gce/fetch-ssh-keys: Put script in separate file, use PrivateTmp...

...check the script with shfmt and shellcheck + some other minor
refactoring.

nixos/modules/virtualisation/fetch-instance-ssh-keys.bash

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+WGET() {
+    wget --retry-connrefused -t 15 --waitretry=10 --header='Metadata-Flavor: Google' "$@"
+}
+
+# When dealing with cryptographic keys, we want to keep things private.
+umask 077
+mkdir -p /root/.ssh
+
+echo "Fetching authorized keys..."
+WGET -O /tmp/auth_keys http://metadata.google.internal/computeMetadata/v1/instance/attributes/sshKeys
+
+# Read keys one by one, split in case Google decided
+# to append metadata (it does sometimes) and add to
+# authorized_keys if not already present.
+touch /root/.ssh/authorized_keys
+while IFS='' read -r line || [[ -n "$line" ]]; do
+    keyLine=$(echo -n "$line" | cut -d ':' -f2)
+    IFS=' ' read -r -a array <<<"$keyLine"
+    if [[ ${#array[@]} -ge 3 ]]; then
+        echo "${array[@]:0:3}" >>/tmp/new_keys
+        echo "Added ${array[*]:2} to authorized_keys"
+    fi
+done </tmp/auth_keys
+mv /tmp/new_keys /root/.ssh/authorized_keys
+chmod 600 /root/.ssh/authorized_keys
+
+echo "Fetching host keys..."
+WGET -O /tmp/ssh_host_ed25519_key http://metadata.google.internal/computeMetadata/v1/instance/attributes/ssh_host_ed25519_key
+WGET -O /tmp/ssh_host_ed25519_key.pub http://metadata.google.internal/computeMetadata/v1/instance/attributes/ssh_host_ed25519_key_pub
+mv -f /tmp/ssh_host_ed25519_key* /etc/ssh/
+chmod 600 /etc/ssh/ssh_host_ed25519_key
+chmod 644 /etc/ssh/ssh_host_ed25519_key.pub

nixos/modules/virtualisation/google-compute-config.nix

@@ -69,67 +69,29 @@ in
   # GC has 1460 MTU
   networking.interfaces.eth0.mtu = 1460;
 
-  systemd.services.fetch-ssh-keys = {
+  # Used by NixOps
+  systemd.services.fetch-instance-ssh-keys = {
     description = "Fetch host keys and authorized_keys for root user";
 
     wantedBy = [ "sshd.service" ];
     before = [ "sshd.service" ];
     after = [ "network-online.target" ];
     wants = [ "network-online.target" ];
+    path = [ pkgs.wget ];
 
-    script =
+    serviceConfig = {
-      let
+      Type = "oneshot";
-        wget = "${pkgs.wget}/bin/wget --retry-connrefused -t 15 --waitretry=10 --header='Metadata-Flavor: Google'";
+      ExecStart = pkgs.runCommand "fetch-instance-ssh-keys" { } ''
-        mktemp = "mktemp --tmpdir=/run";
+        cp ${./fetch-instance-ssh-keys.bash} $out
-      in ''
+        chmod +x $out
-        # When dealing with cryptographic keys, we want to keep things private.
+        ${pkgs.shfmt}/bin/shfmt -i 4 -d $out
-        umask 077
+        ${pkgs.shellcheck}/bin/shellcheck $out
-        mkdir -m 0700 -p /root/.ssh
+        patchShebangs $out
-
-        echo "Obtaining SSH keys..."
-        AUTH_KEYS=$(${mktemp})
-        ${wget} -O $AUTH_KEYS http://metadata.google.internal/computeMetadata/v1/instance/attributes/sshKeys
-        if [ -s $AUTH_KEYS ]; then
-            # Read in key one by one, split in case Google decided
-            # to append metadata (it does sometimes) and add to
-            # authorized_keys if not already present.
-            touch /root/.ssh/authorized_keys
-            NEW_KEYS=$(${mktemp})
-            # Yes this is a nix escape of two single quotes.
-            while IFS=''' read -r line || [[ -n "$line" ]]; do
-                keyLine=$(echo -n "$line" | cut -d ':' -f2)
-                IFS=' ' read -r -a array <<< "$keyLine"
-                if [ ''${#array[@]} -ge 3 ]; then
-                    echo ''${array[@]:0:3} >> $NEW_KEYS
-                    echo "Added ''${array[@]:2} to authorized_keys"
-                fi
-            done < $AUTH_KEYS
-            mv $NEW_KEYS /root/.ssh/authorized_keys
-            chmod 600 /root/.ssh/authorized_keys
-            rm -f $KEY_PUB
-        else
-            echo "Downloading http://metadata.google.internal/computeMetadata/v1/project/attributes/sshKeys failed."
-            false
-        fi
-        rm -f $AUTH_KEYS
-
-        SSH_HOST_KEYS_DIR=$(${mktemp} -d)
-        ${wget} -O $SSH_HOST_KEYS_DIR/ssh_host_ed25519_key http://metadata.google.internal/computeMetadata/v1/instance/attributes/ssh_host_ed25519_key
-        ${wget} -O $SSH_HOST_KEYS_DIR/ssh_host_ed25519_key.pub http://metadata.google.internal/computeMetadata/v1/instance/attributes/ssh_host_ed25519_key_pub
-        if [ -s $SSH_HOST_KEYS_DIR/ssh_host_ed25519_key -a -s $SSH_HOST_KEYS_DIR/ssh_host_ed25519_key.pub ]; then
-            mv -f $SSH_HOST_KEYS_DIR/ssh_host_ed25519_key* /etc/ssh/
-            chmod 600 /etc/ssh/ssh_host_ed25519_key
-            chmod 644 /etc/ssh/ssh_host_ed25519_key.pub
-        else
-            echo "Setup of ssh host keys from http://metadata.google.internal/computeMetadata/v1/instance/attributes/ failed."
-            false
-        fi
-        rm -rf $SSH_HOST_KEYS_DIR
       '';
-    serviceConfig.Type = "oneshot";
+      PrivateTmp = true;
-    serviceConfig.RemainAfterExit = true;
+      StandardError = "journal+console";
-    serviceConfig.StandardError = "journal+console";
+      StandardOutput = "journal+console";
-    serviceConfig.StandardOutput = "journal+console";
+    };
   };
 
   systemd.services.google-instance-setup = {