author | Mateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk> | 2017-05-18 16:59:14 +0100 |
committer | Mateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk> | 2017-05-20 22:54:07 +0100 |
commit | a2c900dc879f71a658a5f17d9d83f9e79b25787d (patch) | |
tree | a2d908156f614478abb1e84794a55a019d3a29af /nixos/modules/virtualisation | |
parent | ef8553ba03fa16be6a3b7542971cf25fc7721ca1 (diff) | |
GCE-service: Update fetch-ssh-keys API usage
Diffstat (limited to 'nixos/modules/virtualisation')
-rw-r--r-- | nixos/modules/virtualisation/google-compute-image.nix | 71 |
1 files changed, 27 insertions, 44 deletions
diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index ff39f1bf8dae..3943a62f8a45 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@@ -20,7 +20,7 @@ in
 rm $out/disk.raw
 popd
 '';
-configFile = ./google-compute-config.nix;
+configFile = <nixpkgs/nixos/modules/virtualisation/google-compute-config.nix>;
 format = "raw";
 inherit diskSize;
 inherit config lib pkgs;
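Review bot: `configFile = <nixpkgs/nixos/modules/virtualisation/google-compute-config.nix>` is resolved through NIX_PATH at evaluation time, so the image can end up built with a google-compute-config.nix taken from whatever nixpkgs checkout the environment points at rather than the one this module lives in, which the old `./google-compute-config.nix` could not do. If that is intended, a comment such as `# resolved via NIX_PATH, not relative to this file` next to the line would save the next reader the question; otherwise the relative path is the safer choice. The enclosing attribute set starts and ends outside the hunk.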
@@ -78,51 +78,34 @@ in # When dealing with cryptographic keys, we want to keep things private. umask 077 # Don't download the SSH key if it has already been downloaded - if ! [ -s /root/.ssh/authorized_keys ]; then - echo "obtaining SSH key..." - mkdir -m 0700 -p /root/.ssh - AUTH_KEYS=$(${mktemp}) - ${wget} -O $AUTH_KEYS http://metadata.google.internal/0.1/meta-data/authorized-keys - if [ -s $AUTH_KEYS ]; then - KEY_PUB=$(${mktemp}) - cat $AUTH_KEYS | cut -d: -f2- > $KEY_PUB - if ! grep -q -f $KEY_PUB /root/.ssh/authorized_keys; then - cat $KEY_PUB >> /root/.ssh/authorized_keys - echo "New key added to authorized_keys." - fi - chmod 600 /root/.ssh/authorized_keys - rm -f $KEY_PUB - else - echo "Downloading http://metadata.google.internal/0.1/meta-data/authorized-keys failed." - false + echo "Obtaining SSH keys..." + mkdir -m 0700 -p /root/.ssh + AUTH_KEYS=$(${mktemp}) + ${wget} -O $AUTH_KEYS http://metadata.google.internal/computeMetadata/v1/project/attributes/sshKeys + if [ -s $AUTH_KEYS ]; then + + # Read in key one by one, split in case Google decided + # to append metadata (it does sometimes) and add to + # authorized_keys if not already present. + touch /root/.ssh/authorized_keys + NEW_KEYS=$(${mktemp}) + # Yes this is a nix escape of two single quotes. + while IFS=''' read -r line || [[ -n "$line" ]]; do + keyLine=$(echo -n "$line" | cut -d ':' -f2) + IFS=' ' read -r -a array <<< "$keyLine" + if [ ''${#array[@]} -ge 3 ]; then + echo ''${array[@]:0:3} >> $NEW_KEYS + echo "Added ''${array[@]:2} to authorized_keys" fi - rm -f $AUTH_KEYS - fi - - countKeys=0 - ${flip concatMapStrings config.services.openssh.hostKeys (k : - let kName = baseNameOf k.path; in '' - PRIV_KEY=$(${mktemp}) - echo "trying to obtain SSH private host key ${kName}" - ${wget} -O $PRIV_KEY http://metadata.google.internal/0.1/meta-data/attributes/${kName} && : - if [ $? 
-eq 0 -a -s $PRIV_KEY ]; then - countKeys=$((countKeys+1)) - mv -f $PRIV_KEY ${k.path} - echo "Downloaded ${k.path}" - chmod 600 ${k.path} - ${config.programs.ssh.package}/bin/ssh-keygen -y -f ${k.path} > ${k.path}.pub - chmod 644 ${k.path}.pub - else - echo "Downloading http://metadata.google.internal/0.1/meta-data/attributes/${kName} failed." - fi - rm -f $PRIV_KEY - '' - )} - - if [[ $countKeys -le 0 ]]; then - echo "failed to obtain any SSH private host keys." - false + done < $AUTH_KEYS + mv $NEW_KEYS /root/.ssh/authorized_keys + chmod 600 /root/.ssh/authorized_keys + rm -f $KEY_PUB + else + echo "Downloading http://metadata.google.internal/computeMetadata/v1/project/attributes/sshKeys failed." + false fi + rm -f $AUTH_KEYS ''; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; |
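Review bot: The new loop replaces /root/.ssh/authorized_keys wholesale with `mv $NEW_KEYS /root/.ssh/authorized_keys`, so the preceding `touch` and the comment promising to "add to authorized_keys if not already present" are misleading, and a metadata response in which no line yields three fields leaves root with an empty authorized_keys on every boot; either merge as the old `grep -q -f` path did or guard with `[ -s $NEW_KEYS ] || { echo "no usable keys in sshKeys"; exit 1; }` before the mv. As far as I recall the v1 endpoint only answers requests carrying the `Metadata-Flavor: Google` header (it is GCE's SSRF guard), so the `${wget} -O $AUTH_KEYS ...` line probably needs `--header='Metadata-Flavor: Google'` to ever get past the `[ -s $AUTH_KEYS ]` check. Because `cut -d ':' -f2` discards the username prefix, every key in the project-wide `sshKeys` attribute becomes a root key regardless of which account it was provisioned for, and the instance-level `ssh-keys` / `block-project-ssh-keys` attributes are not consulted; that deserves a comment at the top of the loop, e.g. `# NOTE: every project sshKeys entry is granted root, irrespective of its user: prefix`. The trailing `rm -f $KEY_PUB` refers to a variable this hunk deletes and can go, and the hunk also silently drops the host-key provisioning loop the old code ran, which the commit title does not mention. The enclosing `script` string begins before the hunk.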