author | Evgeny Egorochkin <phreedom@yandex.ru> | 2015-02-16 16:54:30 +0200 |
---|---|---|
committer | Evgeny Egorochkin <phreedom@yandex.ru> | 2015-02-16 16:54:30 +0200 |
commit | 4621f16b34900aa23dc6f2a872fbb9142f330335 (patch) | |
tree | 5718cbe128e4c536ef06783964b6ac64211c3ece /nixos/modules/virtualisation/azure-image.nix | |
parent | 0c4ac4b936d36eb8eb704d20efc03e651d1b3690 (diff) | |
azure: add a job to download ssh host and root keys if they are made available via "custom data"; see #3986
Diffstat (limited to 'nixos/modules/virtualisation/azure-image.nix')
-rw-r--r-- | nixos/modules/virtualisation/azure-image.nix | 57 |
1 files changed, 48 insertions, 9 deletions
diff --git a/nixos/modules/virtualisation/azure-image.nix b/nixos/modules/virtualisation/azure-image.nix
index ec7e8888c03..ab5a9c51fa5 100644
--- a/nixos/modules/virtualisation/azure-image.nix
+++ b/nixos/modules/virtualisation/azure-image.nix
@@ -24,6 +24,7 @@ in
 postVM = ''
+ echo Converting
 mkdir -p $out
 ${pkgs.vmTools.qemu}/bin/qemu-img convert -f raw -O vpc $diskImage $out/disk.vhd
 rm $diskImage
@@ -62,30 +63,31 @@ in
 echo "copying everything (will take a while)..."
 cp -prd $storePaths /mnt/nix/store/
- # Register the paths in the Nix database.
+ echo Register the paths in the Nix database.
 printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
- chroot /mnt ${config.nix.package}/bin/nix-store --load-db
+ chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group ""
- # Create the system profile to allow nixos-rebuild to work.
+ echo Create the system profile to allow nixos-rebuild to work.
 chroot /mnt ${config.nix.package}/bin/nix-env \
- -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel}
+ -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} --option build-users-group ""
- # `nixos-rebuild' requires an /etc/NIXOS.
+ echo nixos-rebuild requires an /etc/NIXOS.
 mkdir -p /mnt/etc
 touch /mnt/etc/NIXOS
- # `switch-to-configuration' requires a /bin/sh
+ echo switch-to-configuration requires a /bin/sh
 mkdir -p /mnt/bin
 ln -s ${config.system.build.binsh}/bin/sh /mnt/bin/sh
- # Install a configuration.nix.
+ echo Install a configuration.nix.
 mkdir -p /mnt/etc/nixos /mnt/boot/grub
 cp ${./azure-config.nix} /mnt/etc/nixos/configuration.nix
- # Generate the GRUB menu.
+ echo Generate the GRUB menu.
 ln -s vda /dev/sda
 chroot /mnt ${config.system.build.toplevel}/bin/switch-to-configuration boot
+ echo Almost done
 umount /mnt/proc /mnt/dev /mnt/sys
 umount /mnt
 ''
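Review bot: The two `--option build-users-group ""` additions on the `nix-store --load-db` and `nix-env --set` lines are the only functional change in this hunk and carry no explanation, so a reader cannot tell why build-user separation is being switched off inside the chroot. Add a comment above the first one, e.g. `# the image's chroot has no build-users group yet, so tell nix not to require one` — the hunk does not show how users are set up in the image, so confirm that this is the actual reason before committing the wording. The former `# ...` comments now become `echo` lines in the build log, which is fine, but `echo nixos-rebuild requires an /etc/NIXOS.` and its siblings are unquoted while the earlier `echo "copying everything (will take a while)..."` in the same hunk is quoted; quoting them consistently avoids future surprises if a message ever gains a shell metacharacter. The shell string this hunk edits begins before the hunk.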
@@ -119,7 +121,44 @@ in
 # Always include cryptsetup so that NixOps can use it.
 environment.systemPackages = [ pkgs.cryptsetup ];
+ systemd.services.fetch-ssh-keys =
+ { description = "Fetch host keys and authorized_keys for root user";
+
+ wantedBy = [ "sshd.service" ];
+ before = [ "sshd.service" ];
+ after = [ "local-fs.target" ];
+
+ path = [ pkgs.coreutils ];
+ script =
+ ''
+ eval "$(base64 --decode /metadata/CustomData.bin)"
+ if ! [ -z "$ssh_host_ecdsa_key" ]; then
+ echo "downloaded ssh_host_ecdsa_key"
+ echo "$ssh_host_ecdsa_key" > /etc/ssh/ssh_host_ecdsa_key
+ chmod 600 /etc/ssh/ssh_host_ecdsa_key
+ fi
+
+ if ! [ -z "$ssh_host_ecdsa_key_pub" ]; then
+ echo "downloaded ssh_host_ecdsa_key_pub"
+ echo "$ssh_host_ecdsa_key_pub" > /etc/ssh/ssh_host_ecdsa_key.pub
+ chmod 644 /etc/ssh/ssh_host_ecdsa_key.pub
+ fi
+
+ if ! [ -z "$ssh_root_auth_key" ]; then
+ echo "downloaded ssh_root_auth_key"
+ mkdir -m 0700 -p /root/.ssh
+ echo "$ssh_root_auth_key" > /root/.ssh/authorized_keys
+ chmod 600 /root/.ssh/authorized_keys
+ fi
+ '';
+ serviceConfig.Type = "oneshot";
+ serviceConfig.RemainAfterExit = true;
+ serviceConfig.StandardError = "journal+console";
+ serviceConfig.StandardOutput = "journal+console";
+ };
+ networking.usePredictableInterfaceNames = false;
- users.extraUsers.root.openssh.authorizedKeys.keys = [ (builtins.readFile <ssh-pub-key>) ];
+ #users.extraUsers.root.openssh.authorizedKeys.keys = [ (builtins.readFile <ssh-pub-key>) ];
+ } |
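Review bot: The secret files are created under the default umask and only tightened afterwards: `echo "$ssh_host_ecdsa_key" > /etc/ssh/ssh_host_ecdsa_key` writes the private host key with whatever mode the umask yields, and the `chmod 600` on the following line closes the gap only after the key is already on disk, and the same create-then-chmod pattern is repeated for `/root/.ssh/authorized_keys`. Put `umask 077` at the top of the script, immediately after the `eval`, so every file the script writes is owner-only from creation, keeping the explicit `chmod 644` for the `.pub` file. Writing the key bodies with `printf '%s\n' "$ssh_host_ecdsa_key"` instead of `echo` also avoids shell-specific interpretation of a leading `-` or backslashes in the value. The `eval "$(base64 --decode /metadata/CustomData.bin)"` line executes the entire decoded custom-data blob as root shell code before sshd is up, which means whoever can set the VM's custom data controls the host; nothing in the hunk acknowledges this trust boundary, so at minimum add a comment such as `# custom data is trusted provisioning input: it is evaluated as root shell code`, and preferably extract only the three expected variables rather than eval-ing arbitrary text. Only the ECDSA host key pair is replaced here, and the enclosing module attribute set begins outside this hunk, so whether other host key types are still freshly generated cannot be judged from what is shown.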