pyrox.dev / nixpkgs
lol
fork atom

nixos-rebuild: merge --use-remote-sudo and --use-local-sudo to --sudo

Follow the usage of nixos-rebuild-ng.

zimbatm 46cd14bf 7d8a9fa0

options
unified split
Changed files
+13 -17
nixos
tests
nixos-rebuild-target-host.nix
pkgs
os-specific
linux
nixos-rebuild
_nixos-rebuild
nixos-rebuild.8
nixos-rebuild.sh
+4 -4
nixos/tests/nixos-rebuild-target-host.nix 
···

       
57

       
57

       
 

       
          users.users.alice.extraGroups = [ "wheel" ];


     

       
58

       
58

       
 

       
          users.users.bob.extraGroups = [ "wheel" ];


     

       
59

       
59

       
 

       



     

       
60

       

       
-

       
          # Disable sudo for root to ensure sudo isn't called without `--use-remote-sudo`


     

       

       
60

       
+

       
          # Disable sudo for root to ensure sudo isn't called without `--sudo`


     

       
61

       
61

       
 

       
          security.sudo.extraRules = lib.mkForce [


     

       
62

       
62

       
 

       
            {


     

       
63

       
63

       
 

       
              groups = [ "wheel" ];


     
···

       
170

       
170

       
 

       
      # Ensure sudo is disabled for root


     

       
171

       
171

       
 

       
      target.fail("sudo true")


     

       
172

       
172

       
 

       



     

       
173

       

       
-

       
      # This test also ensures that sudo is not called without --use-remote-sudo


     

       

       
173

       
+

       
      # This test also ensures that sudo is not called without --sudo


     

       
174

       
174

       
 

       
      with subtest("Deploy to root@target"):


     

       
175

       
175

       
 

       
        deployer.succeed("nixos-rebuild switch -I nixos-config=/root/configuration-1.nix --target-host root@target &>/dev/console")


     

       
176

       
176

       
 

       
        target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip()


     

       
177

       
177

       
 

       
        assert target_hostname == "config-1-deployed", f"{target_hostname=}"


     

       
178

       
178

       
 

       



     

       
179

       
179

       
 

       
      with subtest("Deploy to alice@target with passwordless sudo"):


     

       
180

       

       
-

       
        deployer.succeed("nixos-rebuild switch -I nixos-config=/root/configuration-2.nix --target-host alice@target --use-remote-sudo &>/dev/console")


     

       

       
180

       
+

       
        deployer.succeed("nixos-rebuild switch -I nixos-config=/root/configuration-2.nix --target-host alice@target --sudo &>/dev/console")


     

       
181

       
181

       
 

       
        target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip()


     

       
182

       
182

       
 

       
        assert target_hostname == "config-2-deployed", f"{target_hostname=}"


     

       
183

       
183

       
 

       



     

       
184

       
184

       
 

       
      with subtest("Deploy to bob@target with password based sudo"):


     

       
185

       
185

       
 

       
        # TODO: investigate why --ask-sudo-password from nixos-rebuild-ng is not working here


     

       
186

       

       
-

       
        deployer.succeed(r'${lib.optionalString withNg "NIX_SSHOPTS=-t "}passh -c 3 -C -p ${nodes.target.users.users.bob.password} -P "\[sudo\] password" nixos-rebuild switch -I nixos-config=/root/configuration-3.nix --target-host bob@target --use-remote-sudo &>/dev/console')


     

       

       
186

       
+

       
        deployer.succeed(r'${lib.optionalString withNg "NIX_SSHOPTS=-t "}passh -c 3 -C -p ${nodes.target.users.users.bob.password} -P "\[sudo\] password" nixos-rebuild switch -I nixos-config=/root/configuration-3.nix --target-host bob@target --sudo &>/dev/console')


     

       
187

       
187

       
 

       
        target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip()


     

       
188

       
188

       
 

       
        assert target_hostname == "config-3-deployed", f"{target_hostname=}"


     

       
189

       
189
+1 -1
pkgs/os-specific/linux/nixos-rebuild/_nixos-rebuild 
···

       
35

       
35

       
 

       
    --profile-name -p # name


     

       
36

       
36

       
 

       
    --rollback


     

