From d1b16d64028bf14a1b1b32a86799e5b9fdc3cac8 Mon Sep 17 00:00:00 2001
From: diamondburned
Date: Sun, 20 Nov 2022 00:34:35 -0800
Subject: [PATCH] Pass SSH private key using env var

This hides the private key in the Terraform output. I'm not sure if this is enough to make the entire output public, but it's a step.
---
 deploy_nixos/main.tf | 6 ++++--
 deploy_nixos/nixos-deploy.sh | 11 ++++++-----
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/deploy_nixos/main.tf b/deploy_nixos/main.tf
index 862cb4f..ae5c113 100644
--- a/deploy_nixos/main.tf
+++ b/deploy_nixos/main.tf
@@ -194,14 +194,16 @@ resource "null_resource" "deploy_nixos" {
 data.external.nixos-instantiate.result["out_path"],
 "${var.target_user}@${var.target_host}",
 var.target_port,
- local.build_on_target,
- local.ssh_private_key == "" ? "-" : local.ssh_private_key,
 "switch",
 var.delete_older_than,
 ],
 local.extra_build_args
 )
 command = "ignoreme"
+ environment = {
+ BUILD_ON_TARGET = local.build_on_target
+ SSH_PRIVATE_KEY = local.ssh_private_key == "" ? "-" : local.ssh_private_key
+ }
 }
 }
diff --git a/deploy_nixos/nixos-deploy.sh b/deploy_nixos/nixos-deploy.sh
index 319651b..89454c5 100755
--- a/deploy_nixos/nixos-deploy.sh
+++ b/deploy_nixos/nixos-deploy.sh
@@ -24,17 +24,18 @@ sshOpts=(
 -v
 )
+buildOnTarget="${BUILD_ON_TARGET:-}"
+sshPrivateKey="${SSH_PRIVATE_KEY:--}"
+
 ### Argument parsing ###
 drvPath="$1"
 outPath="$2"
 targetHost="$3"
 targetPort="$4"
-buildOnTarget="$5"
-sshPrivateKey="$6"
-action="$7"
-deleteOlderThan="$8"
-shift 8
+action="$5"
+deleteOlderThan="$6"
+shift 6
 # remove the last argument
 set -- "${@:1:$(($# - 1))}"
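Review bot: The new `environment` block keeps the key out of the argument list that Terraform echoes when the provisioner runs, but every process the provisioner shell later spawns still inherits `SSH_PRIVATE_KEY` unless the script clears it, so this narrows the exposure rather than removing it; a comment on the block would keep that intent visible for the next maintainer: `# Passed through the environment rather than argv so the key is not printed with the provisioner command on apply`. Mapping an empty key to the `"-"` sentinel here is now duplicated by the script's `${SSH_PRIVATE_KEY:--}` default, so one of the two can be dropped. `BUILD_ON_TARGET` carries nothing secret and could have stayed positional, though moving both together is a defensible style choice. The `resource` and provisioner blocks begin before the hunk, so whether the value feeding `local.ssh_private_key` is declared `sensitive` cannot be seen here and is worth confirming.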
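Review bot: `sshPrivateKey="${SSH_PRIVATE_KEY:--}"` copies the key into a shell variable but leaves the exported `SSH_PRIVATE_KEY` in the process environment, where every child the script starts afterwards (ssh, nix, anything they exec) inherits it; add `unset SSH_PRIVATE_KEY BUILD_ON_TARGET` directly after the two new assignments so only the script's own variable holds the key. If `set -x` is enabled anywhere above this point, the assignment line itself would trace the expanded key into the log; the top of the script, including the `sshOpts` array, is outside the hunk, so that needs checking. The `:--` default re-creates the `"-"` sentinel that main.tf already substitutes for an empty key, so `${SSH_PRIVATE_KEY:-}` plus an emptiness test at the point of use would be simpler, but how `sshPrivateKey` is consumed is also outside the hunk.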