GCE-service: Update fetch-ssh-keys API usage

This commit is contained in:
Mateusz Kowalczyk 2017-05-18 16:59:14 +01:00
parent ef8553ba03
commit a2c900dc87


@ -20,7 +20,7 @@ in
rm $out/disk.raw rm $out/disk.raw
popd popd
''; '';
configFile = ./google-compute-config.nix; configFile = <nixpkgs/nixos/modules/virtualisation/google-compute-config.nix>;
format = "raw"; format = "raw";
inherit diskSize; inherit diskSize;
inherit config lib pkgs; inherit config lib pkgs;
@ -78,51 +78,34 @@ in
# When dealing with cryptographic keys, we want to keep things private. # When dealing with cryptographic keys, we want to keep things private.
umask 077 umask 077
# Don't download the SSH key if it has already been downloaded # Don't download the SSH key if it has already been downloaded
if ! [ -s /root/.ssh/authorized_keys ]; then echo "Obtaining SSH keys..."
echo "obtaining SSH key..." mkdir -m 0700 -p /root/.ssh
mkdir -m 0700 -p /root/.ssh AUTH_KEYS=$(${mktemp})
AUTH_KEYS=$(${mktemp}) ${wget} -O $AUTH_KEYS http://metadata.google.internal/computeMetadata/v1/project/attributes/sshKeys
${wget} -O $AUTH_KEYS http://metadata.google.internal/0.1/meta-data/authorized-keys if [ -s $AUTH_KEYS ]; then
if [ -s $AUTH_KEYS ]; then
KEY_PUB=$(${mktemp})
cat $AUTH_KEYS | cut -d: -f2- > $KEY_PUB
if ! grep -q -f $KEY_PUB /root/.ssh/authorized_keys; then
cat $KEY_PUB >> /root/.ssh/authorized_keys
echo "New key added to authorized_keys."
fi
chmod 600 /root/.ssh/authorized_keys
rm -f $KEY_PUB
else
echo "Downloading http://metadata.google.internal/0.1/meta-data/authorized-keys failed."
false
fi
rm -f $AUTH_KEYS
fi
countKeys=0 # Read in key one by one, split in case Google decided
${flip concatMapStrings config.services.openssh.hostKeys (k : # to append metadata (it does sometimes) and add to
let kName = baseNameOf k.path; in '' # authorized_keys if not already present.
PRIV_KEY=$(${mktemp}) touch /root/.ssh/authorized_keys
echo "trying to obtain SSH private host key ${kName}" NEW_KEYS=$(${mktemp})
${wget} -O $PRIV_KEY http://metadata.google.internal/0.1/meta-data/attributes/${kName} && : # Yes this is a nix escape of two single quotes.
if [ $? -eq 0 -a -s $PRIV_KEY ]; then while IFS=''' read -r line || [[ -n "$line" ]]; do
countKeys=$((countKeys+1)) keyLine=$(echo -n "$line" | cut -d ':' -f2)
mv -f $PRIV_KEY ${k.path} IFS=' ' read -r -a array <<< "$keyLine"
echo "Downloaded ${k.path}" if [ ''${#array[@]} -ge 3 ]; then
chmod 600 ${k.path} echo ''${array[@]:0:3} >> $NEW_KEYS
${config.programs.ssh.package}/bin/ssh-keygen -y -f ${k.path} > ${k.path}.pub echo "Added ''${array[@]:2} to authorized_keys"
chmod 644 ${k.path}.pub
else
echo "Downloading http://metadata.google.internal/0.1/meta-data/attributes/${kName} failed."
fi fi
rm -f $PRIV_KEY done < $AUTH_KEYS
'' mv $NEW_KEYS /root/.ssh/authorized_keys
)} chmod 600 /root/.ssh/authorized_keys
rm -f $KEY_PUB
if [[ $countKeys -le 0 ]]; then else
echo "failed to obtain any SSH private host keys." echo "Downloading http://metadata.google.internal/computeMetadata/v1/project/attributes/sshKeys failed."
false false
fi fi
rm -f $AUTH_KEYS
''; '';
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true; serviceConfig.RemainAfterExit = true;
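Review bot: The read loop starting at `while IFS=''' read -r line` keeps only the first three whitespace-separated fields of each key line and uses the remainder purely for the log message, so the trailer the comment above it says Google appends is never evaluated; on GCE that trailer is, as far as I know, the expiring-key form (`google-ssh {"userName":…,"expireOn":…}`), which means a key whose expireOn has already passed is still written to root's authorized_keys. Either a check on that field before `echo ''${array[@]:0:3} >> $NEW_KEYS`, or at least a comment stating that key expiry is not enforced here, should be added. The comments "Don't download the SSH key if it has already been downloaded" and "add to authorized_keys if not already present" no longer describe the code, because `mv $NEW_KEYS /root/.ssh/authorized_keys` rebuilds the file on every run and drops any key absent from the project sshKeys attribute; `# authorized_keys is rebuilt from project sshKeys on every run; keys not in metadata are removed` would state the actual behaviour. `rm -f $KEY_PUB` is a leftover of the removed branch, since KEY_PUB is no longer assigned anywhere in this script. The computeMetadata/v1 endpoint also rejects requests that lack a `Metadata-Flavor: Google` header, so if the `${wget}` binding defined outside this hunk does not send it the download yields an empty file and the unit exits through `false`; the enclosing `script` string begins before the hunk.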