From d0ea69856a86c4851a3591948acd33effcce2611 Mon Sep 17 00:00:00 2001 From: Erik Giorgis Date: Tue, 19 Nov 2024 21:14:01 +0100 Subject: [PATCH 1/2] add var.ssh_options to pass additional SSH options to nixos-rebuild --- terraform/all-in-one.md | 51 ++++++++++++++-------------- terraform/all-in-one/main.tf | 1 + terraform/all-in-one/variables.tf | 9 +++++ terraform/nixos-rebuild.md | 17 +++++----- terraform/nixos-rebuild/deploy.sh | 18 +++++----- terraform/nixos-rebuild/main.tf | 1 + terraform/nixos-rebuild/variables.tf | 9 +++++ 7 files changed, 65 insertions(+), 41 deletions(-) diff --git a/terraform/all-in-one.md b/terraform/all-in-one.md index 7ea600bb..2e8696f7 100644 --- a/terraform/all-in-one.md +++ b/terraform/all-in-one.md @@ -197,31 +197,32 @@ No resources. ## Inputs -| Name | Description | Type | Default | Required | -| --------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- | ----------------------------------------------------------------------- | :------: | -| [debug\_logging](#input_debug_logging) | Enable debug logging | `bool` | `false` | no | -| [deployment\_ssh\_key](#input_deployment_ssh_key) | Content of private key used to deploy to the target\_host after initial installation. To ensure maximum security, it is advisable to connect to your host using ssh-agent instead of relying on this variable | `string` | `null` | no | -| [disk\_encryption\_key\_scripts](#input_disk_encryption_key_scripts) | Each script will be executed locally. Output of each will be created at the given path to disko during installation. The keys will be not copied to the final system |
list(object({
path = string
script = string
}))
| `[]` | no | -| [extra\_environment](#input_extra_environment) | Extra environment variables to be set during installation. This can be useful to set extra variables for the extra\_files\_script or disk\_encryption\_key\_scripts | `map(string)` | `{}` | no | -| [extra\_files\_script](#input_extra_files_script) | A script that should place files in the current directory that will be copied to the targets / directory | `string` | `null` | no | -| [file](#input_file) | Nix file containing the nixos\_system\_attr and nixos\_partitioner\_attr. Use this if you are not using flake | `string` | `null` | no | -| [install\_port](#input_install_port) | SSH port used to connect to the target\_host, before installing NixOS. If null than the value of `target_port` is used | `string` | `null` | no | -| [install\_ssh\_key](#input_install_ssh_key) | Content of private key used to connect to the target\_host during initial installation | `string` | `null` | no | -| [install\_user](#input_install_user) | SSH user used to connect to the target\_host, before installing NixOS. If null than the value of `target_host` is used | `string` | `null` | no | -| [instance\_id](#input_instance_id) | The instance id of the target\_host, used to track when to reinstall the machine | `string` | `null` | no | -| [kexec\_tarball\_url](#input_kexec_tarball_url) | NixOS kexec installer tarball url | `string` | `null` | no | -| [nix\_options](#input_nix_options) | the options of nix | `map(string)` | `{}` | no | -| [nixos\_facter\_path](#input_nixos_facter_path) | Path to which to write a `facter.json` generated by `nixos-facter`. | `string` | `""` | no | -| [nixos\_generate\_config\_path](#input_nixos_generate_config_path) | Path to which to write a `hardware-configuration.nix` generated by `nixos-generate-config`. | `string` | `""` | no | -| [nixos\_partitioner\_attr](#input_nixos_partitioner_attr) | Nixos partitioner and mount script i.e. 
your-flake#nixosConfigurations.your-evaluated-nixos.config.system.build.diskoNoDeps or just your-evaluated.config.system.build.diskNoDeps. `config.system.build.diskNoDeps` is provided by the disko nixos module | `string` | n/a | yes | -| [nixos\_system\_attr](#input_nixos_system_attr) | The nixos system to deploy i.e. your-flake#nixosConfigurations.your-evaluated-nixos.config.system.build.toplevel or just your-evaluated-nixos.config.system.build.toplevel if you are not using flakes | `string` | n/a | yes | -| [no\_reboot](#input_no_reboot) | DEPRECATED: Use `phases` instead. Do not reboot after installation | `bool` | `false` | no | -| [phases](#input_phases) | Phases to run. See `nixos-anywhere --help` for more information | `set(string)` |
[
"kexec",
"disko",
"install",
"reboot"
]
| no | -| [special\_args](#input_special_args) | A map exposed as NixOS's `specialArgs` thru a file. | `any` | `{}` | no | -| [stop\_after\_disko](#input_stop_after_disko) | DEPRECATED: Use `phases` instead. Exit after disko formatting | `bool` | `false` | no | -| [target\_host](#input_target_host) | DNS host to deploy to | `string` | n/a | yes | -| [target\_port](#input_target_port) | SSH port used to connect to the target\_host after installing NixOS. If install\_port is not set than this port is also used before installing. | `number` | `22` | no | -| [target\_user](#input_target_user) | SSH user used to connect to the target\_host after installing NixOS. If install\_user is not set than this user is also used before installing. | `string` | `"root"` | no | +| Name | Description | Type | Default | Required | +| --------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- | --------------------------------------------------------------------------------------- | :------: | +| [debug\_logging](#input_debug_logging) | Enable debug logging | `bool` | `false` | no | +| [deployment\_ssh\_key](#input_deployment_ssh_key) | Content of private key used to deploy to the target\_host after initial installation. To ensure maximum security, it is advisable to connect to your host using ssh-agent instead of relying on this variable | `string` | `null` | no | +| [disk\_encryption\_key\_scripts](#input_disk_encryption_key_scripts) | Each script will be executed locally. Output of each will be created at the given path to disko during installation. The keys will be not copied to the final system |
list(object({
path = string
script = string
}))
| `[]` | no | +| [extra\_environment](#input_extra_environment) | Extra environment variables to be set during installation. This can be useful to set extra variables for the extra\_files\_script or disk\_encryption\_key\_scripts | `map(string)` | `{}` | no | +| [extra\_files\_script](#input_extra_files_script) | A script that should place files in the current directory that will be copied to the targets / directory | `string` | `null` | no | +| [file](#input_file) | Nix file containing the nixos\_system\_attr and nixos\_partitioner\_attr. Use this if you are not using flake | `string` | `null` | no | +| [install\_port](#input_install_port) | SSH port used to connect to the target\_host, before installing NixOS. If null than the value of `target_port` is used | `string` | `null` | no | +| [install\_ssh\_key](#input_install_ssh_key) | Content of private key used to connect to the target\_host during initial installation | `string` | `null` | no | +| [install\_user](#input_install_user) | SSH user used to connect to the target\_host, before installing NixOS. If null than the value of `target_host` is used | `string` | `null` | no | +| [instance\_id](#input_instance_id) | The instance id of the target\_host, used to track when to reinstall the machine | `string` | `null` | no | +| [kexec\_tarball\_url](#input_kexec_tarball_url) | NixOS kexec installer tarball url | `string` | `null` | no | +| [nix\_options](#input_nix_options) | the options of nix | `map(string)` | `{}` | no | +| [nixos\_facter\_path](#input_nixos_facter_path) | Path to which to write a `facter.json` generated by `nixos-facter`. | `string` | `""` | no | +| [nixos\_generate\_config\_path](#input_nixos_generate_config_path) | Path to which to write a `hardware-configuration.nix` generated by `nixos-generate-config`. | `string` | `""` | no | +| [nixos\_partitioner\_attr](#input_nixos_partitioner_attr) | Nixos partitioner and mount script i.e. 
your-flake#nixosConfigurations.your-evaluated-nixos.config.system.build.diskoNoDeps or just your-evaluated.config.system.build.diskNoDeps. `config.system.build.diskNoDeps` is provided by the disko nixos module | `string` | n/a | yes | +| [nixos\_system\_attr](#input_nixos_system_attr) | The nixos system to deploy i.e. your-flake#nixosConfigurations.your-evaluated-nixos.config.system.build.toplevel or just your-evaluated-nixos.config.system.build.toplevel if you are not using flakes | `string` | n/a | yes | +| [no\_reboot](#input_no_reboot) | DEPRECATED: Use `phases` instead. Do not reboot after installation | `bool` | `false` | no | +| [phases](#input_phases) | Phases to run. See `nixos-anywhere --help` for more information | `set(string)` |
[
"kexec",
"disko",
"install",
"reboot"
]
| no | +| [special\_args](#input_special_args) | A map exposed as NixOS's `specialArgs` thru a file. | `any` | `{}` | no | +| [stop\_after\_disko](#input_stop_after_disko) | DEPRECATED: Use `phases` instead. Exit after disko formatting | `bool` | `false` | no | +| [target\_host](#input_target_host) | DNS host to deploy to | `string` | n/a | yes | +| [target\_port](#input_target_port) | SSH port used to connect to the target\_host after installing NixOS. If install\_port is not set than this port is also used before installing. | `number` | `22` | no | +| [target\_user](#input_target_user) | SSH user used to connect to the target\_host after installing NixOS. If install\_user is not set than this user is also used before installing. | `string` | `"root"` | no | +| [ssh\_options](#input_ssh_options) | Additional options to pass to the SSH command used to connect to the target_host after installing NixOS. | `map(string)` |
{
UserKnownHostsFile = "/dev/null"
StrictHostKeyChecking = "no"
}
| no | ## Outputs diff --git a/terraform/all-in-one/main.tf b/terraform/all-in-one/main.tf index 41ab51a2..e95c356e 100644 --- a/terraform/all-in-one/main.tf +++ b/terraform/all-in-one/main.tf @@ -55,6 +55,7 @@ module "nixos-rebuild" { target_host = var.target_host target_user = var.target_user target_port = var.target_port + ssh_options = var.ssh_options } output "result" { diff --git a/terraform/all-in-one/variables.tf b/terraform/all-in-one/variables.tf index 8216532d..fff5d0e3 100644 --- a/terraform/all-in-one/variables.tf +++ b/terraform/all-in-one/variables.tf @@ -51,6 +51,15 @@ variable "target_port" { default = 22 } +variable "ssh_options" { + type = map(string) + description = "Additional options to pass to the SSH command used to connect to the target_host after installing NixOS." + default = { + UserKnownHostsFile = "/dev/null" + StrictHostKeyChecking = "no" + } +} + variable "instance_id" { type = string description = "The instance id of the target_host, used to track when to reinstall the machine" diff --git a/terraform/nixos-rebuild.md b/terraform/nixos-rebuild.md index 0be26bb7..88849954 100644 --- a/terraform/nixos-rebuild.md +++ b/terraform/nixos-rebuild.md 
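Review bot: The `description` of the new `ssh_options` variable in terraform/all-in-one/variables.tf does not say that its default disables host-key verification (`UserKnownHostsFile=/dev/null` together with `StrictHostKeyChecking=no`), nor that the variable replaces the two formerly hard-coded `sshOpts+=(-o ...)` lines rather than adding to them, so a caller who sets `ssh_options` to anything else drops both settings and, without a known_hosts entry, a non-interactive ssh will refuse the connection. Now that these defaults are a documented module input, the description is the place to state this, e.g. `description = "Options passed to the SSH command used to connect to the target_host after installing NixOS. The default turns off host key verification; once the target's host key is known, override it with a pinned UserKnownHostsFile and StrictHostKeyChecking=yes."`. The same wording gap exists for the `ssh_options` variable added to terraform/nixos-rebuild/variables.tf by this patch and retyped by PATCH 2/2.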
@@ -50,14 +50,15 @@ No modules. ## Inputs -| Name | Description | Type | Default | Required | -| -------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | -------- | -------- | :------: | -| [ignore\_systemd\_errors](#input_ignore_systemd_errors) | Ignore systemd errors happening during deploy | `bool` | `false` | no | -| [nixos\_system](#input_nixos_system) | The nixos system to deploy | `string` | n/a | yes | -| [ssh\_private\_key](#input_ssh_private_key) | Content of private key used to connect to the target\_host. If set to - no key is passed to openssh and ssh will use its own configuration | `string` | `"-"` | no | -| [target\_host](#input_target_host) | DNS host to deploy to | `string` | n/a | yes | -| [target\_port](#input_target_port) | SSH port used to connect to the target\_host | `number` | `22` | no | -| [target\_user](#input_target_user) | User to deploy as | `string` | `"root"` | no | +| Name | Description | Type | Default | Required | +| -------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | ------------- | --------------------------------------------------------------------------------------- | :------: | +| [ignore\_systemd\_errors](#input_ignore_systemd_errors) | Ignore systemd errors happening during deploy | `bool` | `false` | no | +| [nixos\_system](#input_nixos_system) | The nixos system to deploy | `string` | n/a | yes | +| [ssh\_private\_key](#input_ssh_private_key) | Content of private key used to connect to the target\_host. 
If set to - no key is passed to openssh and ssh will use its own configuration | `string` | `"-"` | no | +| [target\_host](#input_target_host) | DNS host to deploy to | `string` | n/a | yes | +| [target\_port](#input_target_port) | SSH port used to connect to the target\_host | `number` | `22` | no | +| [target\_user](#input_target_user) | User to deploy as | `string` | `"root"` | no | +| [ssh\_options](#input_ssh_options) | Additional options to pass to the SSH command | `map(string)` |
{
UserKnownHostsFile = "/dev/null"
StrictHostKeyChecking = "no"
}
| no | ## Outputs diff --git a/terraform/nixos-rebuild/deploy.sh b/terraform/nixos-rebuild/deploy.sh index 2c075039..a9ff1a64 100755 --- a/terraform/nixos-rebuild/deploy.sh +++ b/terraform/nixos-rebuild/deploy.sh @@ -14,14 +14,16 @@ TARGET_PORT=$4 IGNORE_SYSTEMD_ERRORS=$5 shift 3 -TARGET="${TARGET_USER}@${TARGET_HOST}" - workDir=$(mktemp -d) trap 'rm -rf "$workDir"' EXIT -sshOpts=(-p "${TARGET_PORT}") -sshOpts+=(-o UserKnownHostsFile=/dev/null) -sshOpts+=(-o StrictHostKeyChecking=no) +sshConfigFile="$workDir/ssh_config" +cat >"$sshConfigFile" <"$sshPrivateKeyFile" ) unset SSH_AUTH_SOCK # don't use system agent if key was supplied - sshOpts+=(-o "IdentityFile=${sshPrivateKeyFile}") + echo " IdentityFile ${sshPrivateKeyFile}" >>"$sshConfigFile" fi set -x try=1 -until NIX_SSHOPTS="${sshOpts[*]}" nix copy -s --experimental-features nix-command --to "ssh://$TARGET" "$NIXOS_SYSTEM"; do +until NIX_SSHOPTS="-F $sshConfigFile" nix copy -s --experimental-features nix-command --to "ssh://$TARGET_HOST" "$NIXOS_SYSTEM"; do if [[ $try -gt 10 ]]; then echo "retries exhausted" >&2 exit 1 @@ -52,7 +54,7 @@ if [[ $TARGET_USER != "root" ]]; then fi deploy_status=0 # shellcheck disable=SC2029 -ssh "${sshOpts[@]}" "$TARGET" "$switchCommand" || deploy_status="$?" +ssh -F "$sshConfigFile" "$TARGET_HOST" "$switchCommand" || deploy_status="$?" if [[ $IGNORE_SYSTEMD_ERRORS == "true" && $deploy_status == "4" ]]; then exit 0 fi diff --git a/terraform/nixos-rebuild/main.tf b/terraform/nixos-rebuild/main.tf index ccd36da2..ee2b806c 100644 --- a/terraform/nixos-rebuild/main.tf +++ b/terraform/nixos-rebuild/main.tf @@ -5,6 +5,7 @@ resource "null_resource" "nixos-rebuild" { provisioner "local-exec" { environment = { SSH_KEY = var.ssh_private_key + SSH_OPTIONS = jsonencode(var.ssh_options) } command = "${path.module}/deploy.sh ${var.nixos_system} ${var.target_user} ${var.target_host} ${var.target_port} ${var.ignore_systemd_errors}" } 
diff --git a/terraform/nixos-rebuild/variables.tf b/terraform/nixos-rebuild/variables.tf index e560f39a..0a9143f0 100644 --- a/terraform/nixos-rebuild/variables.tf +++ b/terraform/nixos-rebuild/variables.tf @@ -20,6 +20,15 @@ variable "target_port" { default = 22 } +variable "ssh_options" { + type = map(string) + description = "Additional options to pass to the SSH command" + default = { + UserKnownHostsFile = "/dev/null" + StrictHostKeyChecking = "no" + } +} + variable "ssh_private_key" { type = string description = "Content of private key used to connect to the target_host. If set to - no key is passed to openssh and ssh will use its own configuration" From a03c430e42c7e5113ea183b40d1415493a99833c Mon Sep 17 00:00:00 2001 From: Erik Giorgis Date: Thu, 5 Dec 2024 13:35:36 +0100 Subject: [PATCH 2/2] change ssh_options to a list of strings --- terraform/all-in-one.md | 53 ++++++++++++++-------------- terraform/nixos-rebuild.md | 18 +++++----- terraform/nixos-rebuild/deploy.sh | 17 ++++----- terraform/nixos-rebuild/main.tf | 2 +- terraform/nixos-rebuild/variables.tf | 10 +++--- 5 files changed, 49 insertions(+), 51 deletions(-) diff --git a/terraform/all-in-one.md b/terraform/all-in-one.md index 2e8696f7..c9673d8a 100644 --- a/terraform/all-in-one.md +++ b/terraform/all-in-one.md 
@@ -197,32 +197,33 @@ No resources. ## Inputs -| Name | Description | Type | Default | Required | -| --------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- | --------------------------------------------------------------------------------------- | :------: | -| [debug\_logging](#input_debug_logging) | Enable debug logging | `bool` | `false` | no | -| [deployment\_ssh\_key](#input_deployment_ssh_key) | Content of private key used to deploy to the target\_host after initial installation. To ensure maximum security, it is advisable to connect to your host using ssh-agent instead of relying on this variable | `string` | `null` | no | -| [disk\_encryption\_key\_scripts](#input_disk_encryption_key_scripts) | Each script will be executed locally. Output of each will be created at the given path to disko during installation. The keys will be not copied to the final system |
list(object({
path = string
script = string
}))
| `[]` | no | -| [extra\_environment](#input_extra_environment) | Extra environment variables to be set during installation. This can be useful to set extra variables for the extra\_files\_script or disk\_encryption\_key\_scripts | `map(string)` | `{}` | no | -| [extra\_files\_script](#input_extra_files_script) | A script that should place files in the current directory that will be copied to the targets / directory | `string` | `null` | no | -| [file](#input_file) | Nix file containing the nixos\_system\_attr and nixos\_partitioner\_attr. Use this if you are not using flake | `string` | `null` | no | -| [install\_port](#input_install_port) | SSH port used to connect to the target\_host, before installing NixOS. If null than the value of `target_port` is used | `string` | `null` | no | -| [install\_ssh\_key](#input_install_ssh_key) | Content of private key used to connect to the target\_host during initial installation | `string` | `null` | no | -| [install\_user](#input_install_user) | SSH user used to connect to the target\_host, before installing NixOS. If null than the value of `target_host` is used | `string` | `null` | no | -| [instance\_id](#input_instance_id) | The instance id of the target\_host, used to track when to reinstall the machine | `string` | `null` | no | -| [kexec\_tarball\_url](#input_kexec_tarball_url) | NixOS kexec installer tarball url | `string` | `null` | no | -| [nix\_options](#input_nix_options) | the options of nix | `map(string)` | `{}` | no | -| [nixos\_facter\_path](#input_nixos_facter_path) | Path to which to write a `facter.json` generated by `nixos-facter`. | `string` | `""` | no | -| [nixos\_generate\_config\_path](#input_nixos_generate_config_path) | Path to which to write a `hardware-configuration.nix` generated by `nixos-generate-config`. | `string` | `""` | no | -| [nixos\_partitioner\_attr](#input_nixos_partitioner_attr) | Nixos partitioner and mount script i.e. 
your-flake#nixosConfigurations.your-evaluated-nixos.config.system.build.diskoNoDeps or just your-evaluated.config.system.build.diskNoDeps. `config.system.build.diskNoDeps` is provided by the disko nixos module | `string` | n/a | yes | -| [nixos\_system\_attr](#input_nixos_system_attr) | The nixos system to deploy i.e. your-flake#nixosConfigurations.your-evaluated-nixos.config.system.build.toplevel or just your-evaluated-nixos.config.system.build.toplevel if you are not using flakes | `string` | n/a | yes | -| [no\_reboot](#input_no_reboot) | DEPRECATED: Use `phases` instead. Do not reboot after installation | `bool` | `false` | no | -| [phases](#input_phases) | Phases to run. See `nixos-anywhere --help` for more information | `set(string)` |
[
"kexec",
"disko",
"install",
"reboot"
]
| no | -| [special\_args](#input_special_args) | A map exposed as NixOS's `specialArgs` thru a file. | `any` | `{}` | no | -| [stop\_after\_disko](#input_stop_after_disko) | DEPRECATED: Use `phases` instead. Exit after disko formatting | `bool` | `false` | no | -| [target\_host](#input_target_host) | DNS host to deploy to | `string` | n/a | yes | -| [target\_port](#input_target_port) | SSH port used to connect to the target\_host after installing NixOS. If install\_port is not set than this port is also used before installing. | `number` | `22` | no | -| [target\_user](#input_target_user) | SSH user used to connect to the target\_host after installing NixOS. If install\_user is not set than this user is also used before installing. | `string` | `"root"` | no | -| [ssh\_options](#input_ssh_options) | Additional options to pass to the SSH command used to connect to the target_host after installing NixOS. | `map(string)` |
{
UserKnownHostsFile = "/dev/null"
StrictHostKeyChecking = "no"
}
| no | +| Name | Description | Type | Default | Required | +|-----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|--------------------------------------------------------------------------------------------|:--------:| +| [debug\_logging](#input_debug_logging) | Enable debug logging | `bool` | `false` | no | +| [deployment\_ssh\_key](#input_deployment_ssh_key) | Content of private key used to deploy to the target\_host after initial installation. To ensure maximum security, it is advisable to connect to your host using ssh-agent instead of relying on this variable | `string` | `null` | no | +| [disk\_encryption\_key\_scripts](#input_disk_encryption_key_scripts) | Each script will be executed locally. Output of each will be created at the given path to disko during installation. The keys will be not copied to the final system |
list(object({
path = string
script = string
}))
| `[]` | no | +| [extra\_environment](#input_extra_environment) | Extra environment variables to be set during installation. This can be useful to set extra variables for the extra\_files\_script or disk\_encryption\_key\_scripts | `map(string)` | `{}` | no | +| [extra\_files\_script](#input_extra_files_script) | A script that should place files in the current directory that will be copied to the targets / directory | `string` | `null` | no | +| [file](#input_file) | Nix file containing the nixos\_system\_attr and nixos\_partitioner\_attr. Use this if you are not using flake | `string` | `null` | no | +| [install\_port](#input_install_port) | SSH port used to connect to the target\_host, before installing NixOS. If null than the value of `target_port` is used | `string` | `null` | no | +| [install\_ssh\_key](#input_install_ssh_key) | Content of private key used to connect to the target\_host during initial installation | `string` | `null` | no | +| [install\_user](#input_install_user) | SSH user used to connect to the target\_host, before installing NixOS. If null than the value of `target_host` is used | `string` | `null` | no | +| [instance\_id](#input_instance_id) | The instance id of the target\_host, used to track when to reinstall the machine | `string` | `null` | no | +| [kexec\_tarball\_url](#input_kexec_tarball_url) | NixOS kexec installer tarball url | `string` | `null` | no | +| [nix\_options](#input_nix_options) | the options of nix | `map(string)` | `{}` | no | +| [nixos\_facter\_path](#input_nixos_facter_path) | Path to which to write a `facter.json` generated by `nixos-facter`. | `string` | `""` | no | +| [nixos\_generate\_config\_path](#input_nixos_generate_config_path) | Path to which to write a `hardware-configuration.nix` generated by `nixos-generate-config`. | `string` | `""` | no | +| [nixos\_partitioner\_attr](#input_nixos_partitioner_attr) | Nixos partitioner and mount script i.e. 
your-flake#nixosConfigurations.your-evaluated-nixos.config.system.build.diskoNoDeps or just your-evaluated.config.system.build.diskNoDeps. `config.system.build.diskNoDeps` is provided by the disko nixos module | `string` | n/a | yes | +| [nixos\_system\_attr](#input_nixos_system_attr) | The nixos system to deploy i.e. your-flake#nixosConfigurations.your-evaluated-nixos.config.system.build.toplevel or just your-evaluated-nixos.config.system.build.toplevel if you are not using flakes | `string` | n/a | yes | +| [no\_reboot](#input_no_reboot) | DEPRECATED: Use `phases` instead. Do not reboot after installation | `bool` | `false` | no | +| [phases](#input_phases) | Phases to run. See `nixos-anywhere --help` for more information | `set(string)` |
[
"kexec",
"disko",
"install",
"reboot"
]
| no | +| [special\_args](#input_special_args) | A map exposed as NixOS's `specialArgs` thru a file. | `any` | `{}` | no | +| [stop\_after\_disko](#input_stop_after_disko) | DEPRECATED: Use `phases` instead. Exit after disko formatting | `bool` | `false` | no | +| [target\_host](#input_target_host) | DNS host to deploy to | `string` | n/a | yes | +| [target\_port](#input_target_port) | SSH port used to connect to the target\_host after installing NixOS. If install\_port is not set than this port is also used before installing. | `number` | `22` | no | +| [target\_user](#input_target_user) | SSH user used to connect to the target\_host after installing NixOS. If install\_user is not set than this user is also used before installing. | `string` | `"root"` | no | +| [ssh\_options](#input_ssh_options) | Additional options to pass to the SSH command used to connect to the target_host after installing NixOS. | `list(string)` |
[
"-o UserKnownHostsFile=/dev/null"
"-o StrictHostKeyChecking=no"
]
| no | +| [ssh\_options](#input_ssh_options) | Additional options to pass to the SSH command | `list(string)` |
[
"-o UserKnownHostsFile=/dev/null",
"-o StrictHostKeyChecking=no"
]
| no | ## Outputs diff --git a/terraform/nixos-rebuild.md b/terraform/nixos-rebuild.md index 88849954..2987e647 100644 --- a/terraform/nixos-rebuild.md +++ b/terraform/nixos-rebuild.md @@ -50,15 +50,15 @@ No modules. ## Inputs -| Name | Description | Type | Default | Required | -| -------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | ------------- | --------------------------------------------------------------------------------------- | :------: | -| [ignore\_systemd\_errors](#input_ignore_systemd_errors) | Ignore systemd errors happening during deploy | `bool` | `false` | no | -| [nixos\_system](#input_nixos_system) | The nixos system to deploy | `string` | n/a | yes | -| [ssh\_private\_key](#input_ssh_private_key) | Content of private key used to connect to the target\_host. If set to - no key is passed to openssh and ssh will use its own configuration | `string` | `"-"` | no | -| [target\_host](#input_target_host) | DNS host to deploy to | `string` | n/a | yes | -| [target\_port](#input_target_port) | SSH port used to connect to the target\_host | `number` | `22` | no | -| [target\_user](#input_target_user) | User to deploy as | `string` | `"root"` | no | -| [ssh\_options](#input_ssh_options) | Additional options to pass to the SSH command | `map(string)` |
{
UserKnownHostsFile = "/dev/null"
StrictHostKeyChecking = "no"
}
| no | +| Name | Description | Type | Default | Required | +|----------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|----------------|-------------------------------------------------------------------------------------------|:--------:| +| [ignore\_systemd\_errors](#input_ignore_systemd_errors) | Ignore systemd errors happening during deploy | `bool` | `false` | no | +| [nixos\_system](#input_nixos_system) | The nixos system to deploy | `string` | n/a | yes | +| [ssh\_private\_key](#input_ssh_private_key) | Content of private key used to connect to the target\_host. If set to - no key is passed to openssh and ssh will use its own configuration | `string` | `"-"` | no | +| [target\_host](#input_target_host) | DNS host to deploy to | `string` | n/a | yes | +| [target\_port](#input_target_port) | SSH port used to connect to the target\_host | `number` | `22` | no | +| [target\_user](#input_target_user) | User to deploy as | `string` | `"root"` | no | +| [ssh\_options](#input_ssh_options) | Additional options to pass to the SSH command | `list(string)` |
[
"-o UserKnownHostsFile=/dev/null"
"-o StrictHostKeyChecking=no"
]
| no | ## Outputs diff --git a/terraform/nixos-rebuild/deploy.sh b/terraform/nixos-rebuild/deploy.sh index a9ff1a64..69d78ab1 100755 --- a/terraform/nixos-rebuild/deploy.sh +++ b/terraform/nixos-rebuild/deploy.sh @@ -14,16 +14,13 @@ TARGET_PORT=$4 IGNORE_SYSTEMD_ERRORS=$5 shift 3 +TARGET="${TARGET_USER}@${TARGET_HOST}" + workDir=$(mktemp -d) trap 'rm -rf "$workDir"' EXIT -sshConfigFile="$workDir/ssh_config" -cat >"$sshConfigFile" <"$sshPrivateKeyFile" ) unset SSH_AUTH_SOCK # don't use system agent if key was supplied - echo " IdentityFile ${sshPrivateKeyFile}" >>"$sshConfigFile" + sshOpts+=(-o "IdentityFile=${sshPrivateKeyFile}") fi set -x try=1 -until NIX_SSHOPTS="-F $sshConfigFile" nix copy -s --experimental-features nix-command --to "ssh://$TARGET_HOST" "$NIXOS_SYSTEM"; do +until NIX_SSHOPTS="${sshOpts[*]}" nix copy -s --experimental-features nix-command --to "ssh://$TARGET" "$NIXOS_SYSTEM"; do if [[ $try -gt 10 ]]; then echo "retries exhausted" >&2 exit 1 @@ -54,7 +51,7 @@ if [[ $TARGET_USER != "root" ]]; then fi deploy_status=0 # shellcheck disable=SC2029 -ssh -F "$sshConfigFile" "$TARGET_HOST" "$switchCommand" || deploy_status="$?" +ssh "${sshOpts[@]}" "$TARGET" "$switchCommand" || deploy_status="$?" if [[ $IGNORE_SYSTEMD_ERRORS == "true" && $deploy_status == "4" ]]; then exit 0 fi diff --git a/terraform/nixos-rebuild/main.tf b/terraform/nixos-rebuild/main.tf index ee2b806c..0b12b3ca 100644 --- a/terraform/nixos-rebuild/main.tf +++ b/terraform/nixos-rebuild/main.tf @@ -5,7 +5,7 @@ resource "null_resource" "nixos-rebuild" { provisioner "local-exec" { environment = { SSH_KEY = var.ssh_private_key - SSH_OPTIONS = jsonencode(var.ssh_options) + SSH_OPTIONS = join(" ", var.ssh_options) } command = "${path.module}/deploy.sh ${var.nixos_system} ${var.target_user} ${var.target_host} ${var.target_port} ${var.ignore_systemd_errors}" } diff --git a/terraform/nixos-rebuild/variables.tf b/terraform/nixos-rebuild/variables.tf index 0a9143f0..10c93c47 100644 
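Review bot: `SSH_OPTIONS = join(" ", var.ssh_options)` in the terraform/nixos-rebuild/main.tf hunk flattens the list into one space-separated string while each default element already contains a space (`"-o UserKnownHostsFile=/dev/null"`), so deploy.sh can only recover the separate `-o` and `Key=value` arguments by word-splitting the variable, which loses element boundaries for any option whose value contains whitespace and, if done through an unquoted `$SSH_OPTIONS`, also applies pathname expansion. The deploy.sh hunk as shown is truncated between `<<EOF` and `"$sshPrivateKeyFile"`, so the line that imports `SSH_OPTIONS` into `sshOpts` is not visible and this is inferred from the two sides that are. Since the visible `NIX_SSHOPTS="${sshOpts[*]}"` is itself space-joined, whitespace inside an option value cannot survive the `nix copy` path either, so the realistic fix is to state the constraint rather than parse around it: append `Each element is split on whitespace before it is passed to ssh, so option values must not contain spaces.` to the variable description, and where the script splits the string prefer `read -r -a extraOpts <<<"$SSH_OPTIONS"` over an unquoted expansion so globbing stays off.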
--- a/terraform/nixos-rebuild/variables.tf +++ b/terraform/nixos-rebuild/variables.tf @@ -21,12 +21,12 @@ variable "target_port" { } variable "ssh_options" { - type = map(string) + type = list(string) description = "Additional options to pass to the SSH command" - default = { - UserKnownHostsFile = "/dev/null" - StrictHostKeyChecking = "no" - } + default = [ + "-o UserKnownHostsFile=/dev/null", + "-o StrictHostKeyChecking=no" + ] } variable "ssh_private_key" {
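Review bot: This hunk retypes `ssh_options` in terraform/nixos-rebuild/variables.tf from `map(string)` to `list(string)`, but the diffstat of PATCH 2/2 does not include terraform/all-in-one/variables.tf, where PATCH 1/2 declared the same variable as `map(string)` and terraform/all-in-one/main.tf forwards it with `ssh_options = var.ssh_options`. Unless that file is updated outside this series, the all-in-one module now passes a map where the child module requires a list, which Terraform does not convert automatically, so the declaration there should change to `type = list(string)` with the same list default used here. The regenerated terraform/all-in-one.md in this patch also lists `ssh_options` twice, once without commas between the list elements, which looks like docs generated from that mixed state; regenerating after aligning the two declarations should collapse them to a single row.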