Commit a24b6fe

terraform: Add support for additional SSH options during installation and deployment
1 parent d00d5b7 commit a24b6fe

11 files changed, +51 −11 lines

terraform/all-in-one.md

Lines changed: 2 additions & 0 deletions
@@ -204,13 +204,15 @@ No resources.
204204
| <a name="input_build_on_remote"></a> [build\_on\_remote](#input_build_on_remote) | Build the closure on the remote machine instead of building it locally and copying it over | `bool` | `false` | no |
205205
| <a name="input_debug_logging"></a> [debug\_logging](#input_debug_logging) | Enable debug logging | `bool` | `false` | no |
206206
| <a name="input_deployment_ssh_key"></a> [deployment\_ssh\_key](#input_deployment_ssh_key) | Content of private key used to deploy to the target\_host after initial installation. To ensure maximum security, it is advisable to connect to your host using ssh-agent instead of relying on this variable | `string` | `null` | no |
207+
| <a name="input_deployment_ssh_options"></a> [deployment\_ssh\_options](#input_deployment_ssh_options) | Additional SSH options to use during deploy | `list(string)` | `[]` | no |
207208
| <a name="input_disk_encryption_key_scripts"></a> [disk\_encryption\_key\_scripts](#input_disk_encryption_key_scripts) | Each script will be executed locally. Output of each will be created at the given path to disko during installation. The keys will be not copied to the final system | <pre>list(object({<br/> path = string<br/> script = string<br/> }))</pre> | `[]` | no |
208209
| <a name="input_extra_environment"></a> [extra\_environment](#input_extra_environment) | Extra environment variables to be set during installation. This can be useful to set extra variables for the extra\_files\_script or disk\_encryption\_key\_scripts | `map(string)` | `{}` | no |
209210
| <a name="input_extra_files_script"></a> [extra\_files\_script](#input_extra_files_script) | A script that should place files in the current directory that will be copied to the targets / directory | `string` | `null` | no |
210211
| <a name="input_file"></a> [file](#input_file) | Nix file containing the nixos\_system\_attr and nixos\_partitioner\_attr. Use this if you are not using flake | `string` | `null` | no |
211212
| <a name="input_install_bootloader"></a> [install\_bootloader](#input_install_bootloader) | Install/re-install the bootloader | `bool` | `false` | no |
212213
| <a name="input_install_port"></a> [install\_port](#input_install_port) | SSH port used to connect to the target\_host, before installing NixOS. If null than the value of `target_port` is used | `string` | `null` | no |
213214
| <a name="input_install_ssh_key"></a> [install\_ssh\_key](#input_install_ssh_key) | Content of private key used to connect to the target\_host during initial installation | `string` | `null` | no |
215+
| <a name="input_install_ssh_options"></a> [install\_ssh\_options](#input_install_ssh_options) | Additional SSH options to use during installation | `list(string)` | `[]` | no |
214216
| <a name="input_install_user"></a> [install\_user](#input_install_user) | SSH user used to connect to the target\_host, before installing NixOS. If null than the value of `target_host` is used | `string` | `null` | no |
215217
| <a name="input_instance_id"></a> [instance\_id](#input_instance_id) | The instance id of the target\_host, used to track when to reinstall the machine | `string` | `null` | no |
216218
| <a name="input_kexec_tarball_url"></a> [kexec\_tarball\_url](#input_kexec_tarball_url) | NixOS kexec installer tarball url | `string` | `null` | no |
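Review bot: the descriptions for `install_ssh_options` and `deployment_ssh_options` leave the expected entry format unstated; elsewhere in this commit each element becomes a nixos-anywhere `--ssh-option` argument (run-nixos-anywhere.sh) or an OpenSSH `-o` argument (deploy.sh), so say that entries are OpenSSH `-o`-style `Key=value` strings and give one example in the description, e.g. `StrictHostKeyChecking=accept-new`. Since the most common use of these knobs is host-key policy, a documented example steers users toward `accept-new` or a dedicated `UserKnownHostsFile` rather than disabling host-key checking altogether.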

terraform/all-in-one/main.tf

Lines changed: 2 additions & 0 deletions
@@ -39,6 +39,7 @@ module "install" {
3939
nixos_generate_config_path = var.nixos_generate_config_path
4040
nixos_facter_path = var.nixos_facter_path
4141
build_on_remote = var.build_on_remote
42+
ssh_options = var.install_ssh_options
4243
# deprecated attributes
4344
stop_after_disko = var.stop_after_disko
4445
no_reboot = var.no_reboot
@@ -59,6 +60,7 @@ module "nixos-rebuild" {
5960
target_user = var.target_user
6061
target_port = var.target_port
6162
install_bootloader = var.install_bootloader
63+
ssh_options = var.deployment_ssh_options
6264
}
6365

6466
output "result" {

terraform/all-in-one/variables.tf

Lines changed: 12 additions & 0 deletions
@@ -149,3 +149,15 @@ variable "install_bootloader" {
149149
description = "Install/re-install the bootloader"
150150
default = false
151151
}
152+
153+
variable "install_ssh_options" {
154+
type = list(string)
155+
description = "Additional SSH options to use during installation"
156+
default = []
157+
}
158+
159+
variable "deployment_ssh_options" {
160+
type = list(string)
161+
description = "Additional SSH options to use during deploy"
162+
default = []
163+
}

terraform/install.md

Lines changed: 1 addition & 0 deletions
@@ -77,6 +77,7 @@ No modules.
7777
| <a name="input_nixos_system"></a> [nixos\_system](#input_nixos_system) | The nixos system to deploy | `string` | `""` | no |
7878
| <a name="input_no_reboot"></a> [no\_reboot](#input_no_reboot) | DEPRECATED: Use `phases` instead. Do not reboot after installation | `bool` | `false` | no |
7979
| <a name="input_phases"></a> [phases](#input_phases) | Phases to run. See `nixos-anywhere --help` for more information | `list(string)` | <pre>[<br/> "kexec",<br/> "disko",<br/> "install",<br/> "reboot"<br/>]</pre> | no |
80+
| <a name="input_ssh_options"></a> [ssh\_options](#input_ssh_options) | Additional SSH options to use during installation | `list(string)` | `[]` | no |
8081
| <a name="input_ssh_private_key"></a> [ssh\_private\_key](#input_ssh_private_key) | Content of private key used to connect to the target\_host | `string` | `""` | no |
8182
| <a name="input_stop_after_disko"></a> [stop\_after\_disko](#input_stop_after_disko) | DEPRECATED: Use `phases` instead. Exit after disko formatting | `bool` | `false` | no |
8283
| <a name="input_target_host"></a> [target\_host](#input_target_host) | DNS host to deploy to | `string` | n/a | yes |

terraform/install/main.tf

Lines changed: 2 additions & 1 deletion
@@ -27,7 +27,8 @@ resource "null_resource" "nixos-remote" {
2727
}
2828
provisioner "local-exec" {
2929
environment = merge({
30-
ARGUMENTS = local.arguments
30+
ARGUMENTS = local.arguments
31+
SSH_OPTIONS = jsonencode(var.ssh_options)
3132
}, var.extra_environment)
3233
command = "${path.module}/run-nixos-anywhere.sh ${join(" ", local.disk_encryption_key_scripts)}"
3334
quiet = var.debug_logging
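Review bot: `SSH_OPTIONS` sits in the first argument to `merge`, so an `SSH_OPTIONS` key supplied through `var.extra_environment` silently wins over the encoded list; either merge the user map first so the module-owned variables take precedence, or document that `extra_environment` can override it. Passing the list as `jsonencode(var.ssh_options)` rather than a space-joined string is the right choice here, since it lets the shell side recover each option intact regardless of whitespace or quoting.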

terraform/install/run-nixos-anywhere.sh

Lines changed: 4 additions & 0 deletions
@@ -89,4 +89,8 @@ while [[ $# -gt 0 ]]; do
8989
keyIdx=$((keyIdx + 1))
9090
done
9191

92+
while IFS= read -r -d '' value; do
93+
args+=("--ssh-option" "$value")
94+
done < <(jq -j 'to_entries[] | (.value, "\u0000")' <<<"${SSH_OPTIONS}")
95+
9296
nix run --extra-experimental-features 'nix-command flakes' "path:${SCRIPT_DIR}/../..#nixos-anywhere" -- "${args[@]}"
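Review bot: a failure inside the process substitution (jq not installed, `SSH_OPTIONS` unset, or not valid JSON) does not stop the script, because bash does not propagate the exit status of `<(...)` to the `while` loop; the run then proceeds with no `--ssh-option` arguments at all, and since these options can carry host-key policy such as `StrictHostKeyChecking` or `UserKnownHostsFile`, the connection silently goes ahead with a weaker policy than the one configured. Validate the input before decoding it, e.g. `jq -e 'type == "array"' <<<"${SSH_OPTIONS}" >/dev/null || exit 1`. Separately, `.[] | (., "\u0000")` expresses the array walk more directly than `to_entries[] | (.value, "\u0000")`.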

terraform/install/variables.tf

Lines changed: 6 additions & 0 deletions
@@ -121,3 +121,9 @@ variable "nixos_facter_path" {
121121
description = "Path to which to write a `facter.json` generated by `nixos-facter`. This option cannot be set at the same time as `nixos_generate_config_path`."
122122
default = ""
123123
}
124+
125+
variable "ssh_options" {
126+
type = list(string)
127+
description = "Additional SSH options to use during installation"
128+
default = []
129+
}

terraform/nixos-rebuild.md

Lines changed: 10 additions & 9 deletions
@@ -50,15 +50,16 @@ No modules.
5050

5151
## Inputs
5252

53-
| Name | Description | Type | Default | Required |
54-
| -------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | -------- | -------- | :------: |
55-
| <a name="input_ignore_systemd_errors"></a> [ignore\_systemd\_errors](#input_ignore_systemd_errors) | Ignore systemd errors happening during deploy | `bool` | `false` | no |
56-
| <a name="input_install_bootloader"></a> [install\_bootloader](#input_install_bootloader) | Install/re-install the bootloader | `bool` | `false` | no |
57-
| <a name="input_nixos_system"></a> [nixos\_system](#input_nixos_system) | The nixos system to deploy | `string` | n/a | yes |
58-
| <a name="input_ssh_private_key"></a> [ssh\_private\_key](#input_ssh_private_key) | Content of private key used to connect to the target\_host. If set to - no key is passed to openssh and ssh will use its own configuration | `string` | `"-"` | no |
59-
| <a name="input_target_host"></a> [target\_host](#input_target_host) | DNS host to deploy to | `string` | n/a | yes |
60-
| <a name="input_target_port"></a> [target\_port](#input_target_port) | SSH port used to connect to the target\_host | `number` | `22` | no |
61-
| <a name="input_target_user"></a> [target\_user](#input_target_user) | User to deploy as | `string` | `"root"` | no |
53+
| Name | Description | Type | Default | Required |
54+
| -------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | -------------- | -------- | :------: |
55+
| <a name="input_ignore_systemd_errors"></a> [ignore\_systemd\_errors](#input_ignore_systemd_errors) | Ignore systemd errors happening during deploy | `bool` | `false` | no |
56+
| <a name="input_install_bootloader"></a> [install\_bootloader](#input_install_bootloader) | Install/re-install the bootloader | `bool` | `false` | no |
57+
| <a name="input_nixos_system"></a> [nixos\_system](#input_nixos_system) | The nixos system to deploy | `string` | n/a | yes |
58+
| <a name="input_ssh_options"></a> [ssh\_options](#input_ssh_options) | Additional SSH options to use during deploy | `list(string)` | `[]` | no |
59+
| <a name="input_ssh_private_key"></a> [ssh\_private\_key](#input_ssh_private_key) | Content of private key used to connect to the target\_host. If set to - no key is passed to openssh and ssh will use its own configuration | `string` | `"-"` | no |
60+
| <a name="input_target_host"></a> [target\_host](#input_target_host) | DNS host to deploy to | `string` | n/a | yes |
61+
| <a name="input_target_port"></a> [target\_port](#input_target_port) | SSH port used to connect to the target\_host | `number` | `22` | no |
62+
| <a name="input_target_user"></a> [target\_user](#input_target_user) | User to deploy as | `string` | `"root"` | no |
6263

6364
## Outputs
6465

terraform/nixos-rebuild/deploy.sh

Lines changed: 4 additions & 0 deletions
@@ -38,6 +38,10 @@ if [[ -n ${SSH_KEY+x} && ${SSH_KEY} != "-" ]]; then
3838
fi
3939
set -x
4040

41+
while IFS= read -r -d '' value; do
42+
sshOpts+=(-o "$value")
43+
done < <(jq -j 'to_entries[] | (.value, "\u0000")' <<<"${SSH_OPTIONS}")
44+
4145
try=1
4246
until NIX_SSHOPTS="${sshOpts[*]}" nix copy -s --experimental-features nix-command --to "ssh://$TARGET" "$NIXOS_SYSTEM"; do
4347
if [[ $try -gt 10 ]]; then
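Review bot: `NIX_SSHOPTS="${sshOpts[*]}"` joins the array with spaces, and nix splits `NIX_SSHOPTS` on whitespace again without shell-style unquoting, so an entry containing a space (for example a `ProxyCommand=ssh -W %h:%p jumphost` value) reaches ssh as several broken arguments even though the NUL-delimited jq decoding just above kept it intact. Either document in the `ssh_options` description that entries must not contain whitespace, or reject such entries in this loop and fail loudly instead of letting ssh misinterpret the option. Placing the loop after `set -x` also means every option is echoed into the Terraform log, which is fine for host-key settings but worth keeping in mind if anyone puts sensitive values there.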

terraform/nixos-rebuild/main.tf

Lines changed: 2 additions & 1 deletion
@@ -4,7 +4,8 @@ resource "null_resource" "nixos-rebuild" {
44
}
55
provisioner "local-exec" {
66
environment = {
7-
SSH_KEY = var.ssh_private_key
7+
SSH_KEY = var.ssh_private_key
8+
SSH_OPTIONS = jsonencode(var.ssh_options)
89
}
910
command = "${path.module}/deploy.sh ${var.nixos_system} ${var.target_user} ${var.target_host} ${var.target_port} ${var.ignore_systemd_errors} ${var.install_bootloader}"
1011
}
