From 3b8c7424d1948e52bc2afe0e41e3b64db3f2c22b Mon Sep 17 00:00:00 2001
From: AmineChikhaoui
Date: Sat, 28 Apr 2018 16:52:46 +0100
Subject: [PATCH 1/3] pull the ssh host keys from the metadata service as expected by NixOps.
Issues: #38623 https://github.com/NixOS/nixops/issues/930.
---
 .../modules/virtualisation/google-compute-image.nix | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index 0b6bec786da..e0d8027c67a 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@@ -221,7 +221,7 @@ in
 echo "Obtaining SSH keys..."
 mkdir -m 0700 -p /root/.ssh
 AUTH_KEYS=$(${mktemp})
- ${wget} -O $AUTH_KEYS --header="Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/attributes/sshKeys
+ ${wget} -O $AUTH_KEYS http://metadata.google.internal/computeMetadata/v1/instance/attributes/sshKeys

 if [ -s $AUTH_KEYS ]; then
 # Read in key one by one, split in case Google decided
@@ -246,6 +246,17 @@ in
 false
 fi
 rm -f $AUTH_KEYS
+ SSH_HOST_KEYS_DIR=$(${mktemp} -d)
+ ${wget} -O $SSH_HOST_KEYS_DIR/ssh_host_ed25519_key http://metadata.google.internal/computeMetadata/v1/instance/attributes/ssh_host_ed25519_key
+ ${wget} -O $SSH_HOST_KEYS_DIR/ssh_host_ed25519_key.pub http://metadata.google.internal/computeMetadata/v1/instance/attributes/ssh_host_ed25519_key_pub
+ if [ -s $SSH_HOST_KEYS_DIR/ssh_host_ed25519_key -a -s $SSH_HOST_KEYS_DIR/ssh_host_ed25519_key.pub ]; then
+ mv -f $SSH_HOST_KEYS_DIR/ssh_host_ed25519_key* /etc/ssh/
+ chmod 600 /etc/ssh/ssh_host_ed25519_key
+ chmod 644 /etc/ssh/ssh_host_ed25519_key.pub
+ else
+ echo "Setup of ssh host keys from http://metadata.google.internal/computeMetadata/v1/instance/attributes/ failed."
+ fi
+ rm -f $SSH_HOST_KEYS_DIR/*
 '';
 serviceConfig.Type = "oneshot";
 serviceConfig.RemainAfterExit = true;
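Review bot: The changed `${wget}` line drops the `--header="Metadata-Flavor: Google"` argument that the removed line carried, and the GCE v1 metadata endpoint rejects requests without that header, so the sshKeys fetch would stop working unless the `wget` binding defined outside this hunk already supplies it (nothing in this commit changes that binding, since all 12 insertions are in the two hunks shown). The two host-key fetches added in the following hunk omit the header in the same way. If the binding does not carry it, keep the argument on all three lines: `${wget} -O $AUTH_KEYS --header="Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/attributes/sshKeys`. The enclosing service script starts and ends outside the hunk.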
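Review bot: The `mv -f` line places the private host key in /etc/ssh/ with whatever mode wget created it under, and only the following `chmod 600` tightens it, so the private key is briefly readable by every local user in a world-traversable directory; the `mktemp -d` directory is private, so set the modes there first and move afterwards: `chmod 600 $SSH_HOST_KEYS_DIR/ssh_host_ed25519_key`, `chmod 644 $SSH_HOST_KEYS_DIR/ssh_host_ed25519_key.pub`, then the existing `mv -f`. The `if [ ... -a ... ]` test uses the deprecated `-a` and unquoted expansions; `if [ -s "$SSH_HOST_KEYS_DIR/ssh_host_ed25519_key" ] && [ -s "$SSH_HOST_KEYS_DIR/ssh_host_ed25519_key.pub" ]; then` avoids both (brace-less `$VAR` is deliberate here, since `${...}` inside the Nix `''` string is Nix interpolation). A comment above the first fetch should also record that the private key is served as a plain instance attribute that any process on the instance can read from the metadata server, so the file mode only protects the on-disk copy, e.g. `# NOTE: the key is readable by any local process via the metadata server; file modes protect only the copy in /etc/ssh`.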
From 4a86f8c9abd99b880b8a9c3609d330c7ff398ad5 Mon Sep 17 00:00:00 2001
From: AmineChikhaoui
Date: Sat, 28 Apr 2018 17:06:25 +0100
Subject: [PATCH 2/3] remove the entire temporary directory
---
 nixos/modules/virtualisation/google-compute-image.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index e0d8027c67a..f175be673ba 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@@ -256,7 +256,7 @@ in
 else
 echo "Setup of ssh host keys from http://metadata.google.internal/computeMetadata/v1/instance/attributes/ failed."
 fi
- rm -f $SSH_HOST_KEYS_DIR/*
+ rm -f $SSH_HOST_KEYS_DIR
 '';
 serviceConfig.Type = "oneshot";
 serviceConfig.RemainAfterExit = true;

From f514a6896919f090cd811ebd9866ace1bb4b2b54 Mon Sep 17 00:00:00 2001
From: AmineChikhaoui
Date: Sat, 28 Apr 2018 17:07:54 +0100
Subject: [PATCH 3/3] barf if pulling the ssh host keys fails
---
 nixos/modules/virtualisation/google-compute-image.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index f175be673ba..374a8433235 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@@ -255,6 +255,7 @@ in
 chmod 644 /etc/ssh/ssh_host_ed25519_key.pub
 else
 echo "Setup of ssh host keys from http://metadata.google.internal/computeMetadata/v1/instance/attributes/ failed."
+ false
 fi
 rm -f $SSH_HOST_KEYS_DIR
 '';
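Review bot: The new `rm -f $SSH_HOST_KEYS_DIR` line cannot remove a directory: rm without `-r` refuses with "Is a directory", so the `mktemp -d` directory is now never cleaned up, and on the failure path it may still hold a private key that was fetched before the other fetch failed. The line it replaces, `rm -f $SSH_HOST_KEYS_DIR/*`, at least emptied the directory. Use `rm -rf -- "$SSH_HOST_KEYS_DIR"` instead, which removes the directory together with any leftover key material (braces are avoided on purpose, because `${...}` inside the Nix `''` string is Nix interpolation). If the service script runs with the shell's `-e` option, which I cannot confirm from the hunk, the failing rm would additionally turn every successful boot of this unit into a failure.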
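Review bot: The added `false` fails the unit, but if the script runs under the shell's `-e` option (the existing `false` in the sshKeys branch suggests that is the intent, though the hunk does not show it) execution stops there and never reaches the `rm -f $SSH_HOST_KEYS_DIR` line two lines below, so the temp directory and any partially fetched private key are left behind on exactly the error path. Registering the cleanup right after the `mktemp -d` call, `trap 'rm -rf -- "$SSH_HOST_KEYS_DIR"' EXIT`, runs it on both paths; alternatively do the `rm` before `false`. The failure message would also be easier to find in the journal on stderr: `echo "..." >&2`. A comment should note that images not provisioned by NixOps will not have these attributes, so a missing attribute now fails the unit rather than being skipped, e.g. `# the host-key attributes are set by NixOps; their absence is treated as a provisioning error`.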