azure: add a job to download ssh host and root keys if they are made available via "custom data"; see #3986

1 files changed, 48 insertions, 9 deletions

diff --git a/nixos/modules/virtualisation/azure-image.nix b/nixos/modules/virtualisation/azure-image.nix
index ec7e8888c03..ab5a9c51fa5 100644
--- a/nixos/modules/virtualisation/azure-image.nix
+++ b/nixos/modules/virtualisation/azure-image.nix
@@ -24,6 +24,7 @@ in
 
           postVM =
             ''
+              echo Converting
               mkdir -p $out
               ${pkgs.vmTools.qemu}/bin/qemu-img convert -f raw -O vpc $diskImage $out/disk.vhd
               rm $diskImage
@@ -62,30 +63,31 @@ in
           echo "copying everything (will take a while)..."
           cp -prd $storePaths /mnt/nix/store/
 
-          # Register the paths in the Nix database.
+          echo Register the paths in the Nix database.
           printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
-              chroot /mnt ${config.nix.package}/bin/nix-store --load-db
+              chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group ""
 
-          # Create the system profile to allow nixos-rebuild to work.
+          echo Create the system profile to allow nixos-rebuild to work.
           chroot /mnt ${config.nix.package}/bin/nix-env \
-              -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel}
+              -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} --option build-users-group ""
 
-          # `nixos-rebuild' requires an /etc/NIXOS.
+          echo nixos-rebuild requires an /etc/NIXOS.
           mkdir -p /mnt/etc
           touch /mnt/etc/NIXOS
 
-          # `switch-to-configuration' requires a /bin/sh
+          echo switch-to-configuration requires a /bin/sh
           mkdir -p /mnt/bin
           ln -s ${config.system.build.binsh}/bin/sh /mnt/bin/sh
 
-          # Install a configuration.nix.
+          echo Install a configuration.nix.
           mkdir -p /mnt/etc/nixos /mnt/boot/grub
           cp ${./azure-config.nix} /mnt/etc/nixos/configuration.nix
 
-          # Generate the GRUB menu.
+          echo Generate the GRUB menu.
           ln -s vda /dev/sda
           chroot /mnt ${config.system.build.toplevel}/bin/switch-to-configuration boot
 
+          echo Almost done
           umount /mnt/proc /mnt/dev /mnt/sys
           umount /mnt
         ''
@@ -119,7 +121,44 @@ in
   # Always include cryptsetup so that NixOps can use it.
   environment.systemPackages = [ pkgs.cryptsetup ];
 
+  systemd.services.fetch-ssh-keys =
+    { description = "Fetch host keys and authorized_keys for root user";
+
+      wantedBy = [ "sshd.service" ];
+      before = [ "sshd.service" ];
+      after = [ "local-fs.target" ];
+
+      path  = [ pkgs.coreutils ];
+      script =
+        ''
+          eval "$(base64 --decode /metadata/CustomData.bin)"
+          if ! [ -z "$ssh_host_ecdsa_key" ]; then
+            echo "downloaded ssh_host_ecdsa_key"
+            echo "$ssh_host_ecdsa_key" > /etc/ssh/ssh_host_ecdsa_key
+            chmod 600 /etc/ssh/ssh_host_ecdsa_key
+          fi
+
+          if ! [ -z "$ssh_host_ecdsa_key_pub" ]; then
+            echo "downloaded ssh_host_ecdsa_key_pub"
+            echo "$ssh_host_ecdsa_key_pub" > /etc/ssh/ssh_host_ecdsa_key.pub
+            chmod 644 /etc/ssh/ssh_host_ecdsa_key.pub
+          fi
+
+          if ! [ -z "$ssh_root_auth_key" ]; then
+            echo "downloaded ssh_root_auth_key"
+            mkdir -m 0700 -p /root/.ssh
+            echo "$ssh_root_auth_key" > /root/.ssh/authorized_keys
+            chmod 600 /root/.ssh/authorized_keys
+          fi
+        '';
+      serviceConfig.Type = "oneshot";
+      serviceConfig.RemainAfterExit = true;
+      serviceConfig.StandardError = "journal+console";
+      serviceConfig.StandardOutput = "journal+console";
+     };
+
   networking.usePredictableInterfaceNames = false;
 
-  users.extraUsers.root.openssh.authorizedKeys.keys = [ (builtins.readFile <ssh-pub-key>) ];
+  #users.extraUsers.root.openssh.authorizedKeys.keys = [ (builtins.readFile <ssh-pub-key>) ];
+
 }