NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

`nixos-rebuild --use-remote-sudo` prompts me for a password 3 times #355746

Open muradbu opened 1 day ago

muradbu commented 1 day ago

Describe the bug

While trying to build and switch a flake-based config from my Mac on a remote machine, every time I do so I get prompted for a password 3 times, with the message `Shared connection to nixos closed.` for the first 2, before it finally finalizes the rebuild.

Steps To Reproduce

Steps to reproduce the behavior:

  1. On macOS run `nix run nixpkgs#nixos-rebuild -- --fast --target-host murad@nixos --build-host murad@nixos --flake ./nix#nixos --use-remote-sudo switch`
  2. Fill in the password once
  3. Fill in the password again
  4. Fill in the password one last time

Expected behavior

The password should only be asked for once.

Screenshots

Additional context

Here's the relevant build output:

```
$ nix run nixpkgs#nixos-rebuild -- --fast --target-host murad@nixos --build-host murad@nixos --flake ./nix#nixos --use-remote-sudo switch
building the system configuration...
warning: The interpretation of store paths arguments ending in `.drv` recently changed. If this command is now failing try again with '/nix/store/naqjgfjgaf02fadqx648ylnw1mhqv9w3-nixos-system-nixos-24.05.20240531.63dacb4.drv^*'
warning: you did not specify '--add-root'; the result might be removed by the garbage collector
[sudo] password for murad:
Shared connection to nixos closed.
[sudo] password for murad:
Shared connection to nixos closed.
[sudo] password for murad:
activating the configuration...
setting up /etc...
reloading user units for murad...
restarting sysinit-reactivation.target
```

My sudo auth is good for 30 mins after a successful invocation:

```nix
{
  # Keep a successful sudo authentication valid for 30 minutes.
  security.sudo.extraConfig = ''
    Defaults          timestamp_timeout=30
  '';
}
```

Notify maintainers

Metadata

 - system: `"aarch64-darwin"`
 - host os: `Darwin 24.0.0, macOS 15.0`
 - multi-user?: `yes`
 - sandbox: `no`
 - version: `nix-env (Nix) 2.24.10`
 - channels(root): `""`
 - nixpkgs: `/Users/murad/.nix-defexpr/channels/nixpkgs`

Remote machine:

 - system: `"aarch64-linux"`
 - host os: `Linux 6.6.54, NixOS, 24.05 (Uakari), 24.05.20240531.63dacb4`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.2`
 - channels(root): `"nixos-24.05"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

fin444 commented 1 day ago

I believe the reason for this is that nixos-rebuild uses 3 separate SSH sessions. When building on remote root with password auth, it also requires 3 password entries.
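
An added configuration sketch, not from this thread or from nixpkgs: sudoers caches credentials per terminal by default (`timestamp_type=tty`), so the `timestamp_timeout=30` setting in the report does not carry over between separate SSH sessions. Setting `timestamp_type=global` keeps one record per user across sessions; the scoping to the user `murad` is an assumption made here to limit the effect, and the trade-off is that any process running as that user can use sudo without a password until the timeout expires.

```nix
{
  security.sudo.extraConfig = ''
    # As in the report, but scoped to one user (assumption) instead of all users:
    # a successful authentication stays valid for 30 minutes.
    Defaults:murad    timestamp_timeout=30

    # Default is timestamp_type=tty: one cached record per terminal, so every
    # new SSH session starts without a valid record and prompts again.
    # "global" uses a single record for all of this user's sessions.
    Defaults:murad    timestamp_type=global
  '';
}
```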

muradbu commented 19 hours ago

> I believe the reason for this is that nixos-rebuild uses 3 separate SSH sessions. When building on remote root with password auth, it also requires 3 password entries.

This was also confirmed in Discourse. It seemed unlikely to me that this was intended design so I assumed it must be a bug.

Is it possible to have nixos-rebuild source the password from a secrets manager, similar to Ansible? Or is there a community project that focuses on remote deployments?