Deployment to EC2 fails with: Neither the root account nor any wheel user has a password or SSH authorized key.
Problem
Deploying an EC2 instance using the command nixops deploy --debug -d idea-board-aws produces the following error:
Failed assertions:
- Neither the root account nor any wheel user has a password or SSH authorized key.
You must set one to prevent being locked out of your system.
(use ‘--show-trace’ to show detailed location information)
Traceback (most recent call last):
File "/nix/store/s8zczaqr24pvb5fsymqbz6jymn3q0q4v-nixops-1.5.1/bin/..nixops-wrapped-wrapped", line 953, in <module>
args.op()
File "/nix/store/s8zczaqr24pvb5fsymqbz6jymn3q0q4v-nixops-1.5.1/bin/..nixops-wrapped-wrapped", line 380, in op_deploy
repair=args.repair, dry_activate=args.dry_activate)
File "/nix/store/s8zczaqr24pvb5fsymqbz6jymn3q0q4v-nixops-1.5.1/lib/python2.7/site-packages/nixops/deployment.py", line 990, in deploy
self._deploy(**kwargs)
File "/nix/store/s8zczaqr24pvb5fsymqbz6jymn3q0q4v-nixops-1.5.1/lib/python2.7/site-packages/nixops/deployment.py", line 958, in _deploy
self.configs_path = self.build_configs(repair=repair, include=include, exclude=exclude)
File "/nix/store/s8zczaqr24pvb5fsymqbz6jymn3q0q4v-nixops-1.5.1/lib/python2.7/site-packages/nixops/deployment.py", line 633, in build_configs
raise Exception("unable to build all machine configurations")
Exception: unable to build all machine configurations
The assertion is being generated by nixos/modules/config/users-groups.nix, yet strangely I can nixops ssh successfully, confirming the root user does indeed have SSH authorized keys. I even checked the authorized keys file manually. The trouble is that the assertion prevents NixOps from pushing the closure. I had already successfully deployed the same machine to libvirt. Here's the configuration:
deploy.nix - The logical configuration.
# Logical (environment-independent) NixOps network: a single machine, `app`.
{
  network.description = "Idea Board SaaS";

  app = { config, pkgs, ... }:
    let
      # The application package, built from the sibling expression.
      ideaboard = import ./idea-board.nix { pkgs = pkgs; };
    in
    {
      # Reverse proxy: plain HTTP on port 80, forwarded to the app on 5050.
      # All lines of the config share one indent level so that the string
      # Nix emits (after stripping common indentation) is unchanged.
      services.nginx.enable = true;
      services.nginx.config = ''
        events {
        worker_connections 2000;
        }
        http {
        server {
        listen 80;
        location / {
        proxy_pass http://localhost:5050;
        }
        }
        }
      '';

      networking.firewall.allowedTCPPorts = [ 80 ];
      environment.systemPackages = [ ideaboard ];

      # The app runs under its own unprivileged account and is ordered after
      # the NixOps key unit it depends on.
      systemd.services.idea-board = {
        after = [ "idea-board-key.service" ];
        wants = [ "idea-board-key.service" ];
        wantedBy = [ "multi-user.target" ];
        script = ''
          ${ideaboard}/bin/idea-board
        '';
        serviceConfig.User = "ideaboard";
        serviceConfig.Group = "ideaboard";
      };

      # Declarative user database. Only the service account is declared, with
      # no password or authorized keys.
      # NOTE(review): nothing in this module gives root or a wheel member a
      # password or key; that is precisely what the users-groups assertion
      # quoted in the issue checks for.
      users.mutableUsers = false;
      users.extraGroups.ideaboard = {};
      users.extraUsers.ideaboard = {
        group = "ideaboard";
        description = "Idea Board service";
      };
    };
}
deploy-aws.nix - The physical EC2-specific configuration.
# Physical EC2 binding for the `app` machine, plus the AWS resources it needs.
let
  # Credential profile name NixOps looks up for every AWS call below.
  accessKeyId = "nixops-dev";
  region = "us-east-1";
in
{
  app = { config, pkgs, resources, ... }: {
    deployment.targetEnv = "ec2";
    deployment.ec2 = {
      accessKeyId = accessKeyId;
      region = region;
      instanceType = "t2.micro";
      # Key pair managed by NixOps (declared as a resource below); presumably
      # the credential `nixops ssh` uses to reach the instance.
      keyPair = resources.ec2KeyPairs.ideaBoardKeyPair;
      securityGroups = [ resources.ec2SecurityGroups.ideaBoardSG ];
      tags.system = "idea-board";
    };
  };

  resources.ec2KeyPairs.ideaBoardKeyPair = { inherit accessKeyId region; };

  resources.ec2SecurityGroups.ideaBoardSG = {
    inherit accessKeyId region;
    # typeNumber/codeNumber are the ICMP type/code fields; -1 leaves them
    # unset, which is what a TCP rule wants.
    rules = [
      # SSH. NOTE(review): sourceIp 0.0.0.0/0 makes port 22 reachable from
      # the whole Internet; narrow it to the operator's address range.
      { fromPort = 22; toPort = 22; protocol = "tcp"; sourceIp = "0.0.0.0/0";
        typeNumber = -1; codeNumber = -1; }
      # Public HTTP, served by nginx on the machine.
      { fromPort = 80; toPort = 80; protocol = "tcp"; sourceIp = "0.0.0.0/0";
        typeNumber = -1; codeNumber = -1; }
    ];
  };
}
Work-around
I got around the problem and achieved a successful deployment by adding a dummy user with an SSH key to satisfy users-groups, despite the warning on the authorizedKeys option (which I suppose refers to the root user):
Warning: If you are using NixOps then don't use this option since it will replace the key required for deployment via ssh.
let
accessKeyId = "nixops-dev";
region = "us-east-1";
in
...
users.extraUsers.emmanuel = {
isNormalUser = true;
uid = 1000;
group = "users";
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-rsa ..."
];
};