Add ec2.metadata (default false) option whether to allow access to EC2 metadata API.

2012-11-21 12:19:38 -05:00 · 2012-11-21 12:19:38 -05:00 · f0a6911929
commit f0a6911929
parent 0f15d75017
1 changed files with 14 additions and 1 deletions
--- a/modules/virtualisation/ec2-data.nix
+++ b/modules/virtualisation/ec2-data.nix
@ -5,8 +5,19 @@
 { config, pkgs, ... }:

 with pkgs.lib;
-
+let
+  options = {
+    ec2.metadata = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to allow access to EC2 metadata.
+      '';
+    };
+  };
+in
 {
+  require = [options];

  jobs.fetchEC2Data =
    { name = "fetch-ec2-data";
@ -56,9 +67,11 @@ with pkgs.lib;
              echo "$key_pub" > /etc/ssh/ssh_host_dsa_key.pub
          fi

+          ${optionalString (! config.ec2.metadata) ''
          # Since the user data is sensitive, prevent it from being
          # accessed from now on.
          ip route add blackhole 169.254.169.254/32
+          ''}
        '';
    };