nixos-rebuild: merge --use-remote-sudo and --use-local-sudo to --sudo

Follow the usage of nixos-rebuild-ng.
zimbatm 2025-06-14 13:20:55 +02:00
parent 7d8a9fa0e1
commit 46cd14bf24
4 changed files with 13 additions and 17 deletions


@ -57,7 +57,7 @@
users.users.alice.extraGroups = [ "wheel" ]; users.users.alice.extraGroups = [ "wheel" ];
users.users.bob.extraGroups = [ "wheel" ]; users.users.bob.extraGroups = [ "wheel" ];
# Disable sudo for root to ensure sudo isn't called without `--use-remote-sudo` # Disable sudo for root to ensure sudo isn't called without `--sudo`
security.sudo.extraRules = lib.mkForce [ security.sudo.extraRules = lib.mkForce [
{ {
groups = [ "wheel" ]; groups = [ "wheel" ];
@ -170,20 +170,20 @@
# Ensure sudo is disabled for root # Ensure sudo is disabled for root
target.fail("sudo true") target.fail("sudo true")
# This test also ensures that sudo is not called without --use-remote-sudo # This test also ensures that sudo is not called without --sudo
with subtest("Deploy to root@target"): with subtest("Deploy to root@target"):
deployer.succeed("nixos-rebuild switch -I nixos-config=/root/configuration-1.nix --target-host root@target &>/dev/console") deployer.succeed("nixos-rebuild switch -I nixos-config=/root/configuration-1.nix --target-host root@target &>/dev/console")
target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip() target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip()
assert target_hostname == "config-1-deployed", f"{target_hostname=}" assert target_hostname == "config-1-deployed", f"{target_hostname=}"
with subtest("Deploy to alice@target with passwordless sudo"): with subtest("Deploy to alice@target with passwordless sudo"):
deployer.succeed("nixos-rebuild switch -I nixos-config=/root/configuration-2.nix --target-host alice@target --use-remote-sudo &>/dev/console") deployer.succeed("nixos-rebuild switch -I nixos-config=/root/configuration-2.nix --target-host alice@target --sudo &>/dev/console")
target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip() target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip()
assert target_hostname == "config-2-deployed", f"{target_hostname=}" assert target_hostname == "config-2-deployed", f"{target_hostname=}"
with subtest("Deploy to bob@target with password based sudo"): with subtest("Deploy to bob@target with password based sudo"):
# TODO: investigate why --ask-sudo-password from nixos-rebuild-ng is not working here # TODO: investigate why --ask-sudo-password from nixos-rebuild-ng is not working here
deployer.succeed(r'${lib.optionalString withNg "NIX_SSHOPTS=-t "}passh -c 3 -C -p ${nodes.target.users.users.bob.password} -P "\[sudo\] password" nixos-rebuild switch -I nixos-config=/root/configuration-3.nix --target-host bob@target --use-remote-sudo &>/dev/console') deployer.succeed(r'${lib.optionalString withNg "NIX_SSHOPTS=-t "}passh -c 3 -C -p ${nodes.target.users.users.bob.password} -P "\[sudo\] password" nixos-rebuild switch -I nixos-config=/root/configuration-3.nix --target-host bob@target --sudo &>/dev/console')
target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip() target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip()
assert target_hostname == "config-3-deployed", f"{target_hostname=}" assert target_hostname == "config-3-deployed", f"{target_hostname=}"


@ -35,7 +35,7 @@ _nixos-rebuild() {
--profile-name -p # name --profile-name -p # name
--rollback --rollback
--specialisation -c # name --specialisation -c # name
--use-remote-sudo --use-sudo
--no-ssh-tty --no-ssh-tty
--build-host # host --build-host # host
--target-host # host --target-host # host
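Review bot: The completion entry added here is `--use-sudo`, but the option parser touched by this same commit matches `--sudo | --use-remote-sudo` and the man page synopsis documents `--sudo`, so tab completion would offer a spelling that, as far as the visible hunks show, the script does not accept. The entry should read `--sudo`; if the deprecated spelling is meant to stay discoverable, list `--use-remote-sudo` alongside it. The option list of `_nixos-rebuild` continues outside the hunk, so confirm no other entry already covers `--sudo`.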


@ -38,7 +38,7 @@
.br .br
.Op Fl -build-host Va host .Op Fl -build-host Va host
.Op Fl -target-host Va host .Op Fl -target-host Va host
.Op Fl -use-remote-sudo .Op Fl -sudo
.Op Fl -no-ssh-tty .Op Fl -no-ssh-tty
.br .br
.Op Fl -verbose | v .Op Fl -verbose | v
@ -404,7 +404,7 @@ or
is also set. This is useful when the target-host connection to cache.nixos.org is also set. This is useful when the target-host connection to cache.nixos.org
is faster than the connection between hosts. is faster than the connection between hosts.
. .
.It Fl -use-remote-sudo .It Fl -sudo
When set, nixos-rebuild prefixes activation commands that run on the When set, nixos-rebuild prefixes activation commands that run on the
.Fl -target-host .Fl -target-host
system with system with


@ -32,8 +32,7 @@ specialisation=
imageVariant= imageVariant=
buildHost= buildHost=
targetHost= targetHost=
remoteSudo= useSudo=
localSudo=
noSSHTTY= noSSHTTY=
verboseScript= verboseScript=
noFlake= noFlake=
@ -171,11 +170,8 @@ while [ "$#" -gt 0 ]; do
targetHost="$1" targetHost="$1"
shift 1 shift 1
;; ;;
--use-remote-sudo) --sudo | --use-remote-sudo)
remoteSudo=1 useSudo=1
;;
--use-local-sudo)
localSudo=1
;; ;;
--no-ssh-tty) --no-ssh-tty)
noSSHTTY=1 noSSHTTY=1
@ -241,7 +237,7 @@ buildHostCmd() {
targetHostCmd() { targetHostCmd() {
local c local c
if [[ "${useSudo:-x}" = 1 ]]; then if [[ "${withSudo:-x}" = 1 ]]; then
c=("sudo") c=("sudo")
else else
c=() c=()
@ -260,8 +256,8 @@ targetHostSudoCmd() {
t="-t" t="-t"
fi fi
if [[ -n "$remoteSudo" || -n "$localSudo" ]]; then if [[ -n "$useSudo" ]]; then
useSudo=1 SSHOPTS="$SSHOPTS $t" targetHostCmd "$@" withSudo=1 SSHOPTS="$SSHOPTS $t" targetHostCmd "$@"
else else
# While a tty might not be necessary, we apply it to be consistent with # While a tty might not be necessary, we apply it to be consistent with
# sudo usage, and an experience that is more consistent with local deployment. # sudo usage, and an experience that is more consistent with local deployment.
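Review bot: The rewritten case arm `--sudo | --use-remote-sudo)` keeps only one of the two merged flags as an alias: `--use-local-sudo` is deleted outright, so existing invocations that pass it will presumably fall through to the parser's unknown-option handling, which is outside the hunk. If the merge is meant to be backward compatible, the arm could read `--sudo | --use-remote-sudo | --use-local-sudo)`. Separately, `targetHostCmd` now tests `withSudo`, which is not cleared in the initialisation list where `useSudo=` was added, so a `withSudo=1` inherited from the caller's environment would appear to prefix `sudo` without the flag being given; adding `withSudo=` next to `useSudo=` closes that. Both the initialisation list and the case statement continue outside the visible hunks.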