authorMateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk>2017-05-18 16:59:14 +0100
committerMateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk>2017-05-20 22:54:07 +0100
commita2c900dc879f71a658a5f17d9d83f9e79b25787d (patch)
treea2d908156f614478abb1e84794a55a019d3a29af /nixos/modules/virtualisation
parentef8553ba03fa16be6a3b7542971cf25fc7721ca1 (diff)
GCE-service: Update fetch-ssh-keys API usage
Diffstat (limited to 'nixos/modules/virtualisation')
-rw-r--r--nixos/modules/virtualisation/google-compute-image.nix71
1 files changed, 27 insertions, 44 deletions
diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index ff39f1bf8dae..3943a62f8a45 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@@ -20,7 +20,7 @@ in
       rm $out/disk.raw
       popd
     '';
-    configFile = ./google-compute-config.nix;
+    configFile = <nixpkgs/nixos/modules/virtualisation/google-compute-config.nix>;
     format = "raw";
     inherit diskSize;
     inherit config lib pkgs;
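Review bot: The new `configFile = <nixpkgs/nixos/modules/virtualisation/google-compute-config.nix>` is resolved through NIX_PATH at evaluation time, whereas the replaced `./google-compute-config.nix` was the file shipped next to this module; the image's config now comes from whichever nixpkgs the evaluating environment points at, and evaluation fails outright if `nixpkgs` is absent from NIX_PATH. If the lookup is intentional, a one-line comment saying why the ambient nixpkgs is preferred over the sibling file would keep the next reader from "fixing" it back. The enclosing attribute set starts and ends outside this hunk.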
@@ -78,51 +78,34 @@ in
           # When dealing with cryptographic keys, we want to keep things private.
           umask 077
           # Don't download the SSH key if it has already been downloaded
-          if ! [ -s /root/.ssh/authorized_keys ]; then
-              echo "obtaining SSH key..."
-              mkdir -m 0700 -p /root/.ssh
-              AUTH_KEYS=$(${mktemp})
-              ${wget} -O $AUTH_KEYS http://metadata.google.internal/0.1/meta-data/authorized-keys
-              if [ -s $AUTH_KEYS ]; then
-                  KEY_PUB=$(${mktemp})
-                  cat $AUTH_KEYS | cut -d: -f2- > $KEY_PUB
-                  if ! grep -q -f $KEY_PUB /root/.ssh/authorized_keys; then
-                      cat $KEY_PUB >> /root/.ssh/authorized_keys
-                      echo "New key added to authorized_keys."
-                  fi
-                  chmod 600 /root/.ssh/authorized_keys
-                  rm -f $KEY_PUB
-              else
-                  echo "Downloading http://metadata.google.internal/0.1/meta-data/authorized-keys failed."
-                  false
+          echo "Obtaining SSH keys..."
+          mkdir -m 0700 -p /root/.ssh
+          AUTH_KEYS=$(${mktemp})
+          ${wget} -O $AUTH_KEYS http://metadata.google.internal/computeMetadata/v1/project/attributes/sshKeys
+          if [ -s $AUTH_KEYS ]; then
+
+            # Read in key one by one, split in case Google decided
+            # to append metadata (it does sometimes) and add to
+            # authorized_keys if not already present.
+            touch /root/.ssh/authorized_keys
+            NEW_KEYS=$(${mktemp})
+            # Yes this is a nix escape of two single quotes.
+            while IFS=''' read -r line || [[ -n "$line" ]]; do
+              keyLine=$(echo -n "$line" | cut -d ':' -f2)
+              IFS=' ' read -r -a array <<< "$keyLine"
+              if [ ''${#array[@]} -ge 3 ]; then
+                echo ''${array[@]:0:3} >> $NEW_KEYS
+                echo "Added ''${array[@]:2} to authorized_keys"
               fi
-              rm -f $AUTH_KEYS
-          fi
-
-          countKeys=0
-          ${flip concatMapStrings config.services.openssh.hostKeys (k :
-            let kName = baseNameOf k.path; in ''
-              PRIV_KEY=$(${mktemp})
-              echo "trying to obtain SSH private host key ${kName}"
-              ${wget} -O $PRIV_KEY http://metadata.google.internal/0.1/meta-data/attributes/${kName} && :
-              if [ $? -eq 0 -a -s $PRIV_KEY ]; then
-                  countKeys=$((countKeys+1))
-                  mv -f $PRIV_KEY ${k.path}
-                  echo "Downloaded ${k.path}"
-                  chmod 600 ${k.path}
-                  ${config.programs.ssh.package}/bin/ssh-keygen -y -f ${k.path} > ${k.path}.pub
-                  chmod 644 ${k.path}.pub
-              else
-                  echo "Downloading http://metadata.google.internal/0.1/meta-data/attributes/${kName} failed."
-              fi
-              rm -f $PRIV_KEY
-            ''
-          )}
-
-          if [[ $countKeys -le 0 ]]; then
-             echo "failed to obtain any SSH private host keys."
-             false
+            done < $AUTH_KEYS
+            mv $NEW_KEYS /root/.ssh/authorized_keys
+            chmod 600 /root/.ssh/authorized_keys
+            rm -f $KEY_PUB
+          else
+            echo "Downloading http://metadata.google.internal/computeMetadata/v1/project/attributes/sshKeys failed."
+            false
           fi
+          rm -f $AUTH_KEYS
         '';
       serviceConfig.Type = "oneshot";
       serviceConfig.RemainAfterExit = true;
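Review bot: The wget on the new `computeMetadata/v1/project/attributes/sshKeys` line sends no `Metadata-Flavor: Google` header, which the v1 metadata server requires (the old 0.1 endpoint did not), so the fetch is rejected, `$AUTH_KEYS` stays empty, and the service takes the `false` branch on every boot; the line should read `${wget} --header="Metadata-Flavor: Google" -O $AUTH_KEYS http://metadata.google.internal/computeMetadata/v1/project/attributes/sshKeys`. The comment above the `while` loop says keys are added to authorized_keys "if not already present", but `mv $NEW_KEYS /root/.ssh/authorized_keys` replaces the file wholesale (making the preceding `touch` a no-op) and drops any key that was added by other means, and the context comment "Don't download the SSH key if it has already been downloaded" no longer matches now that the `-s` guard is gone — either reword both comments to say the file is regenerated from metadata on each boot, or merge as the comment describes. `rm -f $KEY_PUB` is a leftover from the removed code: `KEY_PUB` is never assigned in the new script. The `-ge 3` test also silently discards a key supplied without a trailing comment, since only the type and base64 fields are mandatory in authorized_keys; `-ge 2` with the existing `:0:3` slice would keep such keys, if that is acceptable here.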