try coldsnap

.github/workflows/ami.yml

@@ -0,0 +1,28 @@
+name: Build and Publish AMI
+on:
+  pull_request:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    environment: images
+    steps:
+      - uses: DeterminateSystems/nix-installer-action@cd46bde16ab981b0a7b2dce0574509104543276e # v9
+      - uses: DeterminateSystems/magic-nix-cache-action@eeabdb06718ac63a7021c6132129679a8e22d0c7 # v3
+      - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          aws-region: eu-north-1
+          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: build image
+        run: nix build .#legacyAmazonImage
+      - name: upload image with coldnsap
+        run: |
+          file="$(jq -r '.file' < ./result/nix-support/image-info.json)"
+          echo "starting coldsnap"
+          nix run --inputs-from . nixpkgs#coldsnap -- upload --no-progress  "$file"
+          echo "finished coldsnap"
+
+

flake.nix

@@ -19,12 +19,6 @@
         amazonImage = ./modules/amazon-image.nix;
 
         mock-imds = ./modules/mock-imds.nix;
-        version = { config, ... }: {
-          system.stateVersion = config.system.nixos.release;
-          # NOTE: This will cause an image to be built per commit.
-          # system.nixos.versionSuffix = lib.mkForce
-          #  ".${lib.substring 0 8 (nixpkgs.lastModifiedDate or nixpkgs.lastModified or "19700101")}.${nixpkgs.shortRev}.${lib.substring 0 8 (self.lastModifiedDate or self.lastModified or "19700101")}.${self.shortRev or "dirty"}";
-        };
       };
 
       lib.supportedSystems = [ "aarch64-linux" "x86_64-linux" "aarch64-darwin" ];
@@ -52,7 +46,6 @@
             modules = [
               self.nixosModules.ec2-instance-connect
               self.nixosModules.amazonImage
-              self.nixosModules.version
             ];
           }).config.system.build.amazonImage;
           legacyAmazonImage = (lib.nixosSystem {
@@ -61,11 +54,11 @@
             modules = [
               self.nixosModules.legacyAmazonImage
               {
-                boot.loader.grub.enable = false;
-                boot.loader.systemd-boot.enable = true;
+                ec2.efi = true;
+                # amazonImage.sizeMB = "auto";
+                amazonImage.sizeMB = "auto";
+                amazonImage.format = "raw"; # coldsnap requires raw
               }
-              { ec2.efi = true; amazonImage.sizeMB = "auto"; }
-              self.nixosModules.version
             ];
           }).config.system.build.amazonImage;
 
@@ -89,7 +82,6 @@
             node.specialArgs.selfPackages = self.packages.${system};
             defaults = { name, ... }: {
               imports = [
-                self.nixosModules.version
                 self.nixosModules.amazonImage
                 self.nixosModules.mock-imds
               ];

modules/amazon-image.nix

@@ -13,18 +13,19 @@ in
     pkgs.runCommand config.system.build.image.name { } ''
       mkdir -p $out
       mkdir -p $out/nix-support
-      ${pkgs.qemu-utils}/bin/qemu-img convert -f raw -O vpc ${config.system.build.image}/${config.image.repart.imageFile} $out/${config.image.repart.imageFileBasename}.vhd
       cat <<EOF > $out/nix-support/image-info.json
       {
         "boot_mode": "uefi",
+        "format": "raw",
         "label": "${config.system.nixos.label}",
         "system": "${pkgs.stdenv.hostPlatform.system}",
-        "file": "$out/${config.image.repart.imageFileBasename}.vhd"
+        "file": "${config.system.build.image}/${config.image.repart.imageFile}"
       }
       EOF
     '';
 
-  image.repart.name = "${config.system.nixos.distroId}-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}";
+  image.repart.name = config.system.nixos.distroId;
+  image.repart.version = config.system.nixos.version;
   image.repart.partitions = {
     "00-esp" = {
       contents = {

tf/iam_github_actions.tf

@@ -34,6 +34,17 @@ data "aws_iam_policy_document" "upload_ami" {
     ]
     resources = ["*"]
   }
+  statement {
+    effect = "Allow"
+    actions = [
+      "ebs:StartSnapshot",
+      "ebs:PutSnapshotBlock",
+      "ebs:ListChangedBlocks",
+      "ebs:ListSnapshotBlocks",
+      "ebs:CompleteSnapshot",
+    ]
+    resources = ["arn:aws:ec2:*:*:snapshot/*"]
+  }
   statement {
     effect = "Allow"
     actions = [

upload-ami/default.nix

@@ -1,6 +1,8 @@
 { buildPythonApplication
 , python3Packages
 , lib
+, coldsnap
+, qemu-utils
 }:
 
 let
@@ -37,7 +39,11 @@ buildPythonApplication {
       python3Packages.black
     ];
 
-  propagatedBuildInputs = lib.flatten (map resolvePackages pyproject.project.dependencies);
+
+
+  propagatedBuildInputs =
+    lib.flatten (map resolvePackages pyproject.project.dependencies)
+    ++ [ coldsnap qemu-utils ];
 
   checkPhase = ''
     mypy src

upload-ami/pyproject.toml

@@ -17,5 +17,6 @@ disable-image-block-public-access = "upload_ami.disable_image_block_public_acces
 enable-regions = "upload_ami.enable_regions:main"
 request-public-ami-quota-increase  = "upload_ami.request_public_ami_quota_increase:main"
 describe-images = "upload_ami.describe_images:main"
+upload-coldsnap = "upload_ami.upload_coldsnap:main"
 [tool.mypy]
 strict=true

upload-ami/src/upload_ami/upload_ami.py

@@ -9,12 +9,15 @@
 import botocore.exceptions
 
 from mypy_boto3_ec2.client import EC2Client
-from mypy_boto3_ec2.literals import BootModeValuesType
 from mypy_boto3_ec2.type_defs import RegionTypeDef
 from mypy_boto3_s3.client import S3Client
 
 from concurrent.futures import ThreadPoolExecutor
 
+from typing import TypedDict
+
+from mypy_boto3_ec2.literals import BootModeValuesType
+
 
 class ImageInfo(TypedDict):
     file: str