Merge pull request #45 from awakesecurity/parnell/custom-configuration
Add support for hermetic nixos configurations
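--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -0,0 +1,60 @@
+# A simple, hermetic NixOS configuration for an AWS EC2 instance that
+# uses a nixpkgs pinned to a specific Git revision with an integrity
+# hash to ensure that we construct a NixOS system as purely as
+# possible.
+#
+# i.e. we explicitly specify which nixpkgs to use instead of relying
+# on the nixpkgs supplied on the NIX_PATH.
+#
+# The primary benefit of this is that it removes deployment surprises
+# when other developers supply a different nix-channel in the NIX_PATH
+# of their environment (even if you only add the 20.09 channel,
+# nix-channel --update can mutate that channel to a 20.09 with
+# backported changes).
+#
+# The secondary benefit is that you guard the `nixpkgs` you use, with
+# an integrity hash.
+let
+nixpkgs =
+let
+rev = "cd63096d6d887d689543a0b97743d28995bc9bc3";
+sha256 = "1wg61h4gndm3vcprdcg7rc4s1v3jkm5xd7lw8r2f67w502y94gcy";
+in
+builtins.fetchTarball {
+url = "https://github.com/NixOS/nixpkgs/archive/${rev}.tar.gz";
+inherit sha256;
+};
+
+system = "x86_64-linux";
+
+configuration = { config, pkgs, ... }: {
+imports = [
+"${nixpkgs}/nixos/modules/virtualisation/amazon-image.nix"
+];
+
+ec2.hvm = true;
+
+networking.firewall.allowedTCPPorts = [ 22 80 ];
+
+environment.systemPackages = [
+pkgs.cloud-utils
+];
+
+services.nginx = {
+enable = true;
+virtualHosts = {
+"_" = {
+root = pkgs.writeTextDir "html/index.html" ''
+<html>
+<body>
+<h1>This is a hermetic NixOS configuration!</h1>
+</body>
+</html>
+'';
+};
+};
+};
+};
+
+in
+import "${nixpkgs}/nixos" { inherit system configuration; }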
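Review bot: The pinned `rev` and `sha256` in the inner `let` carry no provenance, so a maintainer cannot tell which channel or date the commit was taken from, nor that the two values must be bumped together (a stale `sha256` makes `builtins.fetchTarball` fail on hash mismatch rather than silently fetching the new tree). A comment above `rev` such as `# nixpkgs commit taken from <channel> on <date>; when bumping rev, regenerate sha256 (nix-prefetch-url --unpack <url>)` would make the pin maintainable. The header comment already explains why the pin exists, which is the harder part, so only this operational note is missing.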
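--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -0,0 +1,27 @@
+provider "aws" {
+region = "us-east-1"
+profile = "yourprofile"
+}
+
+resource "aws_instance" "hermetic-nixos-system" {
+count = 1
+ami = "ami-068a62d478710462d" # NixOS 20.09 AMI
+
+instance_type = "t2.micro"
+
+key_name = "yourkeyname"
+
+tags = {
+Name = "hermetic-nixos-system-example"
+Description = "An example of a hermetic NixOS system deployed by Terraform"
+}
+}
+
+module "deploy_nixos" {
+source = "github.com/awakesecurity/terraform-nixos//deploy_nixos?ref=c4b1ee6d24b54e92fa3439a12bce349a6805bcdd"
+nixos_config = "${path.module}/configuration.nix"
+hermetic = true
+target_user = "root"
+target_host = aws_instance.hermetic-nixos-system[0].public_ip
+ssh_private_key_file = pathexpand("~/.ssh/yourkeyname.pem")
+}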
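Review bot: The `ami` literal on the `aws_instance` resource is only valid in the region hard-coded in the provider block, so a reader who changes `region` gets a launch failure rather than a NixOS image; a `data "aws_ami"` lookup filtered on the NixOS publisher's account and image name would keep the AMI and region in step. The `profile`, `key_name` and `ssh_private_key_file` placeholders are meant to be edited in place, and exposing them as `variable` blocks would keep a user's own key name out of the committed example. The deploy also reaches the host as `root` over its `public_ip`, and no `vpc_security_group_ids` is set, so the instance presumably relies on the VPC's default security group; a comment stating which inbound rules the reader must provide (22 for the deploy, 80 for nginx) would help, since the firewall in the Nix configuration opens those ports only on the host side.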