also support sudo password in terraform

Mic92 · Mic92 · commit 34e4dd751c46 · 2025-06-10T15:12:41.000+02:00
diff --git a/docs/cli.md b/docs/cli.md
@@ -21,7 +21,7 @@ Options:
 * --env-password
   set a password used by ssh-copy-id, the password should be set by
   the environment variable SSHPASS. Additionally, sudo password can be set
-  via SUDO_PASSWORD environment variable for remote sudo operations 
+  via SUDO_PASSWORD environment variable for remote sudo operations
   (only supported with sudo, not doas)
 * -s, --store-paths <disko-script> <nixos-system>
   set the store paths to the disko-script and nixos-system directly
diff --git a/docs/reference.md b/docs/reference.md
@@ -42,7 +42,7 @@ Options:
 * --env-password
   set a password used by ssh-copy-id, the password should be set by
   the environment variable SSHPASS. Additionally, sudo password can be set
-  via SUDO_PASSWORD environment variable for remote sudo operations 
+  via SUDO_PASSWORD environment variable for remote sudo operations
   (only supported with sudo, not doas)
 * -s, --store-paths <disko-script> <nixos-system>
   set the store paths to the disko-script and nixos-system directly
diff --git a/src/nixos-anywhere.sh b/src/nixos-anywhere.sh
@@ -430,28 +430,15 @@ runSsh() {
 
 # Helper function to authenticate sudo with password if needed
 maybeSudo() {
-  # Early return if no command provided and no sudo password
-  if [[ $# -eq 0 && -z ${SUDO_PASSWORD} ]]; then
-    return
-  fi
-
-  # Use 'true' as default command if none provided but we have sudo password
-  local cmd=("${@:-true}")
-
   if [[ -n ${SUDO_PASSWORD} ]] && [[ ${maybeSudoCommand} == "sudo" ]]; then
     # If debug is enabled and we have a sudo password, warn about potential issues
-
     # Use sudo with password authentication - pipe password to all sudo commands
     printf "printf %%s %q | sudo -S " "$SUDO_PASSWORD"
-    printf '%q ' "${cmd[@]}"
+    # Restore debug state if it was enabled
   elif [[ -n ${maybeSudoCommand} ]]; then
     printf '%s ' "${maybeSudoCommand}"
-    printf '%q ' "${cmd[@]}"
-  else
-    # No sudo command needed (e.g., already root after kexec)
-    printf '%q ' "${cmd[@]}"
   fi
-  echo
+  # No output if no sudo needed (e.g., already root after kexec)
 }
 
 # Test and cache sudo password if needed
@@ -547,7 +534,7 @@ buildStoreUrl() {
       # Use password authentication for nix-daemon
       remoteProgram="sh -c $(urlEncode "$(printf %s "$(printf '%q' "$SUDO_PASSWORD")" | sudo -S nix-daemon)")"
     else
-      remoteProgram="${maybeSudoCommand},nix-daemon"
+      remoteProgram="${maybeSudoCommand} nix-daemon"
     fi
 
     if [[ $storeUrl == *"?"* ]]; then
@@ -752,7 +739,7 @@ generateHardwareConfig() {
     fi
 
     step "Generating hardware-configuration.nix using nixos-facter"
-    runSshNoTty -o ConnectTimeout=10 "$(maybeSudo nixos-facter)" >"$hardwareConfigPath"
+    runSshNoTty -o ConnectTimeout=10 "$(maybeSudo)nixos-facter" >"$hardwareConfigPath"
     ;;
   nixos-generate-config)
     step "Generating hardware-configuration.nix using nixos-generate-config"
@@ -806,10 +793,10 @@ runKexec() {
   local remoteCommandTemplate
   remoteCommandTemplate="
 set -eu ${enableDebug}
-$(maybeSudo rm -rf /root/kexec)
-$(maybeSudo mkdir -p /root/kexec)
+$(maybeSudo)rm -rf /root/kexec
+$(maybeSudo)mkdir -p /root/kexec
 %TAR_COMMAND%
-$(maybeSudo TMPDIR=/root/kexec setsid --wait /root/kexec/kexec/run --kexec-extra-flags "$kexecExtraFlags")
+$(maybeSudo)TMPDIR=/root/kexec setsid --wait /root/kexec/kexec/run${kexecExtraFlags:+ --kexec-extra-flags \"$kexecExtraFlags\"}
 "
 
