add -i to allow passing private key files

Mirror the `-i` option from SSH, so you can run `nixos-anywhere ~/.ssh/other_key`.

This commit also fixes an issue where the generated key-pair would stay
around when using the SSH_PRIVATE_KEY env var.

docs/reference.md

@@ -19,8 +19,10 @@ Usage: nixos-anywhere [options] ssh-host
 
 Options:
 
-* -f, --flake flake
-  set the flake to install the system from
+* -f, --flake <flake_uri>
+  set the flake to install the system from.
+* -i <identity_file>
+  selects which SSH private key file to use.
 * -L, --print-build-logs
   print full build logs
 * -s, --store-paths

src/nixos-anywhere.sh

@@ -7,8 +7,10 @@ Usage: nixos-anywhere [options] ssh-host
 
 Options:
 
-* -f, --flake flake
-  set the flake to install the system from
+* -f, --flake <flake_uri>
+  set the flake to install the system from.
+* -i <identity_file>
+  selects which SSH private key file to use.
 * -L, --print-build-logs
   print full build logs
 * -s, --store-paths
@@ -56,6 +58,7 @@ nix_options=(
   "--no-write-lock-file"
 )
 substitute_on_destination=y
+ssh_private_key_file=
 
 declare -A disk_encryption_keys
 declare -a nix_copy_options
@@ -67,6 +70,10 @@ while [[ $# -gt 0 ]]; do
     flake=$2
     shift
     ;;
+  -i)
+    ssh_private_key_file=$2
+    shift
+    ;;
   -L | --print-build-logs)
     print_build_logs=y
     ;;
@@ -198,15 +205,19 @@ else
   abort "flake must be set"
 fi
 
+# overrides -i if passed as an env var
 if [[ -n ${SSH_PRIVATE_KEY-} ]]; then
-  sshPrivateKeyFile=$(mktemp)
-  trap 'rm "$sshPrivateKeyFile"' EXIT
+  # $ssh_key_dir is getting deleted on trap EXIT
+  ssh_private_key_file="$ssh_key_dir/from-env"
   (
     umask 077
-    printf '%s\n' "$SSH_PRIVATE_KEY" >"$sshPrivateKeyFile"
+    printf '%s\n' "$SSH_PRIVATE_KEY" >"$ssh_private_key_file"
   )
+fi
+
+if [[ -n ${ssh_private_key_file-} ]]; then
   unset SSH_AUTH_SOCK # don't use system agent if key was supplied
-  ssh_copy_id_args+=(-o "IdentityFile=${sshPrivateKeyFile}")
+  ssh_copy_id_args+=(-o "IdentityFile=${ssh_private_key_file}")
   ssh_copy_id_args+=(-f)
 fi
 

tests/from-nixos-with-sudo.nix

@@ -20,6 +20,7 @@
     installer.succeed("echo super-secret > /tmp/disk-1.key")
     output = installer.succeed("""
       nixos-anywhere \
+        -i /root/.ssh/install_key \
         --debug \
         --kexec /etc/nixos-anywhere/kexec-installer \
         --stop-after-disko \
@@ -27,9 +28,9 @@
         --disk-encryption-keys /tmp/disk-2.key <(echo another-secret) \
         --store-paths /etc/nixos-anywhere/disko /etc/nixos-anywhere/system-to-install \
         nixos@installed >&2
-      echo "disk-1.key: '$(ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
+      echo "disk-1.key: '$(ssh -i /root/.ssh/install_key -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
         root@installed cat /tmp/disk-1.key)'"
-      echo "disk-2.key: '$(ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
+      echo "disk-2.key: '$(ssh -i /root/.ssh/install_key -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
         root@installed cat /tmp/disk-2.key)'"
     """)
 

tests/from-nixos.nix

@@ -24,6 +24,7 @@
     installer.succeed("echo value > /tmp/extra-files/var/lib/secrets/key")
     installer.succeed("""
       nixos-anywhere \
+        -i /root/.ssh/install_key \
         --debug \
         --kexec /etc/nixos-anywhere/kexec-installer \
         --extra-files /tmp/extra-files \

tests/modules/installer.nix

@@ -9,7 +9,7 @@ let
 in
 {
   system.activationScripts.rsa-key = ''
-    ${pkgs.coreutils}/bin/install -D -m600 ${./ssh-keys/ssh} /root/.ssh/id_rsa
+    ${pkgs.coreutils}/bin/install -D -m600 ${./ssh-keys/ssh} /root/.ssh/install_key
   '';
 
   environment.systemPackages = [ inputs.nixos-anywhere ];