The previous restriction seems rather arbitrary. By allowing full
access to nodes, one can for example derive security group rules
from the NixOS firewall options (or custom options), simplifying
deployments substantially.
For context:
Without this, the security groups must be hand-written for each
node, which is cumbersome and error-prone.
Also note that it's easy to hit the max SGs per node, so using
an SG per service does not scale.
SGs themselves are much less limited at around 2500 per VPC, so
you can get away with a security group per node. A particularly
huge VPC could even use a naming scheme to deduplicate equivalent
SGs, although you'd be hitting NixOps practical limitations such
as evaluation performance well before that.
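As an added illustration of the pattern the message describes (this is example code written here, not part of NixOps or of the change itself): a NixOps network where one EC2 security group is generated from the node's own firewall options, so the firewall stays the single source of truth and the SG merely mirrors it. It assumes that the resource definition receives the `nodes` argument this change grants, that `deployment.ec2.securityGroups` accepts a resource reference, and uses a constructed region and VPC CIDR; the rule shape (`fromPort`, `toPort`, `protocol`, `sourceIp`) follows the `resources.ec2SecurityGroups.<name>.rules` option.

```nix
{
  network.description = "security groups derived from each node's firewall";

  web = { resources, ... }: {
    deployment.targetEnv = "ec2";
    deployment.ec2.region = "us-east-1";          # constructed placeholder
    deployment.ec2.instanceType = "t3.micro";
    # The NixOS firewall is the source of truth; the SG below is derived from it,
    # so a port opened here is the only way to open it at the VPC edge as well.
    networking.firewall.allowedTCPPorts = [ 22 443 ];
    networking.firewall.allowedUDPPorts = [ 123 ];
    # One SG per node (assumption: resource references are accepted here).
    deployment.ec2.securityGroups = [ resources.ec2SecurityGroups.web-sg ];
  };

  # `nodes` in a resource definition is what this change makes available
  # (assumption about the argument name).
  resources.ec2SecurityGroups.web-sg = { nodes, ... }:
    let
      fw = nodes.web.config.networking.firewall;
      # Restrict sources to the VPC rather than 0.0.0.0/0: the firewall lists
      # which ports are open, the SG decides from where. Constructed CIDR.
      vpcCidr = "10.0.0.0/16";
      rule = protocol: from: to: {
        fromPort = from;
        toPort = to;
        inherit protocol;
        sourceIp = vpcCidr;
      };
    in {
      region = "us-east-1";
      description = "Derived from nodes.web networking.firewall options";
      rules =
        map (p: rule "tcp" p p) fw.allowedTCPPorts
        ++ map (p: rule "udp" p p) fw.allowedUDPPorts
        ++ map (r: rule "tcp" r.from r.to) fw.allowedTCPPortRanges
        ++ map (r: rule "udp" r.from r.to) fw.allowedUDPPortRanges;
    };
}
```

The same `rule`/`fw` construction can be repeated for each node with its own `<node>-sg`, which keeps the deployment at one SG per node as the message suggests, well inside the per-VPC limit while avoiding the per-instance SG cap that a per-service scheme runs into.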