nixos-rebuild: restore local sudo functionality (#416616)

authored by Thiago Kenji Okada and committed by GitHub 5d301218 63057b5e

+13 -13
+4 -4
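--- a/nixos/tests/nixos-rebuild-target-host.nix
+++ b/nixos/tests/nixos-rebuild-target-host.nix
@@ -57,7 +57,7 @@
 users.users.alice.extraGroups = [ "wheel" ];
 users.users.bob.extraGroups = [ "wheel" ];
 
-# Disable sudo for root to ensure sudo isn't called without `--use-remote-sudo`
+# Disable sudo for root to ensure sudo isn't called without `--sudo`
 security.sudo.extraRules = lib.mkForce [
 {
 groups = [ "wheel" ];
@@ -170,20 +170,20 @@
 # Ensure sudo is disabled for root
 target.fail("sudo true")
 
-# This test also ensures that sudo is not called without --use-remote-sudo
+# This test also ensures that sudo is not called without --sudo
 with subtest("Deploy to root@target"):
 deployer.succeed("nixos-rebuild switch -I nixos-config=/root/configuration-1.nix --target-host root@target &>/dev/console")
 target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip()
 assert target_hostname == "config-1-deployed", f"{target_hostname=}"
 
 with subtest("Deploy to alice@target with passwordless sudo"):
-deployer.succeed("nixos-rebuild switch -I nixos-config=/root/configuration-2.nix --target-host alice@target --use-remote-sudo &>/dev/console")
+deployer.succeed("nixos-rebuild switch -I nixos-config=/root/configuration-2.nix --target-host alice@target --sudo &>/dev/console")
 target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip()
 assert target_hostname == "config-2-deployed", f"{target_hostname=}"
 
 with subtest("Deploy to bob@target with password based sudo"):
 # TODO: investigate why --ask-sudo-password from nixos-rebuild-ng is not working here
-deployer.succeed(r'${lib.optionalString withNg "NIX_SSHOPTS=-t "}passh -c 3 -C -p ${nodes.target.users.users.bob.password} -P "\[sudo\] password" nixos-rebuild switch -I nixos-config=/root/configuration-3.nix --target-host bob@target --use-remote-sudo &>/dev/console')
+deployer.succeed(r'${lib.optionalString withNg "NIX_SSHOPTS=-t "}passh -c 3 -C -p ${nodes.target.users.users.bob.password} -P "\[sudo\] password" nixos-rebuild switch -I nixos-config=/root/configuration-3.nix --target-host bob@target --sudo &>/dev/console')
 target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip()
 assert target_hostname == "config-3-deployed", f"{target_hostname=}"
 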
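Review bot: None of the subtests in the second hunk still passes `--use-remote-sudo`, although the option parser in nixos-rebuild.sh keeps accepting it as an alias of `--sudo`, and no subtest shown runs `--sudo` without `--target-host`, which is the behaviour the commit title says is restored. A regression in either path would go unnoticed by the test as shown. Consider leaving one deployment (for example the alice subtest) on the old spelling with a comment such as `# deprecated alias, kept to cover backwards compatibility`, and adding a local `--sudo` subtest. The test script continues outside the hunk, so such coverage may already exist elsewhere.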
+1 -1
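--- a/pkgs/os-specific/linux/nixos-rebuild/_nixos-rebuild
+++ b/pkgs/os-specific/linux/nixos-rebuild/_nixos-rebuild
@@ -35,7 +35,7 @@
 --profile-name -p # name
 --rollback
 --specialisation -c # name
---use-remote-sudo
+--use-sudo
 --no-ssh-tty
 --build-host # host
 --target-host # host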
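Review bot: The completion list now offers `--use-sudo`, but the option parser changed in nixos-rebuild.sh in this same commit matches `--sudo | --use-remote-sudo)` and the man page documents `--sudo`; no `--use-sudo` case is visible anywhere on the page. Unless that spelling is handled outside the shown hunks, tab completion will produce an option the script does not accept. The entry should read `--sudo`.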
+2 -2
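--- a/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.8
+++ b/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.8
@@ -38,7 +38,7 @@
 .br
 .Op Fl -build-host Va host
 .Op Fl -target-host Va host
-.Op Fl -use-remote-sudo
+.Op Fl -sudo
 .Op Fl -no-ssh-tty
 .br
 .Op Fl -verbose | v
@@ -404,7 +404,7 @@
 is also set. This is useful when the target-host connection to cache.nixos.org
 is faster than the connection between hosts.
 .
-.It Fl -use-remote-sudo
+.It Fl -sudo
 When set, nixos-rebuild prefixes activation commands that run on the
 .Fl -target-host
 system with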
+6 -6
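--- a/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh
+++ b/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh
@@ -32,7 +32,7 @@
 imageVariant=
 buildHost=
 targetHost=
-remoteSudo=
+useSudo=
 noSSHTTY=
 verboseScript=
 noFlake=
@@ -170,8 +170,8 @@
 targetHost="$1"
 shift 1
 ;;
---use-remote-sudo)
-remoteSudo=1
+--sudo | --use-remote-sudo)
+useSudo=1
 ;;
 --no-ssh-tty)
 noSSHTTY=1
@@ -237,7 +237,7 @@
 
 targetHostCmd() {
 local c
-if [[ "${useSudo:-x}" = 1 ]]; then
+if [[ "${withSudo:-x}" = 1 ]]; then
 c=("sudo")
 else
 c=()
@@ -256,8 +256,8 @@
 t="-t"
 fi
 
-if [ -n "$remoteSudo" ]; then
-useSudo=1 SSHOPTS="$SSHOPTS $t" targetHostCmd "$@"
+if [[ -n "$useSudo" ]]; then
+withSudo=1 SSHOPTS="$SSHOPTS $t" targetHostCmd "$@"
 else
 # While a tty might not be necessary, we apply it to be consistent with
 # sudo usage, and an experience that is more consistent with local deployment.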
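Review bot: `targetHostCmd` decides whether to prepend `sudo` from `"${withSudo:-x}"`, and `withSudo` is not among the option variables reset at the top of the script in the first hunk, so a `withSudo=1` inherited from the caller's environment would make every call run under sudo even when `--sudo` was not given. That would contradict what the target-host test asserts, namely that sudo is not invoked without the flag. Initialise it next to the others with `withSudo=`, or pass the choice to `targetHostCmd` as an explicit argument instead of a prefixed assignment. The initialisation block and the body of `targetHostCmd` both continue outside the hunks, so confirm it is not already cleared there.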