Use mktemp to create temporary files to hold ssh host keys and authorized keys when downloading them from the metadata server.

nixos/modules/virtualisation/google-compute-image.nix

@@ -143,34 +143,41 @@ in
           umask 077
           # Don't download the SSH key if it has already been downloaded
           if ! [ -e /root/.ssh/authorized_keys ]; then
-                echo "obtaining SSH key..."
+              echo "obtaining SSH key..."
-                mkdir -m 0700 -p /root/.ssh
+              mkdir -m 0700 -p /root/.ssh
-                ${wget} -O /root/authorized-keys-metadata http://metadata.google.internal/0.1/meta-data/authorized-keys
+              AUTH_KEYS=$(mktemp) && {
-                if [ $? -eq 0 -a -e /root/authorized-keys-metadata ]; then
+                ${wget} -O $AUTH_KEYS http://metadata.google.internal/0.1/meta-data/authorized-keys
-                    cat /root/authorized-keys-metadata | cut -d: -f2- > /root/key.pub
+                if [ $? -eq 0 -a -e $AUTH_KEYS ]; then
-                    if ! grep -q -f /root/key.pub /root/.ssh/authorized_keys; then
+                    KEY_PUB=$(mktemp) && {
-                        cat /root/key.pub >> /root/.ssh/authorized_keys
+                      cat $AUTH_KEYS | cut -d: -f2- > $KEY_PUB
-                        echo "new key added to authorized_keys"
+                      if ! grep -q -f $KEY_PUB /root/.ssh/authorized_keys; then
-                    fi
+                          cat $KEY_PUB >> /root/.ssh/authorized_keys
-                    chmod 600 /root/.ssh/authorized_keys
+                          echo "new key added to authorized_keys"
+                      fi
+                      chmod 600 /root/.ssh/authorized_keys
+                      rm -f $KEY_PUB
+                    }
                 fi
-                rm -f /root/key.pub /root/authorized-keys-metadata
+                rm -f $AUTH_KEYS
+              }
           fi
 
           countKeys=0
           ${flip concatMapStrings config.services.openssh.hostKeys (k :
             let kName = baseNameOf k.path; in ''
-              echo "trying to obtain SSH private host key ${kName}"
+              PRIV_KEY=$(mktemp) && {
-              ${wget} -O /root/${kName} http://metadata.google.internal/0.1/meta-data/attributes/${kName} && :
+                echo "trying to obtain SSH private host key ${kName}"
-              if [ $? -eq 0 -a -e /root/${kName} ]; then
+                ${wget} -O $PRIV_KEY http://metadata.google.internal/0.1/meta-data/attributes/${kName} && :
-                  countKeys=$((countKeys+1))
+                if [ $? -eq 0 -a -e $PRIV_KEY ]; then
-                  mv -f /root/${kName} ${k.path}
+                    countKeys=$((countKeys+1))
-                  echo "downloaded ${k.path}"
+                    mv -f $PRIV_KEY ${k.path}
-                  chmod 600 ${k.path}
+                    echo "downloaded ${k.path}"
-                  ${config.programs.ssh.package}/bin/ssh-keygen -y -f ${k.path} > ${k.path}.pub
+                    chmod 600 ${k.path}
-                  chmod 644 ${k.path}.pub
+                    ${config.programs.ssh.package}/bin/ssh-keygen -y -f ${k.path} > ${k.path}.pub
-              fi
+                    chmod 644 ${k.path}.pub
-              rm -f /root/${kName}
+                fi
+                rm -f $PRIV_KEY
+              }
             ''
           )}