Merge #78

bors[bot] · jfroche · srounce · web-flow · commit ee5c39fcb1c4 · 2023-03-29T10:13:49.000Z
78: terraform: allow nixos-rebuild to use specified private key for deployment r=Lassulus a=jfroche



Co-authored-by: Jean-François Roche &lt;jfroche@affinitic.be&gt;
Co-authored-by: Samuel Rounce &lt;srounce@users.noreply.github.com&gt;
diff --git a/terraform/all-in-one/main.tf b/terraform/all-in-one/main.tf
@@ -22,7 +22,7 @@ module "install" {
   target_port            = var.target_port
   nixos_partitioner      = module.partitioner-build.result.out
   nixos_system           = module.system-build.result.out
-  ssh_private_key        = var.ssh_private_key
+  ssh_private_key        = var.install_ssh_key
   debug_logging          = var.debug_logging
   instance_id            = var.instance_id
 }
@@ -33,6 +33,7 @@ module "nixos-rebuild" {
   ]
   source = "../nixos-rebuild"
   nixos_system = module.system-build.result.out
+  ssh_private_key = var.deployment_ssh_key
   target_host = var.target_host
   target_user = var.target_user
 }
diff --git a/terraform/all-in-one/variables.tf b/terraform/all-in-one/variables.tf
@@ -51,9 +51,15 @@ variable "instance_id" {
   default     = null
 }
 
-variable "ssh_private_key" {
+variable "install_ssh_key" {
   type        = string
-  description = "Content of private key used to connect to the target_host"
+  description = "Content of private key used to connect to the target_host during initial installation"
+  default     = null
+}
+
+variable "deployment_ssh_key" {
+  type        = string
+  description = "Content of private key used to deploy to the target_host after initial installation. To ensure maximum security, it is advisable to connect to your host using ssh-agent instead of relying on this variable"
   default     = null
 }
 
diff --git a/terraform/nixos-rebuild/main.tf b/terraform/nixos-rebuild/main.tf
@@ -3,6 +3,10 @@ resource "null_resource" "nixos-rebuild" {
     store_path = var.nixos_system
   }
   provisioner "local-exec" {
+    environment = {
+      SSH_KEY = var.ssh_private_key
+    }
+
     command = "${path.module}/deploy.sh ${var.nixos_system} ${var.target_user}@${var.target_host} ${var.target_port}"
   }
 }
diff --git a/terraform/nixos-rebuild/variables.tf b/terraform/nixos-rebuild/variables.tf
@@ -19,3 +19,9 @@ variable "target_port" {
   description = "SSH port used to connect to the target_host"
   default     = 22
 }
+
+variable "ssh_private_key" {
+  type        = string
+  description = "Content of private key used to connect to the target_host. If set to - no key is passed to openssh and ssh will back to its own configuration"
+  default     = "-"
+}

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ module "install" {`
`22`	`22`	`target_port = var.target_port`
`23`	`23`	`nixos_partitioner = module.partitioner-build.result.out`
`24`	`24`	`nixos_system = module.system-build.result.out`
`25`		`- ssh_private_key = var.ssh_private_key`
	`25`	`+ ssh_private_key = var.install_ssh_key`
`26`	`26`	`debug_logging = var.debug_logging`
`27`	`27`	`instance_id = var.instance_id`
`28`	`28`	`}`
`@@ -33,6 +33,7 @@ module "nixos-rebuild" {`
`33`	`33`	`]`
`34`	`34`	`source = "../nixos-rebuild"`
`35`	`35`	`nixos_system = module.system-build.result.out`
	`36`	`+ ssh_private_key = var.deployment_ssh_key`
`36`	`37`	`target_host = var.target_host`
`37`	`38`	`target_user = var.target_user`
`38`	`39`	`}`
Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,10 @@ resource "null_resource" "nixos-rebuild" {`
`3`	`3`	`store_path = var.nixos_system`
`4`	`4`	`}`
`5`	`5`	`provisioner "local-exec" {`
	`6`	`+ environment = {`
	`7`	`+ SSH_KEY = var.ssh_private_key`
	`8`	`+ }`
	`9`	`+`
`6`	`10`	`command = "${path.module}/deploy.sh ${var.nixos_system} ${var.target_user}@${var.target_host} ${var.target_port}"`
`7`	`11`	`}`
`8`	`12`	`}`