2015-09-27 12:01:43 -07:00
|
|
|
|
# Configuration for Amazon EC2 instances. (Note that this file is a
|
|
|
|
|
# misnomer - it should be "amazon-config.nix" or so, not
|
|
|
|
|
# "amazon-image.nix", since it's used not only to build images but
|
|
|
|
|
# also to reconfigure instances. However, we can't rename it because
|
|
|
|
|
# existing "configuration.nix" files on EC2 instances refer to it.)
|
|
|
|
|
|
2014-04-14 07:26:48 -07:00
|
|
|
|
{ config, lib, pkgs, ... }:
|
2010-01-20 10:10:02 -08:00
|
|
|
|
|
2014-04-14 07:26:48 -07:00
|
|
|
|
with lib;
|
2014-05-21 01:55:34 -07:00
|
|
|
|
|
2019-02-06 03:16:22 -08:00
|
|
|
|
let
|
|
|
|
|
cfg = config.ec2;
|
|
|
|
|
metadataFetcher = import ./ec2-metadata-fetcher.nix {
|
|
|
|
|
targetRoot = "$targetRoot/";
|
|
|
|
|
wgetExtraOptions = "-q";
|
|
|
|
|
};
|
|
|
|
|
in
|
2014-05-21 01:55:34 -07:00
|
|
|
|
|
2015-09-27 12:01:43 -07:00
|
|
|
|
{
|
2018-01-06 05:52:51 -08:00
|
|
|
|
imports = [ ../profiles/headless.nix ./ec2-data.nix ./amazon-init.nix ];
|
2014-05-21 01:55:34 -07:00
|
|
|
|
|
2015-09-27 12:01:43 -07:00
|
|
|
|
config = {
|
2014-05-21 01:55:34 -07:00
|
|
|
|
|
2017-04-04 04:07:15 -07:00
|
|
|
|
assertions = [
|
|
|
|
|
{ assertion = cfg.hvm;
|
|
|
|
|
message = "Paravirtualized EC2 instances are no longer supported.";
|
|
|
|
|
}
|
2019-05-25 02:53:15 -07:00
|
|
|
|
{ assertion = cfg.efi -> cfg.hvm;
|
|
|
|
|
message = "EC2 instances using EFI must be HVM instances.";
|
|
|
|
|
}
|
2017-04-04 04:07:15 -07:00
|
|
|
|
];
|
|
|
|
|
|
2018-01-06 05:52:51 -08:00
|
|
|
|
boot.growPartition = cfg.hvm;
|
2016-02-17 04:02:59 -08:00
|
|
|
|
|
2015-09-27 12:01:43 -07:00
|
|
|
|
fileSystems."/" = {
|
|
|
|
|
device = "/dev/disk/by-label/nixos";
|
2019-03-14 02:30:20 -07:00
|
|
|
|
fsType = "ext4";
|
2015-09-27 12:01:43 -07:00
|
|
|
|
autoResize = true;
|
|
|
|
|
};
|
2014-05-21 01:55:34 -07:00
|
|
|
|
|
2019-05-25 02:53:15 -07:00
|
|
|
|
fileSystems."/boot" = mkIf cfg.efi {
|
|
|
|
|
device = "/dev/disk/by-label/ESP";
|
|
|
|
|
fsType = "vfat";
|
|
|
|
|
};
|
|
|
|
|
|
2019-08-14 16:58:22 -07:00
|
|
|
|
boot.extraModulePackages = [
|
|
|
|
|
config.boot.kernelPackages.ena
|
|
|
|
|
];
|
2016-07-11 03:15:39 -07:00
|
|
|
|
boot.initrd.kernelModules = [ "xen-blkfront" "xen-netfront" ];
|
2017-11-09 08:47:29 -08:00
|
|
|
|
boot.initrd.availableKernelModules = [ "ixgbevf" "ena" "nvme" ];
|
2015-09-27 12:01:43 -07:00
|
|
|
|
boot.kernelParams = mkIf cfg.hvm [ "console=ttyS0" ];
