commit d0be6dcd70b4251c9dff5343a7c0c37bb73d03a4 · pyrox.dev/nixpkgs

+36

nixos/modules/virtualisation/fetch-instance-ssh-keys.bash

···

       1
       +
       #!/usr/bin/env bash

     

       2
       +
       

     

       3
       +
       set -euo pipefail

     

       4
       +
       

     

       5
       +
       WGET() {

     

       6
       +
           wget --retry-connrefused -t 15 --waitretry=10 --header='Metadata-Flavor: Google' "$@"

     

       7
       +
       }

     

       8
       +
       

     

       9
       +
       # When dealing with cryptographic keys, we want to keep things private.

     

       10
       +
       umask 077

     

       11
       +
       mkdir -p /root/.ssh

     

       12
       +
       

     

       13
       +
       echo "Fetching authorized keys..."

     

       14
       +
       WGET -O /tmp/auth_keys http://metadata.google.internal/computeMetadata/v1/instance/attributes/sshKeys

     

       15
       +
       

     

       16
       +
       # Read keys one by one, split in case Google decided

     

       17
       +
       # to append metadata (it does sometimes) and add to

     

       18
       +
       # authorized_keys if not already present.

     

       19
       +
       touch /root/.ssh/authorized_keys

     

       20
       +
       while IFS='' read -r line || [[ -n "$line" ]]; do

     

       21
       +
           keyLine=$(echo -n "$line" | cut -d ':' -f2)

     

       22
       +
           IFS=' ' read -r -a array <<<"$keyLine"

     

       23
       +
           if [[ ${#array[@]} -ge 3 ]]; then

     

       24
       +
               echo "${array[@]:0:3}" >>/tmp/new_keys

     

       25
       +
               echo "Added ${array[*]:2} to authorized_keys"

     

       26
       +
           fi

     

       27
       +
       done </tmp/auth_keys

     

       28
       +
       mv /tmp/new_keys /root/.ssh/authorized_keys

     

       29
       +
       chmod 600 /root/.ssh/authorized_keys

     

       30
       +
       

     

       31
       +
       echo "Fetching host keys..."

     

       32
       +
       WGET -O /tmp/ssh_host_ed25519_key http://metadata.google.internal/computeMetadata/v1/instance/attributes/ssh_host_ed25519_key

     

       33
       +
       WGET -O /tmp/ssh_host_ed25519_key.pub http://metadata.google.internal/computeMetadata/v1/instance/attributes/ssh_host_ed25519_key_pub

     

       34
       +
       mv -f /tmp/ssh_host_ed25519_key* /etc/ssh/

     

       35
       +
       chmod 600 /etc/ssh/ssh_host_ed25519_key

     

       36
       +
       chmod 644 /etc/ssh/ssh_host_ed25519_key.pub

+25

nixos/modules/virtualisation/google-compute-config.nix

···

       69
        
         # GC has 1460 MTU

     

       70
        
         networking.interfaces.eth0.mtu = 1460;

     

       71
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       72
        
         systemd.services.google-instance-setup = {

     

       73
        
           description = "Google Compute Engine Instance Setup";

     

       74
        
           after = [ "network-online.target" "network.target" "rsyslog.service" ];

···

       69
        
         # GC has 1460 MTU

     

       70
        
         networking.interfaces.eth0.mtu = 1460;

     

       71
        
       

     

       72
       +
         # Used by NixOps

     

       73
       +
         systemd.services.fetch-instance-ssh-keys = {

     

       74
       +
           description = "Fetch host keys and authorized_keys for root user";

     

       75
       +
       

     

       76
       +
           wantedBy = [ "sshd.service" ];

     

       77
       +
           before = [ "sshd.service" ];

     

       78
       +
           after = [ "network-online.target" ];

     

       79
       +
           wants = [ "network-online.target" ];

     

       80
       +
           path = [ pkgs.wget ];

     

       81
       +
       

     

       82
       +
           serviceConfig = {

     

       83
       +
             Type = "oneshot";

     

       84
       +
             ExecStart = pkgs.runCommand "fetch-instance-ssh-keys" { } ''

     

       85
       +
               cp ${./fetch-instance-ssh-keys.bash} $out

     

       86
       +
               chmod +x $out

     

       87
       +
               ${pkgs.shfmt}/bin/shfmt -i 4 -d $out

     

       88
       +
               ${pkgs.shellcheck}/bin/shellcheck $out

     

       89
       +
               patchShebangs $out

     

       90
       +
             '';

     

       91
       +
             PrivateTmp = true;

     

       92
       +
             StandardError = "journal+console";

     

       93
       +
             StandardOutput = "journal+console";

     

       94
       +
           };

     

       95
       +
         };

     

       96
       +
       

     

       97
        
         systemd.services.google-instance-setup = {

     

       98
        
           description = "Google Compute Engine Instance Setup";

     

       99
        
           after = [ "network-online.target" "network.target" "rsyslog.service" ];