   # Define upload commands
@@ -870,7 +857,7 @@ runDisko() {
   local diskoScript=$1
   for path in "${!diskEncryptionKeys[@]}"; do
     step "Uploading ${diskEncryptionKeys[$path]} to $path"
-    runSsh "$(maybeSudo sh) -c $(printf '%q' "umask 077; mkdir -p $(dirname "$path"); cat > $path")" <"${diskEncryptionKeys[$path]}"
+    runSsh "$(maybeSudo)sh -c $(printf '%q' "umask 077; mkdir -p $(dirname "$path"); cat > $path")" <"${diskEncryptionKeys[$path]}"
   done
   if [[ -n ${diskoScript} ]]; then
     nixCopy --to "ssh-ng://$sshConnection" "$diskoScript"
@@ -887,7 +874,7 @@ runDisko() {
   fi
 
   step Formatting hard drive with disko
-  runSsh "$(maybeSudo "$diskoScript")"
+  runSsh "$(maybeSudo)$diskoScript"
 }
 
 nixosInstall() {
@@ -912,12 +899,12 @@ nixosInstall() {
     step Copying extra files
     tar -C "$extraFiles" -cpf- . | runSsh "${maybeSudoCommand} tar -C /mnt -xf- --no-same-owner"
 
-    runSsh "$(maybeSudo chmod 755 /mnt)" # tar also changes permissions of /mnt
+    runSsh "$(maybeSudo)chmod 755 /mnt" # tar also changes permissions of /mnt
   fi
 
   if [[ ${#extraFilesOwnership[@]} -gt 0 ]]; then
-    # shellcheck disable=SC2016
-    printf "%s\n" "${!extraFilesOwnership[@]}" "${extraFilesOwnership[@]}" | pr -2t | runSsh 'while read file ownership; do '"$(maybeSudo chown -R \$ownership \"/mnt/\$file\")"'; done'
+    # shellcheck disable=SC2016,SC2086
+    printf "%s\n" "${!extraFilesOwnership[@]}" "${extraFilesOwnership[@]}" | pr -2t | runSsh "while read file ownership; do $(maybeSudo)chown -R \$ownership /mnt/\$file; done"
   fi
 
   step Installing NixOS
@@ -929,27 +916,27 @@ export PATH="\$PATH:/run/current-system/sw/bin"
 
 if [ ! -d "/mnt/tmp" ]; then
   # needed for installation if initrd-secrets are used
-  $(maybeSudo mkdir -p /mnt/tmp)
-  $(maybeSudo chmod 777 /mnt/tmp)
+  $(maybeSudo)mkdir -p /mnt/tmp
+  $(maybeSudo)chmod 777 /mnt/tmp
 fi
 
 if [ ${copyHostKeys-n} = "y" ]; then
   # NB we copy host keys that are in turn copied by kexec installer.
-  $(maybeSudo mkdir -m 755 -p /mnt/etc/ssh)
+  $(maybeSudo)mkdir -m 755 -p /mnt/etc/ssh
   for p in /etc/ssh/ssh_host_*; do
     # Skip if the source file does not exist (i.e. glob did not match any files)
     # or the destination already exists (e.g. copied with --extra-files).
     if [ ! -e "\$p" ] || [ -e "/mnt/\$p" ]; then
       continue
     fi
-    $(maybeSudo cp -a '$p' '/mnt/$p')
+    $(maybeSudo)cp -a "\$p" "/mnt/\$p"
   done
 fi
 # https://stackoverflow.com/a/13864829
 if [ ! -z ${NIXOS_NO_CHECK+0} ]; then
   export NIXOS_NO_CHECK
 fi
-$(maybeSudo nixos-install --no-root-passwd --no-channel-copy --system "$nixosSystem")
+$(maybeSudo)nixos-install --no-root-passwd --no-channel-copy --system "$nixosSystem"
 SSH
 
 }
@@ -959,11 +946,11 @@ nixosReboot() {
   runSsh sh <<SSH
   if command -v zpool >/dev/null && [ "\$(zpool list)" != "no pools available" ]; then
     # we always want to export the zfs pools so people can boot from it without force import
-    $(maybeSudo umount -Rv /mnt/)
-    $(maybeSudo swapoff -a)
-    $(maybeSudo zpool export -a || true)
+    $(maybeSudo)umount -Rv /mnt/
+    $(maybeSudo)swapoff -a
+    $(maybeSudo)zpool export -a || true
   fi
-  $(maybeSudo nohup sh -c 'sleep 6 && reboot') >/dev/null &
+  $(maybeSudo)nohup sh -c 'sleep 6 && reboot' >/dev/null &
 SSH
 
   step Waiting for the machine to become unreachable due to reboot
diff --git a/terraform/all-in-one.md b/terraform/all-in-one.md
@@ -28,6 +28,10 @@ module "deploy" {
   # debug_logging          = true
   # build the closure on the remote machine instead of locally
   # build_on_remote        = true
+  # Optional: SSH password for initial installation
+  # install_pass           = "your-ssh-password"
+  # Optional: Sudo password for remote operations during installation
+  # install_sudo_pass      = "your-sudo-password"
   # script is below
   extra_files_script     = "${path.module}/decrypt-ssh-secrets.sh"
   disk_encryption_key_scripts = [{
@@ -139,7 +143,7 @@ locals {
 resource "local_file" "nixos_vars" {
   content         = jsonencode(local.nixos_vars) # Converts variables to JSON
   filename        = local.nixos_vars_file        # Specifies the output file path
-  file_permission = "600"                        
+  file_permission = "600"
 
