From f0a6911929ad15054e27e471274e0c304d690670 Mon Sep 17 00:00:00 2001
From: Rob Vermaas
Date: Wed, 21 Nov 2012 12:19:38 -0500
Subject: [PATCH] Add ec2.metadata (default false) option whether to allow access to EC2 metadata API.
---
 modules/virtualisation/ec2-data.nix | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/modules/virtualisation/ec2-data.nix b/modules/virtualisation/ec2-data.nix
index 65f408262256..e094ae54093c 100644
--- a/modules/virtualisation/ec2-data.nix
+++ b/modules/virtualisation/ec2-data.nix
@@ -5,8 +5,19 @@
 { config, pkgs, ... }:
 with pkgs.lib;
-
+let
+  options = {
+    ec2.metadata = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to allow access to EC2 metadata.
+      '';
+    };
+  };
+in
 {
+  require = [options];
   jobs.fetchEC2Data = {
     name = "fetch-ec2-data";
@@ -56,9 +67,11 @@ with pkgs.lib;
       echo "$key_pub" > /etc/ssh/ssh_host_dsa_key.pub
     fi
+    ${optionalString (! config.ec2.metadata) ''
     # Since the user data is sensitive, prevent it from being
     # accessed from now on.
     ip route add blackhole 169.254.169.254/32
+    ''}
   '';
 };
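Review bot: The description added for `ec2.metadata` in the first hunk does not state what enabling the option gives up: with it set to true the blackhole route in the second hunk is skipped, so the user data that this job consumes (the existing comment calls it sensitive, and the hunk shows it feeding /etc/ssh/ssh_host_dsa_key.pub) presumably stays readable through 169.254.169.254 by any process on the instance. I would expand it to `Whether to keep the EC2 metadata service (169.254.169.254) reachable after boot. When false (the default), a blackhole route is installed once the user data has been consumed, because the user data carries the SSH host key material and should not be readable by other processes on the instance.`. Since the route is installed by the fetch-ec2-data job rather than by a persistent network setting, a change to this option likely only takes effect on the next boot, which is worth a sentence as well. The fetch-ec2-data script body starts and ends outside both hunks.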