From 4e05173ae197fd4366969d9157d3da276af0f825 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Tue, 15 Mar 2022 14:38:05 -0500 Subject: [PATCH] rootfs: Fetch SSH known hosts file Jenkins agents need to have a pre-built cache of SSH public keys for any host jobs need to access. This file is typically bind-mounted into jobs' containers. For the older Fedora-based agent nodes, the `ssh_known_hosts` file is populated by Ansible. That mechanism will not work for agent nodes using the immutable root filesystem created by this project, so we need an alternative. To that end, the `fetch-ssh-knownhosts` service downloads the keys from another machine using HTTPS when the system boots up and then periodically while it is running.
---
 rootfs/overlay/etc/ssh/ssh_known_hosts | 0
 .../lib/systemd/system/fetch-ssh-knownhosts.service | 12 ++++++++++++
 .../lib/systemd/system/fetch-ssh-knownhosts.timer | 10 ++++++++++
 rootfs/overlay/usr/libexec/fetch-ssh-knownhosts.sh | 8 ++++++++
 4 files changed, 30 insertions(+)
 create mode 100644 rootfs/overlay/etc/ssh/ssh_known_hosts
 create mode 100644 rootfs/overlay/usr/lib/systemd/system/fetch-ssh-knownhosts.service
 create mode 100644 rootfs/overlay/usr/lib/systemd/system/fetch-ssh-knownhosts.timer
 create mode 100755 rootfs/overlay/usr/libexec/fetch-ssh-knownhosts.sh
diff --git a/rootfs/overlay/etc/ssh/ssh_known_hosts b/rootfs/overlay/etc/ssh/ssh_known_hosts
new file mode 100644
index 0000000..e69de29
diff --git a/rootfs/overlay/usr/lib/systemd/system/fetch-ssh-knownhosts.service b/rootfs/overlay/usr/lib/systemd/system/fetch-ssh-knownhosts.service
new file mode 100644
index 0000000..12f9771
--- /dev/null
+++ b/rootfs/overlay/usr/lib/systemd/system/fetch-ssh-knownhosts.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Fetch SSH known host keys
+Wants=network-online.target
+After=network-online.target
+After=time-sync.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/fetch-ssh-knownhosts.sh
+
+[Install]
+WantedBy=multi-user.target
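Review bot: The unit gives operators no supported way to set `KNOWN_HOSTS_URL`, even though the script it starts reads that variable and otherwise falls back to a hard-coded host; on an immutable root filesystem the only alternative is editing the overlay itself. Adding an optional `EnvironmentFile=-<override-path>` line under `[Service]` (path to be chosen, the leading `-` keeps it optional) would let a per-node override supply the URL, and a short comment above it, `# KNOWN_HOSTS_URL may be overridden here; see /usr/libexec/fetch-ssh-knownhosts.sh`, would document the contract. Note too that the boot-time run is only guaranteed by this unit's own `WantedBy=multi-user.target`; the timer unit in the same commit does not express that, so a comment here saying the unit is started both at boot and by `fetch-ssh-knownhosts.timer` would help the next maintainer.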
diff --git a/rootfs/overlay/usr/lib/systemd/system/fetch-ssh-knownhosts.timer b/rootfs/overlay/usr/lib/systemd/system/fetch-ssh-knownhosts.timer
new file mode 100644
index 0000000..c98a30e
--- /dev/null
+++ b/rootfs/overlay/usr/lib/systemd/system/fetch-ssh-knownhosts.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Update SSH known hosts daily
+
+[Timer]
+OnCalendar=daily
+AccuracySec=1h
+RandomizedDelaySec=6000
+
+[Install]
+WantedBy=timers.target
diff --git a/rootfs/overlay/usr/libexec/fetch-ssh-knownhosts.sh b/rootfs/overlay/usr/libexec/fetch-ssh-knownhosts.sh
new file mode 100755
index 0000000..15d711e
--- /dev/null
+++ b/rootfs/overlay/usr/libexec/fetch-ssh-knownhosts.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+: "${KNOWN_HOSTS_URL=https://files.pyrocufflink.blue/ssh_known_hosts}"
+
+curl -fsSL -o /run/ssh_known_hosts "${KNOWN_HOSTS_URL}" || exit $?
+if ! mountpoint -q /etc/ssh/ssh_known_hosts; then
+ mount -o bind /run/ssh_known_hosts /etc/ssh/ssh_known_hosts
+fi
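Review bot: `RandomizedDelaySec=6000` is a bare number of seconds sitting next to `AccuracySec=1h`, so a reader has to do arithmetic to see that the daily run can slip by up to 100 minutes; writing it as `RandomizedDelaySec=100min` (or `1h40min`) makes the intent visible and avoids the easy misread as minutes. The `[Timer]` section also has no `Persistent=`, so a run missed while the node is powered off is not caught up by the timer; that is fine only because the service is also pulled in at boot by its own `[Install]` section, and a one-line comment stating that dependency, `# boot-time fetch is handled by the service's WantedBy=multi-user.target`, would keep the two units from drifting apart.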
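Review bot: `curl -o /run/ssh_known_hosts` writes straight into the file that, on every run after the first, is already bind-mounted over `/etc/ssh/ssh_known_hosts`; a transfer that drops mid-stream (or an HTTP error that `-f` turns into a non-zero exit) leaves that path truncated or partial until the next daily run, and any job doing host-key verification meanwhile reads an incomplete trust store. Because the bind mount is attached to the inode, the usual download-to-temp-then-`rename` pattern would not be visible at `/etc/ssh/ssh_known_hosts`, so the fix is to download to a temp file, validate it, and then write it through the existing file. Since this file is the host-key trust anchor for every job on the agent, `-L` should also be pinned so a redirect cannot leave HTTPS (`--proto '=https' --proto-redir '=https'`). The rewrite below keeps the `mountpoint`/`mount` tail unchanged.
```sh
: "${KNOWN_HOSTS_URL=https://files.pyrocufflink.blue/ssh_known_hosts}"

tmp=$(mktemp /run/ssh_known_hosts.XXXXXX) || exit 1
trap 'rm -f -- "$tmp"' EXIT
# Pin the transport: refuse any redirect away from HTTPS, since this file is
# the host-key trust anchor for every job on the agent.
curl -fsSL --proto '=https' --proto-redir '=https' -o "$tmp" "${KNOWN_HOSTS_URL}" || exit $?
# Never install an empty or malformed file over a working one.
[ -s "$tmp" ] || exit 1
ssh-keygen -l -f "$tmp" >/dev/null || exit 1
# Write through the existing inode: the bind mount below is attached to it,
# so rename(2) would not be seen at /etc/ssh/ssh_known_hosts.
cat -- "$tmp" > /run/ssh_known_hosts || exit 1
# … unchanged: mountpoint check and bind mount …
```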