   # Automatically adds the generated file to Git
   provisioner "local-exec" {
diff --git a/terraform/all-in-one/main.tf b/terraform/all-in-one/main.tf
@@ -27,6 +27,8 @@ module "install" {
   target_user                 = local.install_user
   target_host                 = var.target_host
   target_port                 = local.install_port
+  target_pass                 = var.install_pass
+  target_sudo_pass            = var.install_sudo_pass
   nixos_partitioner           = module.partitioner-build.result.out
   nixos_system                = module.system-build.result.out
   ssh_private_key             = var.install_ssh_key
diff --git a/terraform/all-in-one/variables.tf b/terraform/all-in-one/variables.tf
@@ -149,3 +149,17 @@ variable "install_bootloader" {
   description = "Install/re-install the bootloader"
   default     = false
 }
+
+variable "install_pass" {
+  type        = string
+  description = "Password used to connect to the target_host during installation"
+  default     = null
+  sensitive   = true
+}
+
+variable "install_sudo_pass" {
+  type        = string
+  description = "Sudo password for remote sudo operations during installation. Only supported with sudo, not doas."
+  default     = null
+  sensitive   = true
+}
diff --git a/terraform/install.md b/terraform/install.md
@@ -34,6 +34,10 @@ module "install" {
   nixos_system      = module.system-build.result.out
   nixos_partitioner = module.disko.result.out
   target_host       = local.ipv4
+  # Optional: SSH password authentication
+  # target_pass       = "your-ssh-password"
+  # Optional: Sudo password for remote operations
+  # target_sudo_pass  = "your-sudo-password"
 }
 ```
 
diff --git a/terraform/install/main.tf b/terraform/install/main.tf
@@ -12,6 +12,7 @@ locals {
     target_host                = var.target_host
     target_port                = var.target_port
     target_pass                = var.target_pass
+    target_sudo_pass           = var.target_sudo_pass
     extra_files_script         = var.extra_files_script
     build_on_remote            = var.build_on_remote
     flake                      = var.flake
diff --git a/terraform/install/run-nixos-anywhere.sh b/terraform/install/run-nixos-anywhere.sh
@@ -13,7 +13,14 @@ args=()
 
 if [[ ${input[debug_logging]} == "true" ]]; then
   set -x
-  declare -p input
+  # Print input variables but filter out sensitive passwords
+  for key in "${!input[@]}"; do
+    if [[ $key == *"pass"* ]]; then
+      echo "input[$key]='[FILTERED]'"
+    else
+      echo "input[$key]='${input[$key]}'"
+    fi
+  done
   args+=("--debug")
 fi
 if [[ ${input[kexec_tarball_url]} != "null" ]]; then
@@ -40,9 +47,22 @@ args+=(--phases "${input[phases]}")
 if [[ ${input[ssh_private_key]} != null ]]; then
   export SSH_PRIVATE_KEY="${input[ssh_private_key]}"
 fi
+if [[ ${input[target_pass]} != null || ${input[target_sudo_pass]} != null ]]; then
+  args+=("--env-password")
+fi
+# Temporarily disable debug output when exporting sensitive variables
+if [[ ${input[debug_logging]} == "true" ]]; then
+  set +x
+fi
 if [[ ${input[target_pass]} != null ]]; then
   export SSHPASS=${input[target_pass]}
-  args+=("--env-password")
+fi
+if [[ ${input[target_sudo_pass]} != null ]]; then
+  export SUDO_PASSWORD=${input[target_sudo_pass]}
+fi
+# Re-enable debug output if it was enabled
+if [[ ${input[debug_logging]} == "true" ]]; then
+  set -x
 fi
 
 tmpdir=$(mktemp -d)
diff --git a/terraform/install/variables.tf b/terraform/install/variables.tf
@@ -41,6 +41,13 @@ variable "target_pass" {
   default     = null
 }
 
+variable "target_sudo_pass" {
+  type        = string
+  description = "Sudo password for remote sudo operations on target_host. Only supported with sudo, not doas."
+  default     = null
+  sensitive   = true
+}
+
 variable "ssh_private_key" {
   type        = string
   description = "Content of private key used to connect to the target_host"
