# This module defines systemd services that, on virtual machines running
# on Amazon EC2, Eucalyptus and OpenStack Compute (Nova), fetch the
# instance's host name and root's SSH public key from the metadata
# service, optionally install SSH host keys carried in the user data,
# and print the host key fingerprints on the console.
4
5{ config, lib, pkgs, ... }:
6
7with lib;
8
9{
10 config = {
11
12 systemd.services.fetch-ec2-data =
13 { description = "Fetch EC2 Data";
14
15 wantedBy = [ "multi-user.target" "sshd.service" ];
16 before = [ "sshd.service" ];
17 wants = [ "ip-up.target" ];
18 after = [ "ip-up.target" ];
19
20 path = [ pkgs.wget pkgs.iproute ];
21
22 script =
23 ''
24 wget="wget -q --retry-connrefused -O -"
25
26 ${optionalString (config.networking.hostName == "") ''
27 echo "setting host name..."
28 ${pkgs.nettools}/bin/hostname $($wget http://169.254.169.254/1.0/meta-data/hostname)
29 ''}
30
31 # Don't download the SSH key if it has already been injected
32 # into the image (a Nova feature).
33 if ! [ -e /root/.ssh/authorized_keys ]; then
34 echo "obtaining SSH key..."
35 mkdir -m 0700 -p /root/.ssh
36 $wget http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key > /root/key.pub
37 if [ $? -eq 0 -a -e /root/key.pub ]; then
38 cat /root/key.pub >> /root/.ssh/authorized_keys
39 echo "new key added to authorized_keys"
40 chmod 600 /root/.ssh/authorized_keys
41 rm -f /root/key.pub
42 fi
43 fi
44
45 # Extract the intended SSH host key for this machine from
46 # the supplied user data, if available. Otherwise sshd will
47 # generate one normally.
48 $wget http://169.254.169.254/2011-01-01/user-data > /root/user-data || true
49
50 mkdir -m 0755 -p /etc/ssh
51
52 key="$(sed 's/|/\n/g; s/SSH_HOST_DSA_KEY://; t; d' /root/user-data)"
53 key_pub="$(sed 's/SSH_HOST_DSA_KEY_PUB://; t; d' /root/user-data)"
54 if [ -n "$key" -a -n "$key_pub" -a ! -e /etc/ssh/ssh_host_dsa_key ]; then
55 (umask 077; echo "$key" > /etc/ssh/ssh_host_dsa_key)
56 echo "$key_pub" > /etc/ssh/ssh_host_dsa_key.pub
57 fi
58
59 key="$(sed 's/|/\n/g; s/SSH_HOST_ED25519_KEY://; t; d' /root/user-data)"
60 key_pub="$(sed 's/SSH_HOST_ED25519_KEY_PUB://; t; d' /root/user-data)"
61 if [ -n "$key" -a -n "$key_pub" -a ! -e /etc/ssh/ssh_host_ed25519_key ]; then
62 (umask 077; echo "$key" > /etc/ssh/ssh_host_ed25519_key)
63 echo "$key_pub" > /etc/ssh/ssh_host_ed25519_key.pub
64 fi
65 '';
66
67 serviceConfig.Type = "oneshot";
68 serviceConfig.RemainAfterExit = true;
69 };
70
71 systemd.services."print-host-key" =
72 { description = "Print SSH Host Key";
73 wantedBy = [ "multi-user.target" ];
74 after = [ "sshd.service" ];
75 script =
76 ''
77 # Print the host public key on the console so that the user
78 # can obtain it securely by parsing the output of
79 # ec2-get-console-output.
80 echo "-----BEGIN SSH HOST KEY FINGERPRINTS-----" > /dev/console
81 for i in /etc/ssh/ssh_host_*_key.pub; do
82 ${config.programs.ssh.package}/bin/ssh-keygen -l -f $i > /dev/console
83 done
84 echo "-----END SSH HOST KEY FINGERPRINTS-----" > /dev/console
85 '';
86 serviceConfig.Type = "oneshot";
87 serviceConfig.RemainAfterExit = true;
88 };
89
90 };
91}