
    # Amazon-issued AMIs include the SSM Agent by default, so we do the same.
    # https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html
    # NOTE(review): with the agent running (and an instance profile that lets
    # it register), any AWS principal permitted to use Session Manager or Run
    # Command against this instance gets command execution on it
    # independently of SSH and of the SSH keys configured below. Set this to
    # false in configuration.nix if that access path is not wanted.
    services.amazon-ssm-agent.enable = true;
99
100 # Allow root logins only using the SSH key that the user specified
101 # at instance creation time.
102 services.openssh.enable = true;
103 services.openssh.settings.PermitRootLogin = "prohibit-password";
104
105 # Enable the serial console on ttyS0
106 systemd.services."serial-getty@ttyS0".enable = true;
107
108 # Creates symlinks for block device names.
109 services.udev.packages = [ pkgs.amazon-ec2-utils ];
110
111 # Force getting the hostname from EC2.
112 networking.hostName = mkDefault "";
113
114 # Always include cryptsetup so that Charon can use it.
115 environment.systemPackages = [ pkgs.cryptsetup ];
116
117 # EC2 has its own NTP server provided by the hypervisor
118 networking.timeServers = [ "169.254.169.123" ];
119
120 # udisks has become too bloated to have in a headless system
121 # (e.g. it depends on GTK).
122 services.udisks2.enable = false;
123 };
124 meta.maintainers = with lib.maintainers; [ arianvp ];
125}