Merge pull request #35 from frantisekhanzlikbl/master

Allow overriding ssh options per configuration

README.md

@@ -157,8 +157,24 @@ of the script generator).
 
 This script fetches approle credentials from Vault and then pushes those
 credentials to the servers, so that the module can authenticate to Vault.
-It guesses server hostnames from their `networking` config option. If you
-want to override some hostnames, use `hostnameOverrides` like this:
+By default, the ssh hostnames and options are guessed from their `networking`
+config option. If you want to override the options for some hostnames, use
+`getConfigurationOverrides` like this:
+
+```nix
+vault-push-approle-envs self {
+  getConfigurationOverrides = { attrName, ... }: {
+    "<attribute name in nixosConfigurations>" = {
+      # all of these are optional. override just what you need.
+      hostname = "new.host.name";
+      sshUser = "remote_ssh_user";
+      sshOpts = [ "-i" "ssh_host/key" ];
+    };
+  }.${attrName};
+}
+```
+
+Another option is the older `hostNameOverrides` for simpler, hostname-only overrides:
 
 ```nix
 vault-push-approle-envs self {

scripts/vault-push-approle-envs.nix

@@ -14,6 +14,7 @@
         config.networking.hostName
       else
         "${config.networking.hostName}.${config.networking.domain}");
+    getConfigurationOverrides = params: { };
   };
 
   type = "derivation";
@@ -27,12 +28,18 @@
       pushApproleEnv =
         { approleName, vaultAddress, environmentFile, ... }@params:
         let
-          hostname = final.getHostName params;
+          configOverrides = {
+            hostname = final.getHostName params;
+            sshUser = null;
+            sshOpts = [];
+          } // final.getConfigurationOverrides params;
+
+          host = "${if configOverrides.sshUser != null then "${configOverrides.sshUser}@" else ""}${configOverrides.hostname}";
 
           push = ''
             ${
               ./vault-get-approle-env.sh
-            } ${approleName} | ssh "${hostname}" ''${SSH_OPTS:-} "sudo mkdir -p ${
+            } ${approleName} | ssh ${lib.escapeShellArg host} ${lib.escapeShellArgs configOverrides.sshOpts} ''${SSH_OPTS:-} "sudo mkdir -p ${
               builtins.dirOf environmentFile
             }; sudo tee ${environmentFile} >/dev/null"
           '';
@@ -43,7 +50,7 @@
 
           if [[ $# -eq 0 ]] || [[ " $@ " =~ " ${approleName} " ]]; then
             # If we don't get any arguments, or the current approle name is in the arguments list, push it
-            echo "Uploading ${approleName} to ${hostname}"
+            echo "Uploading ${approleName} to ${configOverrides.hostname}"
             set -x
             ${push}
             set +x

tests/modules/vault-secrets.nix

@@ -105,8 +105,6 @@
         # Set up SSH hostkey to connect to the client
         cat ${ssh-keys.snakeOilPrivateKey} > privkey.snakeoil
         chmod 600 privkey.snakeoil
-        SSH_OPTS='-o StrictHostKeyChecking=no -i privkey.snakeoil'
-        export SSH_OPTS
 
         # Unset VAULT_ADDR and PATH to make sure those are set correctly in the scripts
         # We keep VAULT_TOKEN set because it's actually used to authenticate to vault
@@ -118,7 +116,17 @@
         ${vault-push-approles fakeFlake}/bin/vault-push-approles test
 
         # Upload approle environments to the client
-        ${vault-push-approle-envs fakeFlake}/bin/vault-push-approle-envs
+        ${vault-push-approle-envs fakeFlake {
+          getConfigurationOverrides = { attrName, ... }: {
+            client = {
+              # all of these are optional and the defaults for `hostname` and `sshUser` here would be fine.
+              # we specify them just for demonstration.
+              hostname = "client";
+              sshUser = "root";
+              sshOpts = [ "-o" "StrictHostKeyChecking=no" "-i" "privkey.snakeoil" ];
+            };
+          }.${attrName};
+        }}/bin/vault-push-approle-envs
       '';
     in ''
       start_all()