Can you share expected example user data?

@colemickens if you mean username/password: it's just nixos/nixos. It should be able to sudo without a password.

I got into a console and looked at the systemd journal. I can't copy-paste from the console so I apologize for the screenshot of text instead of copy-paste:

It looks like cloud-init isn't very robust and doesn't like having "nixos" as the distro. I'll look into that more tomorrow.

@eamsden I meant example user-data you're passing into the Droplet config, or are you not specifying any and just expecting to see the SSH keys?

The problem isn't there. If you scroll further, you see that the network portion of the "vendor-data" config fails to apply. It then doesn't process the user-data or ssh keys, I suspect.

But this just makes me question all the more if it's worth the fun of cloud-init just to get ssh keys when they're accessible in at least one or two easy ways.

I may have been looking at the wrong log, this is the most recent -u cloud-init log I got: https://gist.github.com/colemickens/98dee80a8f5d08188d0e932cdc1004a1

I added the template file it was complaining about (see 37d3a52) and now it's not able to write /etc/hosts because NixOS makes it read-only. Is there an idiomatic way to override that?

Log:
https://gist.github.com/eamsden/bfb5153844f800241549695b48606f11

I don't know. I'm still stuck on the last line of the log which reminds the same: handlers.py[DEBUG]: finish: init-network: FAIL: searching for network datasources. I'm not an expert, but the previous lines make me think the /etc/hosts issue is non-fatal: util.py[WARNING]: Running module update_etc_hosts (<module 'cloudinit.config.cc_update_etc_hosts' from '/nix/store/lfb4vx0fl1v2n30hs79bsy5pwfk622ip-cloud-init-0.7.9/lib/python2.7/site-packages/cloudinit/config/cc_update_etc_hosts.pyc'>) failed since it only says WARNING ? Again, cloud-init could have provided slightly more useful logging and this would be less of a guessing exercise.

To be honest, the time already spent reading cloud-init logs reminded me why I've gone to lengths to avoid this in the past, especially on NixOS where it's only real utility is better served with a few lines of bash.

In case it's useful -- I did write up a nixos/maintainers script that will auto-build and upload the image to Digital Ocean. I got the iteration cycle down to a few minutes. I also opened another PR that reduces the size of the image by about ~230MB by changing the cloud-init->cloud-utils packages. You can find it in here: https://github.com/colemickens/nixpkgs/blob/digitalocean/nixos/maintainers/scripts/digitalocean/upload-image.sh

@colemickens Perhaps I should go ahead and build a utility that can parse the digital ocean metadata and set things properly. The only thing that wouldn't work for would be resetting the root password, since (for obvious reasons) they don't expose that in the metadata, but it isn't too hard to do from the nix config anyway if you really want a root password set.

@nlewo the stuff you mentioned in the review is to help me debug the nixos image on digital ocean, and will most certainly be removed before the draft tag comes off the PR

It looks like the best approach is going to be a very optional module that can load bits and pieces of configuration from the config drive. Digital Ocean uses an OpenStack config drive so maybe we should just have a generic OpenStack service module? This would let us set (optionally according to the NixOS config)

• root password
• root SSH keys
• network interface configurations
• DNS resolvers
• hostname
• entropy seed

from the Digital Ocean metadata

Further, we could do as the Amazon AMI image does and allow loading of a NixOS module from the user data, so users of the NixOS image could quickly spin up a custom NixOS system directly from a cloud console.

The goal with this is not to enforce compliance with the host provider's metadata, but to make starting with NixOS in a Digital Ocean droplet as painless as possible, while also not interfering with the operation of e.g. NixOps or other deployment tools.

