Nix-copy-closure over ssm/ssh tunnel? or Deploy to private subnet?


I’m trying to deploy changes to a remote ec2 instance. The instance runs in a
private subnet so I can’t connect directly using SSH.

I don’t want to change my local .ssh/config because this should be a portable setup.

The commands below, which I want to execute, are part of a terraform project:

export TARGET=root@machine-in-private-subnet
nix-copy-closure $TARGET ${var.live_config_path}
ssh $TARGET '${var.live_config_path}/bin/switch-to-configuration switch && nix-collect-garbage'

I have some thoughts on how to realize this.

  • setup a ssh tunnel via a jump host or via EC2 Instance Connect Endpoint
  • setup a ssh tunnel via ssm-agent

In both cases I don’t know how to tell nix-copy-closure how to use the ssh tunnel.

I would appreciate advice on how to do this in an elegant way. Thanks


nix-copy-closure respects NIX_SSHOPTS, so you should be able to use a jumphost.


I have done this, it works fine.

❯ aws ssm start-session --region <region> --target <instance-name> --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters  "portNumber=22,localPortNumber=2022"

In my case, the instance above was a little jump box, and there was an additional ssh jump step in my config:

Host nixhop
        Port 2022
        User ec2-user

Host nixdev
        HostName <private ip>
        ProxyJump nixhop
        Compression yes

Both hosts and all the various dependencies are built via a cloudformation template, run as spot instances, and the template has outputs for the instance id and ip, above. I did briefly have it launch from direnv when I changed into the directory, but that was a little too annoying and slow.

The tunnel worked fine for vscode remote as well as a build server.
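As an added example (written for this page, not code from either poster or from any project), the two answers combined into one portable deploy script: the SSM port forward from the second reply, and NIX_SSHOPTS from the first so that nix-copy-closure and the activation ssh call share the same tunnel settings without touching ~/.ssh/config. The region, instance id, private IP and known_hosts path are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not the poster's code): push a NixOS closure to a host in a
# private subnet through an SSM port forward, telling nix-copy-closure about
# the tunnel via NIX_SSHOPTS. All values below are hypothetical placeholders.
set -eu

REGION="${REGION:-eu-west-1}"
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"   # SSM-managed jump instance
PRIVATE_IP="${PRIVATE_IP:-10.0.1.10}"                # NixOS host behind it
LOCAL_PORT="${LOCAL_PORT:-2022}"
KNOWN_HOSTS="${KNOWN_HOSTS:-./deploy_known_hosts}"   # project-local, keeps the setup portable

# Options shared by nix-copy-closure (via NIX_SSHOPTS) and the plain ssh calls.
# HostKeyAlias stores the remote key under a stable name instead of "localhost",
# so the tunnelled host never collides with the real localhost entry and a changed
# key is still rejected. accept-new records the key on the first run, pins it after.
build_nix_sshopts() {
  printf -- '-p %s -o HostKeyAlias=%s -o UserKnownHostsFile=%s -o StrictHostKeyChecking=accept-new' \
    "$1" "$2" "$3"
}

# Remote activation command from the question, for a given system closure path.
build_switch_cmd() {
  printf -- '%s/bin/switch-to-configuration switch && nix-collect-garbage' "$1"
}

deploy() {
  config_path="$1"
  # Forward the local port to sshd on the private host through the SSM instance.
  aws ssm start-session --region "$REGION" --target "$INSTANCE_ID" \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters "host=$PRIVATE_IP,portNumber=22,localPortNumber=$LOCAL_PORT" &
  tunnel_pid=$!
  trap 'kill "$tunnel_pid" 2>/dev/null' EXIT

  NIX_SSHOPTS="$(build_nix_sshopts "$LOCAL_PORT" "$INSTANCE_ID-$PRIVATE_IP" "$KNOWN_HOSTS")"
  export NIX_SSHOPTS
  target="root@localhost"

  # Wait until sshd answers through the tunnel before copying anything.
  for i in 1 2 3 4 5 6 7 8 9 10; do
    ssh $NIX_SSHOPTS "$target" true 2>/dev/null && break
    sleep 2
  done

  nix-copy-closure --to "$target" "$config_path"
  ssh $NIX_SSHOPTS "$target" "$(build_switch_cmd "$config_path")"
}
# Only act when a closure path is given, e.g. ./deploy.sh /nix/store/...-nixos-system
if [ "$#" -gt 0 ]; then deploy "$1"; fi
```

For the jump-host variant from the first reply, the same script works with NIX_SSHOPTS set to `-J nixhop` (plus the HostKeyAlias/known_hosts options) and the target set to the private host instead of localhost.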