       
37

       
37

       
 

       
    --specialisation -c # name


     

       
38

       

       
-

       
    --use-remote-sudo


     

       

       
38

       
+

       
    --use-sudo


     

       
39

       
39

       
 

       
    --no-ssh-tty


     

       
40

       
40

       
 

       
    --build-host # host


     

       
41

       
41

       
 

       
    --target-host # host
+2 -2
pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.8 
···

       
38

       
38

       
 

       
.br


     

       
39

       
39

       
 

       
.Op Fl -build-host Va host


     

       
40

       
40

       
 

       
.Op Fl -target-host Va host


     

       
41

       

       
-

       
.Op Fl -use-remote-sudo


     

       

       
41

       
+

       
.Op Fl -sudo


     

       
42

       
42

       
 

       
.Op Fl -no-ssh-tty


     

       
43

       
43

       
 

       
.br


     

       
44

       
44

       
 

       
.Op Fl -verbose | v


     
···

       
404

       
404

       
 

       
is also set. This is useful when the target-host connection to cache.nixos.org


     

       
405

       
405

       
 

       
is faster than the connection between hosts.


     

       
406

       
406

       
 

       
.


     

       
407

       

       
-

       
.It Fl -use-remote-sudo


     

       

       
407

       
+

       
.It Fl -sudo


     

       
408

       
408

       
 

       
When set, nixos-rebuild prefixes activation commands that run on the


     

       
409

       
409

       
 

       
.Fl -target-host


     

       
410

       
410

       
 

       
system with
+6 -10
pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh 
···

       
32

       
32

       
 

       
imageVariant=


     

       
33

       
33

       
 

       
buildHost=


     

       
34

       
34

       
 

       
targetHost=


     

       
35

       

       
-

       
remoteSudo=


     

       
36

       

       
-

       
localSudo=


     

       

       
35

       
+

       
useSudo=


     

       
37

       
36

       
 

       
noSSHTTY=


     

       
38

       
37

       
 

       
verboseScript=


     

       
39

       
38

       
 

       
noFlake=


     
···

       
171

       
170

       
 

       
        targetHost="$1"


     

       
172

       
171

       
 

       
        shift 1


     

       
173

       
172

       
 

       
        ;;


     

       
174

       

       
-

       
      --use-remote-sudo)


     

       
175

       

       
-

       
        remoteSudo=1


     

       
176

       

       
-

       
        ;;


     

       
177

       

       
-

       
      --use-local-sudo)


     

       
178

       

       
-

       
        localSudo=1


     

       

       
173

       
+

       
      --sudo | --use-remote-sudo)


     

       

       
174

       
+

       
        useSudo=1


     

       
179

       
175

       
 

       
        ;;


     

       
180

       
176

       
 

       
      --no-ssh-tty)


     

       
181

       
177

       
 

       
        noSSHTTY=1


     
···

       
241

       
237

       
 

       



     

       
242

       
238

       
 

       
targetHostCmd() {


     

       
243

       
239

       
 

       
    local c


     

       
244

       

       
-

       
    if [[ "${useSudo:-x}" = 1 ]]; then


     

       

       
240

       
+

       
    if [[ "${withSudo:-x}" = 1 ]]; then


     

       
245

       
241

       
 

       
        c=("sudo")


     

       
246

       
242

       
 

       
    else


     

       
247

       
243

       
 

       
        c=()


     
···

       
260

       
256

       
 

       
        t="-t"


     

       
261

       
257

       
 

       
    fi


     

       
262

       
258

       
 

       



     

       
263

       

       
-

       
    if [[ -n "$remoteSudo" || -n "$localSudo" ]]; then


     

       
264

       

       
-

       
        useSudo=1 SSHOPTS="$SSHOPTS $t" targetHostCmd "$@"


     

       

       
259

       
+

       
    if [[ -n "$useSudo" ]]; then


     

       

       
260

       
+

       
        withSudo=1 SSHOPTS="$SSHOPTS $t" targetHostCmd "$@"


     

       
265

       
261

       
 

       
    else


     

       
266

       
262

       
 

       
        # While a tty might not be necessary, we apply it to be consistent with


     

       
267

       
263

       
 

       
        # sudo usage, and an experience that is more consistent with local deployment.