diff --git a/terraform/all-in-one.md b/terraform/all-in-one.md index bac0ac3a..7020c456 100644 --- a/terraform/all-in-one.md +++ b/terraform/all-in-one.md @@ -204,6 +204,7 @@ No resources. | [build\_on\_remote](#input_build_on_remote) | Build the closure on the remote machine instead of building it locally and copying it over | `bool` | `false` | no | | [debug\_logging](#input_debug_logging) | Enable debug logging | `bool` | `false` | no | | [deployment\_ssh\_key](#input_deployment_ssh_key) | Content of private key used to deploy to the target\_host after initial installation. To ensure maximum security, it is advisable to connect to your host using ssh-agent instead of relying on this variable | `string` | `null` | no | +| [deployment\_ssh\_options](#input_deployment_ssh_options) | Additional SSH options to use during deploy | `list(string)` | `[]` | no | | [disk\_encryption\_key\_scripts](#input_disk_encryption_key_scripts) | Each script will be executed locally. Output of each will be created at the given path to disko during installation. The keys will be not copied to the final system |
list(object({| `[]` | no | | [extra\_environment](#input_extra_environment) | Extra environment variables to be set during installation. This can be useful to set extra variables for the extra\_files\_script or disk\_encryption\_key\_scripts | `map(string)` | `{}` | no | | [extra\_files\_script](#input_extra_files_script) | A script that should place files in the current directory that will be copied to the targets / directory | `string` | `null` | no | @@ -211,6 +212,7 @@ No resources. | [install\_bootloader](#input_install_bootloader) | Install/re-install the bootloader | `bool` | `false` | no | | [install\_port](#input_install_port) | SSH port used to connect to the target\_host, before installing NixOS. If null than the value of `target_port` is used | `string` | `null` | no | | [install\_ssh\_key](#input_install_ssh_key) | Content of private key used to connect to the target\_host during initial installation | `string` | `null` | no | +| [install\_ssh\_options](#input_install_ssh_options) | Additional SSH options to use during installation | `list(string)` | `[]` | no | | [install\_user](#input_install_user) | SSH user used to connect to the target\_host, before installing NixOS. If null than the value of `target_host` is used | `string` | `null` | no | | [instance\_id](#input_instance_id) | The instance id of the target\_host, used to track when to reinstall the machine | `string` | `null` | no | | [kexec\_tarball\_url](#input_kexec_tarball_url) | NixOS kexec installer tarball url | `string` | `null` | no | diff --git a/terraform/all-in-one/main.tf b/terraform/all-in-one/main.tf index fd4ec71d..1e6d0fb9 100644 --- a/terraform/all-in-one/main.tf +++ b/terraform/all-in-one/main.tf 
@@ -39,6 +39,7 @@ module "install" {
 nixos_generate_config_path = var.nixos_generate_config_path
 nixos_facter_path = var.nixos_facter_path
 build_on_remote = var.build_on_remote
+ ssh_options = var.install_ssh_options
 # deprecated attributes
 stop_after_disko = var.stop_after_disko
 no_reboot = var.no_reboot
@@ -59,6 +60,7 @@ module "nixos-rebuild" {
 target_user = var.target_user
 target_port = var.target_port
 install_bootloader = var.install_bootloader
+ ssh_options = var.deployment_ssh_options
 }
 output "result" {
diff --git a/terraform/all-in-one/variables.tf b/terraform/all-in-one/variables.tf
index 4cc33757..a15cc3cf 100644
--- a/terraform/all-in-one/variables.tf
+++ b/terraform/all-in-one/variables.tf
@@ -149,3 +149,15 @@ variable "install_bootloader" {
 description = "Install/re-install the bootloader"
 default = false
 }
+
+variable "install_ssh_options" {
+ type = list(string)
+ description = "Additional SSH options to use during installation"
+ default = []
+}
+
+variable "deployment_ssh_options" {
+ type = list(string)
+ description = "Additional SSH options to use during deploy"
+ default = []
+}
diff --git a/terraform/install.md b/terraform/install.md
index 7494c2ce..d7d60b23 100644
--- a/terraform/install.md
+++ b/terraform/install.md
@@ -77,6 +77,7 @@ No modules.
 | [nixos\_system](#input_nixos_system) | The nixos system to deploy | `string` | `""` | no |
 | [no\_reboot](#input_no_reboot) | DEPRECATED: Use `phases` instead. Do not reboot after installation | `bool` | `false` | no |
 | [phases](#input_phases) | Phases to run. See `nixos-anywhere --help` for more information | `list(string)` |
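Review bot: The descriptions of `install_ssh_options` and `deployment_ssh_options` do not say what shape each list element must have, and the two lists are consumed differently downstream: the install path hands each element to nixos-anywhere as `--ssh-option "$value"`, while deploy.sh in the nixos-rebuild module prepends `-o` to each element, so both expect one ssh_config `Key=value` per entry. Suggest `description = "Additional SSH options, one ssh_config Key=value per element, passed to ssh during installation"` and the matching wording for the deploy variant; the same applies to the `ssh_options` variables added in terraform/install/variables.tf and terraform/nixos-rebuild/variables.tf. It is also worth a sentence that these options reach ssh verbatim and can therefore override security-relevant client settings such as host key verification, so callers should keep them to what the target actually needs.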
path = string
script = string
}))
[| no |
+| [ssh\_options](#input_ssh_options) | Additional SSH options to use during installation | `list(string)` | `[]` | no |
 | [ssh\_private\_key](#input_ssh_private_key) | Content of private key used to connect to the target\_host | `string` | `""` | no |
 | [stop\_after\_disko](#input_stop_after_disko) | DEPRECATED: Use `phases` instead. Exit after disko formatting | `bool` | `false` | no |
 | [target\_host](#input_target_host) | DNS host to deploy to | `string` | n/a | yes |
diff --git a/terraform/install/main.tf b/terraform/install/main.tf
index 175da60a..145d9c3b 100644
--- a/terraform/install/main.tf
+++ b/terraform/install/main.tf
@@ -27,7 +27,8 @@ resource "null_resource" "nixos-remote" {
 }
 provisioner "local-exec" {
 environment = merge({
- ARGUMENTS = local.arguments
+ ARGUMENTS = local.arguments
+ SSH_OPTIONS = jsonencode(var.ssh_options)
 }, var.extra_environment)
 command = "${path.module}/run-nixos-anywhere.sh ${join(" ", local.disk_encryption_key_scripts)}"
 quiet = var.debug_logging
diff --git a/terraform/install/run-nixos-anywhere.sh b/terraform/install/run-nixos-anywhere.sh
index 1d259a1e..83db6f89 100755
--- a/terraform/install/run-nixos-anywhere.sh
+++ b/terraform/install/run-nixos-anywhere.sh
@@ -89,4 +89,8 @@ while [[ $# -gt 0 ]]; do
 keyIdx=$((keyIdx + 1))
 done
+while IFS= read -r -d '' value; do
+ args+=("--ssh-option" "$value")
+done < <(jq -j 'to_entries[] | (.value, "\u0000")' <<<"${SSH_OPTIONS}")
+
 nix run --extra-experimental-features 'nix-command flakes' "path:${SCRIPT_DIR}/../..#nixos-anywhere" -- "${args[@]}"
diff --git a/terraform/install/variables.tf b/terraform/install/variables.tf
index 7caec0f8..85c8c94d 100644
--- a/terraform/install/variables.tf
+++ b/terraform/install/variables.tf
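Review bot: `SSH_OPTIONS` is placed in the first argument of `merge(...)`, so any `extra_environment` entry with the same key silently replaces the JSON the script expects, and run-nixos-anywhere.sh then feeds that arbitrary text to jq; the same precedence already applies to `ARGUMENTS`. Unless letting callers override these two keys is intended, reversing the order keeps the module-owned values authoritative: `environment = merge(var.extra_environment, { ARGUMENTS = local.arguments, SSH_OPTIONS = jsonencode(var.ssh_options) })`. If the current order is deliberate, a comment such as `# extra_environment wins on key collisions` would make that explicit.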
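Review bot: The jq filter in the new loop is written for an object (`to_entries[] | .value`) although `SSH_OPTIONS` is always a JSON array here, and the script now fails outright when the variable is absent, which matters if it is ever run by hand rather than through the provisioner. `done < <(jq -j '.[] | (., "\u0000")' <<<"${SSH_OPTIONS:-[]}")` reads more directly and degrades to "no extra options"; whether the script runs under `set -u`, which would make the missing default an error, is not visible in this hunk. The NUL-delimited `read -r -d ''` itself is the right shape and keeps values with spaces intact as single `--ssh-option` arguments. deploy.sh in terraform/nixos-rebuild uses the identical construct and would take the same simplification.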
@@ -121,3 +121,9 @@ variable "nixos_facter_path" {
 description = "Path to which to write a `facter.json` generated by `nixos-facter`. This option cannot be set at the same time as `nixos_generate_config_path`."
 default = ""
 }
+
+variable "ssh_options" {
+ type = list(string)
+ description = "Additional SSH options to use during installation"
+ default = []
+}
diff --git a/terraform/nixos-rebuild.md b/terraform/nixos-rebuild.md
index 9676bd94..01b5a28e 100644
--- a/terraform/nixos-rebuild.md
+++ b/terraform/nixos-rebuild.md
@@ -50,15 +50,16 @@ No modules. ## Inputs -| Name | Description | Type | Default | Required | -| -------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | -------- | -------- | :------: | -| [ignore\_systemd\_errors](#input_ignore_systemd_errors) | Ignore systemd errors happening during deploy | `bool` | `false` | no | -| [install\_bootloader](#input_install_bootloader) | Install/re-install the bootloader | `bool` | `false` | no | -| [nixos\_system](#input_nixos_system) | The nixos system to deploy | `string` | n/a | yes | -| [ssh\_private\_key](#input_ssh_private_key) | Content of private key used to connect to the target\_host. If set to - no key is passed to openssh and ssh will use its own configuration | `string` | `"-"` | no | -| [target\_host](#input_target_host) | DNS host to deploy to | `string` | n/a | yes | -| [target\_port](#input_target_port) | SSH port used to connect to the target\_host | `number` | `22` | no | -| [target\_user](#input_target_user) | User to deploy as | `string` | `"root"` | no | +| Name | Description | Type | Default | Required | +| -------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | -------------- | -------- | :------: | +| [ignore\_systemd\_errors](#input_ignore_systemd_errors) | Ignore systemd errors happening during deploy | `bool` | `false` | no | +| [install\_bootloader](#input_install_bootloader) | Install/re-install the bootloader | `bool` | `false` | no | +| [nixos\_system](#input_nixos_system) | The nixos system to deploy | `string` | n/a | yes | +| [ssh\_options](#input_ssh_options) | Additional SSH options to use during deploy | `list(string)` | `[]` | 
no |
+| [ssh\_private\_key](#input_ssh_private_key) | Content of private key used to connect to the target\_host. If set to - no key is passed to openssh and ssh will use its own configuration | `string` | `"-"` | no |
+| [target\_host](#input_target_host) | DNS host to deploy to | `string` | n/a | yes |
+| [target\_port](#input_target_port) | SSH port used to connect to the target\_host | `number` | `22` | no |
+| [target\_user](#input_target_user) | User to deploy as | `string` | `"root"` | no |
 ## Outputs
diff --git a/terraform/nixos-rebuild/deploy.sh b/terraform/nixos-rebuild/deploy.sh
index 61da6e1c..b73be836 100755
--- a/terraform/nixos-rebuild/deploy.sh
+++ b/terraform/nixos-rebuild/deploy.sh
@@ -38,6 +38,10 @@ if [[ -n ${SSH_KEY+x} && ${SSH_KEY} != "-" ]]; then
 fi
 set -x
+while IFS= read -r -d '' value; do
+ sshOpts+=(-o "$value")
+done < <(jq -j 'to_entries[] | (.value, "\u0000")' <<<"${SSH_OPTIONS}")
+
 try=1
 until NIX_SSHOPTS="${sshOpts[*]}" nix copy -s --experimental-features nix-command --to "ssh://$TARGET" "$NIXOS_SYSTEM"; do
 if [[ $try -gt 10 ]]; then
diff --git a/terraform/nixos-rebuild/main.tf b/terraform/nixos-rebuild/main.tf
index 84461c80..92c7b937 100644
--- a/terraform/nixos-rebuild/main.tf
+++ b/terraform/nixos-rebuild/main.tf
@@ -4,7 +4,8 @@ resource "null_resource" "nixos-rebuild" {
 }
 provisioner "local-exec" {
 environment = {
- SSH_KEY = var.ssh_private_key
+ SSH_KEY = var.ssh_private_key
+ SSH_OPTIONS = jsonencode(var.ssh_options)
 }
 command = "${path.module}/deploy.sh ${var.nixos_system} ${var.target_user} ${var.target_host} ${var.target_port} ${var.ignore_systemd_errors} ${var.install_bootloader}"
 }
diff --git a/terraform/nixos-rebuild/variables.tf b/terraform/nixos-rebuild/variables.tf
index 0c112a5f..b161f9ff 100644
--- a/terraform/nixos-rebuild/variables.tf
+++ b/terraform/nixos-rebuild/variables.tf
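Review bot: The NUL-safe loop keeps each option intact, but the very next line joins the array with `NIX_SSHOPTS="${sshOpts[*]}"`, and nix passes that string to ssh whitespace-split, so an element such as a `ProxyCommand=...` value containing spaces arrives at ssh as several broken words. Since `NIX_SSHOPTS` is inherently a space-separated string there is no fully safe encoding; the practical fix is to reject such values up front inside the loop, `if [[ $value == *[[:space:]]* ]]; then echo "ssh_options entries must not contain whitespace: $value" >&2; exit 1; fi`, and to state the restriction in the `ssh_options` variable description. Note also that `set -x` is already active when the loop runs, so every option value is echoed into the Terraform provisioner output; that is fine for ordinary ssh_config keys but callers should not embed anything sensitive in them.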
@@ -37,3 +37,9 @@ variable "install_bootloader" {
 description = "Install/re-install the bootloader"
 default = false
 }
+
+variable "ssh_options" {
+ type = list(string)
+ description = "Additional SSH options to use during deploy"
+ default = []
+}
"kexec",
"disko",
"install",
"reboot"
]