add var.ssh_options to pass additional SSH options to nixos-rebuild #427

51 changes: 26 additions & 25 deletions terraform/all-in-one.md

Large diffs are not rendered by default.

1 change: 1 addition & 0 deletions terraform/all-in-one/main.tf
@@ -55,6 +55,7 @@ module "nixos-rebuild" {
target_host = var.target_host
target_user = var.target_user
target_port = var.target_port
ssh_options = var.ssh_options
}

output "result" {
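Review bot: `ssh_options = var.ssh_options` always forwards a value, so the inner module's default never applies and the all-in-one `variables.tf` in this PR carries a second copy of the same map; when one of the two defaults is changed the other will drift. One way to keep a single source of truth is to mark the inner `ssh_options` variable `nullable = false`, give the outer one `default = null`, and let Terraform substitute the inner default whenever null is passed through.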
9 changes: 9 additions & 0 deletions terraform/all-in-one/variables.tf
@@ -51,6 +51,15 @@ variable "target_port" {
default = 22
}

variable "ssh_options" {
type = map(string)
description = "Additional options to pass to the SSH command used to connect to the target_host after installing NixOS."
default = {
UserKnownHostsFile = "/dev/null"
StrictHostKeyChecking = "no"
}
}

variable "instance_id" {
type = string
description = "The instance id of the target_host, used to track when to reinstall the machine"
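Review bot: the description for `ssh_options` should say that the default disables host-key verification (`UserKnownHostsFile = "/dev/null"` plus `StrictHostKeyChecking = "no"`); that was hard-coded before, but now that it is a documented input, callers who pin the target's host key need to know they must override both entries, for example with a `known_hosts` path and `StrictHostKeyChecking = "yes"`. It should also say that the keys are ssh_config keywords written into a generated config file (that is what deploy.sh in this PR does), not `-o` command-line flags, and the wording differs from the nixos-rebuild copy of the same variable.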
17 changes: 9 additions & 8 deletions terraform/nixos-rebuild.md
@@ -50,14 +50,15 @@ No modules.

## Inputs

| Name | Description | Type | Default | Required |
| -------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | -------- | -------- | :------: |
| <a name="input_ignore_systemd_errors"></a> [ignore\_systemd\_errors](#input_ignore_systemd_errors) | Ignore systemd errors happening during deploy | `bool` | `false` | no |
| <a name="input_nixos_system"></a> [nixos\_system](#input_nixos_system) | The nixos system to deploy | `string` | n/a | yes |
| <a name="input_ssh_private_key"></a> [ssh\_private\_key](#input_ssh_private_key) | Content of private key used to connect to the target\_host. If set to - no key is passed to openssh and ssh will use its own configuration | `string` | `"-"` | no |
| <a name="input_target_host"></a> [target\_host](#input_target_host) | DNS host to deploy to | `string` | n/a | yes |
| <a name="input_target_port"></a> [target\_port](#input_target_port) | SSH port used to connect to the target\_host | `number` | `22` | no |
| <a name="input_target_user"></a> [target\_user](#input_target_user) | User to deploy as | `string` | `"root"` | no |
| Name | Description | Type | Default | Required |
| -------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | ------------- | --------------------------------------------------------------------------------------- | :------: |
| <a name="input_ignore_systemd_errors"></a> [ignore\_systemd\_errors](#input_ignore_systemd_errors) | Ignore systemd errors happening during deploy | `bool` | `false` | no |
| <a name="input_nixos_system"></a> [nixos\_system](#input_nixos_system) | The nixos system to deploy | `string` | n/a | yes |
| <a name="input_ssh_private_key"></a> [ssh\_private\_key](#input_ssh_private_key) | Content of private key used to connect to the target\_host. If set to - no key is passed to openssh and ssh will use its own configuration | `string` | `"-"` | no |
| <a name="input_target_host"></a> [target\_host](#input_target_host) | DNS host to deploy to | `string` | n/a | yes |
| <a name="input_target_port"></a> [target\_port](#input_target_port) | SSH port used to connect to the target\_host | `number` | `22` | no |
| <a name="input_target_user"></a> [target\_user](#input_target_user) | User to deploy as | `string` | `"root"` | no |
| <a name="input_ssh_options"></a> [ssh\_options](#input_ssh_options) | Additional options to pass to the SSH command | `map(string)` | <pre>{<br> UserKnownHostsFile = "/dev/null"<br> StrictHostKeyChecking = "no"<br>}</pre> | no |

## Outputs
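Review bot: the new `ssh_options` row says "Additional options to pass to the SSH command", but deploy.sh in this PR writes the map as `Keyword Value` lines into a generated ssh_config, so the keys have to be ssh_config keywords (`UserKnownHostsFile`, `StrictHostKeyChecking`) rather than `-o` flags; fix the description in `variables.tf` and regenerate this table with terraform-docs instead of editing it by hand, so it stays consistent with the all-in-one module's description of the same input.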

18 changes: 10 additions & 8 deletions terraform/nixos-rebuild/deploy.sh
@@ -14,14 +14,16 @@ TARGET_PORT=$4
IGNORE_SYSTEMD_ERRORS=$5
shift 3

TARGET="${TARGET_USER}@${TARGET_HOST}"

workDir=$(mktemp -d)
trap 'rm -rf "$workDir"' EXIT

sshOpts=(-p "${TARGET_PORT}")
sshOpts+=(-o UserKnownHostsFile=/dev/null)
sshOpts+=(-o StrictHostKeyChecking=no)
Comment on lines -23 to -24
Member
This changes the current behavior in nixos-anywhere, if you are not using terraform.

sshConfigFile="$workDir/ssh_config"
cat >"$sshConfigFile" <<EOF
Host $TARGET_HOST
Member
Yes. As you have rightfully said, this will be an issue for users configuring private ssh keys and jump hosts in their ssh_config.

Member
Here is a workaround for you specifically, could you not pass in -F in your case instead? terraform also allows to write files, no?

Member
Maybe we can add support for passing in an ssh config file?

Author (@threddast, Dec 5, 2024)
> Here is a workaround for you specifically, could you not pass in -F in your case instead? terraform also allows to write files, no?

Yes, this would work too. I changed the PR so that additional options are passed as a string to NIX_SSHOPTS.

> Maybe we can add support for passing in an ssh config file?

I think passing flags is more flexible. As you suggested, we can pass -F if a config file is needed.

User $TARGET_USER
Port $TARGET_PORT
$(echo "$SSH_OPTIONS" | jq -r 'to_entries[] | " \(.key) \(.value)"')
EOF

set +x
if [[ -n ${SSH_KEY+x} && ${SSH_KEY} != "-" ]]; then
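Review bot: the generated file handed to ssh with `-F` replaces the user's `~/.ssh/config` entirely (ssh then reads only that file and the system-wide config), so `ProxyJump`, `IdentityFile` and `Match` entries users rely on today stop applying; this is the behaviour change raised on lines -23 to -24 and in the thread about private keys and jump hosts. Appending an `Include ~/.ssh/config` line after the generated `Host $TARGET_HOST` block is one way to restore them while letting the generated `User`/`Port` entries win, since ssh keeps the first value it sees for each keyword. Two smaller points on the heredoc: `jq` becomes a hard runtime dependency of deploy.sh on the machine running Terraform, and because the heredoc is unquoted the `\(.value)` text is substituted verbatim, so a value containing a newline turns into an extra config directive; reject such values either here or with a `validation` block on the variable.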
@@ -32,12 +34,12 @@ if [[ -n ${SSH_KEY+x} && ${SSH_KEY} != "-" ]]; then
echo "$SSH_KEY" >"$sshPrivateKeyFile"
)
unset SSH_AUTH_SOCK # don't use system agent if key was supplied
sshOpts+=(-o "IdentityFile=${sshPrivateKeyFile}")
echo " IdentityFile ${sshPrivateKeyFile}" >>"$sshConfigFile"
fi
set -x

try=1
until NIX_SSHOPTS="${sshOpts[*]}" nix copy -s --experimental-features nix-command --to "ssh://$TARGET" "$NIXOS_SYSTEM"; do
until NIX_SSHOPTS="-F $sshConfigFile" nix copy -s --experimental-features nix-command --to "ssh://$TARGET_HOST" "$NIXOS_SYSTEM"; do
if [[ $try -gt 10 ]]; then
echo "retries exhausted" >&2
exit 1
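Review bot: `NIX_SSHOPTS="-F $sshConfigFile"` is split on whitespace when nix builds the ssh command line, so a `TMPDIR` containing spaces breaks `nix copy` here; the old `${sshOpts[*]}` had the same limitation, so it is not a regression, but a short comment on the `mktemp -d` call above would save the next reader a debugging session. The `IdentityFile` line appended at the end of the file still sits inside the `Host $TARGET_HOST` block, so it applies as intended; if a caller also supplies `IdentityFile` through `ssh_options`, ssh tries theirs first and this one second, which is reasonable but worth one sentence in the variable description.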
@@ -52,7 +54,7 @@ if [[ $TARGET_USER != "root" ]]; then
fi
deploy_status=0
# shellcheck disable=SC2029
ssh "${sshOpts[@]}" "$TARGET" "$switchCommand" || deploy_status="$?"
ssh -F "$sshConfigFile" "$TARGET_HOST" "$switchCommand" || deploy_status="$?"
if [[ $IGNORE_SYSTEMD_ERRORS == "true" && $deploy_status == "4" ]]; then
exit 0
fi
1 change: 1 addition & 0 deletions terraform/nixos-rebuild/main.tf
@@ -5,6 +5,7 @@ resource "null_resource" "nixos-rebuild" {
provisioner "local-exec" {
environment = {
SSH_KEY = var.ssh_private_key
SSH_OPTIONS = jsonencode(var.ssh_options)
}
command = "${path.module}/deploy.sh ${var.nixos_system} ${var.target_user} ${var.target_host} ${var.target_port} ${var.ignore_systemd_errors}"
}
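Review bot: deploy.sh now pipes `$SSH_OPTIONS` into jq unconditionally, so when the script is run outside this provisioner (the no-Terraform nixos-anywhere case raised on lines -23 to -24) the variable is empty and the generated config carries neither `UserKnownHostsFile` nor `StrictHostKeyChecking`, which is a silent change from the previous hard-coded `-o` flags; guard the jq call with `if [[ -n ${SSH_OPTIONS:-} ]]` and either restore the old defaults in that branch or document that the script now expects the variable. Passing the map through `environment` as `jsonencode(var.ssh_options)` is the right transport: `map(string)` guarantees a JSON object for `to_entries`, and the values never reach the positional command line below.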
9 changes: 9 additions & 0 deletions terraform/nixos-rebuild/variables.tf
@@ -20,6 +20,15 @@ variable "target_port" {
default = 22
}

variable "ssh_options" {
type = map(string)
description = "Additional options to pass to the SSH command"
default = {
UserKnownHostsFile = "/dev/null"
StrictHostKeyChecking = "no"
}
}

variable "ssh_private_key" {
type = string
description = "Content of private key used to connect to the target_host. If set to - no key is passed to openssh and ssh will use its own configuration"
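Review bot: the `ssh_options` description neither states that the entries are ssh_config keywords written into a generated config file nor that the default disables host-key verification, and it differs from the all-in-one copy of the same variable; align both and say what overriding looks like for callers who pin host keys. Because deploy.sh substitutes keys and values verbatim into an unquoted heredoc, a `validation` block would stop a stray value from injecting extra directives, for example `condition = alltrue([for k, v in var.ssh_options : !can(regex("\\s", k)) && !can(regex("\n", v))])` with an `error_message` explaining that keys must be single ssh_config keywords and values must not contain newlines.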