deploy_nixos: add ssh_private_key (#37)

Sometimes it's useful to pass the SSH key content directly.

Author: zimbatm

deploy_nixos/README.md

@@ -108,6 +108,7 @@ see also:
 | keys | A map of filename to content to upload as secrets in /var/keys | `map(string)` | `{}` | no |
 | nixos\_config | Path to a NixOS configuration | `string` | `""` | no |
 | ssh\_agent | Whether to use an SSH agent | `bool` | `true` | no |
+| ssh\_private\_key | Content of private key used to connect to the target\_host. Ignored if empty. | `string` | `""` | no |
 | ssh\_private\_key\_file | Path to private key used to connect to the target\_host. Ignored if `-` or empty. | `string` | `"-"` | no |
 | target\_host | DNS host to deploy to | `any` | n/a | yes |
 | target\_port | SSH port used to connect to the target\_host | `number` | `22` | no |

deploy_nixos/main.tf

@@ -13,6 +13,11 @@ variable "target_port" {
   default     = 22
 }
 
+variable "ssh_private_key" {
+  description = "Content of private key used to connect to the target_host. Ignored if empty."
+  default     = ""
+}
+
 variable "ssh_private_key_file" {
   description = "Path to private key used to connect to the target_host. Ignored if `-` or empty."
   default     = "-"
@@ -95,6 +100,7 @@ locals {
     var.extra_build_args,
   )
   ssh_private_key_file = var.ssh_private_key_file == "" ? "-" : var.ssh_private_key_file
+  ssh_private_key = local.ssh_private_key_file == "-" ? null : file(local.ssh_private_key_file)
   build_on_target = data.external.nixos-instantiate.result["currentSystem"] != var.target_system ? true : tobool(var.build_on_target)
 }
 
@@ -123,7 +129,7 @@ resource "null_resource" "deploy_nixos" {
     user        = var.target_user
     agent       = var.ssh_agent
     timeout     = "100s"
-    private_key = local.ssh_private_key_file != "-" ? file(var.ssh_private_key_file) : null
+    private_key = local.ssh_private_key
   }
 
   # copy the secret keys to the host
@@ -164,7 +170,7 @@ resource "null_resource" "deploy_nixos" {
       "${var.target_user}@${var.target_host}",
       var.target_port,
       local.build_on_target,
-      local.ssh_private_key_file,
+      local.ssh_private_key,
       "switch",
       ],
       local.extra_build_args

deploy_nixos/nixos-deploy.sh

@@ -11,7 +11,6 @@ buildArgs=(
 )
 profile=/nix/var/nix/profiles/system
 # will be set later
-controlPath=
 sshOpts=(
   -o "ControlMaster=auto"
   -o "ControlPersist=60"
@@ -32,7 +31,7 @@ outPath="$2"
 targetHost="$3"
 targetPort="$4"
 buildOnTarget="$5"
-sshPrivateKeyFile="$6"
+sshPrivateKey="$6"
 action="$7"
 shift 7
 
@@ -42,8 +41,13 @@ buildArgs+=("$@")
 
 sshOpts+=( -p "${targetPort}" )
 
-if [[ -n "${sshPrivateKeyFile}" && "${sshPrivateKeyFile}" != "-" ]]; then
-    sshOpts+=( -o "IdentityFile=${sshPrivateKeyFile}" )
+workDir=$(mktemp -d)
+trap 'rm -rf "$workDir"' EXIT
+
+if [[ -n "${sshPrivateKey}" ]]; then
+  sshPrivateKeyFile="$workDir/ssh_key"
+  echo "$sshPrivateKey" > "$sshPrivateKeyFile"
+  sshOpts+=( -o "IdentityFile=${sshPrivateKeyFile}" )
 fi
 
 ### Functions ###
@@ -62,16 +66,17 @@ targetHostCmd() {
   # `ssh` did not properly maintain the array nature of the command line,
   # erroneously splitting arguments with internal spaces, even when using `--`.
   # Tested with OpenSSH_7.9p1.
+  #
+  # shellcheck disable=SC2029
   ssh "${sshOpts[@]}" "$targetHost" "./maybe-sudo.sh ${*@Q}"
 }
 
 # Setup a temporary ControlPath for this session. This speeds-up the
 # operations by not re-creating SSH sessions between each command. At the end
 # of the run, the session is forcefully terminated.
 setupControlPath() {
-  controlPath=$(mktemp)
   sshOpts+=(
-    -o "ControlPath=$controlPath"
+    -o "ControlPath=$workDir/ssh_control"
   )
   cleanupControlPath() {
     local ret=$?
@@ -80,7 +85,7 @@ setupControlPath() {
     # Close ssh multiplex-master process gracefully
     log "closing persistent ssh-connection"
     ssh "${sshOpts[@]}" -O stop "$targetHost"
-    rm -f "$controlPath"
+    rm -rf "$workDir"
     exit "$ret"
   }
   trap cleanupControlPath EXIT