Add small script to fetch SSH keys from the EC2 metadata service
This is meant to be used in the Hetzner cloud sandbox project: when a new VM is created from e.g. a CI pipeline, SSH keys can be injected so that the pipeline can SSH into the newly created VM. The EC2 metadata service is used instead of the Hetzner metadata service, as it is supported by more providers (including Hetzner).
parent
e5529102bc
commit
645b1a003c
|
@ -51,7 +51,7 @@ This will take some time after which a new snapshot will have been created on th
|
|||
|
||||
For the sandbox project please run
|
||||
|
||||
packer build -var $(misc/get_key.py misc/vaults/vault_hetzner.yml hetzner_cloud_sandbox_infrastructure_api_key --format env | sed 's/_sandbox_infrastructure//') packer/archlinux.pkr.hcl
|
||||
packer build -var $(misc/get_key.py misc/vaults/vault_hetzner.yml hetzner_cloud_sandbox_infrastructure_api_key --format env | sed 's/_sandbox_infrastructure//') -var install_ec2_public_keys_service=true packer/archlinux.pkr.hcl
|
||||
|
||||
#### Note about terraform
|
||||
|
||||
|
|
|
@ -18,6 +18,11 @@ variable "hetzner_cloud_api_key" {
|
|||
sensitive = true
|
||||
}
|
||||
|
||||
variable "install_ec2_public_keys_service" {
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
# https://www.packer.io/docs/templates/hcl_templates/blocks/source
|
||||
source "hcloud" "rescue" {
|
||||
image = "ubuntu-22.04"
|
||||
|
@ -40,6 +45,11 @@ build {
|
|||
host_alias = "packer-base-image"
|
||||
inventory_directory = "."
|
||||
playbook_file = "playbooks/tasks/install_arch.yml"
|
||||
use_proxy = false
|
||||
extra_arguments = [
|
||||
"--extra-vars", jsonencode({
|
||||
install_ec2_public_keys_service : var.install_ec2_public_keys_service
|
||||
})
|
||||
]
|
||||
use_proxy = false
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,18 @@
|
|||
#!/usr/bin/python
|
||||
|
||||
import os
|
||||
from pathlib import Path
|
||||
|
||||
import requests
|
||||
|
||||
data = requests.get("http://169.254.169.254/2009-04-04/meta-data/public-keys")
|
||||
data.raise_for_status()
|
||||
|
||||
path = Path("/root/.ssh/authorized_keys")
|
||||
path.parent.mkdir(mode=0o700, exist_ok=True)
|
||||
os.chmod(path.parent, 0o700)
|
||||
|
||||
with open(path, "w") as file:
|
||||
for key in data.json():
|
||||
file.write(f"{key}\n")
|
||||
os.chmod(path, 0o600)
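Review bot: The `requests.get` call on the `data = requests.get(...)` line has no timeout, and because the unit that runs this script is a oneshot ordered `Before=sshd.service`, a metadata endpoint that accepts the connection but never answers would keep sshd from starting on first boot; pass a bound, e.g. `data = requests.get("http://169.254.169.254/2009-04-04/meta-data/public-keys", timeout=10)`. On AWS itself the `public-keys` path returns `index=name` lines with the key material under `public-keys/<index>/openssh-key`, so `data.json()` presumably relies on Hetzner's EC2-compatible endpoint answering with a JSON list — a comment above that line stating this assumption would help the next reader. The script also depends on the third-party `requests` package being present in the base image, which this commit does not show being installed; `urllib.request` from the standard library would remove that dependency for an 18-line script. Finally, `open(path, "w")` creates the file under the default umask and only afterwards restricts it to 0600; `with open(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as file:` creates it with the intended mode from the start.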
|
|
@ -0,0 +1,13 @@
|
|||
[Unit]
|
||||
Description=Fetch SSH public keys from the metadata service
|
||||
Before=sshd.service
|
||||
After=systemd-networkd-wait-online.service
|
||||
ConditionFirstBoot=yes
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/local/bin/ec2-public-keys
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
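Review bot: `After=systemd-networkd-wait-online.service` only orders this unit; it does not pull the wait-online service in, so if that service is not enabled in the image the script can run before the network (and the metadata address) is reachable. The documented way to express the requirement is `Wants=network-online.target` together with `After=network-online.target`. Since this is a `Type=oneshot` unit with no `TimeoutStartSec=`, a hung fetch would also hold up `sshd.service` through `Before=`, so a bounded `TimeoutStartSec=60` (or similar) is worth adding.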
|
|
@ -171,6 +171,13 @@
|
|||
- name: Setup pacman-init.service on first boot
|
||||
copy: src=pacman-init.service dest=/mnt/etc/systemd/system/ owner=root group=root mode=0644
|
||||
|
||||
- name: Setup ec2-public-keys on first boot
|
||||
copy: src={{ item.src }} dest=/mnt/{{ item.dest }} owner=root group=root mode={{ item.mode }}
|
||||
loop:
|
||||
- {src: ec2-public-keys, dest: /usr/local/bin/, mode: 755}
|
||||
- {src: ec2-public-keys.service, dest: /etc/systemd/system/, mode: 644}
|
||||
when: install_ec2_public_keys_service | default(false)
|
||||
|
||||
- name: Remove generated keyring in the installation process
|
||||
file: path=/mnt/etc/pacman.d/gnupg state=absent
|
||||
|
||||
|
@ -178,7 +185,7 @@
|
|||
file: path=/mnt/etc/machine-id state=absent
|
||||
|
||||
- name: Enable services inside chroot
|
||||
command: chroot /mnt systemctl enable sshd systemd-networkd systemd-resolved fstrim.timer pacman-init
|
||||
command: chroot /mnt systemctl enable sshd systemd-networkd systemd-resolved fstrim.timer pacman-init {{ 'ec2-public-keys' if install_ec2_public_keys_service | default(false) }}
|
||||
register: chroot_systemd_services
|
||||
changed_when: "chroot_systemd_services.rc == 0"
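Review bot: The `{{ 'ec2-public-keys' if install_ec2_public_keys_service | default(false) }}` expression on the new `command:` line has no `else` branch; in Jinja2 an inline-if without `else` yields an undefined value when the condition is false, and whether Ansible renders that as an empty string or errors depends on the templar's undefined handling, so `{{ 'ec2-public-keys' if install_ec2_public_keys_service | default(false) else '' }}` makes the intent explicit and safe. In the first hunk of this file, the loop items carry `mode: 755` and `mode: 644` as bare YAML integers; they only work because `mode={{ item.mode }}` in key=value syntax turns them back into strings, so quoting them as `'0755'` and `'0644'` would survive a later conversion of the task to YAML dict syntax.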
|
||||
|
||||
|
@ -187,6 +194,7 @@
|
|||
name: root_ssh
|
||||
vars:
|
||||
root_ssh_directory: /tmp/root.x86_64/mnt/root/.ssh
|
||||
when: not install_ec2_public_keys_service | default(false)
|
||||
|
||||
- name: Configure sshd
|
||||
template: src=sshd_config.j2 dest=/mnt/etc/ssh/sshd_config owner=root group=root mode=0644
|
||||
|
|