
add var.ssh_options to pass additional SSH options to nixos-rebuild #427

Open: wants to merge 2 commits into base branch main

Conversation

threddast

This PR adds a Terraform input variable named ssh_options to nixos-rebuild (and to the rebuild part of nixos-anywhere)

The problem I'm trying to solve is being able to use gcloud compute ssh to rebuild NixOS. gcloud compute ssh is a wrapper around ssh that sets a bunch of ssh options to connect to a GCP VM, even if there is no direct connection to it.

Example usage:

module "deploy" {
  source       = "github.com/nix-community/nixos-anywhere//terraform/nixos-rebuild"
  nixos_system = module.system-build.result.out
  target_host = "target"
  ssh_options = {
    IdentityFile          = "/home/user/.ssh/google_compute_engine"
    CheckHostIP           = "no"
    HashKnownHosts        = "no"
    HostKeyAlias          = "compute.123456789"
    IdentitiesOnly        = "yes"
    StrictHostKeyChecking = "yes"
    UserKnownHostsFile    = "/home/user/.ssh/google_compute_known_hosts"
    ProxyCommand          = "/nix/store/nrzkzg0if8p9ak18070x8mj6clbcvdm7-python3-3.11.9-env/bin/python -S /nix/store/lann7mq6gpyl7q3d3hq6d93jr69pgm0v-google-cloud-sdk-475.0.0/google-cloud-sdk/lib/gcloud.py compute start-iap-tunnel test-vm %p --listen-on-stdin --project=my-project --zone=europe-west4-a --verbosity=warning"
    ProxyUseFdpass        = "no"
  }
}

I'm using a file to pass the SSH options because of this bug in Nix: NixOS/nix#5181. The content of NIX_SSHOPTS is passed to this tokenizer, which splits by spaces and doesn't take quoted substrings into account.
This means that something like NIX_SSHOPTS='-o ProxyCommand="my-ssh-command foo bar"' won't work unless the tokenizer is changed upstream.
The disadvantage of passing options as a file is that it will break the Terraform module for people relying on their .ssh/config, unless they copy the ssh options from .ssh/config to the Terraform module. I understand this might be too much of a downside and we might want to change the tokenizer instead.
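The tokenizer problem and the config-file workaround from the description above, as an added example that is not part of this PR or of nixos-anywhere. The ProxyCommand string is constructed; the "naive" split uses unquoted shell word splitting to mimic the whitespace-only tokenizer described, not Nix's own code; and the rendered ssh_config block is the shape the proposed var.ssh_options map would take, nothing more.

```shell
#!/bin/sh
# Added example, not code from nixos-anywhere or the PR. Shows why a quoted
# ProxyCommand cannot be passed through NIX_SSHOPTS as -o flags, and renders
# the same options as an ssh_config file that ssh parses itself (`-F path`).
set -eu

# Mimic a whitespace-only tokenizer: unquoted expansion splits on spaces and
# knows nothing about the double quotes inside the value, just like the
# NIX_SSHOPTS split described in NixOS/nix#5181. `set -f` keeps globbing out.
naive_token_count() {
  opts=$1
  set -f
  set -- $opts
  set +f
  echo "$#"
}

# Quote-aware split of the same string: the token list ssh would need to see.
# `eval` re-parses the string as shell code, so this is only safe for input
# you wrote yourself; it is here to show the difference, not as a fix.
quoted_token_count() {
  opts=$1
  eval "set -- $opts"
  echo "$#"
}

# Render Key=Value arguments (the shape of a var.ssh_options map) as a Host
# block in an ssh_config file. Values may contain spaces because ssh parses
# the file; only `-F <path>` reaches NIX_SSHOPTS, and a path has no spaces.
# Prints the flag to pass, e.g. "-F /tmp/tmp.abc".
write_ssh_config() {
  host=$1
  path=$2
  shift 2
  {
    printf 'Host %s\n' "$host"
    for kv in "$@"; do
      printf '  %s %s\n' "${kv%%=*}" "${kv#*=}"
    done
  } >"$path"
  chmod 600 "$path"   # names identity and known_hosts files; keep it private
  printf '%s %s' -F "$path"
}

# Constructed sample: a ProxyCommand with spaces, as in the PR description.
SAMPLE_OPTS='-o ProxyCommand="gcloud compute start-iap-tunnel test-vm %p --listen-on-stdin"'

demo() {
  echo "naive tokens : $(naive_token_count "$SAMPLE_OPTS")"   # 7: the quoted value is shredded
  echo "quoted tokens: $(quoted_token_count "$SAMPLE_OPTS")"  # 2: -o and one Key=Value
  cfg=$(mktemp)
  flag=$(write_ssh_config target "$cfg" \
    IdentitiesOnly=yes \
    StrictHostKeyChecking=yes \
    'ProxyCommand=gcloud compute start-iap-tunnel test-vm %p --listen-on-stdin')
  echo "NIX_SSHOPTS=$flag"
  cat "$cfg"
  rm -f "$cfg"
}

demo
```

Two caveats when using the `-F` route: ssh reads only the file given with `-F`, so a user's own `~/.ssh/config` (and `/etc/ssh/ssh_config`) is no longer consulted for that connection, which is the breakage the description warns about; and ssh keeps the first value it obtains for each option, with command-line `-o` flags taking precedence over the file, so a `StrictHostKeyChecking yes` in the generated block is ignored if the wrapper still appends `-o StrictHostKeyChecking=no`.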

sshOpts+=(-o StrictHostKeyChecking=no)
sshConfigFile="$workDir/ssh_config"
cat >"$sshConfigFile" <<EOF
Host $TARGET_HOST
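Review bot: the `-o StrictHostKeyChecking=no` appended to `sshOpts` on the first line makes any `StrictHostKeyChecking` setting in the generated `$sshConfigFile` dead, because ssh keeps the first value it obtains for an option and command-line `-o` flags are read before the `-F` file; the PR's own example sets `StrictHostKeyChecking = "yes"` in the map and would silently get `no`. Either drop the `-o` when a config file is written, or emit the host-key policy into the `Host $TARGET_HOST` block only. The heredoc is also cut off here, so the rest of the rendered block cannot be checked; a short comment above `cat >"$sshConfigFile"` stating which options are written and that the file replaces the user's `~/.ssh/config` for this connection would help reviewers and users.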
Member

Yes. As you have rightfully said, this will be an issue for users configuring private ssh keys and jump hosts in their ssh_config.

Member

Here is a workaround for you specifically, could you not pass in -F in your case instead? terraform also allows to write files, no?

Member

Maybe we can add support for passing in an ssh config file?

threddast (Author) commented Dec 5, 2024

> Here is a workaround for you specifically, could you not pass in -F in your case instead? terraform also allows to write files, no?

Yes this would work too. I changed the PR so that additional options are passed as a string to NIX_SSHOPTS

> Maybe we can add support for passing in an ssh config file?

I think passing flags is more flexible. As you suggested we can pass -F if a config file is needed

Comment on lines -23 to -24
sshOpts+=(-o UserKnownHostsFile=/dev/null)
sshOpts+=(-o StrictHostKeyChecking=no)
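Review bot: deleting these two lines changes behaviour for every nixos-anywhere invocation, not only the Terraform module: both options disabled host-key verification, and installs onto freshly provisioned hosts whose key is not yet in `known_hosts` will now stop at a host-key prompt (or fail non-interactively) unless the caller supplies the options themselves. Dropping the bypass is the safer default, but it belongs in its own commit with a documented migration note, or should be gated so that only the Terraform path, where the user supplies the policy through `ssh_options`, omits them.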
Member

This changes the current behavior in nixos-anywhere, if you are not using terraform.

Mic92 (Member) commented Dec 11, 2024

I think this one will solve your quoting issues btw: NixOS/nix#12020

eliecharra

I'm also interested in this change since it can also cover another use case 👇🏻

I'm using passwordless sudo with security.pam.sshAgentAuth.enable = true; in order to avoid having NOPASSWD directives in my sudoers. This requires me to add the -A flag to ssh to forward my agent.
I can use a workaround by setting an ssh config like below, but it would be simpler to just pass an additional -A flag there 😃

 Host target_host
   ForwardAgent yes
