host/local: Upload keys with sudo as well

2022-06-10 11:29:25 -07:00 · 2022-06-10 11:29:25 -07:00 · dd3f4b252c
commit dd3f4b252c
parent d7aa4ab864
4 changed files with 18 additions and 4 deletions
--- a/integration-tests/apply-local/default.nix
+++ b/integration-tests/apply-local/default.nix
@ -4,6 +4,13 @@ let
  tools = pkgs.callPackage ../tools.nix {
    targets = [];
    prebuiltTarget = "deployer";
+    extraDeployerConfig = {
+      users.users.colmena = {
+        isNormalUser = true;
+        extraGroups = [ "wheel" ];
+      };
+      security.sudo.wheelNeedsPassword = false;
+    };
  };
 in tools.makeTest {
  name = "colmena-apply-local";
@ -11,7 +18,8 @@ in tools.makeTest {
  bundle = ./.;

  testScript = ''
-    deployer.succeed("cd /tmp/bundle && ${tools.colmenaExec} apply-local")
+    deployer.succeed("cd /tmp/bundle && sudo -u colmena ${tools.colmenaExec} apply-local --sudo")
    deployer.succeed("grep SUCCESS /etc/deployment")
+    deployer.succeed("grep SECRET /run/keys/key-text")
  '';
 }
--- a/integration-tests/apply-local/hive.nix
+++ b/integration-tests/apply-local/hive.nix
@ -19,5 +19,8 @@ in {
    };

    environment.etc."deployment".text = "SUCCESS";
+
+    # /run/keys/key-text
+    deployment.keys."key-text".text = "SECRET";
  };
 }
--- a/integration-tests/tools.nix
+++ b/integration-tests/tools.nix
@ -10,6 +10,7 @@
 { insideVm ? false
 , deployers ? [ "deployer" ]           # Nodes configured as deployers (with Colmena and pre-built system closure)
 , targets ? [ "alpha" "beta" "gamma" ] # Nodes configured as targets (minimal config)
+, extraDeployerConfig ? {}             # Extra config on the deployer
 , prebuiltTarget ? "alpha"             # Target node to prebuild system closure for, or null

 , pkgs ? if insideVm then import <nixpkgs> {} else throw "Must specify pkgs"
@ -38,6 +39,10 @@ let
    # so it can build system profiles for the targets without
    # network access.
    deployerConfig = { lib, config, ... }: {
+      imports = [
+        extraDeployerConfig
+      ];
+
      nix.nixPath = [
        "nixpkgs=${pkgs.path}"
      ];
--- a/src/nix/host/local.rs
+++ b/src/nix/host/local.rs
@ -143,9 +143,7 @@ impl Local {
        let path = key.path();
        let key_script = format!("'{}'", key_uploader::generate_script(key, path, require_ownership));

-        let mut command = Command::new("sh");
-
-        command.args(&["-c", &key_script]);
+        let mut command = self.make_privileged_command(&["sh", "-c", &key_script]);
        command.stdin(Stdio::piped());
        command.stderr(Stdio::piped());
        command.stdout(Stdio::piped());