pinpox / lollypops

Lollypop Operations - NixOS Deployment Tool
https://pinpox.github.io/lollypops/
GNU General Public License v3.0

Deploy is broken when `lollypops.deployment.user` is not `root` #3

Closed misuzu closed 1 year ago

misuzu commented 2 years ago

Here is my lollypops configuration:

```nix
{ config, ... }: {
  imports = [
    inputs.lollypops.nixosModules.lollypops
  ];
  lollypops.deployment = {
    host = "${config.networking.hostName}.${domain}";
    user = "misuzu";
  };
}
```

```
$ nix run . -- myhost
[myhost:deploy-flake] Deploying flake to: myhost
[myhost:deploy-flake] root@myhost.mydomain: Permission denied (publickey).
[myhost:deploy-flake] rsync: connection unexpectedly closed (0 bytes received so far) [sender]
[myhost:deploy-flake] rsync error: unexplained error (code 255) at io.c(228) [sender=3.2.4]
```

Probably due to https://github.com/pinpox/lollypops/blob/ad2d9b9504fefbcabfe92c734d80f2f3a5e3b69e/flake.nix#L113

It also depends on `rsync` being in PATH on the remote side. This probably should be documented.

pinpox commented 2 years ago

Thanks for reporting the issue!

Fixed by e80411, rsync documented in https://github.com/pinpox/lollypops/commit/ca443dcb39f4b2a5ba7912c4a15cff2f8e0546fc

misuzu commented 2 years ago

Deploying as a non-root user is still broken, actually. This commit fixes the obvious issues when deploying, though the secrets part is still broken.

pinpox commented 2 years ago

I'll reopen this then. I currently have no system deploying as non-root and assumed just passing the user would suffice. Of course the user needs to have the correct privileges. I see in your commit that you are using `sudo` and `--use-remote-sudo`. Is that a strict requirement when using non-root users?

misuzu commented 2 years ago

> I see in your commit that you are using `sudo` and `--use-remote-sudo`. Is that a strict requirement when using non-root users?

It's also possible to run `sudo nixos-rebuild <....>` instead, but it won't work when local evaluation is used. Either way, `sudo` is a strict requirement, or at least I don't see another way.

pinpox commented 1 year ago

Hey @misuzu, sorry it took me a while to get back to this. I saw you have fixed this issue in your fork. Is there any possibility you could submit a PR that contributes that fix here in a way that doesn't break existing configurations too much? It would be really nice if you find the time. I don't have the time to fix it myself currently but would like to support this.

pinpox commented 1 year ago

This should be fixed by #14. Feel free to re-open if there is something missing.