In reply to @adam:robins.wtf
I wrote a simple module that will pull a secret down with the CLI given an ARN and some permissions. Creates a basic dir in /run to avoid storing them on disk

might be easier to write a systemd unit (e.g. oneshot + optional timer or ExecStartPre) which does the credential pull than relying on boot user scripts.

Ideally the boot userscript just does a nixos-rebuild switch --flake {flake URL} and nothing else

might be easier to write a systemd unit (e.g. oneshot + optional timer or ExecStartPre) which does the credential pull ratherer than relying on boot user scripts.

Ideally the boot userscript just does a nixos-rebuild switch --flake {flake URL} and nothing else

might be easier to write a systemd unit (e.g. oneshot + optional timer or ExecStartPre) which does the credential pull rather than relying on boot user scripts.

Ideally the boot userscript just does a nixos-rebuild switch --flake {flake URL} and nothing else

Hey all, I have a message from the foundation I think makes sense to forward here:

⁦Hey everyone, happy almost‑Monday for some, and full‑on Monday for most! 😉

We’re kicking off our AWS cache sponsorship renewal (shoutout to the AWS Open Source teams for sponsoring us for two consecutive years now) and could use your help. If you work at AWS, or know someone who does, please drop me a note!

Each year we put together a summary of how Nix adds value on AWS, and real‑world examples make our case much stronger. If you’ve used Nix for anything on EC2, Lambda, EKS, CodeBuild, caching Docker layers, reducing build times, improving deploy consistency, or anything else in the AWS ecosystem, I’d love to hear about it. Even a quick bullet point or link to a project helps!

Thanks in advance for any pointers or introductions you can share. 🙏

We use Nix + system-manager to bake reproducible Amazon Linux 2023 AMIs. There's a shell script snippet in this GitHub issue: https://github.com/aws/ec2-image-builder-roadmap/issues/110

# Switch from ssm-user to the default user.
sudo su ec2-user

# Install RPM packages.
sudo dnf install --assumeyes curl-minimal git

# Install Nix.
curl --fail --location https://install.determinate.systems/nix/tag/v3.1.1 --proto '=https' --show-error --silent --tlsv1.2 | sh -s -- install --no-confirm
. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh

# Setup Nix flake registry.
nix registry add nixpkgs github:NixOS/nixpkgs/{Git revision hash}
nix registry add system-manager github:numtide/system-manager/{Git revision hash}

# Install Nix packages.
nix profile install system-manager

# Apply system-manager configuration (installs system-wide packages and sets up systemd units).
sudo $(command -v system-manager) pre-populate --flake 'git+{Git HTTPs URL}&rev={Git revision hash}#{system-manager flake output key}'

CloudFormation templates are generated with the AWS CDK. The infrastructure code essentially:

• Locks an Amazon-managed AMI ARN from their SSM public parameters into the cdk.context.json file.
• Calls nix flake metadata to get the flake's Git hash and construct a flake URL (we run Nix eval on a system in a VPC with company network connectivity).
• Generates an SSM document with the flake URL.
• Sets up the EC2 Image Builder infrastructure that auto-builds an AMI on CloudFormation stack deploys.
• Reference the AMI in a launch template which is then used in an auto-scaling group.
• Use CloudFormation rolling update to bounce the auto-scaling group (until ASG instance refresh is supported in CloudFormation).

Once the CloudFormation image import situation is improved, we'll move the non-bootstrap stuff to use NixOS disk images created with the systemd-repart helpers.

We use Nix + system-manager to bake reproducible Amazon Linux 2023 AMIs. There's a shell script snippet in this GitHub issue: https://github.com/aws/ec2-image-builder-roadmap/issues/110

# Switch from ssm-user to the default user.
sudo su ec2-user

# Install RPM packages.
sudo dnf install --assumeyes curl-minimal git

# Install Nix.
curl --fail --location https://install.determinate.systems/nix/tag/v3.1.1 --proto '=https' --show-error --silent --tlsv1.2 | sh -s -- install --no-confirm
. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh

# Setup Nix flake registry.
nix registry add nixpkgs github:NixOS/nixpkgs/{Git revision hash}
nix registry add system-manager github:numtide/system-manager/{Git revision hash}

# Install Nix packages.
nix profile install system-manager

# Apply system-manager configuration (installs system-wide packages and sets up systemd units).
sudo $(command -v system-manager) pre-populate --flake 'git+{Git HTTPs URL}&rev={Git revision hash}#{system-manager flake output key}'

CloudFormation templates are generated with the AWS CDK. The infrastructure code essentially:

• Locks an Amazon-managed AMI ARN from their SSM public parameters into the cdk.context.json file.
• Calls nix flake metadata to get the flake's Git hash and construct a flake URL (we run Nix eval on a system in a VPC with company network connectivity).
• Generates an SSM document with the flake URL.
• Sets up the EC2 Image Builder infrastructure that auto-builds an AMI on CloudFormation stack deploys.
• Reference the AMI in a launch template which is then used in an auto-scaling group.
• Use CloudFormation rolling update to bounce the auto-scaling group (until ASG instance refresh is supported in CloudFormation).

Once the CloudFormation image import situation is improved, we'll move the non-bootstrap stuff to use NixOS disk images created with the systemd-repart helpers.