nixpkgs-suyu/nixos/modules/services/misc/ssm-agent.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

74 lines
2.2 KiB
Nix
Raw Normal View History

2017-02-13 05:01:28 +01:00
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.ssm-agent;
# The SSM agent doesn't pay attention to our /etc/os-release yet, and the lsb-release tool
# in nixpkgs doesn't seem to work properly on NixOS, so let's just fake the two fields SSM
# looks for. See https://github.com/aws/amazon-ssm-agent/issues/38 for upstream fix.
fake-lsb-release = pkgs.writeScriptBin "lsb_release" ''
#!${pkgs.runtimeShell}
2017-02-13 05:01:28 +01:00
case "$1" in
-i) echo "nixos";;
-r) echo "${config.system.nixos.version}";;
2017-02-13 05:01:28 +01:00
esac
'';
in {
options.services.ssm-agent = {
enable = mkEnableOption "AWS SSM agent";
package = mkOption {
type = types.path;
description = "The SSM agent package to use";
default = pkgs.ssm-agent.override { overrideEtc = false; };
defaultText = literalExpression "pkgs.ssm-agent.override { overrideEtc = false; }";
2017-02-13 05:01:28 +01:00
};
};
config = mkIf cfg.enable {
systemd.services.ssm-agent = {
inherit (cfg.package.meta) description;
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
2020-06-26 12:15:08 +02:00
path = [ fake-lsb-release pkgs.coreutils ];
2017-02-13 05:01:28 +01:00
serviceConfig = {
2020-06-26 12:15:08 +02:00
ExecStart = "${cfg.package}/bin/amazon-ssm-agent";
2017-02-13 05:01:28 +01:00
KillMode = "process";
# We want this restating pretty frequently. It could be our only means
# of accessing the instance.
Restart = "always";
RestartSec = "1min";
2017-02-13 05:01:28 +01:00
};
};
2020-09-29 01:15:36 +02:00
# Add user that Session Manager needs, and give it sudo.
# This is consistent with Amazon Linux 2 images.
security.sudo.extraRules = [
{
users = [ "ssm-user" ];
commands = [
{
command = "ALL";
options = [ "NOPASSWD" ];
}
];
}
];
# On Amazon Linux 2 images, the ssm-user user is pretty much a
# normal user with its own group. We do the same.
users.groups.ssm-user = {};
users.users.ssm-user = {
isNormalUser = true;
group = "ssm-user";
};
environment.etc."amazon/ssm/seelog.xml".source = "${cfg.package}/seelog.xml.template";
environment.etc."amazon/ssm/amazon-ssm-agent.json".source = "${cfg.package}/etc/amazon/ssm/amazon-ssm-agent.json.template";
2017-02-13 05:01:28 +01:00
};
}