First rebuild without internet access?

I’m trying to deploy a nixos aws ami into a vpc where the outbound internet access is behind a MITM TLS intercepting firewall, so (rightly) the default nix config doesn’t trust the TLS cert it sees from the nixos cache (or anything else)

I had hoped it would be as easy as setting security.pki.certificates with appropriate content for the corporate CA, via the instance metadata user data field. The content I set there gets used, and put into /etc/nixos/configuration.nix, but the rebuild fails and is never switched to because (even without updating the channel) nix still wants to fetch a whole lot of stuff. I’m guessing the store in the AMI has been aggressively gc’d of build tools.

Is there some way to do this using the stock AMI, or am I going to need to build my own AMI with prepared content?


You can build the system configuration locally, copy it to the remote machine and activate it there.

That in itself is already a bad idea for anything other than test setups.

Most likely it just wants to fetch the build tools which are ~15 or so packages which is not much.

1 Like

I can build it locally. Copying it to the remote machine involves more manual shenanigans than is worthwhile until the system configuration has run (notably, until ssm-agent is enabled) and of course, the goal is no manual shenanigans at all.

Once I build it locally, I might as well build an AMI locally. Which is fine, and probably where I’ll end up regardless — I was just hoping to be able to ride the horse before I had to build the cart.

Yes, well, it’s not my idea :man_shrugging:

Indeed. But it might as well be the world because everything else is blocked behind those.

If you can’t copy to the instance then I don’t have a good idea other than building the image yourself and upload it.