|
2014-05-21 01:55:34 -07:00
|
|
|
|
|
2015-02-17 14:18:11 -08:00
|
|
|
|
# Prevent the nouveau kernel module from being loaded, as it
|
|
|
|
|
# interferes with the nvidia/nvidia-uvm modules needed for CUDA.
|
2015-09-28 12:57:54 -07:00
|
|
|
|
# Also blacklist xen_fbfront to prevent a 30 second delay during
|
|
|
|
|
# boot.
|
|
|
|
|
boot.blacklistedKernelModules = [ "nouveau" "xen_fbfront" ];
|
2015-02-17 14:18:11 -08:00
|
|
|
|
|
2014-05-21 01:55:34 -07:00
|
|
|
|
# Generate a GRUB menu. Amazon's pv-grub uses this to boot our kernel/initrd.
|
2014-06-19 01:56:52 -07:00
|
|
|
|
boot.loader.grub.version = if cfg.hvm then 2 else 1;
|
2019-05-25 02:53:15 -07:00
|
|
|
|
boot.loader.grub.device = if (cfg.hvm && !cfg.efi) then "/dev/xvda" else "nodev";
|
2015-09-28 04:34:19 -07:00
|
|
|
|
boot.loader.grub.extraPerEntryConfig = mkIf (!cfg.hvm) "root (hd0)";
|
2019-05-25 02:53:15 -07:00
|
|
|
|
boot.loader.grub.efiSupport = cfg.efi;
|
|
|
|
|
boot.loader.grub.efiInstallAsRemovable = cfg.efi;
|
2016-05-25 01:34:54 -07:00
|
|
|
|
boot.loader.timeout = 0;
|
2014-05-21 01:55:34 -07:00
|
|
|
|
|
2016-02-02 10:03:13 -08:00
|
|
|
|
boot.initrd.network.enable = true;
|
|
|
|
|
|
2014-05-21 01:55:34 -07:00
|
|
|
|
# Mount all formatted ephemeral disks and activate all swap devices.
|
|
|
|
|
# We cannot do this with the ‘fileSystems’ and ‘swapDevices’ options
|
|
|
|
|
# because the set of devices is dependent on the instance type
|
2018-06-03 10:03:34 -07:00
|
|
|
|
# (e.g. "m1.small" has one ephemeral filesystem and one swap device,
|
2014-05-21 01:55:34 -07:00
|
|
|
|
# while "m1.large" has two ephemeral filesystems and no swap
|
|
|
|
|
# devices). Also, put /tmp and /var on /disk0, since it has a lot
|
|
|
|
|
# more space than the root device. Similarly, "move" /nix to /disk0
|
|
|
|
|
# by layering a unionfs-fuse mount on top of it so we have a lot more space for
|
|
|
|
|
# Nix operations.
|
|
|
|
|
boot.initrd.postMountCommands =
|
|
|
|
|
''
|
2019-02-06 03:16:22 -08:00
|
|
|
|
${metadataFetcher}
|
2016-02-04 06:42:49 -08:00
|
|
|
|
|
2014-05-21 01:55:34 -07:00
|
|
|
|
diskNr=0
|
|
|
|
|
diskForUnionfs=
|
|
|
|
|
for device in /dev/xvd[abcde]*; do
|
|
|
|
|
if [ "$device" = /dev/xvda -o "$device" = /dev/xvda1 ]; then continue; fi
|
|
|
|
|
fsType=$(blkid -o value -s TYPE "$device" || true)
|
|
|
|
|
if [ "$fsType" = swap ]; then
|
|
|
|
|
echo "activating swap device $device..."
