<aminechikhaoui>
hm, that seems to handle authorized keys only?
<aminechikhaoui>
not host keys
<aminechikhaoui>
also I think the previous fetch-ssh-keys service expected a certain format in the metadata service
<adisbladis>
Ahh! I get what you mean now.
<aminechikhaoui>
but maybe if oslogin handles host keys as well it can be used somehow
<adisbladis>
I haven't touched oslogin since I made that module so my memory is rusty
<adisbladis>
But I don't recall seeing any host key handling
<aminechikhaoui>
I see, maybe we just need to revive that service then. I don't remember why it had a "TODO remove", which confused the contributor into removing it
<aminechikhaoui>
or maybe we should use the same module used by ec2 if it's generic enough
<tewfik>
do we need to enable "enable-oslogin" while creating the GCE machine?
<aminechikhaoui>
I think that'd be nice to have by default in the image if it enables ad hoc addition of SSH keys using the VM metadata
<tewfik>
actually, like you said Amine, we probably need nixops to manage its own SSH keys
<adisbladis>
I think the removal was probably the right thing to do, and we should probably move the host key functionality to nixops-gce.
<adisbladis>
Unless it's standardised somehow, but I think they're just some nixos specific metadata attributes?
<adisbladis>
aminechikhaoui: It does enable exactly that :)
<aminechikhaoui>
adisbladis: I don't see how we can do it in nixops-gce, as this happens early on in the boot process and that's used for the first SSH connection
<adisbladis>
Darn it :/
<adisbladis>
aminechikhaoui: I don't know what the right call is
<adisbladis>
aminechikhaoui: I guess reviving the host key portions of fetch-ssh-keys is OK
<adisbladis>
The alternative I think is to let the remote generate its own host key and then add the appropriate hooks for a plugin to upload a new key before the deploy steps start happening
<adisbladis>
I think the latter is much cleaner if possible
<aminechikhaoui>
adisbladis: how would the upload happen exactly?
<adisbladis>
Over SSH (using the host-generated key)
<cole-h>
adisbladis++ Thanks for merging my PR :D
<{^_^}>
adisbladis's karma got increased to 101
<cole-h>
Only thing I'm missing to be able to just plainly fetchTarball the nixops package is your custom nixpkgs PR <3
<aminechikhaoui>
adisbladis: but to use SSH you need to trust the host key first, so unless we disable host verification for the upload it won't work, right?
<aminechikhaoui>
or not disable, just trust whatever the first host key is
<adisbladis>
aminechikhaoui: Yes, which we do for the none backend for example
<adisbladis>
Or not really disabling, but using TOFU
<aminechikhaoui>
the none backend is already trusted I would assume, as you generally would have SSH access prior to using nixops
<adisbladis>
aminechikhaoui: Maybe fetch-ssh-keys is not so bad after all ^_^
<aminechikhaoui>
adisbladis: yeah, not too bad, it would just be nice if it's the same module for both Google/EC2
<aminechikhaoui>
not sure how easy that is, the metadata service is a bit different in both
* aminechikhaoui thinks there should be a cloud standard :p
<adisbladis>
aminechikhaoui: Then how do you get vendor lockin?