nixpkgs/nixos/modules/virtualisation/ec2-data.nix

# This module defines a systemd service that sets the SSH host key and
# authorized client key and host name of virtual machines running on
# Amazon EC2, Eucalyptus and OpenStack Compute (Nova).

{ config, lib, pkgs, ... }:

with lib;

{
  config = {

    systemd.services.apply-ec2-data =
      { description = "Apply EC2 Data";

        wantedBy = [ "multi-user.target" "sshd.service" ];
        before = [ "sshd.service" ];

        path = [ pkgs.iproute ];

        script =
          ''
            ${optionalString (config.networking.hostName == "") ''
              echo "setting host name..."
              if [ -s /etc/ec2-metadata/hostname ]; then
                  ${pkgs.nettools}/bin/hostname $(cat /etc/ec2-metadata/hostname)
              fi
            ''}

            if ! [ -e /root/.ssh/authorized_keys ]; then
                echo "obtaining SSH key..."
                mkdir -m 0700 -p /root/.ssh
                if [ -s /etc/ec2-metadata/public-keys-0-openssh-key ]; then
                    cat /etc/ec2-metadata/public-keys-0-openssh-key >> /root/.ssh/authorized_keys
                    echo "new key added to authorized_keys"
                    chmod 600 /root/.ssh/authorized_keys
                fi
            fi

            # Extract the intended SSH host key for this machine from
            # the supplied user data, if available.  Otherwise sshd will
            # generate one normally.
            userData=/etc/ec2-metadata/user-data

            mkdir -m 0755 -p /etc/ssh

            if [ -s "$userData" ]; then
              key="$(sed 's/|/\n/g; s/SSH_HOST_DSA_KEY://; t; d' $userData)"
              key_pub="$(sed 's/SSH_HOST_DSA_KEY_PUB://; t; d' $userData)"
              if [ -n "$key" -a -n "$key_pub" -a ! -e /etc/ssh/ssh_host_dsa_key ]; then
                  (umask 077; echo "$key" > /etc/ssh/ssh_host_dsa_key)
                  echo "$key_pub" > /etc/ssh/ssh_host_dsa_key.pub
              fi

              key="$(sed 's/|/\n/g; s/SSH_HOST_ED25519_KEY://; t; d' $userData)"
              key_pub="$(sed 's/SSH_HOST_ED25519_KEY_PUB://; t; d' $userData)"
              if [ -n "$key" -a -n "$key_pub" -a ! -e /etc/ssh/ssh_host_ed25519_key ]; then
                  (umask 077; echo "$key" > /etc/ssh/ssh_host_ed25519_key)
                  echo "$key_pub" > /etc/ssh/ssh_host_ed25519_key.pub
              fi
            fi
          '';

        serviceConfig.Type = "oneshot";
        serviceConfig.RemainAfterExit = true;
      };

    systemd.services."print-host-key" =
      { description = "Print SSH Host Key";
        wantedBy = [ "multi-user.target" ];
        after = [ "sshd.service" ];
        script =
          ''
            # Print the host public key on the console so that the user
            # can obtain it securely by parsing the output of
            # ec2-get-console-output.
            echo "-----BEGIN SSH HOST KEY FINGERPRINTS-----" > /dev/console
            for i in /etc/ssh/ssh_host_*_key.pub; do
                ${config.programs.ssh.package}/bin/ssh-keygen -l -f $i > /dev/console
            done
            echo "-----END SSH HOST KEY FINGERPRINTS-----" > /dev/console
          '';
        serviceConfig.Type = "oneshot";
        serviceConfig.RemainAfterExit = true;
      };

  };
}
Fetch all EC2 metadata / user data in the initrd Since we're already fetching one datum, we may as well fetch the others needed by fetch-ec2-data. This also eliminates the dependency on wget. 2016-02-04 15:42:49 +01:00			`# This module defines a systemd service that sets the SSH host key and`
			`# authorized client key and host name of virtual machines running on`
			`# Amazon EC2, Eucalyptus and OpenStack Compute (Nova).`
* Added a module to create a disk image for Nova. svn path=/nixos/trunk/; revision=26721 2011-04-06 15:09:34 +00:00
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 16:26:48 +02:00			`{ config, lib, pkgs, ... }:`
* Added a module to create a disk image for Nova. svn path=/nixos/trunk/; revision=26721 2011-04-06 15:09:34 +00:00
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 16:26:48 +02:00			`with lib;`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00
			`{`
			`config = {`

Fetch all EC2 metadata / user data in the initrd Since we're already fetching one datum, we may as well fetch the others needed by fetch-ec2-data. This also eliminates the dependency on wget. 2016-02-04 15:42:49 +01:00			`systemd.services.apply-ec2-data =`
			`{ description = "Apply EC2 Data";`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00
amazon ec2: Make fetch-ec2-data more robust curl does not retry if it is unable to connect to the metadata server. For some reason, when creating a new AMI with a recent nixpkgs, the metadata server would not be available when fetch-ec2-data ran. Switching to wget that can retry even on TCP connection errors solved this problem. I also made the fetch-ec2-data depend on ip-up.target, to get it to start a bit later. 2014-07-30 17:55:30 +02:00			`wantedBy = [ "multi-user.target" "sshd.service" ];`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00			`before = [ "sshd.service" ];`

