add -i to allow passing private key files
Mirror the `-i` option from SSH, so you can run `nixos-anywhere -i ~/.ssh/other_key`. This commit also fixes an issue where the generated key-pair would stay around when using the SSH_PRIVATE_KEY env var.
This commit is contained in:
parent
fae3915b12
commit
8428ae7c52
@ -19,8 +19,10 @@ Usage: nixos-anywhere [options] ssh-host
|
||||
|
||||
Options:
|
||||
|
||||
* -f, --flake flake
|
||||
set the flake to install the system from
|
||||
* -f, --flake <flake_uri>
|
||||
set the flake to install the system from.
|
||||
* -i <identity_file>
|
||||
selects which SSH private key file to use.
|
||||
* -L, --print-build-logs
|
||||
print full build logs
|
||||
* -s, --store-paths
|
||||
|
@ -7,8 +7,10 @@ Usage: nixos-anywhere [options] ssh-host
|
||||
|
||||
Options:
|
||||
|
||||
* -f, --flake flake
|
||||
set the flake to install the system from
|
||||
* -f, --flake <flake_uri>
|
||||
set the flake to install the system from.
|
||||
* -i <identity_file>
|
||||
selects which SSH private key file to use.
|
||||
* -L, --print-build-logs
|
||||
print full build logs
|
||||
* -s, --store-paths
|
||||
@ -56,6 +58,7 @@ nix_options=(
|
||||
"--no-write-lock-file"
|
||||
)
|
||||
substitute_on_destination=y
|
||||
ssh_private_key_file=
|
||||
|
||||
declare -A disk_encryption_keys
|
||||
declare -a nix_copy_options
|
||||
@ -67,6 +70,10 @@ while [[ $# -gt 0 ]]; do
|
||||
flake=$2
|
||||
shift
|
||||
;;
|
||||
-i)
|
||||
ssh_private_key_file=$2
|
||||
shift
|
||||
;;
|
||||
-L | --print-build-logs)
|
||||
print_build_logs=y
|
||||
;;
|
||||
@ -198,15 +205,19 @@ else
|
||||
abort "flake must be set"
|
||||
fi
|
||||
|
||||
# overrides -i if passed as an env var
|
||||
if [[ -n ${SSH_PRIVATE_KEY-} ]]; then
|
||||
sshPrivateKeyFile=$(mktemp)
|
||||
trap 'rm "$sshPrivateKeyFile"' EXIT
|
||||
# $ssh_key_dir is getting deleted on trap EXIT
|
||||
ssh_private_key_file="$ssh_key_dir/from-env"
|
||||
(
|
||||
umask 077
|
||||
printf '%s\n' "$SSH_PRIVATE_KEY" >"$sshPrivateKeyFile"
|
||||
printf '%s\n' "$SSH_PRIVATE_KEY" >"$ssh_private_key_file"
|
||||
)
|
||||
fi
|
||||
|
||||
if [[ -n ${ssh_private_key_file-} ]]; then
|
||||
unset SSH_AUTH_SOCK # don't use system agent if key was supplied
|
||||
ssh_copy_id_args+=(-o "IdentityFile=${sshPrivateKeyFile}")
|
||||
ssh_copy_id_args+=(-o "IdentityFile=${ssh_private_key_file}")
|
||||
ssh_copy_id_args+=(-f)
|
||||
fi
|
||||
|
||||
|
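Review bot: The path taken from `-i) ssh_private_key_file=$2` in the option-parsing hunk is handed straight to `IdentityFile=${ssh_private_key_file}` in the last hunk without any check, so a mistyped or unreadable key file only surfaces later as an ssh authentication failure instead of an early, clear abort; a guard before the `unset SSH_AUTH_SOCK` line, `[[ -r $ssh_private_key_file ]] || abort "SSH private key file '$ssh_private_key_file' is not readable"`, would match the existing `abort "flake must be set"` style. The precedence is also worth stating in the usage text: per the `# overrides -i if passed as an env var` comment, an `SSH_PRIVATE_KEY` in the environment silently wins over an explicit `-i`, which is the opposite of what a user typing the flag expects, so either let the flag win or append `(ignored when SSH_PRIVATE_KEY is set)` to the `-i <identity_file>` usage line. `$ssh_key_dir` and the EXIT trap the new comment relies on are not visible in these hunks, so I am assuming they are initialised earlier in the script; the option-parsing `while` loop and the `if`/`else` around the key handling also start outside the hunks shown.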
@ -20,6 +20,7 @@
|
||||
installer.succeed("echo super-secret > /tmp/disk-1.key")
|
||||
output = installer.succeed("""
|
||||
nixos-anywhere \
|
||||
-i /root/.ssh/install_key \
|
||||
--debug \
|
||||
--kexec /etc/nixos-anywhere/kexec-installer \
|
||||
--stop-after-disko \
|
||||
@ -27,9 +28,9 @@
|
||||
--disk-encryption-keys /tmp/disk-2.key <(echo another-secret) \
|
||||
--store-paths /etc/nixos-anywhere/disko /etc/nixos-anywhere/system-to-install \
|
||||
nixos@installed >&2
|
||||
echo "disk-1.key: '$(ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
|
||||
echo "disk-1.key: '$(ssh -i /root/.ssh/install_key -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
|
||||
root@installed cat /tmp/disk-1.key)'"
|
||||
echo "disk-2.key: '$(ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
|
||||
echo "disk-2.key: '$(ssh -i /root/.ssh/install_key -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
|
||||
root@installed cat /tmp/disk-2.key)'"
|
||||
""")
|
||||
|
||||
|
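Review bot: After this change both test invocations (this `nixos-anywhere \` block and the one in the following section) exercise only the `-i` path, so the `SSH_PRIVATE_KEY` env-var path, whose temp-file handling this commit also rewrites, is left without coverage. Consider a second run that omits `-i` and instead sets `SSH_PRIVATE_KEY` from the contents of `/root/.ssh/install_key`, which would also guard the cleanup fix described in the commit message. The `installer.succeed("""` block continues outside the hunk.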
@ -24,6 +24,7 @@
|
||||
installer.succeed("echo value > /tmp/extra-files/var/lib/secrets/key")
|
||||
installer.succeed("""
|
||||
nixos-anywhere \
|
||||
-i /root/.ssh/install_key \
|
||||
--debug \
|
||||
--kexec /etc/nixos-anywhere/kexec-installer \
|
||||
--extra-files /tmp/extra-files \
|
||||
|
@ -9,7 +9,7 @@ let
|
||||
in
|
||||
{
|
||||
system.activationScripts.rsa-key = ''
|
||||
${pkgs.coreutils}/bin/install -D -m600 ${./ssh-keys/ssh} /root/.ssh/id_rsa
|
||||
${pkgs.coreutils}/bin/install -D -m600 ${./ssh-keys/ssh} /root/.ssh/install_key
|
||||
'';
|
||||
|
||||
environment.systemPackages = [ inputs.nixos-anywhere ];
|
||||
|