nixos-anywhere: fixes relating to --build-on-remote

src/nixos-anywhere.sh

@@ -450,8 +450,10 @@ if [[ -n ${disko_script-} ]]; then
 elif [[ ${build_on_remote-n} == "y" ]]; then
   step Building disko script
   # We need to do a nix copy first because nix build doesn't have --no-check-sigs
-  nix_copy --to "ssh-ng://$ssh_connection" "${flake}#nixosConfigurations.\"${flakeAttr}\".config.system.build.diskoScript" \
+  # Use ssh:// here to avoid https://github.com/NixOS/nix/issues/7359
+  nix_copy --to "ssh://$ssh_connection" "${flake}#nixosConfigurations.\"${flakeAttr}\".config.system.build.diskoScript" \
     --derivation --no-check-sigs
+  # If we don't use ssh-ng here, we get `error: operation 'getFSAccessor' is not supported by store`
   disko_script=$(
     nix_build "${flake}#nixosConfigurations.\"${flakeAttr}\".config.system.build.diskoScript" \
       --eval-store auto --store "ssh-ng://$ssh_connection?ssh-key=$ssh_key_dir/nixos-anywhere"
@@ -474,8 +476,10 @@ if [[ -n ${nixos_system-} ]]; then
 elif [[ ${build_on_remote-n} == "y" ]]; then
   step Building the system closure
   # We need to do a nix copy first because nix build doesn't have --no-check-sigs
-  nix_copy --to "ssh-ng://$ssh_connection?remote-store=local?root=/mnt" "${flake}#nixosConfigurations.\"${flakeAttr}\".config.system.build.toplevel" \
+  # Use ssh:// here to avoid https://github.com/NixOS/nix/issues/7359
+  nix_copy --to "ssh://$ssh_connection?remote-store=local?root=/mnt" "${flake}#nixosConfigurations.\"${flakeAttr}\".config.system.build.toplevel" \
     --derivation --no-check-sigs
+  # If we don't use ssh-ng here, we get `error: operation 'getFSAccessor' is not supported by store`
   nixos_system=$(
     nix_build "${flake}#nixosConfigurations.\"${flakeAttr}\".config.system.build.toplevel" \
       --eval-store auto --store "ssh-ng://$ssh_connection?ssh-key=$ssh_key_dir/nixos-anywhere&remote-store=local?root=/mnt"

terraform/install/main.tf

@@ -1,5 +1,20 @@
 locals {
   disk_encryption_key_scripts = [for k in var.disk_encryption_key_scripts : "\"${k.path}\" \"${k.script}\""]
+  arguments = jsonencode({
+    ssh_private_key = var.ssh_private_key
+    stop_after_disko = var.stop_after_disko
+    debug_logging = var.debug_logging
+    kexec_tarball_url = var.kexec_tarball_url
+    nixos_partitioner = var.nixos_partitioner
+    nixos_system = var.nixos_system
+    target_user = var.target_user
+    target_host = var.target_host
+    target_port = var.target_port
+    extra_files_script = var.extra_files_script
+    no_reboot = var.no_reboot
+    build_on_remote = var.build_on_remote
+    flake = var.flake
+  })
 }
 
 resource "null_resource" "nixos-remote" {
@@ -8,6 +23,7 @@ resource "null_resource" "nixos-remote" {
   }
   provisioner "local-exec" {
     environment = merge({
+      ARGUMENTS = local.arguments
       SSH_PRIVATE_KEY = var.ssh_private_key
       SSH_PASS = var.target_pass
       stop_after_disko = var.stop_after_disko

terraform/install/run-nixos-anywhere.sh

@@ -2,28 +2,36 @@
 set -euo pipefail
 
 SCRIPT_DIR="$(realpath "$(dirname "${BASH_SOURCE[0]}")")"
+
+declare -A input
+
+while IFS= read -r -d '' key && IFS= read -r -d '' value; do
+  input[$key]=$value
+done < <(jq -j 'to_entries[] | (.key, "\u0000", .value, "\u0000")' <<<"$ARGUMENTS")
+
 args=()
 
-if [[ ${debug_logging-} == "true" ]]; then
+if [[ ${input[debug_logging]} == "true" ]]; then
   set -x
+  declare -p input
   args+=("--debug")
 fi
-if [[ ${stop_after_disko-} == "true" ]]; then
+if [[ ${input[stop_after_disko]} == "true" ]]; then
   args+=("--stop-after-disko")
 fi
-if [[ ${kexec_tarball_url-} != "" ]]; then
-  args+=("--kexec" "${kexec_tarball_url}")
+if [[ ${input[kexec_tarball_url]} != "null" ]]; then
+  args+=("--kexec" "${input[kexec_tarball_url]}")
 fi
-if [[ ${no_reboot-} == "true" ]]; then
+if [[ ${input[no_reboot]} == "true" ]]; then
   args+=("--no-reboot")
 fi
-if [[ ${build_on_remote-} == "true" ]]; then
+if [[ ${input[build_on_remote]} == "true" ]]; then
   args+=("--build-on-remote")
 fi
-if [[ -n ${flake-} ]]; then
-  args+=("--flake" "${flake}")
+if [[ -n ${input[flake]} ]]; then
+  args+=("--flake" "${input[flake]}")
 else
-  args+=("--store-paths" "${nixos_partitioner}" "${nixos_system}")
+  args+=("--store-paths" "${input[nixos_partitioner]}" "${input[nixos_system]}")
 fi
 if [[ ${SSH_PASS} ]]; then
   args+=("--env-password")
@@ -35,25 +43,25 @@ cleanup() {
 }
 trap cleanup EXIT
 
-if [[ ${extra_files_script-} != "" ]]; then
-  if [[ ! -f ${extra_files_script} ]]; then
-    echo "extra_files_script '${extra_files_script}' does not exist"
+if [[ ${input[extra_files_script]} != "null" ]]; then
+  if [[ ! -f ${input[extra_files_script]} ]]; then
+    echo "extra_files_script '${input[extra_files_script]}' does not exist"
     exit 1
   fi
-  if [[ ! -x ${extra_files_script} ]]; then
-    echo "extra_files_script '${extra_files_script}' is not executable"
+  if [[ ! -x ${input[extra_files_script]} ]]; then
+    echo "extra_files_script '${input[extra_files_script]}' is not executable"
     exit 1
   fi
-  extra_files_script=$(realpath "${extra_files_script}")
+  extra_files_script=$(realpath "${input[extra_files_script]}")
   mkdir "${tmpdir}/extra-files"
   pushd "${tmpdir}/extra-files"
   $extra_files_script
   popd
   args+=("--extra-files" "${tmpdir}/extra-files")
 fi
 
-args+=("-p" "${target_port}")
-args+=("${target_user}@${target_host}")
+args+=("-p" "${input[target_port]}")
+args+=("${input[target_user]}@${input[target_host]}")
 
 keyIdx=0
 while [[ $# -gt 0 ]]; do
@@ -73,4 +81,4 @@ while [[ $# -gt 0 ]]; do
   keyIdx=$((keyIdx + 1))
 done
 
-nix run --extra-experimental-features 'nix-command flakes' "path:${SCRIPT_DIR}/../..#nixos-anywhere" -- "${args[@]}"
+SSH_PRIVATE_KEY="${input[ssh_private_key]}" nix run --extra-experimental-features 'nix-command flakes' "path:${SCRIPT_DIR}/../..#nixos-anywhere" -- "${args[@]}"