allow pipes for --disk-encryption-keys...
this allows passing multiple disk encryption keys, some of which might come in the form of unix pipes. It can be used with bash process substitution to pass a secret to the remote machine without writing it locally to disk. Example --disk-encryption-keys /tmp/disk-1.key <(echo "my-secret") --disk-encryption-keys /tmp/disk-2.key /tmp/static-file.key
This commit is contained in:
parent
e4f04317f7
commit
d57dc3d750
23
nixos-remote
23
nixos-remote
@ -22,9 +22,9 @@ Options:
|
||||
exit after disko formating, you can then proceed to install manually or some other way
|
||||
* --extra-files files
|
||||
files to copy into the new nixos installation
|
||||
* --disk-encryption-keys files
|
||||
files to copy into the installer environment, after kexec but before installation. Can be
|
||||
used for things like disk encryption keys
|
||||
* --disk-encryption-keys remote_path local_path
|
||||
copy the contents of the file or pipe in local_path to remote_path in the installer environment,
|
||||
after kexec but before installation. Can be repeated.
|
||||
* --debug
|
||||
enable debug output
|
||||
USAGE
|
||||
@ -39,6 +39,8 @@ kexec_url=https://github.com/nix-community/nixos-images/releases/download/nixos-
|
||||
enable_debug=""
|
||||
maybereboot="reboot"
|
||||
|
||||
declare -A disk_encryption_keys
|
||||
|
||||
while [[ $# -gt 0 ]]; do
|
||||
case "$1" in
|
||||
-f | --flake)
|
||||
@ -71,7 +73,8 @@ while [[ $# -gt 0 ]]; do
|
||||
shift
|
||||
;;
|
||||
--disk-encryption-keys)
|
||||
disk_encryption_keys=$2
|
||||
disk_encryption_keys["$2"]="$3"
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
--stop-after-disko)
|
||||
@ -210,13 +213,11 @@ SSH
|
||||
# watiting for machine to become available again
|
||||
until ssh_ -o ConnectTimeout=10 -- exit 0; do sleep 5; done
|
||||
fi
|
||||
|
||||
if [[ -n ${disk_encryption_keys:-} ]]; then
|
||||
if [[ -d "$disk_encryption_keys" ]]; then
|
||||
disk_encryption_keys="$disk_encryption_keys/"
|
||||
fi
|
||||
rsync -vrlF -e "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" "$disk_encryption_keys" "${ssh_connection#ssh://}:/tmp/"
|
||||
fi
|
||||
for path in "${!disk_encryption_keys[@]}"
|
||||
do
|
||||
echo "Uploading ${disk_encryption_keys[$path]} to $path"
|
||||
cat "${disk_encryption_keys[$path]}" | ssh_ "cat > $path"
|
||||
done
|
||||
|
||||
nixCopy --to "ssh://$ssh_connection" "$disko_script"
|
||||
ssh_ "$disko_script"
|
||||
|
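Review bot: In the upload loop the remote path is interpolated unquoted into the remote command string, `ssh_ "cat > $path"`, so a remote_path containing whitespace or shell metacharacters is re-parsed by the remote shell instead of being used as one filename, and the target file is created under the installer's default umask, so the key is likely readable by other users there until disko consumes it. Both points are covered by one line, assuming the installer's login shell is bash: `ssh_ "umask 077 && cat > $(printf '%q' "$path")" < "${disk_encryption_keys[$path]}"`, which also drops the `cat |` stage so a missing local file fails the command directly rather than depending on pipefail. The removed rsync call always wrote under /tmp/, whereas the new loop assumes the parent directory of each remote_path already exists in the installer; the usage text in the first hunk could say so. The `--disk-encryption-keys` arm in the parser hunk stores `$3` without checking it was supplied, so a trailing option with one argument is silently accepted (or, if the script runs with `set -u`, reported as an unset variable rather than a usage error).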
@ -6,21 +6,24 @@
|
||||
};
|
||||
testScript = ''
|
||||
start_all()
|
||||
installer.succeed("echo super-secret > /tmp/disk-encryption-key")
|
||||
installer.succeed("echo super-secret > /tmp/disk-1.key")
|
||||
output = installer.succeed("""
|
||||
${../nixos-remote} \
|
||||
--no-ssh-copy-id \
|
||||
--debug \
|
||||
--kexec /etc/nixos-remote/kexec-installer \
|
||||
--stop-after-disko \
|
||||
--disk-encryption-keys /tmp/disk-encryption-key \
|
||||
--disk-encryption-keys /tmp/disk-1.key /tmp/disk-1.key \
|
||||
--disk-encryption-keys /tmp/disk-2.key <(echo another-secret) \
|
||||
--store-paths /etc/nixos-remote/disko /etc/nixos-remote/system-to-install \
|
||||
nixos@installed >&2
|
||||
key=$(ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
|
||||
root@installed cat /tmp/disk-encryption-key)
|
||||
echo "encryption key: '$key'"
|
||||
echo "disk-1.key: '$(ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
|
||||
root@installed cat /tmp/disk-1.key)'"
|
||||
echo "disk-2.key: '$(ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
|
||||
root@installed cat /tmp/disk-2.key)'"
|
||||
""")
|
||||
|
||||
assert "encryption key: 'super-secret'" in output, f"output does not contain expected values: {output}"
|
||||
assert "disk-1.key: 'super-secret'" in output, f"output does not contain expected values: {output}"
|
||||
assert "disk-2.key: 'another-secret'" in output, f"output does not contain expected values: {output}"
|
||||
'';
|
||||
}
|
||||
|
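Review bot: The assertions check only the content of the uploaded keys; since the script now creates them on the installer with a plain `cat >`, a mode check such as `stat -c %a /tmp/disk-2.key` in the ssh command, asserted to be `600`, would catch a key that ends up readable by other users. The same `f"output does not contain expected values: {output}"` message is repeated on all three asserts, which makes a failure harder to attribute; naming the key in each message would help. The enclosing attribute set of this testScript starts outside the hunk.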