darwin-rebuild: add --target-host and --use-remote-sudo support#1747
Draft
NoahBres wants to merge 13 commits into
Conversation
…enableactionimages
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…-sudo
Bypasses Determinate Nix's signature enforcement by piping the closure through nix-store --import running as root, instead of going through the nix daemon which ignores --no-require-sigs.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…port
Piping a NAR stream and sudo password input over the same stdin is impossible. Stage to /tmp first (no sudo), then import with -t so sudo can prompt on a proper TTY.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…et-host Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…t-host Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
This branch builds on top of #1631 (`--target-host` support by @hgl) and adds `--use-remote-sudo` support, mirroring the pattern from `nixos-rebuild`.

- `--target-host` from darwin-rebuild: add --target-host support #1631 as-is
- `--use-remote-sudo` flag: SSH as a normal user, wrap remote activation commands with `sudo` (avoids requiring root SSH login)
- `nix copy -v --no-require-sigs --to "ssh://$targetHost"`
- (`ssh -t`) for the sudo case so sudo can prompt for a password

Usage

Known issues / open questions

- `nix copy --no-require-sigs --to ssh://` fails on remotes running Determinate Nix even when the connecting user is in `trusted-users`. Determinate Nix appears to enforce `require-sigs = true` unconditionally regardless of user trust level. The workaround is to set up a signing key on the build machine and add its public key to the remote's `trusted-public-keys`. Investigation ongoing.
- `ssh://` protocol is used (matching `nixos-rebuild`'s default) rather than `ssh-ng://`.
- `--use-remote-sudo` does not yet support `--build-host` (separate machine for building vs activation).

Test plan

- `--target-host root@host` activates on remote as root
- `--target-host user@host --use-remote-sudo` activates on remote via sudo
- (`-v` flag)

🤖 Generated with Claude Code
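The deploy flow the description lays out (copy the closure over SSH, then activate over SSH with sudo and a TTY), as an added shell example that is not the PR's code and not nix-darwin's own darwin-rebuild. It takes the route the Known issues list names as the workaround: sign the closure with a local key so the remote's signature check stays on, rather than passing `--no-require-sigs` or staging an unsigned NAR in /tmp for a root `nix-store --import`. Assumed here, not stated on the page: the key file path in `SIGNING_KEY`, the key name `darwin-deploy-1`, that the remote's nix.conf lists the matching public key in `trusted-public-keys`, that the system closure exposes `./activate`, and all function names.

```shell
#!/bin/sh
# Added example: remote darwin deploy that signs the closure instead of
# disabling signature checks. Not nix-darwin's own darwin-rebuild code.
# Assumptions (not from the PR): SIGNING_KEY points at a Nix secret key whose
# public half is in the remote's trusted-public-keys; the system closure
# exposes ./activate the way darwin-rebuild's closure does.
set -eu

# One-time key setup on the build machine (assumed key name darwin-deploy-1):
#   nix key generate-secret --key-name darwin-deploy-1 > "$SIGNING_KEY"
#   nix key convert-secret-to-public < "$SIGNING_KEY"
# and put the printed public key into the remote's nix.conf:
#   trusted-public-keys = cache.nixos.org-1:... darwin-deploy-1:<base64>

# Refuse anything that is not a single store path before it is interpolated
# into a command that runs under sudo on the remote.
check_store_path() {
  # $1 = candidate store path
  case "$1" in
    /nix/store/*) rest=${1#/nix/store/} ;;
    *) return 1 ;;
  esac
  [ -n "$rest" ] || return 1
  # one component, only the characters Nix allows in a store path name
  case "$rest" in
    *[!A-Za-z0-9+._?=-]*) return 1 ;;
  esac
  return 0
}

# The remote side of activation. With use_remote_sudo=1 the login user is
# unprivileged, so each privileged step is prefixed with sudo; with 0 the login
# user is expected to be root (the --target-host root@host case).
remote_script() {
  # $1 = use_remote_sudo (0|1), $2 = system closure store path
  if [ "$1" = 1 ]; then p='sudo '; else p=''; fi
  printf '%snix-env -p /nix/var/nix/profiles/system --set %s && %s%s/activate' \
    "$p" "$2" "$p" "$2"
}

# ssh -t only when sudo may need to prompt: a TTY lets sudo read the password,
# and nothing competes for stdin because the closure travelled over a separate
# nix copy connection rather than a piped NAR.
ssh_tty_flag() {
  # $1 = use_remote_sudo (0|1); prints "-t" or nothing
  if [ "$1" = 1 ]; then printf '%s' '-t'; fi
}

deploy() {
  # $1 = [user@]host, $2 = use_remote_sudo (0|1), $3 = system closure store path
  check_store_path "$3" || { echo "not a store path: $3" >&2; return 2; }
  # Sign every path in the closure; the remote keeps require-sigs on and
  # verifies these against its trusted-public-keys.
  nix store sign --key-file "${SIGNING_KEY:?set SIGNING_KEY to the secret key file}" \
    --recursive "$3"
  # No --no-require-sigs: a closure the remote cannot verify is rejected here.
  nix copy --to "ssh://$1" "$3"
  # ssh_tty_flag expands to zero or one word, so it is deliberately unquoted.
  ssh $(ssh_tty_flag "$2") "$1" "$(remote_script "$2" "$3")"
}

# Usage: DEPLOY_RUN=1 SIGNING_KEY=~/.config/nix/darwin-deploy.key \
#        sh deploy.sh user@host 1 /nix/store/<hash>-darwin-system
if [ "${DEPLOY_RUN:-0}" = 1 ]; then deploy "$@"; fi
```

Because the closure is never staged unsigned in a shared directory, a local user on the remote has no window to swap its contents before root imports it, and the remote daemon still refuses any path that is not signed by a key in its `trusted-public-keys`. The `check_store_path` guard matters because the path ends up inside a remote command executed with sudo.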