author William Carroll <wpcarro@gmail.com> 2021-12-29T03·17-0400
committer clbot <clbot@tvl.fyi> 2021-12-29T18·49+0000
commit b8109568025b353a669f4297ec44c970073e3ff6
tree 4e9d71e468099315bf075869c26e033de077bde4
parent 3681b0ce1d841e120a7af15ea998b0509669c993
feat(wpcarro/terraform): Support SSH r/3498
Supporting SSH turned out to be a bit of a saga... Thank you @espes and @grfn
for the pointers.

Problem: When I originally set up my Google VM, I followed this tutorial,
https://nixos.wiki/wiki/Install_NixOS_on_GCE, so I ended up installing
`nixos-20-03`: an older version of NixOS (the newest version in `gsutils ls -l
gs://nixos-images`). Critically, I missed this important footnote:

> NOTE: Newer images (from 20.09 on) won't be available at the bucket above, and
> will instead need to be found at
> <nixpkgs/nixos/modules/virtualisation/gce-images.nix>.

It turns out that *newer* images include this script...
https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/fetch-instance-ssh-keys.bash
...which reads the key, "sshKeys", from the Google metadata server and copies
the value into /root/.ssh/authorized_keys.

To make matters a bit misleading, the NixOS script expects the key to be
"sshKeys", but Google deprecated that in favor of "ssh-keys" (hence why both
versions appear in this commit).

TL;DR:
- upgrading to a newer NixOS image
- adding an empty access_config block so Google will assign my VM an external IP
- removing oslogin (not necessary to do, and I may add it back later)
- adding my public SSH key as metadata

Change-Id: If624fe77afd47b31fa7be0a1dd4a55512317eef0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4737
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
-rw-r--r-- users/wpcarro/terraform/gcp.tf 13
1 files changed, 8 insertions, 5 deletions
diff --git a/users/wpcarro/terraform/gcp.tf b/users/wpcarro/terraform/gcp.tf
index a902f53e7360..92af096953cb 100644
--- a/users/wpcarro/terraform/gcp.tf
+++ b/users/wpcarro/terraform/gcp.tf
@@ -23,7 +23,7 @@ resource "google_compute_instance" "default" {
 
     initialize_params {
       size  = 10
-      image = "nixos-20-03"
+      image = "projects/nixos-cloud/global/images/nixos-image-20-09-3531-3858fbc08e6-x86-64-linux"
     }
   }
 
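Review bot: The new `image` value in `initialize_params` pins one specific build (`nixos-image-20-09-3531-3858fbc08e6-x86-64-linux`) with no comment saying where the name came from or how to choose its successor. A one-line comment pointing at `nixos/modules/virtualisation/gce-images.nix` in nixpkgs, which the commit message names as the place to find 20.09 and later images, would make the next image bump straightforward and reduce the chance of the VM staying on this release indefinitely.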
@@ -31,13 +31,16 @@ resource "google_compute_instance" "default" {
     network    = "default"
     subnetwork = "default"
 
-    access_config {
-      public_ptr_domain_name = "wpcarro.dev"
-    }
+    access_config {}
   }
 
   metadata = {
-    enable-oslogin = "TRUE"
+    # sshKeys is deprecated, but the GCE NixOS image relies on it, so we need
+    # both values:
+    # - deprecation: https://cloud.google.com/compute/docs/metadata/default-metadata-values
+    # - NixOS bug: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/fetch-instance-ssh-keys.bash#L14
+    ssh-keys = "wpcarro:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJkNQJBXekuSzZJ8+gxT+V1+eXTm3hYsfigllr/ARXkf wpcarro@gmail.com"
+    sshKeys  = "wpcarro:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJkNQJBXekuSzZJ8+gxT+V1+eXTm3hYsfigllr/ARXkf wpcarro@gmail.com"
   }
 
   service_account {
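Review bot: In the `metadata` block the same public key is written out twice, once as `ssh-keys` and once as `sshKeys`, so a later rotation that edits only one line leaves the old key published under the other name; defining the key once in a `locals` block and referencing it from both entries avoids that. This hunk also drops `enable-oslogin` and switches to `access_config {}`, which per the commit message gives the VM an external IP, and the commit message says the key is copied into /root/.ssh/authorized_keys, so it is worth confirming that inbound tcp/22 on the `default` network is limited to known source ranges. The removal of `public_ptr_domain_name = "wpcarro.dev"` is not covered in the commit message; a line there on why it was dropped would help.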