mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-24 07:53:19 +00:00
494442762c
This was meant to make amazon-ssm-agent work "out of the box" on non-NixOS systems but the feature never really worked. The problem is that amazon-ssm-agent looks for the files "amazon-ssm-agent.json" and "seelog.xml" but the files in the package are named "amazon-ssm-agent.json.template" and "seelog.xml.template". So even with this overrideEtc = true it would not be able to find the config. E.g. you'd get an error like Error occurred fetching the seelog config file path: open /nix/store/pyfxjr0i0hszcj9b6fqly6344zf9zhcb-amazon-ssm-agent-3.3.484.0/etc/amazon/ssm/seelog.xml: no such file or directory on startup. Removing this parameter from the from the package doesn't break things as it didn't work in the first place.
74 lines
2.4 KiB
Nix
74 lines
2.4 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
|
|
with lib;
|
|
let
|
|
cfg = config.services.amazon-ssm-agent;
|
|
|
|
# The SSM agent doesn't pay attention to our /etc/os-release yet, and the lsb-release tool
|
|
# in nixpkgs doesn't seem to work properly on NixOS, so let's just fake the two fields SSM
|
|
# looks for. See https://github.com/aws/amazon-ssm-agent/issues/38 for upstream fix.
|
|
fake-lsb-release = pkgs.writeScriptBin "lsb_release" ''
|
|
#!${pkgs.runtimeShell}
|
|
|
|
case "$1" in
|
|
-i) echo "nixos";;
|
|
-r) echo "${config.system.nixos.version}";;
|
|
esac
|
|
'';
|
|
|
|
sudoRule = {
|
|
users = [ "ssm-user" ];
|
|
commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ];
|
|
};
|
|
in {
|
|
imports = [
|
|
(mkRenamedOptionModule [ "services" "ssm-agent" "enable" ] [ "services" "amazon-ssm-agent" "enable" ])
|
|
(mkRenamedOptionModule [ "services" "ssm-agent" "package" ] [ "services" "amazon-ssm-agent" "package" ])
|
|
];
|
|
|
|
options.services.amazon-ssm-agent = {
|
|
enable = mkEnableOption "Amazon SSM agent";
|
|
package = mkPackageOption pkgs "amazon-ssm-agent" {};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
# See https://github.com/aws/amazon-ssm-agent/blob/mainline/packaging/linux/amazon-ssm-agent.service
|
|
systemd.services.amazon-ssm-agent = {
|
|
inherit (cfg.package.meta) description;
|
|
wants = [ "network-online.target" ];
|
|
after = [ "network-online.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
path = [ fake-lsb-release pkgs.coreutils ];
|
|
|
|
serviceConfig = {
|
|
ExecStart = "${cfg.package}/bin/amazon-ssm-agent";
|
|
KillMode = "process";
|
|
# We want this restating pretty frequently. It could be our only means
|
|
# of accessing the instance.
|
|
Restart = "always";
|
|
RestartPreventExitStatus = 194;
|
|
RestartSec = "90";
|
|
};
|
|
};
|
|
|
|
# Add user that Session Manager needs, and give it sudo.
|
|
# This is consistent with Amazon Linux 2 images.
|
|
security.sudo.extraRules = [ sudoRule ];
|
|
security.sudo-rs.extraRules = [ sudoRule ];
|
|
|
|
# On Amazon Linux 2 images, the ssm-user user is pretty much a
|
|
# normal user with its own group. We do the same.
|
|
users.groups.ssm-user = {};
|
|
users.users.ssm-user = {
|
|
isNormalUser = true;
|
|
group = "ssm-user";
|
|
};
|
|
|
|
environment.etc."amazon/ssm/seelog.xml".source = "${cfg.package}/etc/amazon/ssm/seelog.xml.template";
|
|
|
|
environment.etc."amazon/ssm/amazon-ssm-agent.json".source = "${cfg.package}/etc/amazon/ssm/amazon-ssm-agent.json.template";
|
|
|
|
};
|
|
}
|