Which commands are required for remote switch?

I would like to configure my servers with the following command but with the minimal required sudo NOPASSWD config.
As in I don’t want the user to be able to run all commands without password.

nixos-rebuild switch --use-remote-sudo --build-host localhost --target-host $fqdn --flake ".#$host"

I found these two entries but I’m not quite sure how to reference these commands:

COMMAND=/run/current-system/sw/bin/nix-env -p /nix/var/nix/profiles/system --set /nix/store/zrr7k720znlz2wmm0q5a85pyppgn9bfs-nixos-system-restic-server-21.11.202202
COMMAND=/nix/store/zrr7k720znlz2wmm0q5a85pyppgn9bfs-nixos-system-restic-server-21.11.20220220.40ef692/bin/switch-to-configuration switch
If you don’t mind actually typing out a password occasionally, you can use export NIX_SSHOPTS="-t" (ideally in a devShell so you don’t forget) to work around the bug that --use-remote-sudo doesn’t launch a proper TTY to type your password into.

If you really insist on nopasswd, the nixos-rebuild script isn’t too hard to reverse-engineer, just anything called using targetHostCmd here: https://github.com/NixOS/nixpkgs/blob/44174de622d458623d5042c756c8d7cb351d9a78/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh

You’d specify the commands in security.sudo.extraRules.*.commands. I don’t think it’s guaranteed that those commands stay stable, though, so make sure you have an escape hatch somewhere.

Or if you’d like to over-engineer, parse nixos-rebuild during the build, so your commands are always up-to-date?

Thanks. The script looks like a good starting point.
I already have the NIX_SSHOPTS in my script, which requires two password inputs per host; that gets a bit annoying with the amount of servers I’m currently running.
I’m going to start small; maybe I’ll over-engineer it at a later point ;).

The pseudo-terminal thing doesn’t seem to work anymore.

Without it I get:

sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required

and with it, it’s:

Pseudo-terminal will not be allocated because stdin is not a terminal.

Also tried both, and piping the password into the command, i.e. pass some/password | nixos-rebuild switch --use-remote-sudo --target-host ... --flake ... to no avail.

I switched to passwordless sudo because I wasn’t able to find a solution.

This code snippet I found on GitHub from @cole-h has served me well. You only need /nix/store/*/bin/switch-to-configuration, /run/current-system/sw/bin/nix-env and /run/current-system/sw/bin/nix-store for a passwordless remote deploy; the others in that snippet are just for something else, I guess.
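Putting the two replies together (security.sudo.extraRules from the first, the three command paths from the last), here is an added example of a NixOS module for the target host; it is not @cole-h's snippet nor anything from the thread, and the user name "deploy", the placeholder SSH key and the argument restriction on nix-env (taken from the COMMAND= log line quoted in the question) are my assumptions.

```nix
# Added example: least-privilege sudo for a dedicated deploy user on the
# target host, covering only what nixos-rebuild --use-remote-sudo runs there.
{ config, lib, pkgs, ... }:

{
  # Unprivileged account that the workstation SSHes in as (--target-host deploy@fqdn).
  users.users.deploy = {
    isNormalUser = true;
    # Placeholder: replace with the real public key of the deploying workstation.
    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA...PLACEHOLDER deploy@workstation" ];
  };

  security.sudo.extraRules = [
    {
      users = [ "deploy" ];
      commands = [
        {
          # Registers the freshly copied closure as the new system generation.
          # Arguments are pinned to the invocation seen in the sudo log; the
          # trailing glob is needed because the store hash changes every build.
          command = "/run/current-system/sw/bin/nix-env -p /nix/var/nix/profiles/system --set /nix/store/*";
          options = [ "NOPASSWD" ];
        }
        {
          # Used by the copy step to query/realise paths on the target.
          command = "/run/current-system/sw/bin/nix-store";
          options = [ "NOPASSWD" ];
        }
        {
          # Activation script inside the new closure; the path is only known
          # after the build, hence the wildcard. Add " switch" after the path
          # to forbid the boot/test/dry-activate modes if you never use them.
          command = "/nix/store/*/bin/switch-to-configuration";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];

  # Keep an escape hatch (as the first reply suggests) in case a newer
  # nixos-rebuild runs a different set of commands: a wheel user with a
  # password still works with NIX_SSHOPTS="-t".
  security.sudo.wheelNeedsPassword = true;
}
```

Treat the deploy key as a root credential regardless of how tight these rules look: any user the Nix daemon accepts can add arbitrary content to /nix/store, so both the wildcard path and nix-env --set can be pointed at a closure of that user's choosing. Sudo still logs every invocation as the COMMAND= lines quoted in the question, so keep those in your central log review.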