Diffstat (limited to 'nixos/modules/services/misc/ssm-agent.nix')
-rw-r--r-- | nixos/modules/services/misc/ssm-agent.nix | 38 |
1 files changed, 32 insertions, 6 deletions
diff --git a/nixos/modules/services/misc/ssm-agent.nix b/nixos/modules/services/misc/ssm-agent.nix
index 00e806695fd..c29d03d199b 100644
--- a/nixos/modules/services/misc/ssm-agent.nix
+++ b/nixos/modules/services/misc/ssm-agent.nix
@@ -22,15 +22,13 @@ in {
 package = mkOption {
 type = types.path;
 description = "The SSM agent package to use";
- default = pkgs.ssm-agent;
- defaultText = "pkgs.ssm-agent";
+ default = pkgs.ssm-agent.override { overrideEtc = false; };
+ defaultText = "pkgs.ssm-agent.override { overrideEtc = false; }";
 };
 };
 config = mkIf cfg.enable {
 systemd.services.ssm-agent = {
- users.extraUsers.ssm-user = {};
-
 inherit (cfg.package.meta) description;
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
@@ -39,9 +37,37 @@ in {
 serviceConfig = {
 ExecStart = "${cfg.package}/bin/amazon-ssm-agent";
 KillMode = "process";
- Restart = "on-failure";
- RestartSec = "15min";
+ # We want this restating pretty frequently. It could be our only means
+ # of accessing the instance.
+ Restart = "always";
+ RestartSec = "1min";
 };
 };
+
+ # Add user that Session Manager needs, and give it sudo.
+ # This is consistent with Amazon Linux 2 images.
+ security.sudo.extraRules = [
+ {
+ users = [ "ssm-user" ];
+ commands = [
+ {
+ command = "ALL";
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ }
+ ];
+ # On Amazon Linux 2 images, the ssm-user user is pretty much a
+ # normal user with its own group. We do the same.
+ users.groups.ssm-user = {};
+ users.users.ssm-user = {
+ isNormalUser = true;
+ group = "ssm-user";
+ };
+
+ environment.etc."amazon/ssm/seelog.xml".source = "${cfg.package}/seelog.xml.template";
+
+ environment.etc."amazon/ssm/amazon-ssm-agent.json".source = "${cfg.package}/etc/amazon/ssm/amazon-ssm-agent.json.template";
+
 };
 } |
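Review bot: The `package` option's description in the first hunk does not say that a replacement package must be built with `overrideEtc = false`, which the new default now depends on. The second hunk installs `seelog.xml` and `amazon-ssm-agent.json` under `/etc/amazon/ssm` from `${cfg.package}`, so a user-supplied package without the override would presumably keep reading its own store-path copies and silently ignore the files the module manages. Extend the text, for example `description = "The SSM agent package to use; it must be built with overrideEtc = false so the agent reads /etc/amazon/ssm.";`. The `mkOption` block starts above the hunk, so any existing wording there should be checked first.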
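Review bot: The `security.sudo.extraRules` entry in the second hunk gives `ssm-user` passwordless `ALL` on every host that sets `services.ssm-agent.enable`, with no way to opt out. Root on such a host is then decided by whoever IAM allows to start a Session Manager session, including hosts that run the agent only for Run Command or inventory. Consider gating the rule and the `users.users.ssm-user` / `users.groups.ssm-user` definitions behind a module option declared next to `package` (outside this hunk). The comment should also state the consequence, e.g. `# Anyone permitted to start an SSM session on this instance gets root through ssm-user.` Operators who keep the grant should restrict session-start permissions in IAM and enable session logging so use of the account is auditable.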