1#!/usr/bin/env bash
2
# Strict mode: abort on any unhandled failure, on unset variables, and on a
# failing stage anywhere in a pipeline. Spelled out in long form.
set -o errexit -o nounset -o pipefail
4
#######################################
# wget wrapper for the GCE metadata server.
# Always sends the `Metadata-Flavor: Google` header the metadata service
# expects, treats a refused connection as transient and allows up to 15
# tries with up to 10 s between retries (presumably to ride out the window
# early in boot when the metadata server is not yet reachable — confirm).
# Arguments: passed straight through to wget (e.g. -O <file> <url>)
# Returns:   wget's exit status
#######################################
WGET() {
  local -a base_opts=(
    --retry-connrefused
    -t 15
    --waitretry=10
    --header='Metadata-Flavor: Google'
  )
  wget "${base_opts[@]}" "$@"
}
8
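# When dealing with cryptographic keys, we want to keep things private:
# every file created below (staging files, authorized_keys, the host key)
# inherits 0600 from this umask, so nothing is ever briefly world-readable.
umask 077
mkdir -p /root/.ssh

# Stage all downloads in a private, unpredictable directory rather than at
# fixed names under /tmp. With fixed names, anything already sitting at
# /tmp/new_keys (a leftover from an interrupted run, or a file/symlink planted
# by a local user) would be appended to and then installed as root's
# authorized_keys, and a pre-existing /tmp/ssh_host_ed25519_key would keep its
# original, possibly world-readable, mode when wget truncates it.
# The EXIT trap also removes a half-fetched host private key if a later step
# fails under `set -e`.
work_dir=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }
cleanup() { rm -rf -- "${work_dir:?}"; }
trap cleanup EXIT

readonly METADATA_BASE=http://metadata.google.internal/computeMetadata/v1/instance/attributes

echo "Fetching authorized keys..."
WGET -O "${work_dir}/auth_keys" "${METADATA_BASE}/sshKeys"

# Each metadata line is "<username>:<type> <base64-key> [<comment> ...]".
# Google sometimes appends its own trailer (e.g. `google-ssh {...}` carrying
# an expiry), so only the first three space-separated fields after the
# username are kept: type, key material and the first comment word.
# Everything after the first ':' is taken as the key, so a ':' inside a
# comment or trailer no longer truncates the line (a plain `cut -f2` would).
# NOTE(review): an expireOn carried in that trailer is not honoured — every
# key present in the metadata is installed. Confirm that is intended.
# authorized_keys is rebuilt from scratch on every run: keys removed from the
# metadata are dropped; nothing is merged with or deduplicated against the
# previously installed file.
new_keys="${work_dir}/new_keys"
: >"$new_keys"
key_count=0
while IFS='' read -r line || [[ -n "$line" ]]; do
  IFS=' ' read -r -a fields <<<"${line#*:}"
  # A valid authorized_keys entry needs at least a type and key material; the
  # comment is optional, so a two-field line is not silently dropped.
  if (( ${#fields[@]} >= 2 )); then
    entry="${fields[0]} ${fields[1]}"
    if [[ -n "${fields[2]:-}" ]]; then
      entry+=" ${fields[2]}"
    fi
    printf '%s\n' "$entry" >>"$new_keys"
    echo "Added ${fields[2]:-${fields[0]}} to authorized_keys"
    key_count=$((key_count + 1))
  fi
done <"${work_dir}/auth_keys"

# Never replace root's authorized_keys with an empty file: if the metadata
# yielded nothing usable, keep what is installed and fail loudly so the
# problem is noticed rather than turning into a lock-out.
if (( key_count == 0 )); then
  echo "No usable keys in sshKeys metadata; leaving authorized_keys untouched" >&2
  exit 1
fi
mv -f -- "$new_keys" /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

echo "Fetching host keys..."
host_key="${work_dir}/ssh_host_ed25519_key"
WGET -O "$host_key" "${METADATA_BASE}/ssh_host_ed25519_key"
WGET -O "${host_key}.pub" "${METADATA_BASE}/ssh_host_ed25519_key_pub"
# Do not install an empty key pair (an attribute that exists but is blank)
# over whatever sshd is currently using.
if [[ ! -s "$host_key" || ! -s "${host_key}.pub" ]]; then
  echo "Fetched host key material is empty; not installing" >&2
  exit 1
fi
# NOTE(review): the host private key is served from instance metadata, and
# the only gate visible here is the Metadata-Flavor header, so any process on
# the instance that can reach the metadata server can read it. Confirm that
# fits the threat model for this host-key distribution scheme.
# Move the two files by name — no glob, so nothing else that happens to share
# the prefix can be dragged into /etc/ssh/.
mv -f -- "$host_key" "${host_key}.pub" /etc/ssh/
chmod 600 /etc/ssh/ssh_host_ed25519_key
chmod 644 /etc/ssh/ssh_host_ed25519_key.pub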