Which commands are required for remote switch?

Nebucatnetzer · February 28, 2022, 3:38pm

I would like to configure my servers with the following command but with the minimal required sudo NOPASSWD config.
As in I don’t want the user to be able to run all commands without password.

nixos-rebuild switch --use-remote-sudo --build-host localhost --target-host $fqdn --flake ".#$host"

I found this two entries but I’m not quite sure how to reference these commands:

COMMAND=/run/current-system/sw/bin/nix-env -p /nix/var/nix/profiles/system --set /nix/store/zrr7k720znlz2wmm0q5a85pyppgn9bfs-nixos-system-restic-server-21.11.202202
COMMAND=/nix/store/zrr7k720znlz2wmm0q5a85pyppgn9bfs-nixos-system-restic-server-21.11.20220220.40ef692/bin/switch-to-configuration switch

TLATER · February 28, 2022, 4:34pm

If you don’t mind actually typing out a password occasionally, you can use export NIX_SSHOPTS="-t" (ideally in a devShell so you don’t forget) to work around the bug that --use-remote-sudo doesn’t launch a proper TTY to type your password into.

If you really insist on nopasswd, the nixos-rebuild script isn’t too hard to reverse-engineer, just anything called using targetHostCmd here: https://github.com/NixOS/nixpkgs/blob/44174de622d458623d5042c756c8d7cb351d9a78/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh

You’d specify the commands in security.sudo.extraRules.*.commands. I don’t think it’s guaranteed that those commands stay stable, though, so make sure you have an escape hatch somewhere.

Or if you’d like to over-engineer, parse nixos-rebuild during the build, so your commands are always up-to-date?

Nebucatnetzer · February 28, 2022, 8:49pm

Thank The scripts looks like a good starting point.
I already have the NIX_SSHOPTS in my script which requires two password inputs per host which gets a bit annoying with the amount of servers I’m currently running.
I’m going to start small maybe I over-engineer it at a later point ;).

con-f-use · March 22, 2023, 6:29pm

The pseudo-terminal thing doesn’t seem o work anymore.

Without I get:

sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required

and with it’s:

Pseudo-terminal will not be allocated because stdin is not a terminal.

Also tried both and piping in the password into the command, i.e. pass some/password | nixos-rebuild switch --use-remote-sudo --target-host ... --flake ... to no avail.

Nebucatnetzer · March 23, 2023, 8:48am

I switched to passwordless sudo because I wasn’t able to find a solution.

snow40479 · March 23, 2023, 1:05pm

github.com

cole-h/nixos-config/blob/f31f40f8d97800ee2438be8ebe47aa5bb7ecff03/modules/config/deploy.nix

{ pkgs, ... }:
{
  users.groups.deploy = { };
  users.users.deploy = {
    isSystemUser = true;
    group = "deploy";
    shell = pkgs.bash;

    openssh.authorizedKeys.keys = [
      ''no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINMcTaqUZSwv6YW8lx/JhsAZTdNSSC2fR8Pgk8woeFKh vin@scadrial''
      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINMcTaqUZSwv6YW8lx/JhsAZTdNSSC2fR8Pgk8woeFKh vin@scadrial"
    ];
  };

  security.sudo.extraRules = [
    {
      groups = [ "deploy" ];
      commands = [
        {
          command = "/nix/store/*/bin/switch-to-configuration";

This file has been truncated. show original

This is the code snippet I found on github from @cole-h has served me well. You only need /nix/store/*/bin/switch-to-configuration, /run/current-system/sw/bin/nix-env and /run/current-system/sw/bin/nix-store for a
passwordless remote deploy, others in that snippet are just for something else I guess.