nixpkgs/nixos/modules/virtualisation/amazon-init.nix

{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.virtualisation.amazon-init;

  script = ''
    #!${pkgs.runtimeShell} -eu

    echo "attempting to fetch configuration from EC2 user data..."

    export HOME=/root
    export PATH=${pkgs.lib.makeBinPath [ config.nix.package pkgs.systemd pkgs.gnugrep pkgs.git pkgs.gnutar pkgs.gzip pkgs.gnused pkgs.xz config.system.build.nixos-rebuild]}:$PATH
    export NIX_PATH=nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels

    userData=/etc/ec2-metadata/user-data

    # Check if user-data looks like a shell script and execute it with the
    # runtime shell if it does. Otherwise treat it as a nixos configuration
    # expression
    if IFS= LC_ALL=C read -rN2 shebang < $userData && [ "$shebang" = '#!' ]; then
      # NB: we cannot chmod the $userData file, this is why we execute it via
      # `pkgs.runtimeShell`. This means we have only limited support for shell
      # scripts compatible with the `pkgs.runtimeShell`.
      exec ${pkgs.runtimeShell} $userData
    fi

    if [ -s "$userData" ]; then
      # If the user-data looks like it could be a nix expression,
      # copy it over. Also, look for a magic three-hash comment and set
      # that as the channel.
      if sed '/^\(#\|SSH_HOST_.*\)/d' < "$userData" | grep -q '\S'; then
        channels="$(grep '^###' "$userData" | sed 's|###\s*||')"
        while IFS= read -r channel; do
          echo "writing channel: $channel"
        done < <(printf "%s\n" "$channels")

        if [[ -n "$channels" ]]; then
          printf "%s" "$channels" > /root/.nix-channels
          nix-channel --update
        fi

        echo "setting configuration from EC2 user data"
        cp "$userData" /etc/nixos/configuration.nix
      else
        echo "user data does not appear to be a Nix expression; ignoring"
        exit
      fi
    else
      echo "no user data is available"
      exit
    fi

    nixos-rebuild switch
  '';
in {

  options.virtualisation.amazon-init = {
    enable = mkOption {
      default = true;
      type = types.bool;
      description = ''
        Enable or disable the amazon-init service.
      '';
    };
  };

  config = mkIf cfg.enable {
    systemd.services.amazon-init = {
      inherit script;
      description = "Reconfigure the system from EC2 userdata on startup";

      wantedBy = [ "multi-user.target" ];
      after = [ "multi-user.target" ];
      requires = [ "network-online.target" ];

      restartIfChanged = false;
      unitConfig.X-StopOnRemoval = false;

      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
    };
  };
}
virtualization/amazon-init: enable option 2021-02-07 21:00:00 +00:00			`{ config, lib, pkgs, ... }:`

			`with lib;`
Initial attempt at configuring from EC2 userdata (with input from cstrahan). Now with VM tests! 2015-04-10 06:06:52 +02:00
			`let`
virtualization/amazon-init: enable option 2021-02-07 21:00:00 +00:00			`cfg = config.virtualisation.amazon-init;`