Fetch all EC2 metadata / user data in the initrd Since we're already fetching one datum, we may as well fetch the others needed by fetch-ec2-data. This also eliminates the dependency on wget. 2016-02-04 15:42:49 +01:00			`path = [ pkgs.iproute ];`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00
			`script =`
			`''`
			`${optionalString (config.networking.hostName == "") ''`
fetch-ec2-data: Don't restart This service only needs to run once on system startup, so it doesn't need to be restarted by switch-to-configuration. 2015-05-04 16:56:46 +02:00			`echo "setting host name..."`
Fetch all EC2 metadata / user data in the initrd Since we're already fetching one datum, we may as well fetch the others needed by fetch-ec2-data. This also eliminates the dependency on wget. 2016-02-04 15:42:49 +01:00			`if [ -s /etc/ec2-metadata/hostname ]; then`
			`${pkgs.nettools}/bin/hostname $(cat /etc/ec2-metadata/hostname)`
			`fi`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00			`''}`

			`if ! [ -e /root/.ssh/authorized_keys ]; then`
			`echo "obtaining SSH key..."`
Paranoia 2015-01-15 18:36:38 +01:00			`mkdir -m 0700 -p /root/.ssh`
Fetch all EC2 metadata / user data in the initrd Since we're already fetching one datum, we may as well fetch the others needed by fetch-ec2-data. This also eliminates the dependency on wget. 2016-02-04 15:42:49 +01:00			`if [ -s /etc/ec2-metadata/public-keys-0-openssh-key ]; then`
			`cat /etc/ec2-metadata/public-keys-0-openssh-key >> /root/.ssh/authorized_keys`
ec2-data.nix: Remove superfluous check 2015-09-28 13:31:28 +02:00			`echo "new key added to authorized_keys"`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00			`chmod 600 /root/.ssh/authorized_keys`
			`fi`
			`fi`

			`# Extract the intended SSH host key for this machine from`
			`# the supplied user data, if available. Otherwise sshd will`
			`# generate one normally.`
Fetch all EC2 metadata / user data in the initrd Since we're already fetching one datum, we may as well fetch the others needed by fetch-ec2-data. This also eliminates the dependency on wget. 2016-02-04 15:42:49 +01:00			`userData=/etc/ec2-metadata/user-data`
ec2-data.nix: Support ed25519 host keys 2015-09-23 00:03:13 +02:00
			`mkdir -m 0755 -p /etc/ssh`

ec2-data: ensure providing a SSH host key is actually optional 27016659046a8f8e7b4fd61ecbceaf9f5e306258 broke this. 2016-02-19 11:49:31 -06:00			`if [ -s "$userData" ]; then`
			`key="$(sed 's/\|/\n/g; s/SSH_HOST_DSA_KEY://; t; d' $userData)"`
			`key_pub="$(sed 's/SSH_HOST_DSA_KEY_PUB://; t; d' $userData)"`
			`if [ -n "$key" -a -n "$key_pub" -a ! -e /etc/ssh/ssh_host_dsa_key ]; then`
			`(umask 077; echo "$key" > /etc/ssh/ssh_host_dsa_key)`
			`echo "$key_pub" > /etc/ssh/ssh_host_dsa_key.pub`
			`fi`
ec2-data.nix: Support ed25519 host keys 2015-09-23 00:03:13 +02:00
ec2-data: ensure providing a SSH host key is actually optional 27016659046a8f8e7b4fd61ecbceaf9f5e306258 broke this. 2016-02-19 11:49:31 -06:00			`key="$(sed 's/\|/\n/g; s/SSH_HOST_ED25519_KEY://; t; d' $userData)"`
			`key_pub="$(sed 's/SSH_HOST_ED25519_KEY_PUB://; t; d' $userData)"`
			`if [ -n "$key" -a -n "$key_pub" -a ! -e /etc/ssh/ssh_host_ed25519_key ]; then`
			`(umask 077; echo "$key" > /etc/ssh/ssh_host_ed25519_key)`
			`echo "$key_pub" > /etc/ssh/ssh_host_ed25519_key.pub`
			`fi`
ec2-data.nix: Support ed25519 host keys 2015-09-23 00:03:13 +02:00			`fi`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00			`'';`

			`serviceConfig.Type = "oneshot";`
			`serviceConfig.RemainAfterExit = true;`
			`};`

			`systemd.services."print-host-key" =`
			`{ description = "Print SSH Host Key";`
			`wantedBy = [ "multi-user.target" ];`
			`after = [ "sshd.service" ];`
			`script =`
			`''`
			`# Print the host public key on the console so that the user`
			`# can obtain it securely by parsing the output of`
			`# ec2-get-console-output.`
			`echo "-----BEGIN SSH HOST KEY FINGERPRINTS-----" > /dev/console`
ec2-data.nix: Print all SSH host keys Also, don't barf if there is no DSA key. 2015-09-24 10:36:50 +02:00			`for i in /etc/ssh/ssh_host_*_key.pub; do`
			`${config.programs.ssh.package}/bin/ssh-keygen -l -f $i > /dev/console`
			`done`
Update all legacy-style modules I.e., modules that use "require = [options]". Nowadays that should be written as { options = { ... }; config = { ... }; }; Also, use "imports" instead of "require" in places where we actually import another module. 2013-09-04 13:05:09 +02:00			`echo "-----END SSH HOST KEY FINGERPRINTS-----" > /dev/console`
			`'';`
			`serviceConfig.Type = "oneshot";`
			`serviceConfig.RemainAfterExit = true;`
			`};`

			`};`
* Added a module to create a disk image for Nova. svn path=/nixos/trunk/; revision=26721 2011-04-06 15:09:34 +00:00			`}`