From 023c42a41e5a12a4e23f69982d3b269fea6426ad Mon Sep 17 00:00:00 2001
From: Kiara Grouwstra
Date: Sat, 12 Apr 2025 16:05:05 +0200
Subject: [PATCH] consolidate `deploy_nixos/main.tf` providers fixes comments `FIXME: move this to nixos-deploy.sh`
---
 deploy_nixos/main.tf | 37 ++------------------------------
 deploy_nixos/nixos-deploy.sh | 41 +++++++++++++++++++++++++++---------
 2 files changed, 33 insertions(+), 45 deletions(-)

diff --git a/deploy_nixos/main.tf b/deploy_nixos/main.tf
index 862cb4f..67575bd 100644
--- a/deploy_nixos/main.tf
+++ b/deploy_nixos/main.tf
@@ -129,6 +129,7 @@ locals {
 ssh_private_key = local.ssh_private_key_file == "-" ? var.ssh_private_key : file(local.ssh_private_key_file)
 ssh_agent = var.ssh_agent == null ? (local.ssh_private_key != "") : var.ssh_agent
 build_on_target = data.external.nixos-instantiate.result["currentSystem"] != var.target_system ? true : tobool(var.build_on_target)
+ packed_keys_json = jsonencode(var.keys)
 }
 
 # used to detect changes in the configuration
@@ -151,41 +152,6 @@ data "external" "nixos-instantiate" {
 resource "null_resource" "deploy_nixos" {
 triggers = merge(var.triggers, local.triggers)
 
- connection {
- type = "ssh"
- host = var.target_host
- port = var.target_port
- user = var.target_user
- agent = local.ssh_agent
- timeout = "100s"
- private_key = local.ssh_private_key == "-" ? "" : local.ssh_private_key
- }
-
- # copy the secret keys to the host
- provisioner "file" {
- content = jsonencode(var.keys)
- destination = "packed-keys.json"
- }
-
- # FIXME: move this to nixos-deploy.sh
- provisioner "file" {
- source = "${path.module}/unpack-keys.sh"
- destination = "unpack-keys.sh"
- }
-
- # FIXME: move this to nixos-deploy.sh
- provisioner "file" {
- source = "${path.module}/maybe-sudo.sh"
- destination = "maybe-sudo.sh"
- }
-
- provisioner "remote-exec" {
- inline = [
- "chmod +x unpack-keys.sh maybe-sudo.sh",
- "./maybe-sudo.sh ./unpack-keys.sh ./packed-keys.json",
- ]
- }
-
 # do the actual deployment
 provisioner "local-exec" {
 interpreter = concat([
@@ -196,6 +162,7 @@ resource "null_resource" "deploy_nixos" {
 var.target_port,
 local.build_on_target,
 local.ssh_private_key == "" ? "-" : local.ssh_private_key,
+ local.packed_keys_json,
 "switch",
 var.delete_older_than,
 ],
diff --git a/deploy_nixos/nixos-deploy.sh b/deploy_nixos/nixos-deploy.sh
index 319651b..833b0a3 100755
--- a/deploy_nixos/nixos-deploy.sh
+++ b/deploy_nixos/nixos-deploy.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 # nixos-deploy deploys a nixos-instantiate-generated drvPath to a target host
 #
-# Usage: nixos-deploy.sh [] ignoreme
+# Usage: nixos-deploy.sh [] ignoreme
 set -euo pipefail
 
 ### Defaults ###
@@ -23,6 +23,7 @@ sshOpts=(
 # verbose output for easier debugging
 -v
 )
+scpOpts=("${sshOpts[@]}")
 
 ### Argument parsing ###
 
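Review bot: In the `@@ -196,6 +162,7 @@` hunk `local.packed_keys_json` is appended to the local-exec `interpreter` list, so the serialized secret keys now travel as a process argument of nixos-deploy.sh: argv is readable by every local user via `ps` or `/proc/*/cmdline` on the machine running Terraform, and local-exec echoes its full command line (`Executing: [...]`) into the apply output and any CI log unless the provisioner's `quiet` option is set. The removed `provisioner "file"` delivered the same content over the SSH connection without ever placing it on a command line, so this is a regression the consolidation should not ship. Prefer handing the JSON over through the provisioner's `environment` block, e.g. `environment = { PACKED_KEYS_JSON = local.packed_keys_json }`, and reading `"${PACKED_KEYS_JSON:?}"` in nixos-deploy.sh instead of `"$7"` (the process environment is only readable by the same user), or write it to a 0600 temp file and pass that path. The receiving side is the `packedKeysJson="$7"` assignment in the nixos-deploy.sh `@@ -32,15 +33,17 @@` hunk and would need the matching change.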
@@ -32,15 +33,17 @@ targetHost="$3"
 targetPort="$4"
 buildOnTarget="$5"
 sshPrivateKey="$6"
-action="$7"
-deleteOlderThan="$8"
-shift 8
+packedKeysJson="$7"
+action="$8"
+deleteOlderThan="$9"
+shift 9
 
 # remove the last argument
 set -- "${@:1:$(($# - 1))}"
 buildArgs+=("$@")
 
 sshOpts+=( -p "${targetPort}" )
+scpOpts+=( -P "${targetPort}" )
 
 workDir=$(mktemp -d)
 trap 'rm -rf "$workDir"' EXIT
@@ -48,8 +51,10 @@ trap 'rm -rf "$workDir"' EXIT
 if [[ -n "${sshPrivateKey}" && "${sshPrivateKey}" != "-" ]]; then
 sshPrivateKeyFile="$workDir/ssh_key"
 echo "$sshPrivateKey" > "$sshPrivateKeyFile"
- chmod 0700 "$sshPrivateKeyFile"
- sshOpts+=( -o "IdentityFile=${sshPrivateKeyFile}" )
+ chmod 0600 "$sshPrivateKeyFile"
+ flag="IdentityFile=${sshPrivateKeyFile}"
+ sshOpts+=( -o "$flag" )
+ scpOpts+=( -o "$flag" )
 fi
 
 ### Functions ###
@@ -62,6 +67,11 @@ copyToTarget() {
 NIX_SSHOPTS="${sshOpts[*]}" nix-copy-closure --to "$targetHost" "$@"
 }
 
+remoteTempDir=""
+makeRemoteTempDir() {
+ remoteTempDir=$(ssh "${sshOpts[@]}" "$targetHost" "mktemp -d")
+}
+
 # assumes that passwordless sudo is enabled on the server
 targetHostCmd() {
 # ${*@Q} escapes the arguments losslessly into space-separted quoted strings.
@@ -70,16 +80,16 @@ targetHostCmd() {
 # Tested with OpenSSH_7.9p1.
 #
 # shellcheck disable=SC2029
- ssh "${sshOpts[@]}" "$targetHost" "./maybe-sudo.sh ${*@Q}"
+ ssh "${sshOpts[@]}" "$targetHost" "'$remoteTempDir/maybe-sudo.sh' ${*@Q}"
 }
 
 # Setup a temporary ControlPath for this session. This speeds-up the
 # operations by not re-creating SSH sessions between each command. At the end
 # of the run, the session is forcefully terminated.
 setupControlPath() {
- sshOpts+=(
- -o "ControlPath=$workDir/ssh_control"
- )
+ local flag="ControlPath=$workDir/ssh_control"
+ sshOpts+=(-o "$flag")
+ scpOpts+=(-o "$flag")
 cleanupControlPath() {
 local ret=$?
 # Avoid failing during the shutdown
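Review bot: `makeRemoteTempDir` in the `@@ -62,6 +67,11 @@` hunk creates a directory on the target that later receives the packed key material (`packedKeysPath="$remoteTempDir/packed-keys.json"` and the `cat > '$packedKeysPath'` write in the `@@ -97,6 +107,17 @@` hunk), but nothing in this patch removes that directory, so the secret blob and the helper scripts remain on the target after every run. The natural place for the teardown is `cleanupControlPath` (its body continues past the end of the `@@ -70,16 +80,16 @@` hunk), before the ControlMaster session is closed: `[[ -n "$remoteTempDir" ]] && ssh "${sshOpts[@]}" "$targetHost" "rm -rf '$remoteTempDir'"`. The `-n` guard matters because `remoteTempDir=""` is the initial value and the trap can fire before `makeRemoteTempDir` has run; if the unpack step changes ownership of the directory contents, the removal would have to go through `targetHostCmd` instead.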
@@ -97,6 +107,17 @@ setupControlPath() {
 setupControlPath
 
+makeRemoteTempDir
+unpackKeysPath="$remoteTempDir/unpack-keys.sh"
+maybeSudoPath="$remoteTempDir/maybe-sudo.sh"
+packedKeysPath="$remoteTempDir/packed-keys.json"
+scriptDir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+scp "${scpOpts[@]}" "$scriptDir/unpack-keys.sh" "$targetHost:$unpackKeysPath"
+scp "${scpOpts[@]}" "$scriptDir/maybe-sudo.sh" "$targetHost:$maybeSudoPath"
+echo "$packedKeysJson" | ssh "${sshOpts[@]}" "$targetHost" "cat > '$packedKeysPath'"
+ssh "${sshOpts[@]}" "$targetHost" "chmod +x '$maybeSudoPath' '$unpackKeysPath' 1>/dev/null"
+ssh "${sshOpts[@]}" "$targetHost" "'$maybeSudoPath' '$unpackKeysPath' '$packedKeysPath' 1>/dev/null"
+
 if [[ "${buildOnTarget:-false}" == true ]]; then
 # Upload derivation