Revert "deploy_nixos: add ssh_private_key (#37)"

This reverts commit 5761c05.

This was not ready

Author: zimbatm

deploy_nixos/README.md

@@ -108,7 +108,6 @@ see also:
 | keys | A map of filename to content to upload as secrets in /var/keys | `map(string)` | `{}` | no |
 | nixos\_config | Path to a NixOS configuration | `string` | `""` | no |
 | ssh\_agent | Whether to use an SSH agent | `bool` | `true` | no |
-| ssh\_private\_key | Content of private key used to connect to the target\_host. Ignored if empty. | `string` | `""` | no |
 | ssh\_private\_key\_file | Path to private key used to connect to the target\_host. Ignored if `-` or empty. | `string` | `"-"` | no |
 | target\_host | DNS host to deploy to | `any` | n/a | yes |
 | target\_port | SSH port used to connect to the target\_host | `number` | `22` | no |

deploy_nixos/main.tf

@@ -13,11 +13,6 @@ variable "target_port" {
   default     = 22
 }
 
-variable "ssh_private_key" {
-  description = "Content of private key used to connect to the target_host. Ignored if empty."
-  default     = ""
-}
-
 variable "ssh_private_key_file" {
   description = "Path to private key used to connect to the target_host. Ignored if `-` or empty."
   default     = "-"
@@ -100,7 +95,6 @@ locals {
     var.extra_build_args,
   )
   ssh_private_key_file = var.ssh_private_key_file == "" ? "-" : var.ssh_private_key_file
-  ssh_private_key = local.ssh_private_key_file == "-" ? null : file(local.ssh_private_key_file)
   build_on_target = data.external.nixos-instantiate.result["currentSystem"] != var.target_system ? true : tobool(var.build_on_target)
 }
 
@@ -129,7 +123,7 @@ resource "null_resource" "deploy_nixos" {
     user        = var.target_user
     agent       = var.ssh_agent
     timeout     = "100s"
-    private_key = local.ssh_private_key
+    private_key = local.ssh_private_key_file != "-" ? file(var.ssh_private_key_file) : null
   }
 
   # copy the secret keys to the host
@@ -170,7 +164,7 @@ resource "null_resource" "deploy_nixos" {
       "${var.target_user}@${var.target_host}",
       var.target_port,
       local.build_on_target,
-      local.ssh_private_key,
+      local.ssh_private_key_file,
       "switch",
       ],
       local.extra_build_args

deploy_nixos/nixos-deploy.sh

@@ -11,6 +11,7 @@ buildArgs=(
 )
 profile=/nix/var/nix/profiles/system
 # will be set later
+controlPath=
 sshOpts=(
   -o "ControlMaster=auto"
   -o "ControlPersist=60"
@@ -31,7 +32,7 @@ outPath="$2"
 targetHost="$3"
 targetPort="$4"
 buildOnTarget="$5"
-sshPrivateKey="$6"
+sshPrivateKeyFile="$6"
 action="$7"
 shift 7
 
@@ -41,13 +42,8 @@ buildArgs+=("$@")
 
 sshOpts+=( -p "${targetPort}" )
 
-workDir=$(mktemp -d)
-trap 'rm -rf "$workDir"' EXIT
-
-if [[ -n "${sshPrivateKey}" ]]; then
-  sshPrivateKeyFile="$workDir/ssh_key"
-  echo "$sshPrivateKey" > "$sshPrivateKeyFile"
-  sshOpts+=( -o "IdentityFile=${sshPrivateKeyFile}" )
+if [[ -n "${sshPrivateKeyFile}" && "${sshPrivateKeyFile}" != "-" ]]; then
+    sshOpts+=( -o "IdentityFile=${sshPrivateKeyFile}" )
 fi
 
 ### Functions ###
@@ -66,17 +62,16 @@ targetHostCmd() {
   # `ssh` did not properly maintain the array nature of the command line,
   # erroneously splitting arguments with internal spaces, even when using `--`.
   # Tested with OpenSSH_7.9p1.
-  #
-  # shellcheck disable=SC2029
   ssh "${sshOpts[@]}" "$targetHost" "./maybe-sudo.sh ${*@Q}"
 }
 
 # Setup a temporary ControlPath for this session. This speeds-up the
 # operations by not re-creating SSH sessions between each command. At the end
 # of the run, the session is forcefully terminated.
 setupControlPath() {
+  controlPath=$(mktemp)
   sshOpts+=(
-    -o "ControlPath=$workDir/ssh_control"
+    -o "ControlPath=$controlPath"
   )
   cleanupControlPath() {
     local ret=$?
@@ -85,7 +80,7 @@ setupControlPath() {
     # Close ssh multiplex-master process gracefully
     log "closing persistent ssh-connection"
     ssh "${sshOpts[@]}" -O stop "$targetHost"
-    rm -rf "$workDir"
+    rm -f "$controlPath"
     exit "$ret"
   }
   trap cleanupControlPath EXIT