NixOS AWS - Public Room Timeline

	NixOS AWS	64 Members
		15 Servers

Load older messages

Sender	Message	Time
11 Oct 2024
Arian	ah nope just works! sick	19:46:55
commiterate	In reply to @arianvp:matrix.org Problem is people doing nixos-rebuild switch on an existing instance Wait are the AMIs tracking the ami repo for something? If they `nixos-rebuild switch`, I don't see what would go awry if they're just tracking the normal NixOS channels like any regular user.	21:55:02
commiterate	In reply to @arianvp:matrix.org Problem is people doing nixos-rebuild switch on an existing instance * Wait are the AMIs tracking the ami repo for something? If they `nixos-rebuild switch`, I don't see what would go awry if they're just tracking the normal NixOS channels like any regular user and using their local `configuration.nix` (which I'm assuming doesn't have any inputs from the ami repo).	21:56:00
commiterate	* Wait are the AMIs tracking the ami repo for something? If they `nixos-rebuild switch`, I don't see what would go awry if they're just tracking the normal NixOS channels like any regular system and using their local `configuration.nix` (which I'm assuming doesn't have any inputs from the ami repo).	21:56:35
commiterate	* Wait are the AMIs' `configuration.nix` files tracking the ami repo for something? If they `nixos-rebuild switch`, I don't see what would go awry if they're just tracking the normal NixOS channels like any regular system and using their local `configuration.nix` (which I'm assuming doesn't have any inputs from the ami repo).	21:57:02
commiterate	Nope. EIC itself just works by having an OpenSSH AuthorizedKeysCommand program which calls IMDS (has EIC endpoints that return SSH keys, just like regular EC2 Key Pairs).	21:58:30
commiterate	I need to follow up next week to see if they're willing to take ownership of my Go rewrite over the existing Bash script abomination. https://github.com/commiterate/amazon-ec2-ssh-utils	21:59:12
commiterate	* I need to follow up next week to see if they're willing to take ownership of my Go rewrite to replace the existing Bash script abomination. https://github.com/commiterate/amazon-ec2-ssh-utils	21:59:55
commiterate	* Nope. EIC itself just works by having an OpenSSH `AuthorizedKeysCommand` program which calls IMDS (has EIC endpoints that return SSH keys, just like regular EC2 Key Pairs) and just writes an OpenSSH authorized keys file contents to `stdout`.	22:02:02
commiterate	* Nope. EIC itself just works by having an OpenSSH `AuthorizedKeysCommand` program which calls IMDS (has EIC endpoints that return SSH keys, just like regular EC2 Key Pairs) and just writes OpenSSH authorized keys file contents to `stdout`.	22:02:15
commiterate	* Nope. EIC itself works inside the instance by having an OpenSSH `AuthorizedKeysCommand` program which calls IMDS (has EIC endpoints that return SSH keys, just like regular EC2 Key Pairs) and just writes OpenSSH authorized keys file contents to `stdout`.	22:33:29
Arian	The Ami is built from nixpkgs repo	23:20:45
Arian	The configuration.nix should pull in modules/virtualisation/Amazon-Image.nix which i need to change for the non-bios support	23:22:01
Arian	If it suddenly gets changed when someone pulls nixpkgs it will try to install grub on a non-existent ESP and fail	23:23:08
Arian	So I think I'll need to conditionalize those bits on stateVersion	23:23:41
commiterate	ah yeah that's a bit cursed then	23:28:52
commiterate	one day we'll move to systemd-repart	23:29:28
commiterate	* one day we'll move to systemd-repart for a fully self-contained image	23:31:06
Arian	That's why I'm making this change. As repart can't make bios images	23:44:11
Arian	* That's why I'm making this change. As repart can't make mbr partition tables	23:44:24
Arian	So I want to make sure all images are GPT Partition tables. Then I can move to repart builder later	23:44:42
13 Oct 2024
Arian	urgh bad news	13:22:36
Arian	the NixOS config we ship in the base image doesn't set `stateVersion`	13:22:50
14 Oct 2024
Arian	PSA: we shipped a pretty serious bug to unstable that will lock you out of your EC2 instances : https://discourse.nixos.org/t/breaking-changes-announcement-for-unstable/17574/63	10:03:47
Arian	* PSA: we shipped a pretty serious bug to unstable that will lock you out of your EC2 instances if using ssh. SSM still works https://discourse.nixos.org/t/breaking-changes-announcement-for-unstable/17574/63	10:04:07
Arian	* PSA: we shipped a pretty serious bug to unstable that will lock you out of your EC2 instances if using ssh. SSM still works. Please refrain from updating untill the fix has landed on the unstable branch https://discourse.nixos.org/t/breaking-changes-announcement-for-unstable/17574/63	10:04:30
Arian	hmm one with that worries me with AuthorizedKeysCommand for the main ssh key is http://blog.champtar.fr/Metadata_MITM_root_EKS_GKE/ i.e. EC2 instance connect goes out of its way to protect against a rogue IMDS. But the normal ssh key does not	13:48:06
Arian	idk if this is really in scope...	13:48:12
Arian	I just find it interesting that EC2 instance connect goes all the way to protect against such attacks	13:48:24
Arian	but then the normal SSH key doesn't get protected by this at all	13:48:32

Show newer messages

Back to Room ListRoom Version: 10