From b5adb70a48afbfbd71a846d1364ccd1484411609 Mon Sep 17 00:00:00 2001 From: Leonardo Arena Date: Wed, 25 Mar 2026 20:08:30 +0100 Subject: [PATCH 1/2] Allow to override default IMDS endpoint --- README.md | 15 +++++++++++++++ bin/imds | 3 ++- lib/tiny-cloud/tiny-cloud.conf | 5 +++++ 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 3ca948b..0e4e268 100644 --- a/README.md +++ b/README.md @@ -105,6 +105,21 @@ Alternatively, you can add `tinycloud=cloud=` (preferred) or `ds=` `/sys/class/dmi/id/product_serial` (QEMU hack) is another way to explicitly choose a cloud provider. +### Custom Metadata Service Endpoint + +For custom or non-standard metadata services, you can +override the default IMDS endpoint by setting `IMDS_ENDPOINT` in +`/etc/tiny-cloud.conf`: + +```sh +# For Tinkerbell or other custom metadata services +IMDS_ENDPOINT=192.0.2.1:50061 +``` + +The default endpoint is `169.254.169.254` for most cloud providers. This +setting allows you to specify a custom IP address and optional port for the +metadata service. + ## Operation The first time an instance boots -- either freshly instantiated from an image, diff --git a/bin/imds b/bin/imds index 6ccce6b..575ac53 100755 --- a/bin/imds +++ b/bin/imds @@ -52,7 +52,8 @@ unset -f \ ### default variables/functions # Common to many clouds -IMDS_ENDPOINT="169.254.169.254" +# Can be overridden in /etc/tiny-cloud.conf +: "${IMDS_ENDPOINT:=169.254.169.254}" # Common to AWS and NoCloud(ish) IMDS_HOSTNAME="meta-data/hostname" diff --git a/lib/tiny-cloud/tiny-cloud.conf b/lib/tiny-cloud/tiny-cloud.conf index 599c6d5..7100c49 100644 --- a/lib/tiny-cloud/tiny-cloud.conf +++ b/lib/tiny-cloud/tiny-cloud.conf 
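Review bot: In bin/imds, `: "${IMDS_ENDPOINT:=169.254.169.254}"` keeps any value that is already set, so the endpoint can now come from the calling environment as well as from /etc/tiny-cloud.conf, and nothing checks its shape before use. The same applies to `IMDS_URI` in the second patch (the `unset` removal in bin/imds and `: "${IMDS_URI:=latest}"` in lib/tiny-cloud/cloud/aws/imds), where the inherited value also decides whether a token is requested at all. Because the instance is configured from this host, and the token request visible in the AWS module goes out over plain HTTP via `nc`, I would document the trust assumption next to the default, e.g. `# Trust anchor: set only in root-owned /etc/tiny-cloud.conf; responses from this host configure the instance`, and reject values containing whitespace or `/` before first use. Where the config file is sourced is outside this hunk, so whether an inherited environment value can actually reach this line should be confirmed.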
@@ -8,6 +8,11 @@ # User account where instance SSH keys are installed #CLOUD_USER=alpine +# IMDS endpoint override (IP:PORT or IP) +# Defaults to 169.254.169.254 for most clouds +# Useful for custom metadata services +#IMDS_ENDPOINT=169.254.169.254 + # IMDS token validity, in seconds (AWS only) #IMDS_TOKEN_TTL=5 From daed749da68f047fa109b4dd4dc4690cc483b3e5 Mon Sep 17 00:00:00 2001 From: Leonardo Arena Date: Wed, 25 Mar 2026 20:09:10 +0100 Subject: [PATCH 2/2] Add support for AWS IMDSv1 --- README.md | 15 +++++++++++++++ bin/imds | 1 - lib/tiny-cloud/cloud/aws/imds | 18 +++++++++++++----- lib/tiny-cloud/tiny-cloud.conf | 7 ++++++- 4 files changed, 34 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 0e4e268..b7d4011 100644 --- a/README.md +++ b/README.md @@ -120,6 +120,21 @@ The default endpoint is `169.254.169.254` for most cloud providers. This setting allows you to specify a custom IP address and optional port for the metadata service. +### AWS Metadata API Version + +For AWS-compatible metadata services that don't support IMDSv2 tokens (like +Tinkerbell's Hegel), you can specify the API version in `/etc/tiny-cloud.conf`: + +```sh +# Use IMDSv1 (2009-04-04) without tokens for Tinkerbell +CLOUD=aws +IMDS_ENDPOINT=192.0.2.1:50061 +IMDS_URI=2009-04-04 +``` + +The default is `latest` which uses IMDSv2 with token authentication. Setting +`IMDS_URI=2009-04-04` uses the older IMDSv1 API without tokens. + ## Operation The first time an instance boots -- either freshly instantiated from an image, diff --git a/bin/imds b/bin/imds index 575ac53..5d3c657 100755 --- a/bin/imds +++ b/bin/imds @@ -41,7 +41,6 @@ fi unset \ IMDS_HEADER \ - IMDS_URI \ IMDS_QUERY unset -f \ _imds_token \ diff --git a/lib/tiny-cloud/cloud/aws/imds b/lib/tiny-cloud/cloud/aws/imds index f7b877d..26f1633 100644 --- a/lib/tiny-cloud/cloud/aws/imds +++ b/lib/tiny-cloud/cloud/aws/imds 
@@ -5,14 +5,22 @@ IMDS_HEADER="X-aws-ec2-metadata-token" IMDS_TOKEN_TTL_HEADER="X-aws-ec2-metadata-token-ttl-seconds" : "${IMDS_TOKEN_TTL:=5}" -IMDS_URI="latest" +# Allow override of IMDS API version (default: latest, can use 2009-04-04 for IMDSv1) +: "${IMDS_URI:=latest}" _imds_token() { - printf "PUT /latest/api/token HTTP/1.0\r\n%s: %s\r\n\r\n" \ - "$IMDS_TOKEN_TTL_HEADER" "$IMDS_TOKEN_TTL" \ - | nc -w 1 "$IMDS_ENDPOINT" 80 | tail -n 1 + # Only try to get token if using 'latest' API version (IMDSv2) + # Older versions like 2009-04-04 don't support tokens (IMDSv1) + if [ "$IMDS_URI" = "latest" ]; then + printf "PUT /latest/api/token HTTP/1.0\r\n%s: %s\r\n\r\n" \ + "$IMDS_TOKEN_TTL_HEADER" "$IMDS_TOKEN_TTL" \ + | nc -w 1 "$IMDS_ENDPOINT" 80 | tail -n 1 + fi } _imds_header() { - echo "$IMDS_HEADER: $(_imds_token)" + local token="$(_imds_token)" + if [ -n "$token" ]; then + echo "$IMDS_HEADER: $token" + fi } diff --git a/lib/tiny-cloud/tiny-cloud.conf b/lib/tiny-cloud/tiny-cloud.conf index 7100c49..2a22b4a 100644 --- a/lib/tiny-cloud/tiny-cloud.conf +++ b/lib/tiny-cloud/tiny-cloud.conf @@ -13,7 +13,12 @@ # Useful for custom metadata services #IMDS_ENDPOINT=169.254.169.254 -# IMDS token validity, in seconds (AWS only) +# IMDS API version (AWS only) +# Defaults to 'latest' (IMDSv2 with tokens) +# Use '2009-04-04' for IMDSv1 without tokens (e.g., Tinkerbell) +#IMDS_URI=latest + +# IMDS token validity, in seconds (AWS only, IMDSv2) #IMDS_TOKEN_TTL=5 # Location of var directory
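Review bot: In `_imds_header`, an empty token now silently drops the header, so with `IMDS_URI=latest` a failed or timed-out token request (`nc -w 1`) turns into tokenless requests with no trace, indistinguishable from the deliberate IMDSv1 mode. `_imds_token` also still connects to port `80` on `"$IMDS_ENDPOINT"`, which is unlikely to work with the `IP:PORT` form that README.md and tiny-cloud.conf document, so that configuration would presumably always take the silent path unless `IMDS_URI` is changed as well. I would warn on stderr when IMDSv2 was requested and no token came back (or fail outright if the callers, which are outside this hunk, can handle it), and declare `token` separately from the command substitution so `local` does not mask its exit status. The port handling needs a decision on how host and port are split and is not included below.

```shell
_imds_header() {
	local token
	token="$(_imds_token)"
	if [ -n "$token" ]; then
		echo "$IMDS_HEADER: $token"
	elif [ "$IMDS_URI" = "latest" ]; then
		# IMDSv2 was requested but no token came back: make the downgrade visible
		echo "imds: no IMDSv2 token from $IMDS_ENDPOINT, continuing without one" >&2
	fi
}
```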