still debugging blogbox

2026-05-30 09:38:41 +02:00 · 2026-05-30 09:38:41 +02:00 · c41de5cd46
commit c41de5cd46
parent 2ac05607a2
2 changed files with 221 additions and 16 deletions
--- a/nixos/modules/services/oci-authorized-keys.nix
+++ b/nixos/modules/services/oci-authorized-keys.nix
@ -4,25 +4,54 @@ let
  home = config.users.users.${cfg.user}.home;
  sshDir = "${home}/.ssh";
  authorizedKeysFile = "${sshDir}/authorized_keys";
+  staticAuthorizedKeys = config.users.users.${cfg.user}.openssh.authorizedKeys.keys or [ ];
+  staticAuthorizedKeysText =
+    (lib.concatStringsSep "\n" staticAuthorizedKeys)
+    + lib.optionalString (staticAuthorizedKeys != [ ]) "\n";
+  staticAuthorizedKeysFile = pkgs.writeText "static-authorized-keys-${cfg.user}" staticAuthorizedKeysText;

  fetchOciAuthorizedKeys = pkgs.writeShellApplication {
    name = "fetch-oci-authorized-keys";
    runtimeInputs = [
      pkgs.coreutils
      pkgs.curl
+      pkgs.gnugrep
    ];
    text = ''
      install -d -m 0700 -o ${lib.escapeShellArg cfg.user} -g ${lib.escapeShellArg cfg.group} ${lib.escapeShellArg sshDir}

-      if [ -s ${lib.escapeShellArg authorizedKeysFile} ]; then
-        echo "OCI authorized_keys already present for ${cfg.user}"
-        exit 0
+      if [ ! -e ${lib.escapeShellArg authorizedKeysFile} ]; then
+        install -m 0600 -o ${lib.escapeShellArg cfg.user} -g ${lib.escapeShellArg cfg.group} /dev/null ${lib.escapeShellArg authorizedKeysFile}
      fi

+      chown ${lib.escapeShellArg "${cfg.user}:${cfg.group}"} ${lib.escapeShellArg authorizedKeysFile}
+      chmod 0600 ${lib.escapeShellArg authorizedKeysFile}
+
+      append_keys() {
+        while IFS= read -r key; do
+          [ -n "$key" ] || continue
+          grep -qxF -- "$key" ${lib.escapeShellArg authorizedKeysFile} || printf '%s\n' "$key" >> ${lib.escapeShellArg authorizedKeysFile}
+        done < "$1"
+      }
+
+      append_keys ${lib.escapeShellArg staticAuthorizedKeysFile}
+
+      metadata_keys="$(mktemp)"
+      trap 'rm -f "$metadata_keys"' EXIT
+
      curl --fail --silent --show-error --location \
+        --connect-timeout 3 \
+        --max-time 10 \
+        --retry 3 \
+        --retry-delay 2 \
        --header ${lib.escapeShellArg "Authorization: Bearer Oracle"} \
-        --output ${lib.escapeShellArg authorizedKeysFile} \
-        ${lib.escapeShellArg cfg.metadataUrl}
+        --output "$metadata_keys" \
+        ${lib.escapeShellArg cfg.metadataUrl} || {
+          echo "Unable to fetch OCI authorized_keys for ${cfg.user}; leaving existing keys unchanged"
+          exit 0
+        }
+
+      append_keys "$metadata_keys"

      chown ${lib.escapeShellArg "${cfg.user}:${cfg.group}"} ${lib.escapeShellArg authorizedKeysFile}
      chmod 0600 ${lib.escapeShellArg authorizedKeysFile}
@ -55,8 +84,7 @@ in
  config = lib.mkIf cfg.enable {
    systemd.services.fetch-oci-authorized-keys = {
      description = "Fetch OCI metadata authorized_keys for ${cfg.user}";
-      wantedBy = [ "sshd.service" ];
-      before = [ "sshd.service" ];
+      wantedBy = [ "multi-user.target" ];
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      serviceConfig = {
@ -64,6 +92,7 @@ in
        RemainAfterExit = true;
        StandardError = "journal+console";
        StandardOutput = "journal+console";
+        TimeoutStartSec = "30s";
      };
      script = lib.getExe fetchOciAuthorizedKeys;
    };