NixOS AWS - Public Room Timeline - Matrix Static

	NixOS AWS	64 Members
		14 Servers

You have reached the beginning of time (for this room).

Sender	Message	Time
28 Apr 2025
dbalan	Our scripts do some s3 gets / aws ssm get-parmeters etc to assemble the final nix config. We do have workaround for this to wrap the execution in `nix-env`. But IMO awscli seems quite useful on an amazon AMI.	11:31:24
dbalan	Another option would be to look for nix-shell shebang, like `#! /usr/bin/env nix-shell #! nix-shell -i runghc --packages 'haskellPackages.ghcWithPackages (ps: [ps.download-curl ps.tagsoup])'` in the init script where we determine the type in amazon-init.nix and run it with `nix-shell` instead of `${pkgs.runtimeShell}`	11:51:29
Arian	we download a closure and nixos-rebuild switch into ti	11:57:01
Arian	why would you want to run imperative scripts if you can just deploy a new NixOS build with the script you want to run? Sounds more robust :D	11:58:04
dbalan	Haha -- we use imperative secrets to assemble a nix config that we can switch to (mostly secrets and some other foo). But this is definitely not a blocker for us or anything.	11:59:41
Arian	That sounds terrible :D	12:00:14
Arian	you can also build your own ami. there are instructions in https://github.com/nixos/amis But I highly advise against building NixOS configs with secrets in them. The nix store is world-readable and not a suitable place for storing any kind of secret. Secrets should either be avoided (by using IAM roles) or should be a runtime concern and fetched with said IAM roles	12:14:52
Arian	anything else is bound to cause serious security issues	12:15:20
Arian	And I can’t suggest int good faith to go that route	12:15:33
Arian	*	12:15:41
Arian	* you can also build your own ami. there are instructions in https://github.com/nixos/amis But I highly advise against building NixOS configs with secrets in them. The nix store is world-readable and not a suitable place for storing any kind of secret. Secrets should either be avoided (by using IAM roles) or should be a runtime concern and fetched with said IAM roles from a dedicated secrets manager like SSM parameter store, AWS SecretsManager, or something like OpenBao or Vault	12:16:19
dbalan	Redacted or Malformed Event	14:41:19
dbalan	Yup, We do this weird route more or less for avoiding storing secrets anywhere other than the instance.	15:04:12
dbalan	Secrets are in vault or aws depending on the layer and they get populated on first boot in the config	15:04:57

Show newer messages

Back to Room ListRoom Version: 10