Nixos-rebuild on remote --target-host prompting for sudo password three times

dc-bond · October 23, 2024, 10:43am

I’m using this command to do a nixos-rebuild switch on a remote host named aspen:

nixos-rebuild \
  --flake .#aspen \
  --target-host aspen \
  --use-remote-sudo \
  --verbose \
  switch

…where aspen is saved in my local ssh config like this:

programs.ssh = {
    enable = true;
    matchBlocks = {
      "aspen" = {
        hostname = "192.168.1.199";
        user = "chris";
        port = 22;

This all works fine, except during the build process over ssh I get prompted to enter the chris user’s password on three separate times, like this:

$ ssh -o ControlMaster=auto -o ControlPath=/tmp/nixos-rebuild.y5oBzZ/ssh-%n -o ControlPersist=60 -t aspen sudo nix-env -p /nix/var/nix/profiles/system --set /nix/store/s6mx4335dh4gbfzi4fgkywcg6kn4mxhi-nixos-system-aspen-24.05.20240930.1719f27
[sudo] password for chris:
Shared connection to 192.168.1.254 closed.
$ ssh -o ControlMaster=auto -o ControlPath=/tmp/nixos-rebuild.y5oBzZ/ssh-%n -o ControlPersist=60 -t aspen sudo systemd-run -E LOCALE_ARCHIVE -E NIXOS_INSTALL_BOOTLOADER= --collect --no-ask-password --pipe --quiet --same-dir --service-type=exec --unit=nixos-rebuild-switch-to-configuration --wait true
[sudo] password for chris:
Shared connection to 192.168.1.254 closed.
Using systemd-run to switch configuration.
$ ssh -o ControlMaster=auto -o ControlPath=/tmp/nixos-rebuild.y5oBzZ/ssh-%n -o ControlPersist=60 -t aspen sudo systemd-run -E LOCALE_ARCHIVE -E NIXOS_INSTALL_BOOTLOADER= --collect --no-ask-password --pipe --quiet --same-dir --service-type=exec --unit=nixos-rebuild-switch-to-configuration --wait /nix/store/s6mx4335dh4gbfzi4fgkywcg6kn4mxhi-nixos-system-aspen-24.05.20240930.1719f27/bin/switch-to-configuration switch
[sudo] password for chris:
activating the configuration...

Is there a way I can automate this command even more to provide it with the sudo password so I don’t need to type it three times in a row? Preferably using pass? I’ve tried prefixing pass users/chris/passwd | to the command but I get this error:

Pseudo-terminal will not be allocated because stdin is not a terminal.
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required