implicit ssh

2025-04-17 12:50:02 +02:00 · 2025-04-17 12:50:02 +02:00 · a4a2c8c4c1
commit a4a2c8c4c1
parent c649802896
7 changed files with 4 additions and 37 deletions
--- a/infra/machines/fedi201/fedipanel.nix
+++ b/infra/machines/fedi201/fedipanel.nix
@ -55,9 +55,6 @@ in
        COMPRESS_OFFLINE = true;
        LIBSASS_OUTPUT_STYLE = "compressed";
      };
-    environment = {
-      SSH_PRIVATE_KEY_FILE = config.age.secrets.panel-ssh-key.path;
-    };
    secrets = {
      SECRET_KEY = config.age.secrets.panel-secret-key.path;
    };
--- a/launch/README.md
+++ b/launch/README.md
@ -18,7 +18,6 @@ $ nix-shell
 $ eval "$(ssh-agent -s)"
 # set your ssh key, e.g.:
 $ ssh_key="$(readlink -f ~/.ssh/id_ed25519)"
-$ echo "{\"ssh_private_key_file\": \"${ssh_key}\", \"deploy_environment\": {\"SSH_AUTH_SOCK\": \"${SSH_AUTH_SOCK}\"}}" > .auto.tfvars.json
 $ rm -rf .terraform/
 $ tofu init
 ```
--- a/launch/main.tf
+++ b/launch/main.tf
@ -47,18 +47,6 @@ variable "initialUser" {
  }
 }

-variable "ssh_private_key_file" {
-  type        = string
-  description = "Path to private key used to connect to the target_host"
-  default     = ""
-}
-
-variable "deploy_environment" {
-  type        = map(string)
-  description = "Extra environment variables to be set during deployment."
-  default     = {}
-}
-
 locals {
  system = "x86_64-linux"
  pins = jsondecode(file("${path.module}/.npins.json"))
@ -107,7 +95,6 @@ resource "terraform_data" "nixos" {

  triggers_replace = [
    data.external.hash.result,
-    var.deploy_environment,
    var.domain,
    var.initialUser,
    local.system,
@ -117,9 +104,9 @@ resource "terraform_data" "nixos" {

  provisioner "local-exec" {
    working_dir = path.root
-    environment = merge(var.deploy_environment, {
+    environment = {
      NIX_PATH = join(":", [for name, path in local.pins : "${name}=${path}"]),
-    })
+    }
    # TODO: refactor back to command="ignoreme" interpreter=concat([]) to protect sensitive data from error logs?
    # TODO: build on target?
    command = <<-EOF
@ -169,7 +156,6 @@ resource "terraform_data" "nixos" {
      sshOpts=(
        -o StrictHostKeyChecking=no
        -o BatchMode=yes
-        -o "IdentityFile='${var.ssh_private_key_file}'"
      )
      outPath=$(nix-store --realize "$drv_path" "$${buildArgs[@]}")
      NIX_SSHOPTS="$${sshOpts[*]}" nix-copy-closure --to "$host" "$outPath" --gzip --use-substitutes
--- a/panel/env.nix
+++ b/panel/env.nix
@ -13,5 +13,4 @@
    pkgs.jaq # tf
    (import ../launch/tf.nix { inherit lib pkgs; })
  ];
-  SSH_PRIVATE_KEY_FILE = "";
 }
--- a/panel/nix/configuration.nix
+++ b/panel/nix/configuration.nix
@ -130,10 +130,6 @@ in
        Contents will be appended to the definitions in `settings`.
      '';
    };
-    environment = mkOption {
-      type = types.attrs;
-      default = {};
-    };
    secrets = mkOption {
      type = types.attrsOf types.path;
      default = { };
@ -212,7 +208,7 @@ in
      #       - manipulation should be straightforward in both places; e.g. dumping secrets to a directory that is not git-tracked and adding values to an attrset otherwise
      #       - error detection and correction; it should be clear where and why one messed up so it can be fixed immediately
      #     We may also want to test the development environment in CI in order to make sure that we don't break it inadvertently, because misconfiguration due to multiplpe sources of truth wastes a lot of time.
-      environment = environment // cfg.environment;
+      inherit environment;
    };

    networking.firewall.allowedTCPPorts = [
--- a/panel/src/panel/settings.py
+++ b/panel/src/panel/settings.py
@ -12,7 +12,6 @@ https://docs.djangoproject.com/en/4.2/ref/settings/

 import re
 import sys
-import subprocess
 import os
 import json
 import importlib.util
@ -249,12 +248,3 @@ bin_path=env['BIN_PATH']
 # path of the root flake to trigger nixops from, see #94.
 # to deploy this should be specified, for dev just use a relative path.
 repo_dir = env["REPO_DIR"]
-
-output = subprocess.run(["ssh-agent"], capture_output=True, text=True, env={"PATH": bin_path}).stdout
-ssh_auth_sock = re.search("(?<==)([^;]*)", output)[1]
-ENV_VARS = {
-    "ssh_private_key_file": env["SSH_PRIVATE_KEY_FILE"],
-    "deploy_environment": {
-        "SSH_AUTH_SOCK": ssh_auth_sock,
-    },
-}
--- a/panel/src/panel/views.py
+++ b/panel/src/panel/views.py
@ -145,7 +145,7 @@ class DeploymentStatus(ConfigurationForm):
        } | {
            # pass in form info to our deployment
            # FIXME: ensure sensitive info is protected
-            f"TF_VAR_{k}": v if isinstance(v, str) else json.dumps(v) for k, v in (settings.ENV_VARS | deployment_params).items()
+            f"TF_VAR_{k}": v if isinstance(v, str) else json.dumps(v) for k, v in deployment_params.items()
        }
        logger.info("env: %s", env)
        cwd = f"{settings.repo_dir}/launch"