terraform/install: fix build_on_remote = false

Due to the Terraform variables being passed to `run-nixos-anywhere.sh` via environment variables, these environment variables wound up getting passed to `nixos-anywhere`. `nixos-anywhere` would then read the value `false` which would break everything as it expects the variable to be unset or set to `y`, leading to `disko_script` not being set.
nix-community · Sep 16, 2024 · 0216410 · 0216410
1 parent 1283995
commit 0216410
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 32 deletions.
diff --git a/terraform/install/main.tf b/terraform/install/main.tf
@@ -1,5 +1,21 @@
 locals {
   disk_encryption_key_scripts = [for k in var.disk_encryption_key_scripts : "\"${k.path}\" \"${k.script}\""]
+  arguments = jsonencode({
+    ssh_private_key = var.ssh_private_key
+    stop_after_disko = var.stop_after_disko
+    debug_logging = var.debug_logging
+    kexec_tarball_url = var.kexec_tarball_url
+    nixos_partitioner = var.nixos_partitioner
+    nixos_system = var.nixos_system
+    target_user = var.target_user
+    target_host = var.target_host
+    target_port = var.target_port
+    target_pass = var.target_pass
+    extra_files_script = var.extra_files_script
+    no_reboot = var.no_reboot
+    build_on_remote = var.build_on_remote
+    flake = var.flake
+  })
 }
 
 resource "null_resource" "nixos-remote" {
@@ -8,20 +24,7 @@ resource "null_resource" "nixos-remote" {
   }
   provisioner "local-exec" {
     environment = merge({
-      SSH_PRIVATE_KEY = var.ssh_private_key
-      SSHPASS = var.target_pass
-      stop_after_disko = var.stop_after_disko
-      debug_logging = var.debug_logging
-      kexec_tarball_url = var.kexec_tarball_url
-      nixos_partitioner = var.nixos_partitioner
-      nixos_system = var.nixos_system
-      target_user = var.target_user
-      target_host = var.target_host
-      target_port = var.target_port
-      extra_files_script = var.extra_files_script
-      no_reboot = var.no_reboot
-      build_on_remote = var.build_on_remote
-      flake = var.flake
+      ARGUMENTS = local.arguments
     }, var.extra_environment)
     command = "${path.module}/run-nixos-anywhere.sh ${join(" ", local.disk_encryption_key_scripts)}"
     quiet   = var.debug_logging

diff --git a/terraform/install/run-nixos-anywhere.sh b/terraform/install/run-nixos-anywhere.sh
@@ -2,28 +2,36 @@
 set -euo pipefail
 
 SCRIPT_DIR="$(realpath "$(dirname "${BASH_SOURCE[0]}")")"
+
+declare -A input
+
+while IFS= read -r -d '' key && IFS= read -r -d '' value; do
+  input[$key]=$value
+done < <(jq -j 'to_entries[] | (.key, "\u0000", .value, "\u0000")' <<<"${ARGUMENTS}")
+
 args=()
 
-if [[ ${debug_logging-} == "true" ]]; then
+if [[ ${input[debug_logging]} == "true" ]]; then
   set -x
+  declare -p input
   args+=("--debug")
 fi
-if [[ ${stop_after_disko-} == "true" ]]; then
+if [[ ${input[stop_after_disko]} == "true" ]]; then
   args+=("--stop-after-disko")
 fi
-if [[ ${kexec_tarball_url-} != "" ]]; then
-  args+=("--kexec" "${kexec_tarball_url}")
+if [[ ${input[kexec_tarball_url]} != "null" ]]; then
+  args+=("--kexec" "${input[kexec_tarball_url]}")
 fi
-if [[ ${no_reboot-} == "true" ]]; then
+if [[ ${input[no_reboot]} == "true" ]]; then
   args+=("--no-reboot")
 fi
-if [[ ${build_on_remote-} == "true" ]]; then
+if [[ ${input[build_on_remote]} == "true" ]]; then
   args+=("--build-on-remote")
 fi
-if [[ -n ${flake-} ]]; then
-  args+=("--flake" "${flake}")
+if [[ -n ${input[flake]} ]]; then
+  args+=("--flake" "${input[flake]}")
 else
-  args+=("--store-paths" "${nixos_partitioner}" "${nixos_system}")
+  args+=("--store-paths" "${input[nixos_partitioner]}" "${input[nixos_system]}")
 fi
 if [[ -n ${SSHPASS-} ]]; then
   args+=("--env-password")
@@ -35,25 +43,25 @@ cleanup() {
 }
 trap cleanup EXIT
 
-if [[ ${extra_files_script-} != "" ]]; then
-  if [[ ! -f ${extra_files_script} ]]; then
-    echo "extra_files_script '${extra_files_script}' does not exist"
+if [[ ${input[extra_files_script]} != "null" ]]; then
+  if [[ ! -f ${input[extra_files_script]} ]]; then
+    echo "extra_files_script '${input[extra_files_script]}' does not exist"
     exit 1
   fi
-  if [[ ! -x ${extra_files_script} ]]; then
-    echo "extra_files_script '${extra_files_script}' is not executable"
+  if [[ ! -x ${input[extra_files_script]} ]]; then
+    echo "extra_files_script '${input[extra_files_script]}' is not executable"
     exit 1
   fi
-  extra_files_script=$(realpath "${extra_files_script}")
+  extra_files_script=$(realpath "${input[extra_files_script]}")
   mkdir "${tmpdir}/extra-files"
   pushd "${tmpdir}/extra-files"
   $extra_files_script
   popd
   args+=("--extra-files" "${tmpdir}/extra-files")
 fi
 
-args+=("-p" "${target_port}")
-args+=("${target_user}@${target_host}")
+args+=("-p" "${input[target_port]}")
+args+=("${input[target_user]}@${input[target_host]}")
 
 keyIdx=0
 while [[ $# -gt 0 ]]; do
@@ -73,4 +81,4 @@ while [[ $# -gt 0 ]]; do
   keyIdx=$((keyIdx + 1))
 done
 
-nix run --extra-experimental-features 'nix-command flakes' "path:${SCRIPT_DIR}/../..#nixos-anywhere" -- "${args[@]}"
+SSHPASS=${input[target_pass]} SSH_PRIVATE_KEY="${input[ssh_private_key]}" nix run --extra-experimental-features 'nix-command flakes' "path:${SCRIPT_DIR}/../..#nixos-anywhere" -- "${args[@]}"