nix-community/nixos-anywhere
1
1
Fork 0
mirror of https://github.com/nix-community/nixos-anywhere.git synced 2024-09-11 16:45:28 +03:00
Code Issues Packages Projects Releases Wiki Activity
1120774e38
nixos-anywhere/terraform/nixos-rebuild/deploy.sh
zimbatm 1120774e38
nixos-rebuild: fix SSH key security race 
Make sure the ssh_key file is always 0700
2023-03-29 16:17:28 +02:00

46 lines
1.2 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
set -uex -o pipefail
if [ "$#" -ne 3 ]; then
echo "USAGE: $0 NIXOS_SYSTEM TARGET_HOST TARGET_PORT" >&2
exit 1
fi
NIXOS_SYSTEM=$1
TARGET_HOST=$2
TARGET_PORT=$3
shift 3
workDir=$(mktemp -d)
trap 'rm -rf "$workDir"' EXIT
sshOpts=(-p "${TARGET_PORT}")
sshOpts+=(-o UserKnownHostsFile=/dev/null)
sshOpts+=(-o StrictHostKeyChecking=no)
if [[ -n ${SSH_KEY+x} && ${SSH_KEY} != "-" ]]; then
sshPrivateKeyFile="$workDir/ssh_key"
trap 'rm "$sshPrivateKeyFile"' EXIT
# Create the file with 0700 - umask calculation: 777 - 700 = 077
(
umask 077
echo "$SSH_KEY" >"$sshPrivateKeyFile"
)
unset SSH_AUTH_SOCK # don't use system agent if key was supplied
sshOpts+=(-o "IdentityFile=${sshPrivateKeyFile}")
fi
try=1
until NIX_SSHOPTS="${sshOpts[*]}" nix copy -s --experimental-features nix-command --to "ssh://$TARGET_HOST" "$NIXOS_SYSTEM"; do
if [[ $try -gt 10 ]]; then
echo "retries exhausted" >&2
exit 1
fi
sleep 10
try=$((try + 1))
done
# shellcheck disable=SC2029
ssh "${sshOpts[@]}" "$TARGET_HOST" "nix-env -p /nix/var/nix/profiles/system --set $(printf "%q" "$NIXOS_SYSTEM"); /nix/var/nix/profiles/system/bin/switch-to-configuration switch" || :
Reference in New Issue View Git Blame Copy Permalink