google-compute-config: Reintroduce fetch-ssh-keys #110784
Reintroduce the `fetch-ssh-keys` service so that GCE images that work with NixOps can once again be built. Also, reformat the code a bit. The service was removed in 8857053, likely due to a comment saying it should be removed. It was still needed for images to work with NixOps, however, and probably needed to be replaced or rewritten rather than removed.
@talyz can you address the requested changes?
9514fd8 to 5225ed4
@talyz Probably too early for this PR, but long term, it'd probably be worth a shot to switch this from yet another bash script to using afterburn, as suggested in #110784 (comment). The package has been merged in #68680. There's a
@flokli Yes, it could be interesting when / if it gains support for managing host keys. For authorized keys, wouldn't
Yes,
5225ed4 to 14a0c00
Anything pending in this PR? I'd like to use it once merged to generate some images for Google cloud.
This looks fine from an overview, and assuming @talyz sufficiently tested this on Google Cloud, this is probably fine to merge. I quickly wondered if we could add coverage for this in the google-oslogin test (and by this make it a more generic google metadata server test), but considering this is not in a module, but just in the profile directly, we can't easily add it there without pulling in other unwanted stuff. So I'd say if you want to merge this, we can, but we have no way of ensuring it keeps working as long as there is no test ;-)
...check the script with shfmt and shellcheck + some other minor refactoring.
14a0c00 to 95f96de
@flokli Yes, I've verified that it works with NixOps. If a normal instance is set up, the service fails as I expected:
This is of course not fatal, since no other units depend on the service, but the user will see a service failure at instance boot.
@flokli Well, the script is so simple that the mock server would likely be more complex and prone to breakage, tbh. Since we're aiming for
Yeah, agreed. I simply wanted to state we don't know it'll keep working:
Given no one pressed the big green button, I'll do it now.
Motivation for this change

Reintroduce the `fetch-ssh-keys` service so that GCE images that work with NixOps can once again be built. Also, reformat the code a bit.

The service was removed in 8857053, likely due to a comment saying it should be removed. It is however still needed for NixOps, at least until the plugin is able to handle `google-oslogin`.

Things done

Built an image and deployed it with NixOps.

- Tested using sandboxing (nix.useSandbox on NixOS, or option `sandbox` in `nix.conf` on non-NixOS linux)
- Built on platform(s)
- Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
- Tested compilation of all pkgs that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review wip"`
- Tested execution of all binary files (usually in `./result/bin/`)
- Determined the impact on package closure size (by running `nix path-info -S` before and after)
- Ensured that relevant documentation is up to date
- Fits CONTRIBUTING.md.