infra/codestorage/hg-ssh
2015-10-15
Parent:2f4a2a20ad6d
infra/codestorage/hg-ssh/pullkeys.sh
Pull hostkeys when pulling SSH keys. Rather than relying on Kubernetes secrets and baking public keys right in, which was bound to get fraught, we now have some graceful degradation. It defaults to automatically-generated random keys, but will try to download some keys from Google Cloud Storage for the host. If it can find some, it'll try to use those, instead.
| paddy@1 | 1 #!/bin/bash |
| paddy@1 | 2 DOMAIN=${DOMAIN:-code.secondbit.org} |
| paddy@1 | 3 SSH_KEYS_BUCKET=${SSH_KEYS_BUCKET:-sshkeys.$DOMAIN} |
| paddy@6 | 4 SSH_HOST_KEYS_BUCKET=${SSH_HOST_KEYS_BUCKET:-hostkeys.$DOMAIN} |
| paddy@1 | 5 |
| paddy@1 | 6 mkdir -p /tmp/sshkeys |
| paddy@6 | 7 mkdir -p /tmp/hostkeys |
| paddy@1 | 8 |
| paddy@1 | 9 echo "Cleaning up..." |
| paddy@1 | 10 rm -rf /tmp/sshkeys/* |
| paddy@6 | 11 rm -rf /tmp/hostkeys/* |
| paddy@1 | 12 |
| paddy@1 | 13 echo "Downloading keys from gs://${SSH_KEYS_BUCKET}/" |
| paddy@1 | 14 |
| paddy@1 | 15 output=$(gsutil cp -R gs://$SSH_KEYS_BUCKET/\* /tmp/sshkeys/ 2>&1) |
| paddy@1 | 16 echo $output |
| paddy@1 | 17 |
| paddy@1 | 18 keys=$(find /tmp/sshkeys -name '*.pub') |
| paddy@1 | 19 |
| paddy@1 | 20 for key in $keys |
| paddy@1 | 21 do |
| paddy@1 | 22 dir=$(dirname $key) |
| paddy@1 | 23 stripped=${dir#.} |
| paddy@1 | 24 stripped=${stripped#/tmp/sshkeys} |
| paddy@1 | 25 target=${key#/tmp/sshkeys} |
| paddy@1 | 26 target=${target%.pub} |
| paddy@1 | 27 target=${target#/} |
| paddy@1 | 28 IFS='-' read -ra USERSPEC <<< $target |
| paddy@1 | 29 if [ -d "/home${USERSPEC[0]}" ] |
| paddy@1 | 30 then |
| paddy@1 | 31 echo "User ${USERSPEC[0]} already exists, skipping." |
| paddy@1 | 32 else |
| paddy@1 | 33 echo "Creating user ${USERSPEC[0]} with ID ${USERSPEC[1]}." |
| paddy@1 | 34 /bin/bash /usr/local/bin/helpers/create_user.sh "${USERSPEC[0]}" "${USERSPEC[1]}" |
| paddy@1 | 35 cat $key > /home/${USERSPEC[0]}/.ssh/authorized_keys |
| paddy@1 | 36 fi |
| paddy@1 | 37 done |
| paddy@1 | 38 |
| paddy@6 | 39 echo "Downloading host keys from gs://${SSH_HOST_KEYS_BUCKET}/" |
| paddy@6 | 40 |
| paddy@6 | 41 output=$(gsutil cp -R gs://$SSH_HOST_KEYS_BUCKET/\* /tmp/hostkeys/ 2>&1) |
| paddy@6 | 42 echo $output |
| paddy@6 | 43 |
| paddy@6 | 44 keys=/tmp/hostkeys/* |
| paddy@6 | 45 |
| paddy@6 | 46 for key in $keys |
| paddy@6 | 47 do |
| paddy@6 | 48 if [[ $key != *".pub" ]] |
| paddy@6 | 49 then |
| paddy@6 | 50 chmod 0700 $key |
| paddy@6 | 51 fi |
| paddy@6 | 52 target="/etc/ssh/${key##*/}" |
| paddy@6 | 53 echo "Moving $key to $target" |
| paddy@6 | 54 rm $target |
| paddy@6 | 55 mv $key $target |
| paddy@6 | 56 done |
| paddy@6 | 57 |
| paddy@1 | 58 echo "Cleaning up..." |
| paddy@1 | 59 rm -rf /tmp/sshkeys/* |
| paddy@6 | 60 rm -rf /tmp/hostkeys/* |
| paddy@1 | 61 |
| paddy@1 | 62 echo "SSH key pull complete." |
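Review bot: The new host-key loop wipes /etc/ssh whenever the bucket yields nothing: `keys=/tmp/hostkeys/*` (file line 44) is a plain string, so with an empty directory the unquoted glob on line 46 stays literal, `${key##*/}` becomes `*`, and the unquoted `rm $target` on line 54 expands to `rm /etc/ssh/*`, deleting the auto-generated host keys and sshd_config the description says the image should fall back to. The gsutil exit status is never checked (line 41 only captures its output), so a failed or unauthorized download takes the same path. Set `shopt -s nullglob` before the loop, iterate the glob directly with `for key in /tmp/hostkeys/*`, and quote the expansions as `rm -f -- "$target"` and `mv -- "$key" "$target"` so an empty result is a no-op rather than a destructive one. The chmod on line 50 is ordered correctly before the move, but `0600` would match the usual host private-key mode.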