deploy_nixos: add ssh_private_key. Attempt 2 (#38)

zimbatm · web-flow · commit 2976c1c6fec8 · 2020-11-22T18:21:01.000Z
Sometimes it's useful to pass the SSH key content directly.

Change the default of `ssh_agent` to only enable when `ssh_private_key`
or `ssh_private_key_file` is being passed.

Also, refactor things a little bit.
diff --git a/deploy_nixos/README.md b/deploy_nixos/README.md
@@ -99,17 +99,18 @@ see also:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| NIX\_PATH | Allow to pass custom NIX\_PATH. Ignored if `-`. | `string` | `"-"` | no |
+| NIX\_PATH | Allow to pass custom NIX\_PATH | `string` | `""` | no |
 | build\_on\_target | Avoid building on the deployer. Must be true or false. Has no effect when deploying from an incompatible system. Unlike remote builders, this does not require the deploying user to be trusted by its host. | `string` | `false` | no |
 | config | NixOS configuration to be evaluated. This argument is required unless 'nixos\_config' is given | `string` | `""` | no |
 | config\_pwd | Directory to evaluate the configuration in. This argument is required if 'config' is given | `string` | `""` | no |
 | extra\_build\_args | List of arguments to pass to the nix builder | `list(string)` | `[]` | no |
 | extra\_eval\_args | List of arguments to pass to the nix evaluation | `list(string)` | `[]` | no |
 | keys | A map of filename to content to upload as secrets in /var/keys | `map(string)` | `{}` | no |
 | nixos\_config | Path to a NixOS configuration | `string` | `""` | no |
-| ssh\_agent | Whether to use an SSH agent | `bool` | `true` | no |
-| ssh\_private\_key\_file | Path to private key used to connect to the target\_host. Ignored if `-` or empty. | `string` | `"-"` | no |
-| target\_host | DNS host to deploy to | `any` | n/a | yes |
+| ssh\_agent | Whether to use an SSH agent. True if not ssh\_private\_key is passed | `bool` | `null` | no |
+| ssh\_private\_key | Content of private key used to connect to the target\_host | `string` | `""` | no |
+| ssh\_private\_key\_file | Path to private key used to connect to the target\_host | `string` | `""` | no |
+| target\_host | DNS host to deploy to | `string` | n/a | yes |
 | target\_port | SSH port used to connect to the target\_host | `number` | `22` | no |
 | target\_system | Nix system string | `string` | `"x86_64-linux"` | no |
 | target\_user | SSH user used to connect to the target\_host | `string` | `"root"` | no |
diff --git a/deploy_nixos/main.tf b/deploy_nixos/main.tf
@@ -1,58 +1,71 @@
+variable "target_host" {
+  type        = string
+  description = "DNS host to deploy to"
+}
+
 variable "target_user" {
+  type        = string
   description = "SSH user used to connect to the target_host"
   default     = "root"
 }
 
-variable "target_host" {
-  description = "DNS host to deploy to"
-}
-
 variable "target_port" {
-  description = "SSH port used to connect to the target_host"
   type        = number
+  description = "SSH port used to connect to the target_host"
   default     = 22
 }
 
+variable "ssh_private_key" {
+  type        = string
+  description = "Content of private key used to connect to the target_host"
+  default     = ""
+}
+
 variable "ssh_private_key_file" {
-  description = "Path to private key used to connect to the target_host. Ignored if `-` or empty."
-  default     = "-"
+  type        = string
+  description = "Path to private key used to connect to the target_host"
+  default     = ""
 }
 
 variable "ssh_agent" {
-  description = "Whether to use an SSH agent"
   type        = bool
-  default     = true
+  description = "Whether to use an SSH agent. True if not ssh_private_key is passed"
+  default     = null
 }
 
 variable "NIX_PATH" {
-  description = "Allow to pass custom NIX_PATH. Ignored if `-`."
-  default     = "-"
+  type        = string
+  description = "Allow to pass custom NIX_PATH"
+  default     = ""
 }
 
 variable "nixos_config" {
+  type        = string
   description = "Path to a NixOS configuration"
   default     = ""
 }
 
 variable "config" {
+  type        = string
   description = "NixOS configuration to be evaluated. This argument is required unless 'nixos_config' is given"
   default     = ""
 }
 
 variable "config_pwd" {
+  type        = string
   description = "Directory to evaluate the configuration in. This argument is required if 'config' is given"
   default     = ""
 }
 
 variable "extra_eval_args" {
-  description = "List of arguments to pass to the nix evaluation"
   type        = list(string)
+  description = "List of arguments to pass to the nix evaluation"
   default     = []
 }
 
 variable "extra_build_args" {
-  description = "List of arguments to pass to the nix builder"
   type        = list(string)
+  description = "List of arguments to pass to the nix builder"
   default     = []
 }
 
@@ -75,9 +88,9 @@ variable "keys" {
 }
 
 variable "target_system" {
-  type = string
+  type        = string
   description = "Nix system string"
-  default = "x86_64-linux"
+  default     = "x86_64-linux"
 }
 