amazon-init NixOS module: fix (I think) race condition with network The initialization code is now a systemd service that explicitly waits for network-online, so the occasional failure I was seeing because the `nixos-rebuild` couldn't get anything from the binary cache should stop. I hope! 2017-02-15 22:32:45 +00:00			`script = ''`
nixos: Move uses of stdenv.shell to runtimeShell. 2018-03-01 14:38:53 -05:00			`#!${pkgs.runtimeShell} -eu`
Initial attempt at configuring from EC2 userdata (with input from cstrahan). Now with VM tests! 2015-04-10 06:06:52 +02:00
amazon-init.nix: Don't run nixos-rebuild if we don't have to 2016-02-04 15:15:19 +01:00			`echo "attempting to fetch configuration from EC2 user data..."`
Initial attempt at configuring from EC2 userdata (with input from cstrahan). Now with VM tests! 2015-04-10 06:06:52 +02:00
amazon-init NixOS module: fix (I think) race condition with network The initialization code is now a systemd service that explicitly waits for network-online, so the occasional failure I was seeing because the `nixos-rebuild` couldn't get anything from the binary cache should stop. I hope! 2017-02-15 22:32:45 +00:00			`export HOME=/root`
amazon-init: add xz to PATH 2020-04-14 14:39:48 -04:00			`export PATH=${pkgs.lib.makeBinPath [ config.nix.package pkgs.systemd pkgs.gnugrep pkgs.git pkgs.gnutar pkgs.gzip pkgs.gnused pkgs.xz config.system.build.nixos-rebuild]}:$PATH`
virtualization/amazon-init: fix logging, nix path The missing `\n` in the printf format string prevented multiple channels from being logged. The missing `nixpkgs=` in the `NIX_PATH` prevented `nixos-rebuild` from working if the system configuration has any reference to `nixpkgs`. Additionally: * Use process substitution instead of piping printf to avoid creating a subshell. * Set an empty `IFS` to avoid word splitting. * Add the `-r` flag to `read` to avoid mangling backslashes. 2019-12-27 19:32:12 +00:00			`export NIX_PATH=nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels`
Initial attempt at configuring from EC2 userdata (with input from cstrahan). Now with VM tests! 2015-04-10 06:06:52 +02:00
Fetch all EC2 metadata / user data in the initrd Since we're already fetching one datum, we may as well fetch the others needed by fetch-ec2-data. This also eliminates the dependency on wget. 2016-02-04 15:42:49 +01:00			`userData=/etc/ec2-metadata/user-data`
Initial attempt at configuring from EC2 userdata (with input from cstrahan). Now with VM tests! 2015-04-10 06:06:52 +02:00
nixos/amazon-init: add user-data shell script support 2021-04-18 10:19:06 +01:00			`# Check if user-data looks like a shell script and execute it with the`
			`# runtime shell if it does. Otherwise treat it as a nixos configuration`
			`# expression`
			`if IFS= LC_ALL=C read -rN2 shebang < $userData && [ "$shebang" = '#!' ]; then`
			`# NB: we cannot chmod the $userData file, this is why we execute it via`
			# `pkgs.runtimeShell`. This means we have only limited support for shell
			# scripts compatible with the `pkgs.runtimeShell`.
			`exec ${pkgs.runtimeShell} $userData`
			`fi`

Fetch all EC2 metadata / user data in the initrd Since we're already fetching one datum, we may as well fetch the others needed by fetch-ec2-data. This also eliminates the dependency on wget. 2016-02-04 15:42:49 +01:00			`if [ -s "$userData" ]; then`
Initial attempt at configuring from EC2 userdata (with input from cstrahan). Now with VM tests! 2015-04-10 06:06:52 +02:00			`# If the user-data looks like it could be a nix expression,`
			`# copy it over. Also, look for a magic three-hash comment and set`
			`# that as the channel.`
			`if sed '/^\(#\\|SSH_HOST_.*\)/d' < "$userData" \| grep -q '\S'; then`
			`channels="$(grep '^###' "$userData" \| sed 's\|###\s*\|\|')"`
virtualization/amazon-init: fix logging, nix path The missing `\n` in the printf format string prevented multiple channels from being logged. The missing `nixpkgs=` in the `NIX_PATH` prevented `nixos-rebuild` from working if the system configuration has any reference to `nixpkgs`. Additionally: * Use process substitution instead of piping printf to avoid creating a subshell. * Set an empty `IFS` to avoid word splitting. * Add the `-r` flag to `read` to avoid mangling backslashes. 2019-12-27 19:32:12 +00:00			`while IFS= read -r channel; do`
Initial attempt at configuring from EC2 userdata (with input from cstrahan). Now with VM tests! 2015-04-10 06:06:52 +02:00			`echo "writing channel: $channel"`
virtualization/amazon-init: fix logging, nix path The missing `\n` in the printf format string prevented multiple channels from being logged. The missing `nixpkgs=` in the `NIX_PATH` prevented `nixos-rebuild` from working if the system configuration has any reference to `nixpkgs`. Additionally: * Use process substitution instead of piping printf to avoid creating a subshell. * Set an empty `IFS` to avoid word splitting. * Add the `-r` flag to `read` to avoid mangling backslashes. 2019-12-27 19:32:12 +00:00			`done < <(printf "%s\n" "$channels")`
Initial attempt at configuring from EC2 userdata (with input from cstrahan). Now with VM tests! 2015-04-10 06:06:52 +02:00
			`if [[ -n "$channels" ]]; then`
			`printf "%s" "$channels" > /root/.nix-channels`
			`nix-channel --update`
			`fi`

