Add an example hermetic configuration

ixmatus · ixmatus · commit c704eb37eb4e · 2021-03-12T10:50:05.000-06:00
As suggested by @zimbatm.
diff --git a/examples/hermetic_config/configuration.nix b/examples/hermetic_config/configuration.nix
@@ -0,0 +1,60 @@
+# A simple, hermetic NixOS configuration for an AWS EC2 instance that
+# uses a nixpkgs pinned to a specific Git revision with an integrity
+# hash to ensure that we construct a NixOS system as purely as
+# possible.
+#
+# i.e. we explicitly specify which nixpkgs to use instead of relying
+# on the nixpkgs supplied on the NIX_PATH.
+#
+# The primary benefit of this is that it removes deployment surprises
+# when other developers supply a different nix-channel in the NIX_PATH
+# of their environment (even if you only add the 20.09 channel,
+# nix-channel --update can mutate that channel to a 20.09 with
+# backported changes).
+#
+# The secondary benefit is that you guard the `nixpkgs` you use, with
+# an integrity hash.
+let
+  nixpkgs =
+    let
+      rev = "cd63096d6d887d689543a0b97743d28995bc9bc3";
+      sha256 = "1wg61h4gndm3vcprdcg7rc4s1v3jkm5xd7lw8r2f67w502y94gcy";
+    in
+      builtins.fetchTarball {
+        url = "https://github.com/NixOS/nixpkgs/archive/${rev}.tar.gz";
+        inherit sha256;
+      };
+
+  system = "x86_64-linux";
+
+  configuration = { config, pkgs, ... }: {
+    imports = [
+      "${nixpkgs}/nixos/modules/virtualisation/amazon-image.nix"
+    ];
+
+    ec2.hvm = true;
+
+    networking.firewall.allowedTCPPorts = [ 22 80 ];
+
+    environment.systemPackages = [
+      pkgs.cloud-utils
+    ];
+
+    services.nginx = {
+      enable = true;
+      virtualHosts = {
+        "_" = {
+          root = pkgs.writeTextDir "html/index.html" ''
+            <html>
+              <body>
+                <h1>This is a hermetic NixOS configuration!</h1>
+              </body>
+            </html>
+          '';
+        };
+      };
+    };
+  };
+
+in
+  import "${nixpkgs}/nixos" { inherit system configuration; }
diff --git a/examples/hermetic_config/default.tf b/examples/hermetic_config/default.tf
@@ -0,0 +1,27 @@
+provider "aws" {
+  region  = "us-east-1"
+  profile = "yourprofile"
+}
+
+resource "aws_instance" "hermetic-nixos-system" {
+  count         = 1
+  ami           = "ami-068a62d478710462d" # NixOS 20.09 AMI
+
+  instance_type = "t2.micro"
+
+  key_name  = "yourkeyname"
+
+  tags = {
+    Name        = "hermetic-nixos-system-example"
+    Description = "An example of a hermetic NixOS system deployed by Terraform"
+  }
+}
+
+module "deploy_nixos" {
+  source               = "github.com/awakesecurity/terraform-nixos//deploy_nixos?ref=c4b1ee6d24b54e92fa3439a12bce349a6805bcdd"
+  nixos_config         = "${path.module}/configuration.nix"
+  hermetic             = true
+  target_user          = "root"
+  target_host          = aws_instance.hermetic-nixos-system[0].public_ip
+  ssh_private_key_file = pathexpand("~/.ssh/yourkeyname.pem")
+}
