also support sudo password in terraform

Author: Mic92

docs/cli.md

@@ -21,7 +21,7 @@ Options:
 * --env-password
   set a password used by ssh-copy-id, the password should be set by
   the environment variable SSHPASS. Additionally, sudo password can be set
-  via SUDO_PASSWORD environment variable for remote sudo operations 
+  via SUDO_PASSWORD environment variable for remote sudo operations
   (only supported with sudo, not doas)
 * -s, --store-paths <disko-script> <nixos-system>
   set the store paths to the disko-script and nixos-system directly

docs/reference.md

@@ -42,7 +42,7 @@ Options:
 * --env-password
   set a password used by ssh-copy-id, the password should be set by
   the environment variable SSHPASS. Additionally, sudo password can be set
-  via SUDO_PASSWORD environment variable for remote sudo operations 
+  via SUDO_PASSWORD environment variable for remote sudo operations
   (only supported with sudo, not doas)
 * -s, --store-paths <disko-script> <nixos-system>
   set the store paths to the disko-script and nixos-system directly

terraform/all-in-one.md

@@ -28,6 +28,10 @@ module "deploy" {
   # debug_logging          = true
   # build the closure on the remote machine instead of locally
   # build_on_remote        = true
+  # Optional: SSH password for initial installation
+  # install_pass           = "your-ssh-password"
+  # Optional: Sudo password for remote operations during installation
+  # install_sudo_pass      = "your-sudo-password"
   # script is below
   extra_files_script     = "${path.module}/decrypt-ssh-secrets.sh"
   disk_encryption_key_scripts = [{
@@ -139,7 +143,7 @@ locals {
 resource "local_file" "nixos_vars" {
   content         = jsonencode(local.nixos_vars) # Converts variables to JSON
   filename        = local.nixos_vars_file        # Specifies the output file path
-  file_permission = "600"                        
+  file_permission = "600"
 
   # Automatically adds the generated file to Git
   provisioner "local-exec" {

terraform/all-in-one/main.tf

@@ -27,6 +27,8 @@ module "install" {
   target_user                 = local.install_user
   target_host                 = var.target_host
   target_port                 = local.install_port
+  target_pass                 = var.install_pass
+  target_sudo_pass            = var.install_sudo_pass
   nixos_partitioner           = module.partitioner-build.result.out
   nixos_system                = module.system-build.result.out
   ssh_private_key             = var.install_ssh_key

terraform/all-in-one/variables.tf

@@ -149,3 +149,17 @@ variable "install_bootloader" {
   description = "Install/re-install the bootloader"
   default     = false
 }
+
+variable "install_pass" {
+  type        = string
+  description = "Password used to connect to the target_host during installation"
+  default     = null
+  sensitive   = true
+}
+
+variable "install_sudo_pass" {
+  type        = string
+  description = "Sudo password for remote sudo operations during installation. Only supported with sudo, not doas."
+  default     = null
+  sensitive   = true
+}

terraform/install.md

@@ -34,6 +34,10 @@ module "install" {
   nixos_system      = module.system-build.result.out
   nixos_partitioner = module.disko.result.out
   target_host       = local.ipv4
+  # Optional: SSH password authentication
+  # target_pass       = "your-ssh-password"
+  # Optional: Sudo password for remote operations
+  # target_sudo_pass  = "your-sudo-password"
 }
 ```
 

terraform/install/main.tf

@@ -12,6 +12,7 @@ locals {
     target_host                = var.target_host
     target_port                = var.target_port
     target_pass                = var.target_pass
+    target_sudo_pass           = var.target_sudo_pass
     extra_files_script         = var.extra_files_script
     build_on_remote            = var.build_on_remote
     flake                      = var.flake

terraform/install/run-nixos-anywhere.sh

@@ -13,7 +13,14 @@ args=()
 
 if [[ ${input[debug_logging]} == "true" ]]; then
   set -x
-  declare -p input
+  # Print input variables but filter out sensitive passwords
+  for key in "${!input[@]}"; do
+    if [[ $key == *"pass"* ]]; then
+      echo "input[$key]='[FILTERED]'"
+    else
+      echo "input[$key]='${input[$key]}'"
+    fi
+  done
   args+=("--debug")
 fi
 if [[ ${input[kexec_tarball_url]} != "null" ]]; then
@@ -40,9 +47,22 @@ args+=(--phases "${input[phases]}")
 if [[ ${input[ssh_private_key]} != null ]]; then
   export SSH_PRIVATE_KEY="${input[ssh_private_key]}"
 fi
+if [[ ${input[target_pass]} != null || ${input[target_sudo_pass]} != null ]]; then
+  args+=("--env-password")
+fi
+# Temporarily disable debug output when exporting sensitive variables
+if [[ ${input[debug_logging]} == "true" ]]; then
+  set +x
+fi
 if [[ ${input[target_pass]} != null ]]; then
   export SSHPASS=${input[target_pass]}
-  args+=("--env-password")
+fi
+if [[ ${input[target_sudo_pass]} != null ]]; then
+  export SUDO_PASSWORD=${input[target_sudo_pass]}
+fi
+# Re-enable debug output if it was enabled
+if [[ ${input[debug_logging]} == "true" ]]; then
+  set -x
 fi
 
 tmpdir=$(mktemp -d)

terraform/install/variables.tf

@@ -41,6 +41,13 @@ variable "target_pass" {
   default     = null
 }
 
+variable "target_sudo_pass" {
+  type        = string
+  description = "Sudo password for remote sudo operations on target_host. Only supported with sudo, not doas."
+  default     = null
+  sensitive   = true
+}
+
 variable "ssh_private_key" {
   type        = string
   description = "Content of private key used to connect to the target_host"