From 4621f16b34900aa23dc6f2a872fbb9142f330335 Mon Sep 17 00:00:00 2001 From: Evgeny Egorochkin Date: Mon, 16 Feb 2015 16:54:30 +0200 Subject: azure: add a job to download ssh host and root keys if they are made available via "custom data"; see #3986 --- nixos/modules/virtualisation/azure-image.nix | 57 +++++++++++++++++++++++----- 1 file changed, 48 insertions(+), 9 deletions(-) (limited to 'nixos/modules/virtualisation/azure-image.nix') diff --git a/nixos/modules/virtualisation/azure-image.nix b/nixos/modules/virtualisation/azure-image.nix index ec7e8888c03..ab5a9c51fa5 100644 --- a/nixos/modules/virtualisation/azure-image.nix +++ b/nixos/modules/virtualisation/azure-image.nix @@ -24,6 +24,7 @@ in postVM = '' + echo Converting mkdir -p $out ${pkgs.vmTools.qemu}/bin/qemu-img convert -f raw -O vpc $diskImage $out/disk.vhd rm $diskImage @@ -62,30 +63,31 @@ in echo "copying everything (will take a while)..." cp -prd $storePaths /mnt/nix/store/ - # Register the paths in the Nix database. + echo Register the paths in the Nix database. printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \ - chroot /mnt ${config.nix.package}/bin/nix-store --load-db + chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group "" - # Create the system profile to allow nixos-rebuild to work. + echo Create the system profile to allow nixos-rebuild to work. chroot /mnt ${config.nix.package}/bin/nix-env \ - -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} + -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} --option build-users-group "" - # `nixos-rebuild' requires an /etc/NIXOS. + echo nixos-rebuild requires an /etc/NIXOS. mkdir -p /mnt/etc touch /mnt/etc/NIXOS - # `switch-to-configuration' requires a /bin/sh + echo switch-to-configuration requires a /bin/sh mkdir -p /mnt/bin ln -s ${config.system.build.binsh}/bin/sh /mnt/bin/sh - # Install a configuration.nix. + echo Install a configuration.nix. mkdir -p /mnt/etc/nixos /mnt/boot/grub cp ${./azure-config.nix} /mnt/etc/nixos/configuration.nix - # Generate the GRUB menu. + echo Generate the GRUB menu. ln -s vda /dev/sda chroot /mnt ${config.system.build.toplevel}/bin/switch-to-configuration boot + echo Almost done umount /mnt/proc /mnt/dev /mnt/sys umount /mnt '' @@ -119,7 +121,44 @@ in # Always include cryptsetup so that NixOps can use it. environment.systemPackages = [ pkgs.cryptsetup ]; + systemd.services.fetch-ssh-keys = + { description = "Fetch host keys and authorized_keys for root user"; + + wantedBy = [ "sshd.service" ]; + before = [ "sshd.service" ]; + after = [ "local-fs.target" ]; + + path = [ pkgs.coreutils ]; + script = + '' + eval "$(base64 --decode /metadata/CustomData.bin)" + if ! [ -z "$ssh_host_ecdsa_key" ]; then + echo "downloaded ssh_host_ecdsa_key" + echo "$ssh_host_ecdsa_key" > /etc/ssh/ssh_host_ecdsa_key + chmod 600 /etc/ssh/ssh_host_ecdsa_key + fi + + if ! [ -z "$ssh_host_ecdsa_key_pub" ]; then + echo "downloaded ssh_host_ecdsa_key_pub" + echo "$ssh_host_ecdsa_key_pub" > /etc/ssh/ssh_host_ecdsa_key.pub + chmod 644 /etc/ssh/ssh_host_ecdsa_key.pub + fi + + if ! [ -z "$ssh_root_auth_key" ]; then + echo "downloaded ssh_root_auth_key" + mkdir -m 0700 -p /root/.ssh + echo "$ssh_root_auth_key" > /root/.ssh/authorized_keys + chmod 600 /root/.ssh/authorized_keys + fi + ''; + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = true; + serviceConfig.StandardError = "journal+console"; + serviceConfig.StandardOutput = "journal+console"; + }; + networking.usePredictableInterfaceNames = false; - users.extraUsers.root.openssh.authorizedKeys.keys = [ (builtins.readFile ) ]; + #users.extraUsers.root.openssh.authorizedKeys.keys = [ (builtins.readFile ) ]; + } -- cgit 1.4.1