Note that you can just directly curl the digitalocean metadata API for public keys and userdata. No need for bringing in cloud-init and openstack

https://developers.digitalocean.com/documentation/metadata/

You could put this in a systemd unit that starts up at boot:

curl http://169.254.169.254/metadata/v1/public-keys > /root/.ssh/authorised_keys

and:

curl http://169.254.169.254/metadata/v1/user-data > /etc/nixos/configuration.nix
nixos-rebuild switch

This is similar to what the NixOS amazon, GCE and Azure images do

@arianvp I am working on something similar to this. The issue is that we cannot depend on networking being up when we start to configure the system.

Fortunately, there is a config drive available in a standard location, with the same JSON metadata available. I'm working on making sure the instance can configure its networking etc from this.

Why can't we depend on the network being up?
Because networkd / networking isn't configured yet? You can make that part of the base image config. Then the metadata retrieval systemd unit just blocks until it can reach the metadata server and you make it a RequiredBy=metadata.target to make components that wait on the metadata start in the right order.

This is how the coreos digital ocean image works too.

Interesting. Thank you! It wasn't clear from the Digital Ocean documentation that we could depend on DHCP being enabled and configure networking that way. Since it appears that we can. I'll go with your suggestion as soon as I get time to hack on it again.

I was able to successfully boot an image, set up ssh, and hostname, with this config:
https://github.com/arianvp/nixos-stuff/blob/master/modules/digitalocean/config.nix

Feel free to take inspiration from it, or else I'm also happy to provide a patchset myself on top of this PR

@arianvp I'm certainly not going to complain if someone else does work. :)

That said, my plan this week is to take the config you wrote and wrap the systemd services in options, so a user can turn them off in an updated system config, and add something similar to the Amazon/GCE setup where a user can put a NixOS configuration module in the user data and have the machine rebuild itself to that config on startup. I'd also like to make sure the default config is present on the system so that the user can use /etc/nixos/configuration.nix to configure the system without having to manually replicate everything the image does for Digital Ocean compatibility.

Yeh good idea. we should probably disable the hostname fetching when someone sets the hostname in the NixOS config too. Such that nixos-rebuild doesn't race with the metadata daemon

@arianvp I'm testing an image now and then I'll push, then I have to go to $DAYJOB. Some things I'd like to do before I take off the draft label.

• Duplicate the support from Amazon/GCE images for putting a NixOS config in the user data.
• MIME-decode the vendor data and run the RNG initialization script therein.
• Figure out why we get a complete GNOME install in the image (wallpapers, Pango/Cairo, kitchen sink, etc) and stop that.

@arianvp (In the latest push I did make systemd set the hostname from metadata only if it is not set in the NixOS config)

A bit of hunting reveals that cloud-utils is pulled in by nixos/modules/system/boot/grow-partition.nix, via the option boot.growPartition. That seemingly innocuous option pulls in cloud-utils, but just for the growpart utility, which in turn pulls in qemu, which pulls in GTK3. Which means we really need #58469 to de-bloat the image.

I'm hoping the bloat will be fixed separately when #58471 is merged, so I'm going to make this into a real PR now.

@arianvp @colemickens do either of you want to be in the maintainers list for this image? Or should I leave it as just me?

You can add me to the maintainers list. I'll be actively using this module do I don't mind maintaining it. Good job on the size hunting.

@arianvp I wasn't able to find you in https://github.com/NixOS/nixpkgs/blob/master/maintainers/maintainer-list.nix. Am I searching the wrong handle perhaps? I was grepping for 'arianvp'.

@eamsden I don't maintain any packages so far, so I'm not in that list yet =)
You can add this entry if you want to:

"arianvp" = {
    email = "arian.vanputten@gmail.com";
    name = "Arian van Putten";
    github = "arianvp";
};

A few notes from trying this out.

• a switch fails because /dev/sda doesn't exist, root appears to be /dev/vda instead
• digitalocean-entropy-seed service seems to fail due to munpack tempdesc.txt: File exists

Besides these minor issues it seems to be working pretty well though!

@arcnmx would you want to make a PR based on this PR with your suggested changes? I think this will then be ready to merge

@arianvp sorry was away for a bit but can do!

Closing in favor of #66978