diff --git a/README.md b/README.md
index 03e2968..3243a39 100644
--- a/README.md
+++ b/README.md
@@ -157,8 +157,24 @@ of the script generator). This script fetches approle credentials from Vault and then pushes those credentials to the servers, so that the module can authenticate to Vault.
-It guesses server hostnames from their `networking` config option. If you
-want to override some hostnames, use `hostnameOverrides` like this:
+By default, the ssh hostnames and options are guessed from their `networking`
+config option. If you want to override the options for some hostnames, use
+`getConfigurationOverrides` like this:
+
+```nix
+vault-push-approle-envs self {
+ getConfigurationOverrides = { attrName, ... }: {
+ "" = {
+ # all of these are optional. override just what you need.
+ hostname = "new.host.name";
+ sshUser = "remote_ssh_user";
+ sshOpts = [ "-i" "ssh_host/key" ];
+ };
+ }.${attrName};
+}
+```
+
+Another option is the older `hostNameOverrides` for simpler, hostname-only overrides:
 ```nix
 vault-push-approle-envs self {
diff --git a/scripts/vault-push-approle-envs.nix b/scripts/vault-push-approle-envs.nix
index 88bad5f..f606f86 100644
--- a/scripts/vault-push-approle-envs.nix
+++ b/scripts/vault-push-approle-envs.nix
@@ -14,6 +14,7 @@
 config.networking.hostName else "${config.networking.hostName}.${config.networking.domain}");
+ getConfigurationOverrides = params: { };
 };
 type = "derivation";
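Review bot: The new `getConfigurationOverrides = params: { };` default says nothing about what an override may return, even though `pushApproleEnv` later in this diff merges the result over `{ hostname, sshUser, sshOpts }` and calls it with the same `params` it hands to `getHostName`. A comment above the added line would spare readers a trip to the call site: `# Per-approle hook returning optional ssh overrides ({ hostname, sshUser, sshOpts }); receives the same params as getHostName, and { } keeps the defaults.` The attribute set this default belongs to begins before the hunk.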
@@ -27,12 +28,18 @@
 pushApproleEnv = { approleName, vaultAddress, environmentFile, ... }@params: let
- hostname = final.getHostName params;
+ configOverrides = {
+ hostname = final.getHostName params;
+ sshUser = null;
+ sshOpts = [];
+ } // final.getConfigurationOverrides params;
+
+ host = "${if configOverrides.sshUser != null then "${configOverrides.sshUser}@" else ""}${configOverrides.hostname}";
 push = '' ${ ./vault-get-approle-env.sh
- } ${approleName} | ssh "${hostname}" ''${SSH_OPTS:-} "sudo mkdir -p ${
+ } ${approleName} | ssh ${lib.escapeShellArg host} ${lib.escapeShellArgs configOverrides.sshOpts} ''${SSH_OPTS:-} "sudo mkdir -p ${
 builtins.dirOf environmentFile }; sudo tee ${environmentFile} >/dev/null" '';
@@ -43,7 +50,7 @@
 if [[ $# -eq 0 ]] || [[ " $@ " =~ " ${approleName} " ]]; then
 # If we don't get any arguments, or the current approle name is in the arguments list, push it
- echo "Uploading ${approleName} to ${hostname}"
+ echo "Uploading ${approleName} to ${configOverrides.hostname}"
 set -x
 ${push}
 set +x
diff --git a/tests/modules/vault-secrets.nix b/tests/modules/vault-secrets.nix
index eac0273..0adeb83 100644
--- a/tests/modules/vault-secrets.nix
+++ b/tests/modules/vault-secrets.nix
@@ -105,8 +105,6 @@
 # Set up SSH hostkey to connect to the client
 cat ${ssh-keys.snakeOilPrivateKey} > privkey.snakeoil
 chmod 600 privkey.snakeoil
- SSH_OPTS='-o StrictHostKeyChecking=no -i privkey.snakeoil'
- export SSH_OPTS
 # Unset VAULT_ADDR and PATH to make sure those are set correctly in the scripts
 # We keep VAULT_TOKEN set because it's actually used to authenticate to vault
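Review bot: The added `host` line buries a one-attribute decision in a nested string-in-conditional-in-string, which is hard to read next to the otherwise tidy `configOverrides` merge; since `lib` is already in scope for `escapeShellArg` two lines below, the same value reads more directly as `host = lib.optionalString (configOverrides.sshUser != null) "${configOverrides.sshUser}@" + configOverrides.hostname;`. On the rewritten `ssh` line the destination is still placed before `sshOpts` and `SSH_OPTS`; OpenSSH does accept options after the destination, but the conventional `ssh [options] destination` order (escaped options first, then `${lib.escapeShellArg host}`) does not lean on that and matches how the README example presents `sshOpts`. The `let` block of pushApproleEnv begins before and continues after the hunk.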
@@ -118,7 +116,17 @@
 ${vault-push-approles fakeFlake}/bin/vault-push-approles test
 # Upload approle environments to the client
- ${vault-push-approle-envs fakeFlake}/bin/vault-push-approle-envs
+ ${vault-push-approle-envs fakeFlake {
+ getConfigurationOverrides = { attrName, ... }: {
+ client = {
+ # all of these are optional and the defaults for `hostname` and `sshUser` here would be fine.
+ # we specify them just for demonstration.
+ hostname = "client";
+ sshUser = "root";
+ sshOpts = [ "-o" "StrictHostKeyChecking=no" "-i" "privkey.snakeoil" ];
+ };
+ }.${attrName};
+ }}/bin/vault-push-approle-envs
 '';
 in ''
 start_all()
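Review bot: The override function added here, `{ client = { … }; }.${attrName}`, raises a missing-attribute evaluation error for any `attrName` other than `client`, because `getConfigurationOverrides` is evaluated for every approle the script pushes (see the `configOverrides` merge in scripts/vault-push-approle-envs.nix in this same diff). That only holds up while the test flake defines a single approle, which I cannot confirm from the hunk; ending the lookup with `}.${attrName} or { };` keeps the defaults for any other host and matches the "optional" promise in the comment above it. The README example introduced by this commit has the same shape and would benefit from the same `or { }`. The test script string this sits in begins before the hunk.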