I’m using this command to do a nixos-rebuild switch on a remote host named aspen:
```
nixos-rebuild \
  --flake .#aspen \
  --target-host aspen \
  --use-remote-sudo \
  --verbose \
  switch
```
…where aspen is saved in my local ssh config like this:
```
programs.ssh = {
  enable = true;
  matchBlocks = {
    "aspen" = {
      hostname = "192.168.1.199";
      user = "chris";
      port = 22;
    };
  };
};
```
This all works fine, except during the build process over ssh I get prompted to enter the chris user’s password three separate times, like this:
```
$ ssh -o ControlMaster=auto -o ControlPath=/tmp/nixos-rebuild.y5oBzZ/ssh-%n -o ControlPersist=60 -t aspen sudo nix-env -p /nix/var/nix/profiles/system --set /nix/store/s6mx4335dh4gbfzi4fgkywcg6kn4mxhi-nixos-system-aspen-24.05.20240930.1719f27
[sudo] password for chris:
Shared connection to 192.168.1.254 closed.
$ ssh -o ControlMaster=auto -o ControlPath=/tmp/nixos-rebuild.y5oBzZ/ssh-%n -o ControlPersist=60 -t aspen sudo systemd-run -E LOCALE_ARCHIVE -E NIXOS_INSTALL_BOOTLOADER= --collect --no-ask-password --pipe --quiet --same-dir --service-type=exec --unit=nixos-rebuild-switch-to-configuration --wait true
[sudo] password for chris:
Shared connection to 192.168.1.254 closed.
Using systemd-run to switch configuration.
$ ssh -o ControlMaster=auto -o ControlPath=/tmp/nixos-rebuild.y5oBzZ/ssh-%n -o ControlPersist=60 -t aspen sudo systemd-run -E LOCALE_ARCHIVE -E NIXOS_INSTALL_BOOTLOADER= --collect --no-ask-password --pipe --quiet --same-dir --service-type=exec --unit=nixos-rebuild-switch-to-configuration --wait /nix/store/s6mx4335dh4gbfzi4fgkywcg6kn4mxhi-nixos-system-aspen-24.05.20240930.1719f27/bin/switch-to-configuration switch
[sudo] password for chris:
activating the configuration...
```
Is there a way I can automate this command even more to provide it with the sudo password so I don’t need to type it three times in a row? Preferably using pass? I’ve tried prefixing `pass users/chris/passwd |` to the command but I get this error:

```
Pseudo-terminal will not be allocated because stdin is not a terminal.
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required
```