colin/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
a89c4f5411
nixpkgs/nixos/modules/virtualisation/ec2-data.nix
Linus Heckemann eddfcf8622 amazon-image: fetch metadata only in stage-2 
This also removes automatic enablement/mounting of instance store swap
devices and ext3 filesystems. This behaviour is strongly opinionated
and shouldn't be enabled by default.

The unionfs behaviour never took effect anyway, because the AMI
manifest path only exists for instance store-backed AMIs, which have
not been supported by nixpkgs since
84742e2293 (2019).
2022-11-23 17:19:13 +01:00

93 lines
3.3 KiB
Nix
Raw Blame History

# This module defines a systemd service that sets the SSH host key and
# authorized client key and host name of virtual machines running on
# Amazon EC2, Eucalyptus and OpenStack Compute (Nova).
{ config, lib, pkgs, ... }:
with lib;
{
imports = [
(mkRemovedOptionModule [ "ec2" "metadata" ] "")
];
config = {
systemd.services.apply-ec2-data =
{ description = "Apply EC2 Data";
wantedBy = [ "multi-user.target" "sshd.service" ];
before = [ "sshd.service" ];
after = ["fetch-ec2-metadata.service"];
path = [ pkgs.iproute2 ];
script =
''
${optionalString (config.networking.hostName == "") ''
echo "setting host name..."
if [ -s /etc/ec2-metadata/hostname ]; then
${pkgs.nettools}/bin/hostname $(cat /etc/ec2-metadata/hostname)
fi
''}
if ! [ -e /root/.ssh/authorized_keys ]; then
echo "obtaining SSH key..."
mkdir -m 0700 -p /root/.ssh
if [ -s /etc/ec2-metadata/public-keys-0-openssh-key ]; then
cat /etc/ec2-metadata/public-keys-0-openssh-key >> /root/.ssh/authorized_keys
echo "new key added to authorized_keys"
chmod 600 /root/.ssh/authorized_keys
fi
fi
# Extract the intended SSH host key for this machine from
# the supplied user data, if available. Otherwise sshd will
# generate one normally.
userData=/etc/ec2-metadata/user-data
mkdir -m 0755 -p /etc/ssh
if [ -s "$userData" ]; then
key="$(sed 's/|/\n/g; s/SSH_HOST_DSA_KEY://; t; d' $userData)"
key_pub="$(sed 's/SSH_HOST_DSA_KEY_PUB://; t; d' $userData)"
if [ -n "$key" -a -n "$key_pub" -a ! -e /etc/ssh/ssh_host_dsa_key ]; then
(umask 077; echo "$key" > /etc/ssh/ssh_host_dsa_key)
echo "$key_pub" > /etc/ssh/ssh_host_dsa_key.pub
fi
key="$(sed 's/|/\n/g; s/SSH_HOST_ED25519_KEY://; t; d' $userData)"
key_pub="$(sed 's/SSH_HOST_ED25519_KEY_PUB://; t; d' $userData)"
if [ -n "$key" -a -n "$key_pub" -a ! -e /etc/ssh/ssh_host_ed25519_key ]; then
(umask 077; echo "$key" > /etc/ssh/ssh_host_ed25519_key)
echo "$key_pub" > /etc/ssh/ssh_host_ed25519_key.pub
fi
fi
'';
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
};
systemd.services.print-host-key =
{ description = "Print SSH Host Key";
wantedBy = [ "multi-user.target" ];
after = [ "sshd.service" ];
script =
''
# Print the host public key on the console so that the user
# can obtain it securely by parsing the output of
# ec2-get-console-output.
echo "-----BEGIN SSH HOST KEY FINGERPRINTS-----" > /dev/console
for i in /etc/ssh/ssh_host_*_key.pub; do
${config.programs.ssh.package}/bin/ssh-keygen -l -f $i > /dev/console
done
echo "-----END SSH HOST KEY FINGERPRINTS-----" > /dev/console
'';
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
};
};
}
Reference in New Issue View Git Blame Copy Permalink