pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #6732 from oconnorr/master

Use mktemp to create temporary files to hold ssh host keys and authorized keys

Wout Mertens 0666ee47 0307c272

options
unified split
Changed files
+29 -19
nixos
modules
virtualisation
google-compute-image.nix
+29 -19
nixos/modules/virtualisation/google-compute-image.nix 
···

       
137

       
137

       
 

       
      after = [ "network-online.target" "ip-up.target" ];


     

       
138

       
138

       
 

       
      wants = [ "network-online.target" "ip-up.target" ];


     

       
139

       
139

       
 

       



     

       
140

       

       
-

       
      script = let wget = "${pkgs.wget}/bin/wget --retry-connrefused -t 15 --waitretry=10 --header='Metadata-Flavor: Google'"; in


     

       

       
140

       
+

       
      script = let wget = "${pkgs.wget}/bin/wget --retry-connrefused -t 15 --waitretry=10 --header='Metadata-Flavor: Google'";


     

       

       
141

       
+

       
                   mktemp = "mktemp --tmpdir=/run"; in


     

       
141

       
142

       
 

       
        ''


     

       
142

       
143

       
 

       
          # When dealing with cryptographic keys, we want to keep things private.


     

       
143

       
144

       
 

       
          umask 077


     

       
144

       
145

       
 

       
          # Don't download the SSH key if it has already been downloaded


     

       
145

       

       
-

       
          if ! [ -e /root/.ssh/authorized_keys ]; then


     

       
146

       

       
-

       
                echo "obtaining SSH key..."


     

       
147

       

       
-

       
                mkdir -m 0700 -p /root/.ssh


     

       
148

       

       
-

       
                ${wget} -O /root/authorized-keys-metadata http://metadata.google.internal/0.1/meta-data/authorized-keys


     

       
149

       

       
-

       
                if [ $? -eq 0 -a -e /root/authorized-keys-metadata ]; then


     

       
150

       

       
-

       
                    cat /root/authorized-keys-metadata | cut -d: -f2- > /root/key.pub


     

       
151

       

       
-

       
                    if ! grep -q -f /root/key.pub /root/.ssh/authorized_keys; then


     

       
152

       

       
-

       
                        cat /root/key.pub >> /root/.ssh/authorized_keys


     

       
153

       

       
-

       
                        echo "new key added to authorized_keys"


     

       
154

       

       
-

       
                    fi


     

       
155

       

       
-

       
                    chmod 600 /root/.ssh/authorized_keys


     

       
156

       

       
-

       
                fi


     

       
157

       

       
-

       
                rm -f /root/key.pub /root/authorized-keys-metadata


     

       

       
146

       
+

       
          if ! [ -s /root/.ssh/authorized_keys ]; then


     

       

       
147

       
+

       
              echo "obtaining SSH key..."


     

       

       
148

       
+

       
              mkdir -m 0700 -p /root/.ssh


     

       

       
149

       
+

       
              AUTH_KEYS=$(${mktemp})


     

       

       
150

       
+

       
              ${wget} -O $AUTH_KEYS http://metadata.google.internal/0.1/meta-data/authorized-keys


     

       

       
151

       
+

       
              if [ -s $AUTH_KEYS ]; then


     

       

       
152

       
+

       
                  KEY_PUB=$(${mktemp})


     

       

       
153

       
+

       
                  cat $AUTH_KEYS | cut -d: -f2- > $KEY_PUB


     

       

       
154

       
+

       
                  if ! grep -q -f $KEY_PUB /root/.ssh/authorized_keys; then


     

       

       
155

       
+

       
                      cat $KEY_PUB >> /root/.ssh/authorized_keys


     

       

       
156

       
+

       
                      echo "New key added to authorized_keys."


     

       

       
157

       
+

       
                  fi


     

       

       
158

       
+

       
                  chmod 600 /root/.ssh/authorized_keys


     

       

       
159

       
+

       
                  rm -f $KEY_PUB


     

       

       
160

       
+

       
              else


     

       

       
161

       
+

       
                  echo "Downloading http://metadata.google.internal/0.1/meta-data/authorized-keys failed."


     

       

       
162

       
+

       
                  false


     

       

       
163

       
+

       
              fi


     

       

       
164

       
+

       
              rm -f $AUTH_KEYS


     

       
158

       
165

       
 

       
          fi


     

       
159

       
166

       
 

       



     

       
160

       
167

       
 

       
          countKeys=0


     

       
161

       
168

       
 

       
          ${flip concatMapStrings config.services.openssh.hostKeys (k :


     

       
162

       
169

       
 

       
            let kName = baseNameOf k.path; in ''


     

       

       
170

       
+

       
              PRIV_KEY=$(${mktemp})


     

       
163

       
171

       
 

       
              echo "trying to obtain SSH private host key ${kName}"


     

       
164

       

       
-

       
              ${wget} -O /root/${kName} http://metadata.google.internal/0.1/meta-data/attributes/${kName} && :


     

       
165

       

       
-

       
              if [ $? -eq 0 -a -e /root/${kName} ]; then


     

       

       
172

       
+

       
              ${wget} -O $PRIV_KEY http://metadata.google.internal/0.1/meta-data/attributes/${kName} && :


     

       

       
173

       
+

       
              if [ $? -eq 0 -a -s $PRIV_KEY ]; then


     

       
166

       
174

       
 

       
                  countKeys=$((countKeys+1))


     

       
167

       

       
-

       
                  mv -f /root/${kName} ${k.path}


     

       
168

       

       
-

       
                  echo "downloaded ${k.path}"


     

       

       
175

       
+

       
                  mv -f $PRIV_KEY ${k.path}


     

       

       
176

       
+

       
                  echo "Downloaded ${k.path}"


     

       
169

       
177

       
 

       
                  chmod 600 ${k.path}


     

       
170

       
178

       
 

       
                  ${config.programs.ssh.package}/bin/ssh-keygen -y -f ${k.path} > ${k.path}.pub


     

       
171

       
179

       
 

       
                  chmod 644 ${k.path}.pub


     

       

       
180

       
+

       
              else


     

       

       
181

       
+

       
                  echo "Downloading http://metadata.google.internal/0.1/meta-data/attributes/${kName} failed."


     

       
172

       
182

       
 

       
              fi


     

       
173

       

       
-

       
              rm -f /root/${kName}


     

       

       
183

       
+

       
              rm -f $PRIV_KEY


     

       
174

       
184

       
 

       
            ''


     

       
175

       
185

       
 

       
          )}


     

       
176

       
186