author | Russell O'Connor <oconnorr@google.com> | 2015-03-23 21:45:40 +0000 |
---|---|---|
committer | Russell O'Connor <oconnorr@google.com> | 2015-05-29 19:53:57 +0000 |
commit | 4744e3541ad2308625afd1d0ac53329efd947e6a (patch) | |
tree | cf00e9ca9efa44d2d60d9850330a9210af665723 /nixos | |
parent | 1badfabc4ddb6b487005cf4a8447b5d1111cd72c (diff) | |
[GCE] Put temp files for fetch-ssh-keys service in /run
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/virtualisation/google-compute-image.nix | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index 25bdd9569de..cdcd7e5a126 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@@ -137,7 +137,8 @@ in
 after = [ "network-online.target" "ip-up.target" ];
 wants = [ "network-online.target" "ip-up.target" ];
- script = let wget = "${pkgs.wget}/bin/wget --retry-connrefused -t 15 --waitretry=10 --header='Metadata-Flavor: Google'"; in
+ script = let wget = "${pkgs.wget}/bin/wget --retry-connrefused -t 15 --waitretry=10 --header='Metadata-Flavor: Google'";
+ mktemp = "mktemp --tmpdir=/run"; in
 ''
 # When dealing with cryptographic keys, we want to keep things private.
 umask 077
@@ -145,10 +146,10 @@ in
 if ! [ -e /root/.ssh/authorized_keys ]; then
 echo "obtaining SSH key..."
 mkdir -m 0700 -p /root/.ssh
- AUTH_KEYS=$(mktemp) && {
+ AUTH_KEYS=$(${mktemp}) && {
 ${wget} -O $AUTH_KEYS http://metadata.google.internal/0.1/meta-data/authorized-keys
 if [ $? -eq 0 -a -e $AUTH_KEYS ]; then
- KEY_PUB=$(mktemp) && {
+ KEY_PUB=$(${mktemp}) && {
 cat $AUTH_KEYS | cut -d: -f2- > $KEY_PUB
 if ! grep -q -f $KEY_PUB /root/.ssh/authorized_keys; then
 cat $KEY_PUB >> /root/.ssh/authorized_keys
@@ -165,7 +166,7 @@ in
 countKeys=0
 ${flip concatMapStrings config.services.openssh.hostKeys (k :
 let kName = baseNameOf k.path; in ''
- PRIV_KEY=$(mktemp) && {
+ PRIV_KEY=$(${mktemp}) && {
 echo "trying to obtain SSH private host key ${kName}"
 ${wget} -O $PRIV_KEY http://metadata.google.internal/0.1/meta-data/attributes/${kName} && :
 if [ $? -eq 0 -a -e $PRIV_KEY ]; then |
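Review bot: `mktemp` in the new `let` binding is resolved through the unit's PATH, whereas `wget` one line earlier is pinned to its store path; for a script that handles key material it is cleaner to pin both, e.g. `mktemp = "${pkgs.coreutils}/bin/mktemp --tmpdir=/run";`. The binding also gives no reason for choosing /run, so a one-line comment would help the next reader: `# /run is a root-owned tmpfs: fetched keys never touch persistent disk or a shared /tmp` (presumably the motivation; the commit message does not say). The same binding is used at the three `$(${mktemp})` call sites in the later hunks.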
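Review bot: `PRIV_KEY` in the third hunk receives an SSH private host key, and nothing visible in the hunk removes that file if the script stops between the `mktemp` call and whatever cleanup follows. With `-t 15 --waitretry=10` the fetch can run for minutes, so the unit being stopped or timing out mid-download is a realistic case, and a file in /run then stays until reboot. Consider creating one private directory with `mktemp -d --tmpdir=/run` at the top of the script and removing it from a single `trap ... EXIT`, so every temp file is covered on all exit paths. The same applies to `AUTH_KEYS` and `KEY_PUB` in the second hunk, which hold only public keys. The enclosing block continues outside the hunk, so the normal-path cleanup may already exist there.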