amazon-init.nix: Don't run nixos-rebuild if we don't have to 2016-02-04 15:15:19 +01:00			`echo "setting configuration from EC2 user data"`
Initial attempt at configuring from EC2 userdata (with input from cstrahan). Now with VM tests! 2015-04-10 06:06:52 +02:00			`cp "$userData" /etc/nixos/configuration.nix`
			`else`
amazon-init.nix: Don't run nixos-rebuild if we don't have to 2016-02-04 15:15:19 +01:00			`echo "user data does not appear to be a Nix expression; ignoring"`
			`exit`
Initial attempt at configuring from EC2 userdata (with input from cstrahan). Now with VM tests! 2015-04-10 06:06:52 +02:00			`fi`
			`else`
Fetch all EC2 metadata / user data in the initrd Since we're already fetching one datum, we may as well fetch the others needed by fetch-ec2-data. This also eliminates the dependency on wget. 2016-02-04 15:42:49 +01:00			`echo "no user data is available"`
amazon-init.nix: Don't run nixos-rebuild if we don't have to 2016-02-04 15:15:19 +01:00			`exit`
Initial attempt at configuring from EC2 userdata (with input from cstrahan). Now with VM tests! 2015-04-10 06:06:52 +02:00			`fi`

			`nixos-rebuild switch`
			`'';`
			`in {`
amazon-init NixOS module: fix (I think) race condition with network The initialization code is now a systemd service that explicitly waits for network-online, so the occasional failure I was seeing because the `nixos-rebuild` couldn't get anything from the binary cache should stop. I hope! 2017-02-15 22:32:45 +00:00
virtualization/amazon-init: enable option 2021-02-07 21:00:00 +00:00			`options.virtualisation.amazon-init = {`
			`enable = mkOption {`
			`default = true;`
			`type = types.bool;`
			`description = ''`
			`Enable or disable the amazon-init service.`
			`'';`
			`};`
			`};`

			`config = mkIf cfg.enable {`
			`systemd.services.amazon-init = {`
			`inherit script;`
			`description = "Reconfigure the system from EC2 userdata on startup";`

			`wantedBy = [ "multi-user.target" ];`
			`after = [ "multi-user.target" ];`
			`requires = [ "network-online.target" ];`
nixos/amazon-init.nix: add git to amazon-init script PATH 2019-12-29 12:00:35 +00:00
virtualization/amazon-init: enable option 2021-02-07 21:00:00 +00:00			`restartIfChanged = false;`
			`unitConfig.X-StopOnRemoval = false;`
amazon-init NixOS module: fix (I think) race condition with network The initialization code is now a systemd service that explicitly waits for network-online, so the occasional failure I was seeing because the `nixos-rebuild` couldn't get anything from the binary cache should stop. I hope! 2017-02-15 22:32:45 +00:00
virtualization/amazon-init: enable option 2021-02-07 21:00:00 +00:00			`serviceConfig = {`
			`Type = "oneshot";`
			`RemainAfterExit = true;`
			`};`
amazon-init NixOS module: fix (I think) race condition with network The initialization code is now a systemd service that explicitly waits for network-online, so the occasional failure I was seeing because the `nixos-rebuild` couldn't get anything from the binary cache should stop. I hope! 2017-02-15 22:32:45 +00:00			`};`
			`};`
Initial attempt at configuring from EC2 userdata (with input from cstrahan). Now with VM tests! 2015-04-10 06:06:52 +02:00			`}`