| 11 Oct 2024 |
commiterate | one day we'll move to systemd-repart | 23:29:28 |
commiterate | * one day we'll move to systemd-repart for a fully self-contained image | 23:31:06 |
Arian | That's why I'm making this change. As repart can't make bios images | 23:44:11 |
Arian | * That's why I'm making this change. As repart can't make mbr partition tables | 23:44:24 |
Arian | So I want to make sure all images are GPT Partition tables. Then I can move to repart builder later | 23:44:42 |
| 13 Oct 2024 |
Arian | urgh bad news | 13:22:36 |
Arian | the NixOS config we ship in the base image doesn't set stateVersion | 13:22:50 |
| 14 Oct 2024 |
Arian | PSA: we shipped a pretty serious bug to unstable that will lock you out of your EC2 instances :
https://discourse.nixos.org/t/breaking-changes-announcement-for-unstable/17574/63 | 10:03:47 |
Arian | * PSA: we shipped a pretty serious bug to unstable that will lock you out of your EC2 instances if using ssh. SSM still works
https://discourse.nixos.org/t/breaking-changes-announcement-for-unstable/17574/63 | 10:04:07 |
Arian | * PSA: we shipped a pretty serious bug to unstable that will lock you out of your EC2 instances if using ssh. SSM still works. Please refrain from updating until the fix has landed on the unstable branch
https://discourse.nixos.org/t/breaking-changes-announcement-for-unstable/17574/63 | 10:04:30 |
Arian | hmm one thing that worries me with AuthorizedKeysCommand for the main ssh key is
http://blog.champtar.fr/Metadata_MITM_root_EKS_GKE/
i.e. EC2 instance connect goes out of its way to protect against a rogue IMDS. But the normal ssh key does not | 13:48:06 |
Arian | idk if this is really in scope... | 13:48:12 |
Arian | I just find it interesting that EC2 instance connect goes all the way to protect against such attacks | 13:48:24 |
Arian | but then the normal SSH key doesn't get protected by this at all | 13:48:32 |
| 15 Oct 2024 |
commiterate | I wouldn't be surprised if it were on the backlog or if they view the EIC certs from IMDS also providing proof that the EC2 Key Pair is also probably safe | 06:34:32 |
commiterate | though they don't encrypt the SSH keys and require you to use the certs to decrypt the ciphertext, so... | 06:35:10 |
commiterate | at least that's my understanding, but the existing EIC AuthorizedKeysCommand Bash scripts aren't the easiest to read | 06:35:41 |
commiterate | Might be interesting for people who use Nix on non-NixOS EC2 instances (e.g. macOS): https://github.com/DeterminateSystems/nix-installer/issues/1235 | 06:37:05 |
commiterate | * I wouldn't be surprised if it were on the backlog or if they view the EIC certs from IMDS also providing proof that the EC2 Key Pair from IMDS also hasn't been tampered with | 06:39:01 |
commiterate | * at least that's my understanding and what that security finding points out, but the existing EIC AuthorizedKeysCommand Bash scripts aren't the easiest to read | 06:45:23 |
commiterate | * at least that's my understanding and what that security finding outlines, but the existing EIC AuthorizedKeysCommand Bash scripts aren't the easiest to read | 06:45:31 |
commiterate | even if they did encrypt the keys with the cert, it would still be vulnerable to MITM since it can just replace all IMDS responses | 06:46:28 |
Arian | I think the trick here is maybe to point to flakehub? | 09:53:30 |
Arian | Note there's a determinate systems discord. I'd suggest discussing a bit there | 09:53:50 |
Arian | P.S. MacOS is such a pain on EC2 holy moly | 09:54:18 |
Arian | You have to install NixOS on the (unsupported) instance store | 09:54:43 |
Arian | * You have to install Nix on the (unsupported) instance store | 09:54:51 |
Arian | and I have had several occasions where the instance store is just... broken | 09:55:02 |
Arian | Installing nix on the EBS volume isn't possible automatically. You need to do a GUI step | 09:55:20 |
Arian | I've wasted days and hours of my life on this at work | 09:55:37 |