I’m trying to deploy a NixOS AWS AMI into a VPC where outbound internet access is behind a MITM TLS-intercepting firewall, so (rightly) the default Nix config doesn’t trust the TLS cert it sees from the NixOS cache (or from anything else).
I had hoped it would be as easy as setting security.pki.certificates with the appropriate content for the corporate CA, via the instance metadata user data field. The content I set there gets used and put into /etc/nixos/configuration.nix, but the rebuild fails and is never switched to because (even without updating the channel) Nix still wants to fetch a whole lot of stuff. I’m guessing the store in the AMI has been aggressively gc’d of build tools.
Is there some way to do this using the stock AMI, or am I going to need to build my own AMI with prepared content?
I can build it locally. Copying it to the remote machine involves more manual shenanigans than is worthwhile until the system configuration has run (notably, until ssm-agent is enabled) and of course, the goal is no manual shenanigans at all.
Once I build it locally, I might as well build an AMI locally. Which is fine, and probably where I’ll end up regardless — I was just hoping to be able to ride the horse before I had to build the cart.
Yes, well, it’s not my idea.
Indeed. But it might as well be the world because everything else is blocked behind those.