From e548a4330d858b81d00d9a586b02b494e4df8983 Mon Sep 17 00:00:00 2001 From: Russell O'Connor Date: Tue, 30 Dec 2014 15:11:52 -0500 Subject: [PATCH 1/6] google-compute-image.nix: use internal google NTP server. --- nixos/modules/virtualisation/google-compute-image.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix index 5dbb7693fa1..41337c7467e 100644 --- a/nixos/modules/virtualisation/google-compute-image.nix +++ b/nixos/modules/virtualisation/google-compute-image.nix @@ -120,6 +120,8 @@ in 169.254.169.254 metadata.google.internal metadata ''; + services.ntp.servers = [ "metadata.google.internal" ]; + networking.usePredictableInterfaceNames = false; systemd.services.fetch-ssh-keys = From b19ab1f0465ec026cd4f33b08567aeaa9a9e1ed8 Mon Sep 17 00:00:00 2001 From: Russell O'Connor Date: Mon, 5 Jan 2015 15:01:49 -0500 Subject: [PATCH 2/6] google-comute-image.nix: set umask 077 when downloading private keys from the metadata server. --- nixos/modules/virtualisation/google-compute-image.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix index 41337c7467e..808b6450182 100644 --- a/nixos/modules/virtualisation/google-compute-image.nix +++ b/nixos/modules/virtualisation/google-compute-image.nix @@ -135,6 +135,8 @@ in path = [ pkgs.wget ]; script = '' + # When dealing with cryptographic keys, we want to keep things private. + umask 077 wget="wget --retry-connrefused -t 6 --waitretry=10" # Don't download the SSH key if it has already been downloaded if ! [ -e /root/.ssh/authorized_keys ]; then From 6382e16014af0e33e33c2e8bdd4fc52fe18c195c Mon Sep 17 00:00:00 2001 
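Review bot: `services.ntp.servers = [ "metadata.google.internal" ];` is set unconditionally, and since the option is a list, servers an operator configures elsewhere merge into the same list rather than replacing this one. If this is meant as an image default that deployments can override, the conventional form is `services.ntp.servers = lib.mkDefault [ "metadata.google.internal" ];` (bare `mkDefault` if `lib` is already opened in this module, as the unqualified `flip concatMapStrings` in patch 6 suggests). The name itself resolves through the `169.254.169.254 metadata.google.internal metadata` hosts entry in the context line above, so time sync does not depend on DNS being up; worth a one-line comment next to the option so nobody later "fixes" it to an external pool.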
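Review bot: The comment above `umask 077` says why but not what it covers, and that is the useful part for the next maintainer; something like `# umask 077: every file this script creates (wget output staged in /root, keys moved into /etc/ssh) starts owner-only, so private material is never world-readable even transiently; the chmods below set the final modes.` would do. It is also worth noting in that comment that umask does not alter a file that already exists, so the `chmod 600 /root/.ssh/authorized_keys` shown in the following patch's hunk is still required rather than redundant. The subject line spells the module `google-comute-image.nix`; a typo in the commit title, harmless but worth fixing before merge.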
From: Russell O'Connor Date: Mon, 5 Jan 2015 15:18:02 -0500 Subject: [PATCH 3/6] google-compute-image.nix: unconditionally clean up /root/key.pub /root/authorized-keys-metadata --- nixos/modules/virtualisation/google-compute-image.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix index 808b6450182..287081be01b 100644 --- a/nixos/modules/virtualisation/google-compute-image.nix +++ b/nixos/modules/virtualisation/google-compute-image.nix @@ -150,8 +150,8 @@ in echo "new key added to authorized_keys" fi chmod 600 /root/.ssh/authorized_keys - rm -f /root/key.pub /root/authorized-keys-metadata fi + rm -f /root/key.pub /root/authorized-keys-metadata fi echo "obtaining SSH private host key..." From d1cbbff1e36e66dcf1aa9bb445fd03bc0c77433c Mon Sep 17 00:00:00 2001 From: Russell O'Connor Date: Mon, 29 Dec 2014 18:04:37 -0500 Subject: [PATCH 4/6] Call wget directly in fetch-ssh-keys service. --- nixos/modules/virtualisation/google-compute-image.nix | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix index 287081be01b..f6830b2f09f 100644 --- a/nixos/modules/virtualisation/google-compute-image.nix +++ b/nixos/modules/virtualisation/google-compute-image.nix 
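Review bot: Cleanup of `/root/key.pub` and `/root/authorized-keys-metadata` still depends on control reaching the relocated `rm -f`; if the generated service script runs with `set -e` (the `&& :` added to the wget call in patch 6 suggests it does), a non-zero wget exit aborts the script before that line, and a partial or empty `/root/authorized-keys-metadata` left by `wget -O` survives on disk. Registering the cleanup once, right after `umask 077`, as `trap 'rm -f /root/key.pub /root/authorized-keys-metadata' EXIT` makes it unconditional regardless of how the script exits and lets this `rm -f` go. The enclosing script string begins and ends outside this hunk.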
@@ -132,17 +132,15 @@ in after = [ "network-online.target" ]; wants = [ "network-online.target" ]; - path = [ pkgs.wget ]; - script = + script = let wget = "${pkgs.wget}/bin/wget --retry-connrefused -t 6 --waitretry=10"; in '' # When dealing with cryptographic keys, we want to keep things private. umask 077 - wget="wget --retry-connrefused -t 6 --waitretry=10" # Don't download the SSH key if it has already been downloaded if ! [ -e /root/.ssh/authorized_keys ]; then echo "obtaining SSH key..." mkdir -p /root/.ssh - $wget -O /root/authorized-keys-metadata http://metadata/0.1/meta-data/authorized-keys + ${wget} -O /root/authorized-keys-metadata http://metadata/0.1/meta-data/authorized-keys if [ $? -eq 0 -a -e /root/authorized-keys-metadata ]; then cat /root/authorized-keys-metadata | cut -d: -f2- > /root/key.pub if ! grep -q -f /root/key.pub /root/.ssh/authorized_keys; then @@ -155,7 +153,7 @@ in fi echo "obtaining SSH private host key..." - $wget -O /root/ssh_host_ecdsa_key http://metadata/0.1/meta-data/attributes/ssh_host_ecdsa_key + ${wget} -O /root/ssh_host_ecdsa_key http://metadata/0.1/meta-data/attributes/ssh_host_ecdsa_key if [ $? -eq 0 -a -e /root/ssh_host_ecdsa_key ]; then mv -f /root/ssh_host_ecdsa_key /etc/ssh/ssh_host_ecdsa_key echo "downloaded ssh_host_ecdsa_key" @@ -163,7 +161,7 @@ in fi echo "obtaining SSH public host key..." - $wget -O /root/ssh_host_ecdsa_key.pub http://metadata/0.1/meta-data/attributes/ssh_host_ecdsa_key_pub + ${wget} -O /root/ssh_host_ecdsa_key.pub http://metadata/0.1/meta-data/attributes/ssh_host_ecdsa_key_pub if [ $? -eq 0 -a -e /root/ssh_host_ecdsa_key.pub ]; then mv -f /root/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub echo "downloaded ssh_host_ecdsa_key.pub" From 3251948029aab3e268c081cb258a835711a86205 Mon Sep 17 00:00:00 2001 
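Review bot: Each `${wget} -O …` followed by `if [ $? -eq 0 -a -e … ]` tests the exit status one statement too late: if the generated script runs under `set -e` (as the `&& :` idiom introduced in patch 6 suggests), a failed wget aborts the script before the `[` test executes, so the `$? -eq 0` branch can never observe a download failure. The direct form `if ${wget} -O /root/authorized-keys-metadata http://metadata/0.1/meta-data/authorized-keys && [ -e /root/authorized-keys-metadata ]; then` behaves the same under both modes; the host-key downloads in the second and third hunks of this patch have the identical pattern. Separately, the new `wget` definition carries `--retry-connrefused -t 6 --waitretry=10` but no `--timeout`, so an accepting-but-unresponsive metadata endpoint holds this oneshot for wget's default read timeout on every attempt; adding `--timeout=10` bounds the boot-time stall. The `script` string continues outside the first hunk.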
From: Russell O'Connor Date: Mon, 29 Dec 2014 18:08:57 -0500 Subject: [PATCH 5/6] Generate SSH host public key from the private key. --- nixos/modules/virtualisation/google-compute-image.nix | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix index f6830b2f09f..bee64866b52 100644 --- a/nixos/modules/virtualisation/google-compute-image.nix +++ b/nixos/modules/virtualisation/google-compute-image.nix @@ -158,13 +158,7 @@ in mv -f /root/ssh_host_ecdsa_key /etc/ssh/ssh_host_ecdsa_key echo "downloaded ssh_host_ecdsa_key" chmod 600 /etc/ssh/ssh_host_ecdsa_key - fi - - echo "obtaining SSH public host key..." - ${wget} -O /root/ssh_host_ecdsa_key.pub http://metadata/0.1/meta-data/attributes/ssh_host_ecdsa_key_pub - if [ $? -eq 0 -a -e /root/ssh_host_ecdsa_key.pub ]; then - mv -f /root/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub - echo "downloaded ssh_host_ecdsa_key.pub" + ${config.programs.ssh.package}/bin/ssh-keygen -y -f /etc/ssh/ssh_host_ecdsa_key > /etc/ssh/ssh_host_ecdsa_key.pub chmod 644 /etc/ssh/ssh_host_ecdsa_key.pub fi ''; From d1a58ef7c6873677fc95cbd46d405368e160ac2a Mon Sep 17 00:00:00 2001 From: Russell O'Connor Date: Tue, 30 Dec 2014 14:10:32 -0500 Subject: [PATCH 6/6] google-compute-image.nix: Try to download all SSH host keys from metadata server. --- .../virtualisation/google-compute-image.nix | 28 +++++++++++++------ 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix index bee64866b52..41c7dd62f3e 100644 --- a/nixos/modules/virtualisation/google-compute-image.nix +++ b/nixos/modules/virtualisation/google-compute-image.nix 
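Review bot: `ssh-keygen -y` now runs after the downloaded blob has already been `mv -f`'d over `/etc/ssh/ssh_host_ecdsa_key` and `chmod 600`'d, so a corrupt, truncated or passphrase-protected download (which `-y` cannot read non-interactively) replaces a working host key first and fails second — under `set -e` that also aborts the service with no `.pub` written. Deriving the public key from the staged file in `/root` and only then moving both files into place turns the failure into a no-op that keeps the existing host key; the rewrite below does that and cleans up the staged copies. Patch 6 inherits the same ordering in its per-key loop, so the fix belongs there too. The surrounding `if`/`fi` around the wget call starts outside this hunk.
```nix
          # … unchanged: authorized_keys handling and the wget call above …
          if [ $? -eq 0 -a -e /root/ssh_host_ecdsa_key ]; then
            # Validate before installing: derive the public key from the staged
            # download; a corrupt or passphrase-protected blob fails here and the
            # existing host key is left untouched.
            if ${config.programs.ssh.package}/bin/ssh-keygen -y -f /root/ssh_host_ecdsa_key > /root/ssh_host_ecdsa_key.pub; then
              mv -f /root/ssh_host_ecdsa_key /etc/ssh/ssh_host_ecdsa_key
              mv -f /root/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub
              chmod 600 /etc/ssh/ssh_host_ecdsa_key
              chmod 644 /etc/ssh/ssh_host_ecdsa_key.pub
              echo "downloaded ssh_host_ecdsa_key"
            else
              echo "ssh_host_ecdsa_key from metadata is not a usable private key; keeping existing host key"
            fi
            rm -f /root/ssh_host_ecdsa_key /root/ssh_host_ecdsa_key.pub
          fi
```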
@@ -152,14 +152,26 @@ in rm -f /root/key.pub /root/authorized-keys-metadata fi - echo "obtaining SSH private host key..." - ${wget} -O /root/ssh_host_ecdsa_key http://metadata/0.1/meta-data/attributes/ssh_host_ecdsa_key - if [ $? -eq 0 -a -e /root/ssh_host_ecdsa_key ]; then - mv -f /root/ssh_host_ecdsa_key /etc/ssh/ssh_host_ecdsa_key - echo "downloaded ssh_host_ecdsa_key" - chmod 600 /etc/ssh/ssh_host_ecdsa_key - ${config.programs.ssh.package}/bin/ssh-keygen -y -f /etc/ssh/ssh_host_ecdsa_key > /etc/ssh/ssh_host_ecdsa_key.pub - chmod 644 /etc/ssh/ssh_host_ecdsa_key.pub + countKeys=0 + ${flip concatMapStrings config.services.openssh.hostKeys (k : + let kName = baseNameOf k.path; in '' + echo "trying to obtain SSH private host key ${kName}" + ${wget} -O /root/${kName} http://metadata/0.1/meta-data/attributes/${kName} && : + if [ $? -eq 0 -a -e /root/${kName} ]; then + countKeys=$((countKeys+1)) + mv -f /root/${kName} ${k.path} + echo "downloaded ${k.path}" + chmod 600 ${k.path} + ${config.programs.ssh.package}/bin/ssh-keygen -y -f ${k.path} > ${k.path}.pub + chmod 644 ${k.path}.pub + fi + rm -f /root/${kName} + '' + )} + + if [[ $countKeys -le 0 ]]; then + echo "failed to obtain any SSH private host keys." + false fi ''; serviceConfig.Type = "oneshot";
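Review bot: `if [[ $countKeys -le 0 ]]; then` is a bash-only test in a script whose every other test uses POSIX `[ … ]`; `if [ "$countKeys" -eq 0 ]; then` keeps the style consistent and states the actual condition, since the counter is never negative. The `&& :` suffix that stops a failed wget from aborting the script is applied only to the per-key download here, while the `authorized-keys` download in patch 4's first hunk (outside this hunk) keeps the bare `${wget} -O …` followed by a `$?` check and would need the same treatment to behave consistently. The interpolated paths `/root/${kName}` and `${k.path}` are unquoted in the shell, so a `hostKeys` entry whose path contains whitespace splits into separate words; quoting them (`"${k.path}"`) costs nothing. A short comment above `countKeys=0` explaining that the metadata attribute name is taken from the key file's basename, and that the service deliberately fails when no key is retrieved, would save the next reader a trip through the generator.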