terraform: expose --copy_host_keys

Meallia · Meallia · commit 8ee16577b1c4 · 2025-07-16T00:12:37.000+02:00
diff --git a/terraform/all-in-one.md b/terraform/all-in-one.md
@@ -202,6 +202,7 @@ No resources.
 | Name                                                                                                                  | Description                                                                                                                                                                                                                                               | Type                                                                      | Default                                                                      | Required |
 | --------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------- | ---------------------------------------------------------------------------- | :------: |
 | <a name="input_build_on_remote"></a> [build\_on\_remote](#input_build_on_remote)                                      | Build the closure on the remote machine instead of building it locally and copying it over                                                                                                                                                                | `bool`                                                                    | `false`                                                                      |    no    |
+| <a name="input_copy_host_keys"></a> [copy\_host\_keys](#input_copy_host_keys)                                         | copy over existing /etc/ssh/ssh\_host\_* host keys to the installation                                                                                                                                                                                    | `bool`                                                                    | `false`                                                                      |    no    |
 | <a name="input_debug_logging"></a> [debug\_logging](#input_debug_logging)                                             | Enable debug logging                                                                                                                                                                                                                                      | `bool`                                                                    | `false`                                                                      |    no    |
 | <a name="input_deployment_ssh_key"></a> [deployment\_ssh\_key](#input_deployment_ssh_key)                             | Content of private key used to deploy to the target\_host after initial installation. To ensure maximum security, it is advisable to connect to your host using ssh-agent instead of relying on this variable                                             | `string`                                                                  | `null`                                                                       |    no    |
 | <a name="input_disk_encryption_key_scripts"></a> [disk\_encryption\_key\_scripts](#input_disk_encryption_key_scripts) | Each script will be executed locally. Output of each will be created at the given path to disko during installation. The keys will be not copied to the final system                                                                                      | <pre>list(object({<br/> path = string<br/> script = string<br/> }))</pre> | `[]`                                                                         |    no    |
diff --git a/terraform/all-in-one/main.tf b/terraform/all-in-one/main.tf
@@ -39,6 +39,7 @@ module "install" {
   nixos_generate_config_path  = var.nixos_generate_config_path
   nixos_facter_path           = var.nixos_facter_path
   build_on_remote             = var.build_on_remote
+  copy_host_keys              = var.copy_host_keys
   # deprecated attributes
   stop_after_disko = var.stop_after_disko
   no_reboot        = var.no_reboot
diff --git a/terraform/all-in-one/variables.tf b/terraform/all-in-one/variables.tf
@@ -149,3 +149,9 @@ variable "install_bootloader" {
   description = "Install/re-install the bootloader"
   default     = false
 }
+
+variable "copy_host_keys" {
+  type        = bool
+  description = "copy over existing /etc/ssh/ssh_host_* host keys to the installation"
+  default     = false
+}
diff --git a/terraform/install.md b/terraform/install.md
@@ -64,6 +64,7 @@ No modules.
 | Name                                                                                                                  | Description                                                                                                                                                          | Type                                                                      | Default                                                                      | Required |
 | --------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------- | ---------------------------------------------------------------------------- | :------: |
 | <a name="input_build_on_remote"></a> [build\_on\_remote](#input_build_on_remote)                                      | Build the closure on the remote machine instead of building it locally and copying it over                                                                           | `bool`                                                                    | `false`                                                                      |    no    |
+| <a name="input_copy_host_keys"></a> [copy\_host\_keys](#input_copy_host_keys)                                         | copy over existing /etc/ssh/ssh\_host\_* host keys to the installation                                                                                               | `bool`                                                                    | `false`                                                                      |    no    |
 | <a name="input_debug_logging"></a> [debug\_logging](#input_debug_logging)                                             | Enable debug logging                                                                                                                                                 | `bool`                                                                    | `false`                                                                      |    no    |
 | <a name="input_disk_encryption_key_scripts"></a> [disk\_encryption\_key\_scripts](#input_disk_encryption_key_scripts) | Each script will be executed locally. Output of each will be created at the given path to disko during installation. The keys will be not copied to the final system | <pre>list(object({<br/> path = string<br/> script = string<br/> }))</pre> | `[]`                                                                         |    no    |
 | <a name="input_extra_environment"></a> [extra\_environment](#input_extra_environment)                                 | Extra environment variables to be set during installation. This can be useful to set extra variables for the extra\_files\_script or disk\_encryption\_key\_scripts  | `map(string)`                                                             | `{}`                                                                         |    no    |
diff --git a/terraform/install/main.tf b/terraform/install/main.tf
@@ -18,6 +18,7 @@ locals {
     phases                     = join(",", local.phases)
     nixos_generate_config_path = var.nixos_generate_config_path
     nixos_facter_path          = var.nixos_facter_path
+    copy_host_keys             = var.copy_host_keys
   })
 }
 
diff --git a/terraform/install/run-nixos-anywhere.sh b/terraform/install/run-nixos-anywhere.sh
@@ -44,6 +44,9 @@ if [[ ${input[target_pass]} != null ]]; then
   export SSHPASS=${input[target_pass]}
   args+=("--env-password")
 fi
+if [[ ${input[copy_host_keys]} == "true" ]]; then
+  args+=("--copy-host-keys")
+fi
 
 tmpdir=$(mktemp -d)
 cleanup() {
diff --git a/terraform/install/variables.tf b/terraform/install/variables.tf
@@ -121,3 +121,9 @@ variable "nixos_facter_path" {
   description = "Path to which to write a `facter.json` generated by `nixos-facter`. This option cannot be set at the same time as `nixos_generate_config_path`."
   default     = ""
 }
+
+variable "copy_host_keys" {
+  type        = bool
+  description = "copy over existing /etc/ssh/ssh_host_* host keys to the installation"
+  default     = false
+}

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ locals {`
`18`	`18`	`phases = join(",", local.phases)`
`19`	`19`	`nixos_generate_config_path = var.nixos_generate_config_path`
`20`	`20`	`nixos_facter_path = var.nixos_facter_path`
	`21`	`+ copy_host_keys = var.copy_host_keys`
`21`	`22`	`})`
`22`	`23`	`}`
`23`	`24`