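# NixOS module: copy an `authorized_keys` file from a removable "seed" volume
# into one user's ~/.ssh at boot.
#
# Trust model: the seed volume is selected purely by filesystem label
# (`seed-ssh.label`). Whatever media carries that label becomes the source
# of the user's SSH keys and replaces any authorized_keys already present,
# so the module is only as trustworthy as the path by which such media
# reaches the machine.
{
  pkgs,
  lib,
  config,
  ...
}:

{
  options = {
    seed-ssh = {
      enable = lib.mkEnableOption "SSH key injection from seed ISO";

      user = lib.mkOption {
        type = lib.types.str;
        description = "user to install authorized_keys for";
      };

      label = lib.mkOption {
        type = lib.types.str;
        default = "SEEDCONFIG";
        description = "volume label of the seed ISO";
      };
    };
  };

  config = lib.mkIf config.seed-ssh.enable {
    systemd.services.seed-ssh = {
      description = "Install SSH authorized_keys from seed ISO";
      # /dev/disk/by-label is populated by udev. If the device node is not
      # present when the service runs, the script exits 0 and the volume is
      # simply skipped rather than failing boot (see the script below).
      after = [ "local-fs.target" ];
      wantedBy = [ "multi-user.target" ];
      # mount/umount/mountpoint come from util-linux, which is not in the
      # default service PATH; coreutils provides mktemp/cp/chmod/chown.
      path = [ pkgs.util-linux pkgs.coreutils ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        ExecStart =
          let
            cfg = config.seed-ssh;
            inherit (cfg) user;
            # Use the user's declared primary group instead of assuming a
            # group named after the user exists.
            inherit (config.users.users.${user}) home group;
          in
          pkgs.writeShellScript "seed-ssh" ''
            # Fail on the first error: without this a failed mount or cp
            # would still fall through to chmod/chown/umount.
            set -euo pipefail

            DEVICE="/dev/disk/by-label/${cfg.label}"
            if [ ! -e "$DEVICE" ]; then
              echo "seed ISO not found, skipping"
              exit 0
            fi

            MOUNT=$(mktemp -d)
            cleanup() {
              # Always detach the volume and drop the temp dir, even when a
              # later step fails; otherwise the media stays mounted.
              if mountpoint -q "$MOUNT"; then
                umount "$MOUNT"
              fi
              rmdir "$MOUNT"
            }
            trap cleanup EXIT

            # Read-only, and never honour setuid/device/executable bits from
            # removable media: only a plain text file is read from it.
            mount -o ro,nosuid,nodev,noexec "$DEVICE" "$MOUNT"

            if [ ! -f "$MOUNT/authorized_keys" ]; then
              echo "seed ISO has no authorized_keys, skipping"
              exit 0
            fi

            mkdir -p "${home}/.ssh"
            # Copy first, then tighten modes and ownership, so the file
            # never persists with the permissions cp assigned from the source.
            cp "$MOUNT/authorized_keys" "${home}/.ssh/authorized_keys"
            chmod 700 "${home}/.ssh"
            chmod 600 "${home}/.ssh/authorized_keys"
            chown -R ${user}:${group} "${home}/.ssh"
          '';
      };
    };
  };
}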