authorRussell O'Connor <oconnorr@google.com>2015-04-28 21:28:16 +0000
committerRussell O'Connor <oconnorr@google.com>2015-05-29 19:53:58 +0000
commit29b7d76ec81b1ba6536d72415a853ff596d7b6b2 (patch)
treeaab38aca385fd2d73a8106cef60e5195c761c8bc /nixos/modules/virtualisation
parent4744e3541ad2308625afd1d0ac53329efd947e6a (diff)
Remove use of && in fetch-ssh-keys service.
Scripts are run with -e so will abort when a command fails.
Diffstat (limited to 'nixos/modules/virtualisation')
-rw-r--r--nixos/modules/virtualisation/google-compute-image.nix60
1 files changed, 31 insertions, 29 deletions
diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index cdcd7e5a126c5..fcc71773deac2 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@@ -143,42 +143,44 @@ in
           # When dealing with cryptographic keys, we want to keep things private.
           umask 077
           # Don't download the SSH key if it has already been downloaded
-          if ! [ -e /root/.ssh/authorized_keys ]; then
+          if ! [ -s /root/.ssh/authorized_keys ]; then
               echo "obtaining SSH key..."
               mkdir -m 0700 -p /root/.ssh
-              AUTH_KEYS=$(${mktemp}) && {
-                ${wget} -O $AUTH_KEYS http://metadata.google.internal/0.1/meta-data/authorized-keys
-                if [ $? -eq 0 -a -e $AUTH_KEYS ]; then
-                    KEY_PUB=$(${mktemp}) && {
-                      cat $AUTH_KEYS | cut -d: -f2- > $KEY_PUB
-                      if ! grep -q -f $KEY_PUB /root/.ssh/authorized_keys; then
-                          cat $KEY_PUB >> /root/.ssh/authorized_keys
-                          echo "new key added to authorized_keys"
-                      fi
-                      chmod 600 /root/.ssh/authorized_keys
-                      rm -f $KEY_PUB
-                    }
-                fi
-                rm -f $AUTH_KEYS
-              }
+              AUTH_KEYS=$(${mktemp})
+              ${wget} -O $AUTH_KEYS http://metadata.google.internal/0.1/meta-data/authorized-keys
+              if [ -s $AUTH_KEYS ]; then
+                  KEY_PUB=$(${mktemp})
+                  cat $AUTH_KEYS | cut -d: -f2- > $KEY_PUB
+                  if ! grep -q -f $KEY_PUB /root/.ssh/authorized_keys; then
+                      cat $KEY_PUB >> /root/.ssh/authorized_keys
+                      echo "New key added to authorized_keys."
+                  fi
+                  chmod 600 /root/.ssh/authorized_keys
+                  rm -f $KEY_PUB
+              else
+                  echo "Downloading http://metadata.google.internal/0.1/meta-data/authorized-keys failed."
+                  false
+              fi
+              rm -f $AUTH_KEYS
           fi
 
           countKeys=0
           ${flip concatMapStrings config.services.openssh.hostKeys (k :
             let kName = baseNameOf k.path; in ''
-              PRIV_KEY=$(${mktemp}) && {
-                echo "trying to obtain SSH private host key ${kName}"
-                ${wget} -O $PRIV_KEY http://metadata.google.internal/0.1/meta-data/attributes/${kName} && :
-                if [ $? -eq 0 -a -e $PRIV_KEY ]; then
-                    countKeys=$((countKeys+1))
-                    mv -f $PRIV_KEY ${k.path}
-                    echo "downloaded ${k.path}"
-                    chmod 600 ${k.path}
-                    ${config.programs.ssh.package}/bin/ssh-keygen -y -f ${k.path} > ${k.path}.pub
-                    chmod 644 ${k.path}.pub
-                fi
-                rm -f $PRIV_KEY
-              }
+              PRIV_KEY=$(${mktemp})
+              echo "trying to obtain SSH private host key ${kName}"
+              ${wget} -O $PRIV_KEY http://metadata.google.internal/0.1/meta-data/attributes/${kName} && :
+              if [ $? -eq 0 -a -s $PRIV_KEY ]; then
+                  countKeys=$((countKeys+1))
+                  mv -f $PRIV_KEY ${k.path}
+                  echo "Downloaded ${k.path}"
+                  chmod 600 ${k.path}
+                  ${config.programs.ssh.package}/bin/ssh-keygen -y -f ${k.path} > ${k.path}.pub
+                  chmod 644 ${k.path}.pub
+              else
+                  echo "Downloading http://metadata.google.internal/0.1/meta-data/attributes/${kName} failed."
+              fi
+              rm -f $PRIV_KEY
             ''
           )}
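Review bot: In the host-key loop, `mv -f $PRIV_KEY ${k.path}` replaces the existing host key before anything has parsed the download, since the `-s` test only shows the response was non-empty. `ssh-keygen -y` is the first step that validates the file, so if the script runs under `-e` as the commit message says, a malformed response aborts with the old private key already overwritten and `${k.path}.pub` truncated by the redirect. Running `ssh-keygen -y -f $PRIV_KEY > $PRIV_KEY.pub` on the temporary file first, and moving both files into place only when that succeeds, would keep a working key. Separately, in the authorized-keys block the bare `${wget}` (no `&& :`, unlike the host-key loop) would abort on a failed download before the `else` message and `rm -f $AUTH_KEYS` are reached, and `false` also skips the cleanup; a `trap 'rm -f "$AUTH_KEYS"' EXIT` right after the `mktemp` would cover both. The enclosing script begins and continues outside this hunk.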