Which commands are required for remote switch?

I would like to configure my servers with the following command but with the minimal required sudo NOPASSWD config.
As in I don’t want the user to be able to run all commands without password.

nixos-rebuild switch --use-remote-sudo --build-host localhost --target-host $fqdn --flake ".#$host"

I found these two entries but I’m not quite sure how to reference these commands:

COMMAND=/run/current-system/sw/bin/nix-env -p /nix/var/nix/profiles/system --set /nix/store/zrr7k720znlz2wmm0q5a85pyppgn9bfs-nixos-system-restic-server-21.11.202202
COMMAND=/nix/store/zrr7k720znlz2wmm0q5a85pyppgn9bfs-nixos-system-restic-server-21.11.20220220.40ef692/bin/switch-to-configuration switch

If you don’t mind actually typing out a password occasionally, you can use export NIX_SSHOPTS="-t" (ideally in a devShell so you don’t forget) to work around the bug that --use-remote-sudo doesn’t launch a proper TTY to type your password into.

If you really insist on nopasswd, the nixos-rebuild script isn’t too hard to reverse-engineer, just anything called using targetHostCmd here: https://github.com/NixOS/nixpkgs/blob/44174de622d458623d5042c756c8d7cb351d9a78/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh

You’d specify the commands in security.sudo.extraRules.*.commands. I don’t think it’s guaranteed that those commands stay stable, though, so make sure you have an escape hatch somewhere.

Or if you’d like to over-engineer, parse nixos-rebuild during the build, so your commands are always up-to-date?


Thanks. The script looks like a good starting point.
I already have the NIX_SSHOPTS in my script, which requires two password inputs per host, which gets a bit annoying with the number of servers I’m currently running.
I’m going to start small; maybe I’ll over-engineer it at a later point ;).

The pseudo-terminal thing doesn’t seem to work anymore.

Without it I get:

sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required

and with it, it’s:

Pseudo-terminal will not be allocated because stdin is not a terminal.

I also tried both, and piping the password into the command, i.e. pass some/password | nixos-rebuild switch --use-remote-sudo --target-host ... --flake ..., to no avail.

I switched to passwordless sudo because I wasn’t able to find a solution.

The code snippet I found on GitHub from @cole-h has served me well. You only need /nix/store/*/bin/switch-to-configuration, /run/current-system/sw/bin/nix-env and /run/current-system/sw/bin/nix-store for a passwordless remote deploy; the others in that snippet are just for something else, I guess.


This stopped working with 23.11.

Probably related to the systemd-run change:

nixos-rebuild {switch,boot,test,dry-activate} runs the system activation inside systemd-run now, creating an ephemeral systemd service and protecting the system switch against issues like network disconnections during remote (e.g. SSH) sessions. This has the side effect of running the switch in an isolated environment, which could possibly break post-switch scripts that depend on things like environment variables being set. If you want to opt out of this behavior for now, you may set the NIXOS_SWITCH_USE_DIRTY_ENV environment variable before running nixos-rebuild. However, keep in mind that this option will be removed in the future.

I think you can update your sudo rules accordingly.

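As an added example (not from any poster in this thread), here is how the three binaries named in the passwordless-deploy post above map onto security.sudo.extraRules, with a note on the 23.11 systemd-run change from the reply that follows it. The user name "deploy" is an assumption; the three command paths are the ones the thread names.

```nix
# Added example, not from the thread: minimal NOPASSWD sudo rules for
# `nixos-rebuild switch --use-remote-sudo`. Only these binaries run without
# a password; every other sudo invocation still prompts.
{ ... }:

let
  # Assumed name of the deploying user; substitute your own.
  deployUser = "deploy";
in
{
  security.sudo.extraRules = [
    {
      users = [ deployUser ];
      commands = [
        {
          # Points the system profile at the new store path
          # (matches the COMMAND= seen in the sudo log above).
          command = "/run/current-system/sw/bin/nix-env";
          options = [ "NOPASSWD" ];
        }
        {
          # Named in the snippet referenced above; keep it only if your
          # nixos-rebuild version actually calls it under sudo (check the
          # COMMAND= lines in the sudo log before adding it).
          command = "/run/current-system/sw/bin/nix-store";
          options = [ "NOPASSWD" ];
        }
        {
          # Activates the new system. The sudoers wildcard matches any store
          # path, so this gates *which binary* runs, not *which configuration*
          # is activated. From 23.11 on, activation is wrapped in systemd-run
          # (see the release note quoted above), so the sudo log will show a
          # different COMMAND=; add that exact path as a further entry rather
          # than widening the wildcard.
          command = "/nix/store/*/bin/switch-to-configuration";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];
}
```

Because none of these entries restrict arguments, a user who can activate an arbitrary store path as root is effectively root; the value of the rule is limiting accidental use and keeping the sudo log readable, not privilege separation.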

The env variable got rid of one of the two prompts, but one is still left.
However, I noticed that updating the configuration is much faster with the variable set.
Especially on the Raspberry Pis, the new way seems to cause a huge slowdown.

Dec 04 18:18:09 management sshd[8496]: Accepted publickey for andreas from 10.7.89.154 port 54686 ssh2: RSA SHA256:D2Jc2osM2Jjbs57u1lmfortpiNfTH6tRgSUfJm4cQlA
Dec 04 18:18:09 management sshd[8496]: pam_unix(sshd:session): session opened for user andreas(uid=1000) by (uid=0)
Dec 04 18:18:09 management systemd-logind[781]: New session 18 of user andreas.
Dec 04 18:18:09 management systemd[1]: Started Session 18 of User andreas.
Dec 04 18:18:09 management nix-daemon[867]: accepted connection from pid 8499, user andreas (trusted)
Dec 04 18:18:46 management sudo[8503]:  andreas : TTY=pts/1 ; PWD=/home/andreas ; USER=root ; COMMAND=/run/current-system/sw/bin/nix-env -p /nix/var/nix/profiles/system --set /nix/store/dp2nan84f65nlb1048grgwv6gf9b865m-nixos-system-management-23.11.20231202.933d7dc
Dec 04 18:18:46 management sudo[8503]: pam_unix(sudo:session): session opened for user root(uid=0) by andreas(uid=1000)
Dec 04 18:18:46 management sudo[8503]: pam_unix(sudo:session): session closed for user root
Dec 04 18:21:25 management sshd[8510]: Accepted publickey for andreas from 10.7.89.154 port 56198 ssh2: RSA SHA256:D2Jc2osM2Jjbs57u1lmfortpiNfTH6tRgSUfJm4cQlA
Dec 04 18:21:25 management sshd[8510]: pam_unix(sshd:session): session opened for user andreas(uid=1000) by (uid=0)
Dec 04 18:21:25 management systemd-logind[781]: New session 19 of user andreas.
Dec 04 18:21:25 management systemd[1]: Started Session 19 of User andreas.
Dec 04 18:21:41 management sudo[8597]:  andreas : TTY=pts/2 ; PWD=/home/andreas ; USER=root ; COMMAND=/etc/profiles/per-user/andreas/bin/btm
Dec 04 18:21:41 management sudo[8597]: pam_unix(sudo:session): session opened for user root(uid=0) by andreas(uid=1000)
Dec 04 18:21:48 management sudo[8597]: pam_unix(sudo:session): session closed for user root
Dec 04 18:22:47 management sshd[8512]: Received disconnect from 10.7.89.154 port 56198:11: disconnected by user
Dec 04 18:22:47 management sshd[8512]: Disconnected from user andreas 10.7.89.154 port 56198
Dec 04 18:22:47 management sshd[8510]: pam_unix(sshd:session): session closed for user andreas
Dec 04 18:22:47 management systemd[1]: session-19.scope: Deactivated successfully.
Dec 04 18:22:47 management systemd-logind[781]: Session 19 logged out. Waiting for processes to exit.
Dec 04 18:22:47 management systemd-logind[781]: Removed session 19.
Dec 04 18:23:46 management sudo[8509]: pam_unix(sudo:auth): conversation failed
Dec 04 18:23:46 management sudo[8509]: pam_unix(sudo:auth): auth could not identify password for [andreas]