author | Rob Vermaas <rob.vermaas@gmail.com> | 2015-01-14 13:19:38 +0100 |
---|---|---|
committer | Rob Vermaas <rob.vermaas@gmail.com> | 2015-01-14 13:19:38 +0100 |
commit | df7923fa822d472ca0315f586e9e332e3a676551 (patch) | |
tree | fdd8f7f8eeb28693282c24438f01b10da6484787 | |
parent | 50640b18faa427890835fa3595317546c376243d (diff) | |
parent | d1a58ef7c6873677fc95cbd46d405368e160ac2a (diff) |
Merge pull request #5515 from oconnorr/master
GCE updates to ntp server and to fetch all ssh keys
-rw-r--r-- | nixos/modules/virtualisation/google-compute-image.nix | 44 |
1 files changed, 26 insertions, 18 deletions
diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index 5dbb7693fa136..41c7dd62f3ede 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@@ -120,6 +120,8 @@ in
169.254.169.254 metadata.google.internal metadata
'';
+ services.ntp.servers = [ "metadata.google.internal" ];
+
networking.usePredictableInterfaceNames = false;
systemd.services.fetch-ssh-keys =
@@ -130,15 +132,15 @@ in
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
- path = [ pkgs.wget ];
- script =
+ script = let wget = "${pkgs.wget}/bin/wget --retry-connrefused -t 6 --waitretry=10"; in
''
- wget="wget --retry-connrefused -t 6 --waitretry=10"
+ # When dealing with cryptographic keys, we want to keep things private.
+ umask 077
# Don't download the SSH key if it has already been downloaded
if ! [ -e /root/.ssh/authorized_keys ]; then
echo "obtaining SSH key..."
mkdir -p /root/.ssh
- $wget -O /root/authorized-keys-metadata http://metadata/0.1/meta-data/authorized-keys
+ ${wget} -O /root/authorized-keys-metadata http://metadata/0.1/meta-data/authorized-keys
if [ $? -eq 0 -a -e /root/authorized-keys-metadata ]; then
cat /root/authorized-keys-metadata | cut -d: -f2- > /root/key.pub
if ! grep -q -f /root/key.pub /root/.ssh/authorized_keys; then
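Review bot: The authorized-keys fetch `${wget} -O /root/authorized-keys-metadata http://metadata/0.1/meta-data/authorized-keys` is left unguarded, while the new host-key loop in the next hunk appends `&& :` to its wget call; that idiom suggests the unit script runs with errexit, in which case a failed authorized-keys download aborts the whole script before any host key is fetched and the `if [ $? -eq 0 -a -e /root/authorized-keys-metadata ]` check directly below it never runs. If that is the intent, the same guard keeps the two paths consistent: `${wget} -O /root/authorized-keys-metadata http://metadata/0.1/meta-data/authorized-keys && :`. The `script` body begun in this hunk continues into the following hunk.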
@@ -146,24 +148,30 @@ in
echo "new key added to authorized_keys"
fi
chmod 600 /root/.ssh/authorized_keys
- rm -f /root/key.pub /root/authorized-keys-metadata
fi
+ rm -f /root/key.pub /root/authorized-keys-metadata
fi
- echo "obtaining SSH private host key..."
- $wget -O /root/ssh_host_ecdsa_key http://metadata/0.1/meta-data/attributes/ssh_host_ecdsa_key
- if [ $? -eq 0 -a -e /root/ssh_host_ecdsa_key ]; then
- mv -f /root/ssh_host_ecdsa_key /etc/ssh/ssh_host_ecdsa_key
- echo "downloaded ssh_host_ecdsa_key"
- chmod 600 /etc/ssh/ssh_host_ecdsa_key
- fi
+ countKeys=0
+ ${flip concatMapStrings config.services.openssh.hostKeys (k :
+ let kName = baseNameOf k.path; in ''
+ echo "trying to obtain SSH private host key ${kName}"
+ ${wget} -O /root/${kName} http://metadata/0.1/meta-data/attributes/${kName} && :
+ if [ $? -eq 0 -a -e /root/${kName} ]; then
+ countKeys=$((countKeys+1))
+ mv -f /root/${kName} ${k.path}
+ echo "downloaded ${k.path}"
+ chmod 600 ${k.path}
+ ${config.programs.ssh.package}/bin/ssh-keygen -y -f ${k.path} > ${k.path}.pub
+ chmod 644 ${k.path}.pub
+ fi
+ rm -f /root/${kName}
+ ''
+ )}
- echo "obtaining SSH public host key..."
- $wget -O /root/ssh_host_ecdsa_key.pub http://metadata/0.1/meta-data/attributes/ssh_host_ecdsa_key_pub
- if [ $? -eq 0 -a -e /root/ssh_host_ecdsa_key.pub ]; then
- mv -f /root/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub
- echo "downloaded ssh_host_ecdsa_key.pub"
- chmod 644 /etc/ssh/ssh_host_ecdsa_key.pub
+ if [[ $countKeys -le 0 ]]; then
+ echo "failed to obtain any SSH private host keys."
+ false
fi
'';
serviceConfig.Type = "oneshot";
|
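Review bot: The downloaded host key is installed with `mv -f /root/${kName} ${k.path}` before anything checks that it is a usable key; `ssh-keygen -y` only runs afterwards, so a truncated or non-key response from the metadata server (the `$? -eq 0` test only proves wget got a 2xx) has already replaced the working key at `${k.path}`, and if the script aborts on the failing `ssh-keygen` (as the `&& :` guard suggests it does) sshd is left with a broken key and no `.pub`. Running `ssh-keygen -y` against the staged copy under `/root` first, and moving both files into place only on success, keeps a bad fetch from clobbering a good host key; the rewritten loop body is below. As a minor style point, `if [[ $countKeys -le 0 ]]` is the only bash-specific test in a script that otherwise uses POSIX `[ … ]`. The `script` definition starts in the previous hunk and the `fetch-ssh-keys` service continues past this one.
```nix
            let kName = baseNameOf k.path; in ''
              echo "trying to obtain SSH private host key ${kName}"
              ${wget} -O /root/${kName} http://metadata/0.1/meta-data/attributes/${kName} && :
              # Validate the staged key before touching ${k.path}: ssh-keygen -y fails on a
              # truncated or non-key download, so a bad fetch never replaces a working host key.
              if [ $? -eq 0 -a -e /root/${kName} ] && ${config.programs.ssh.package}/bin/ssh-keygen -y -f /root/${kName} > /root/${kName}.pub; then
                countKeys=$((countKeys+1))
                mv -f /root/${kName} ${k.path}
                mv -f /root/${kName}.pub ${k.path}.pub
                echo "downloaded ${k.path}"
                chmod 600 ${k.path}
                chmod 644 ${k.path}.pub
              fi
              rm -f /root/${kName} /root/${kName}.pub
            ''
```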