authorEvgeny Egorochkin <phreedom@yandex.ru>2014-07-12 08:46:25 +0300
committerEvgeny Egorochkin <phreedom@yandex.ru>2014-07-12 08:47:03 +0300
commit64c01fdf81ab0b272dce208c3ded7b7784a04f3d (patch)
tree9bc6142b4658e4c51223cefb6508d7859523a231
parent9d8ddd465d03b0a6889aa7fd643c8ebca76dda13 (diff)
Google Compute Image: fetch host keys if possible
-rw-r--r--nixos/modules/virtualisation/google-compute-image.nix20
1 files changed, 18 insertions, 2 deletions
diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index de5e3f5ced4..215ae146898 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@@ -121,8 +121,8 @@ in
 
   networking.usePredictableInterfaceNames = false;
 
-  systemd.services.fetch-root-authorized-keys =
-    { description = "Fetch authorized_keys for root user";
+  systemd.services.fetch-ssh-keys =
+    { description = "Fetch host keys and authorized_keys for root user";
 
       wantedBy = [ "multi-user.target" ];
       before = [ "sshd.service" ];
@@ -146,6 +146,22 @@ in
                     rm -f /root/key.pub /root/authorized-keys-metadata
                 fi
           fi
+
+          echo "obtaining SSH private host key..."
+          curl -o /root/ssh_host_ecdsa_key http://metadata/0.1/meta-data/attributes/ssh_host_ecdsa_key
+          if [ $? -eq 0 -a -e /root/ssh_host_ecdsa_key ]; then
+              mv -f /root/ssh_host_ecdsa_key /etc/ssh/ssh_host_ecdsa_key
+              echo "downloaded ssh_host_ecdsa_key"
+              chmod 600 /etc/ssh/ssh_host_ecdsa_key
+          fi
+
+          echo "obtaining SSH public host key..."
+          curl -o /root/ssh_host_ecdsa_key.pub http://metadata/0.1/meta-data/attributes/ssh_host_ecdsa_key_pub
+          if [ $? -eq 0 -a -e /root/ssh_host_ecdsa_key.pub ]; then
+              mv -f /root/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub
+              echo "downloaded ssh_host_ecdsa_key.pub"
+              chmod 644 /etc/ssh/ssh_host_ecdsa_key.pub
+          fi
         '';
       serviceConfig.Type = "oneshot";
       serviceConfig.RemainAfterExit = true;
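Review bot: Both added `curl` calls omit `--fail`, so an HTTP error from the metadata server (likely when the `ssh_host_ecdsa_key` attribute is not set) still exits 0 and the error body is moved over `/etc/ssh/ssh_host_ecdsa_key`, replacing a usable host key with garbage; use `curl --fail -o /root/ssh_host_ecdsa_key …` for both fetches. The private key is also written under the service's default umask and only restricted by `chmod 600` after the `mv`, so it may be briefly readable in `/etc/ssh`; set `umask 077` before the download or run `chmod 600` on the temporary file before moving it. Separately, a private host key stored as an instance metadata attribute can presumably be fetched by any local process that can reach `http://metadata/`, which deserves a comment above the block so operators know the key is not protected by file permissions alone. The enclosing script starts outside the hunk.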