* We use Nix + system-manager to bake reproducible Amazon Linux 2023 AMIs. There's a shell script snippet in this GitHub issue: https://github.com/aws/ec2-image-builder-roadmap/issues/110
# Switch from ssm-user to the default user (run interactively in the SSM session; the lines below are entered in that shell).
sudo su ec2-user
# Install RPM packages.
sudo dnf install --assumeyes curl-minimal git
# Install Nix (installer pinned to a tagged release, fetched over TLS 1.2+ only).
curl --fail --location https://install.determinate.systems/nix/tag/v3.1.1 --proto '=https' --show-error --silent --tlsv1.2 | sh -s -- install --no-confirm
. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
# Set up the Nix flake registry, pinned to full Git revision hashes rather than branch names.
nix registry add nixpkgs github:NixOS/nixpkgs/{Git revision hash}
nix registry add system-manager github:numtide/system-manager/{Git revision hash}
# Install Nix packages.
nix profile install system-manager
# Apply system-manager configuration (installs system-wide packages and sets up systemd units).
# Note: if the Git HTTPS URL carries no query string yet, the rev parameter is introduced with '?' instead of '&'.
sudo $(command -v system-manager) pre-populate --flake 'git+{Git HTTPs URL}&rev={Git revision hash}#{system-manager flake output key}'
CloudFormation templates are generated with the AWS CDK. The infrastructure code essentially:
- Locks an Amazon-managed AMI ARN from their SSM public parameters into the cdk.context.json file.
- Calls nix flake metadata to get the flake's Git hash and construct a flake URL for the flake itself and some inputs needed in the script (we run Nix eval on a system in a VPC with company network connectivity).
- Generates an SSM document with the flake URL.
- Sets up the EC2 Image Builder infrastructure that auto-builds an AMI on CloudFormation stack deploys.
- References the AMI in a launch template which is then used in an auto-scaling group.
- Uses CloudFormation rolling update to bounce the auto-scaling group (until ASG instance refresh is supported in CloudFormation).
Once the CloudFormation image import situation is improved, we'll move the non-bootstrap stuff to use NixOS disk images created with the systemd-repart helpers.
This ends up being fully reproducible because Amazon Linux 2023 locks the Amazon Linux package repository version (these are globally versioned now), so any Nix dependencies like curl and git are locked by the AMI itself.
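As an added illustration of the "nix flake metadata → pinned flake URL → SSM document" step described above (example code, not the commenter's or any project's own): it takes the JSON that `nix flake metadata --json` emits, refuses any flake or input that is not locked to a full 40-hex commit, and renders the registry and pre-populate commands. The metadata sample is constructed in the shape of that JSON (abridged, fake revisions), and the output key `amiSystem` is an assumed placeholder.

```python
import json
import re
from typing import Dict, List

HEX40 = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample in the shape of `nix flake metadata --json` (abridged; revs are fake).
SAMPLE_METADATA = json.dumps({
    "locked": {"type": "git", "url": "https://git.example.internal/infra/amis.git",
               "rev": "a" * 40, "ref": "refs/heads/main"},
    "locks": {"nodes": {
        "root": {"inputs": {"nixpkgs": "nixpkgs", "system-manager": "system-manager"}},
        "nixpkgs": {"locked": {"type": "github", "owner": "NixOS", "repo": "nixpkgs", "rev": "b" * 40}},
        "system-manager": {"locked": {"type": "github", "owner": "numtide",
                                      "repo": "system-manager", "rev": "c" * 40}},
    }},
})


def pinned_ref(locked: dict) -> str:
    """Turn a locked flake node into an immutable flake ref, or raise if it is not pinned."""
    rev = locked.get("rev")
    if not rev or not HEX40.match(rev):  # dirty worktrees and branch-only refs have no usable rev
        raise ValueError(f"flake ref is not pinned to a full commit hash: {locked}")
    if locked.get("type") == "github":
        return f"github:{locked['owner']}/{locked['repo']}/{rev}"
    if locked.get("type") == "git":
        url = locked["url"]
        sep = "&" if "?" in url else "?"  # rev is a query parameter on git+ URLs
        return f"git+{url}{sep}rev={rev}"
    raise ValueError(f"unsupported flake input type: {locked.get('type')}")


def build_refs(metadata_json: str, output_key: str,
               inputs=("nixpkgs", "system-manager")) -> Dict[str, str]:
    """Pinned refs for the flake itself (with output key) and the inputs the script needs."""
    meta = json.loads(metadata_json)
    refs = {"flake": pinned_ref(meta["locked"]) + "#" + output_key}
    nodes = meta["locks"]["nodes"]
    root_inputs = nodes["root"]["inputs"]  # input name -> lock node name
    for name in inputs:
        refs[name] = pinned_ref(nodes[root_inputs[name]]["locked"])
    return refs


def render_commands(refs: Dict[str, str]) -> List[str]:
    """Shell lines for the SSM document: registry pins first, then the pre-populate step."""
    lines = [f"nix registry add {name} {ref}" for name, ref in refs.items() if name != "flake"]
    lines.append(f"sudo $(command -v system-manager) pre-populate --flake '{refs['flake']}'")
    return lines
```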