* Added an Upstart job to fetch the SSH key for logging into the root

account of the VM.  However, it doesn't work yet (the machine
  doesn't boot properly and there is no console output).  So use a
  hard-coded password for now (very dangerous!).

svn path=/nixos/trunk/; revision=19589

modules/virtualisation/amazon-image.nix

@@ -3,7 +3,7 @@
 with pkgs.lib;
 
 {
-  system.build.ext2Image =
+  system.build.amazonImage =
     pkgs.vmTools.runInLinuxVM (
       pkgs.runCommand "amazon-image"
         { preVM =
@@ -12,7 +12,7 @@ with pkgs.lib;
               diskImage=$out/nixos.img
               qemu-img create -f raw $diskImage "1024M"
             '';
-          buildInputs = [ pkgs.utillinux pkgs.perl pkgs.rsync ];
+          buildInputs = [ pkgs.utillinux pkgs.perl ];
           exportReferencesGraph = 
             [ "closure" config.system.build.toplevel ];
         }
@@ -26,7 +26,7 @@ with pkgs.lib;
           storePaths=$(perl ${pkgs.pathsFromGraph} $ORIG_TMPDIR/closure)
 
           mkdir -p /mnt/nix/store
-          rsync -av $storePaths /mnt/nix/store/
+          cp -prvd $storePaths /mnt/nix/store/
 
           # Amazon assumes that there is a /sbin/init, so symlink it
           # to the stage 2 init script.  Since we cannot set the path
@@ -36,8 +36,67 @@ with pkgs.lib;
           ln -s ${config.system.build.bootStage2} /mnt/sbin/init
           ln -s ${config.system.build.toplevel} /mnt/system
 
+          set -x
+          sync
           umount /mnt
+          sync
         ''
     );
 
+  # On EC2 we don't get to supply our own kernel, so we can't load any
+  # modules.  However, dhclient fails if the ipv6 module isn't loaded,
+  # unless it's compiled without IPv6 support.  So do that.
+  nixpkgs.config.packageOverrides = pkgsOld:
+    { dhcp = pkgs.lib.overrideDerivation pkgsOld.dhcp (oldAttrs:
+        { configureFlags = "--disable-dhcpv6";
+        });
+    };
+
+  # The root filesystem is mounted by Amazon's kernel/initrd.
+  fileSystems = [ ];
+
+  swapDevices =
+    [ { device = "/dev/sda2"; } ];
+
+  # There are no virtual consoles.
+  services.mingetty.ttys = [ ];
+
+  # Allow root logins only using the SSH key that the user specified
+  # at instance creation time.
+  services.sshd.enable = true;
+  #services.sshd.permitRootLogin = "without-password";
+
+  boot.postBootCommands =
+    ''
+      echo xyzzy_foobar | ${pkgs.pwdutils}/bin/passwd --stdin
+    '';
+
+  # Obtain the SSH key at startup time.
+  /*
+  jobs.fetchSSHKey =
+    { name = "fetch-ssh-key";
+
+      startOn = "ip-up";
+
+      task = true;
+
+      script =
+        ''
+          set -x
+          echo "obtaining SSH key..."
+          mkdir -p /root/.ssh
+          ${pkgs.curl}/bin/curl --retry 3 --retry-delay 0 --fail \
+            -o /root/key.pub \
+            http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key
+          if [ $? -eq 0 -a -e /root/key.pub ]; then
+              if ! grep -q -f /root/key.pub /root/.ssh/authorized_keys; then
+                  cat /root/key.pub >> /root/.ssh/authorized_keys
+                  echo "new key added to authorized_keys"
+              fi
+              chmod 600 /root/.ssh/authorized_keys
+              rm -f /root/key.pub
+          fi
+        '';
+    };
+  */
 }

tests/amazon.nix

@@ -7,22 +7,6 @@ rec {
       services.httpd.enable = true;
       services.httpd.adminAddr = "e.dolstra@tudelft.nl";
       services.httpd.documentRoot = "${pkgs.valgrind}/share/doc/valgrind/html";
-
-      nixpkgs.config.packageOverrides = pkgsOld:
-        { dhcp = pkgs.lib.overrideDerivation pkgsOld.dhcp (oldAttrs:
-            { configureFlags = "--disable-dhcpv6";
-            });
-        };
-
-      fileSystems = [ ];
-
-      swapDevices =
-        [ { device = "/dev/sda2"; } ];
-
-      services.sshd.enable = true;
-      services.sshd.permitRootLogin = "without-password";
-
-      services.mingetty.ttys = [ ];
     };
 
   config = (import ../lib/eval-config.nix {