 # --------------------------------------------------------------------------
@@ -95,16 +108,18 @@ locals {
     var.extra_build_args,
   )
   ssh_private_key_file = var.ssh_private_key_file == "" ? "-" : var.ssh_private_key_file
-  build_on_target = data.external.nixos-instantiate.result["currentSystem"] != var.target_system ? true : tobool(var.build_on_target)
+  ssh_private_key      = local.ssh_private_key_file == "-" ? var.ssh_private_key : file(local.ssh_private_key_file)
+  ssh_agent            = var.ssh_agent == null ? (local.ssh_private_key != "") : var.ssh_agent
+  build_on_target      = data.external.nixos-instantiate.result["currentSystem"] != var.target_system ? true : tobool(var.build_on_target)
 }
 
 # used to detect changes in the configuration
 data "external" "nixos-instantiate" {
   program = concat([
     "${path.module}/nixos-instantiate.sh",
-    var.NIX_PATH,
+    var.NIX_PATH == "" ? "-" : var.NIX_PATH,
     var.config != "" ? var.config : var.nixos_config,
-    var.config_pwd != "" ? var.config_pwd : ".",
+    var.config_pwd == "" ? "." : var.config_pwd,
     # end of positional arguments
     # start of pass-through arguments
     "--argstr", "system", var.target_system
@@ -121,26 +136,23 @@ resource "null_resource" "deploy_nixos" {
     host        = var.target_host
     port        = var.target_port
     user        = var.target_user
-    agent       = var.ssh_agent
+    agent       = local.ssh_agent
     timeout     = "100s"
-    private_key = local.ssh_private_key_file != "-" ? file(var.ssh_private_key_file) : null
+    private_key = local.ssh_private_key == "-" ? "" : local.ssh_private_key
   }
 
-  # copy the secret keys to the host
   # copy the secret keys to the host
   provisioner "file" {
     content     = jsonencode(var.keys)
     destination = "packed-keys.json"
   }
 
-  # FIXME: move this to nixos-deploy.sh
   # FIXME: move this to nixos-deploy.sh
   provisioner "file" {
     source      = "${path.module}/unpack-keys.sh"
     destination = "unpack-keys.sh"
   }
 
-  # FIXME: move this to nixos-deploy.sh
   # FIXME: move this to nixos-deploy.sh
   provisioner "file" {
     source      = "${path.module}/maybe-sudo.sh"
@@ -154,7 +166,6 @@ resource "null_resource" "deploy_nixos" {
     ]
   }
 
-  # do the actual deployment
   # do the actual deployment
   provisioner "local-exec" {
     interpreter = concat([
@@ -164,7 +175,7 @@ resource "null_resource" "deploy_nixos" {
       "${var.target_user}@${var.target_host}",
       var.target_port,
       local.build_on_target,
-      local.ssh_private_key_file,
+      local.ssh_private_key == "" ? "-" : local.ssh_private_key,
       "switch",
       ],
       local.extra_build_args
diff --git a/deploy_nixos/nixos-deploy.sh b/deploy_nixos/nixos-deploy.sh
@@ -11,7 +11,6 @@ buildArgs=(
 )
 profile=/nix/var/nix/profiles/system
 # will be set later
-controlPath=
 sshOpts=(
   -o "ControlMaster=auto"
   -o "ControlPersist=60"
@@ -32,7 +31,7 @@ outPath="$2"
 targetHost="$3"
 targetPort="$4"
 buildOnTarget="$5"
-sshPrivateKeyFile="$6"
+sshPrivateKey="$6"
 action="$7"
 shift 7
 
@@ -42,8 +41,13 @@ buildArgs+=("$@")
 
 sshOpts+=( -p "${targetPort}" )
 
-if [[ -n "${sshPrivateKeyFile}" && "${sshPrivateKeyFile}" != "-" ]]; then
-    sshOpts+=( -o "IdentityFile=${sshPrivateKeyFile}" )
+workDir=$(mktemp -d)
+trap 'rm -rf "$workDir"' EXIT
+
+if [[ -n "${sshPrivateKey}" && "${sshPrivateKey}" != "-" ]]; then
+  sshPrivateKeyFile="$workDir/ssh_key"
+  echo "$sshPrivateKey" > "$sshPrivateKeyFile"
+  sshOpts+=( -o "IdentityFile=${sshPrivateKeyFile}" )
 fi
 
 ### Functions ###
@@ -62,16 +66,17 @@ targetHostCmd() {
   # `ssh` did not properly maintain the array nature of the command line,
   # erroneously splitting arguments with internal spaces, even when using `--`.
   # Tested with OpenSSH_7.9p1.
+  #
+  # shellcheck disable=SC2029
   ssh "${sshOpts[@]}" "$targetHost" "./maybe-sudo.sh ${*@Q}"
 }
 
 # Setup a temporary ControlPath for this session. This speeds-up the
 # operations by not re-creating SSH sessions between each command. At the end
 # of the run, the session is forcefully terminated.
 setupControlPath() {
-  controlPath=$(mktemp)
   sshOpts+=(
-    -o "ControlPath=$controlPath"
+    -o "ControlPath=$workDir/ssh_control"
   )
   cleanupControlPath() {
     local ret=$?
@@ -80,7 +85,7 @@ setupControlPath() {
     # Close ssh multiplex-master process gracefully
     log "closing persistent ssh-connection"
     ssh "${sshOpts[@]}" -O stop "$targetHost"
-    rm -f "$controlPath"
+    rm -rf "$workDir"
     exit "$ret"
   }
   trap cleanupControlPath EXIT
diff --git a/deploy_nixos/unpack-keys.sh b/deploy_nixos/unpack-keys.sh