|
|
|
|
|
swapon "$device" || true
|
|
|
|
|
elif [ "$fsType" = ext3 ]; then
|
|
|
|
|
mp="/disk$diskNr"
|
|
|
|
|
diskNr=$((diskNr + 1))
|
|
|
|
|
if mountFS "$device" "$mp" "" ext3; then
|
2016-02-02 10:10:00 -08:00
|
|
|
|
if [ -z "$diskForUnionfs" ]; then diskForUnionfs="$mp"; fi
|
2014-05-21 01:55:34 -07:00
|
|
|
|
fi
|
|
|
|
|
else
|
|
|
|
|
echo "skipping unknown device type $device"
|
|
|
|
|
fi
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
if [ -n "$diskForUnionfs" ]; then
|
|
|
|
|
mkdir -m 755 -p $targetRoot/$diskForUnionfs/root
|
|
|
|
|
|
|
|
|
|
mkdir -m 1777 -p $targetRoot/$diskForUnionfs/root/tmp $targetRoot/tmp
|
|
|
|
|
mount --bind $targetRoot/$diskForUnionfs/root/tmp $targetRoot/tmp
|
|
|
|
|
|
2016-02-02 07:17:20 -08:00
|
|
|
|
if [ "$(cat "$metaDir/ami-manifest-path")" != "(unknown)" ]; then
|
2014-05-21 01:55:34 -07:00
|
|
|
|
mkdir -m 755 -p $targetRoot/$diskForUnionfs/root/var $targetRoot/var
|
|
|
|
|
mount --bind $targetRoot/$diskForUnionfs/root/var $targetRoot/var
|
|
|
|
|
|
|
|
|
|
mkdir -p /unionfs-chroot/ro-nix
|
|
|
|
|
mount --rbind $targetRoot/nix /unionfs-chroot/ro-nix
|
|
|
|
|
|
|
|
|
|
mkdir -m 755 -p $targetRoot/$diskForUnionfs/root/nix
|
|
|
|
|
mkdir -p /unionfs-chroot/rw-nix
|
|
|
|
|
mount --rbind $targetRoot/$diskForUnionfs/root/nix /unionfs-chroot/rw-nix
|
|
|
|
|
|
|
|
|
|
unionfs -o allow_other,cow,nonempty,chroot=/unionfs-chroot,max_files=32768 /rw-nix=RW:/ro-nix=RO $targetRoot/nix
|
|
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
'';
|
|
|
|
|
|
|
|
|
|
boot.initrd.extraUtilsCommands =
|
|
|
|
|
''
|
|
|
|
|
# We need swapon in the initrd.
|
2015-03-28 17:15:41 -07:00
|
|
|
|
copy_bin_and_libs ${pkgs.utillinux}/sbin/swapon
|
2014-05-21 01:55:34 -07:00
|
|
|
|
'';
|
|
|
|
|
|
|
|
|
|
# Don't put old configurations in the GRUB menu. The user has no
|
|
|
|
|
# way to select them anyway.
|
2015-05-29 13:26:51 -07:00
|
|
|
|
boot.loader.grub.configurationLimit = 0;
|
2014-05-21 01:55:34 -07:00
|
|
|
|
|
|
|
|
|
# Allow root logins only using the SSH key that the user specified
|
|
|
|
|
# at instance creation time.
|
|
|
|
|
services.openssh.enable = true;
|
2016-10-01 10:23:56 -07:00
|
|
|
|
services.openssh.permitRootLogin = "prohibit-password";
|
2014-05-21 01:55:34 -07:00
|
|
|
|
|
2019-08-23 05:12:33 -07:00
|
|
|
|
# Creates symlinks for block device names.
|
|
|
|
|
services.udev.packages = [ pkgs.ec2-utils ];
|
|
|
|
|
|
2014-05-21 01:55:34 -07:00
|
|
|
|
# Force getting the hostname from EC2.
|
|
|
|
|
networking.hostName = mkDefault "";
|
|
|
|
|
|
|
|
|
|
# Always include cryptsetup so that Charon can use it.
|
|
|
|
|
environment.systemPackages = [ pkgs.cryptsetup ];
|
|
|
|
|
|
|
|
|
|
boot.initrd.supportedFilesystems = [ "unionfs-fuse" ];
|
2018-10-15 12:47:51 -07:00
|
|
|
|
|
2017-11-29 19:48:00 -08:00
|
|
|
|
# EC2 has its own NTP server provided by the hypervisor
|
|
|
|
|
networking.timeServers = [ "169.254.169.123" ];
|
2018-10-15 12:47:51 -07:00
|
|
|
|
|
|
|
|
|
# udisks has become too bloated to have in a headless system
|
2019-09-03 15:49:40 -07:00
|
|
|
|
# (e.g. it depends on GTK).
|
2018-10-15 12:47:51 -07:00
|
|
|
|
services.udisks2.enable = false;
|
2014-05-21 01:55:34 -07:00
|
|
|
|
};
|
2010-01-20 10:10:02 -08:00
|
|
|
|
}
|