Merge pull request #444 from costowell/main

add option to set ownership of extraFiles

Author: Mic92

docs/howtos/extra-files.md

@@ -75,6 +75,14 @@ during installation.
 When the files are extracted on the remote the copied data will be owned by
 root.
 
+If you wish to change the ownership after the files are copied onto the system,
+you can use the `--chown` option.
+
+For example, if you did `--chown /home/myuser/.ssh 1000:100`, this would equate
+to running `chown -R /home/myuser/.ssh 1000:100` where the uid is 1000 and the
+gid is 100. **Only do this when you can _guarantee_ what the uid and gid will
+be.**
+
 ### Symbolic Links
 
 Do not create symbolic links to reference data to copy.

docs/reference.md

@@ -49,7 +49,10 @@ Options:
   copy over existing /etc/ssh/ssh_host_* host keys to the installation
 * --extra-files <path>
   contents of local <path> are recursively copied to the root (/) of the new NixOS installation. Existing files are overwritten
-  Copied files will be owned by root. See documentation for details.
+  Copied files will be owned by root unless specified by --chown option. See documentation for details.
+* --chown <path> <ownership>
+  change ownership of <path> recursively. Recommended to use uid:gid as opposed to username:groupname for ownership.
+  Option can be specified more than once.
 * --disk-encryption-keys <remote_path> <local_path>
   copy the contents of the file or pipe in local_path to remote_path in the installer environment,
   after kexec but before installation. Can be repeated.

src/nixos-anywhere.sh

@@ -61,6 +61,7 @@ trap 'rm -rf "$sshKeyDir"' EXIT
 mkdir -p "$sshKeyDir"
 
 declare -A diskEncryptionKeys=()
+declare -A extraFilesOwnership=()
 declare -a nixCopyOptions=()
 declare -a sshArgs=()
 
@@ -103,7 +104,10 @@ Options:
   copy over existing /etc/ssh/ssh_host_* host keys to the installation
 * --extra-files <path>
   contents of local <path> are recursively copied to the root (/) of the new NixOS installation. Existing files are overwritten
-  Copied files will be owned by root. See documentation for details.
+  Copied files will be owned by root unless specified by --chown option. See documentation for details.
+* --chown <path> <ownership>
+  change ownership of <path> recursively. Recommended to use uid:gid as opposed to username:groupname for ownership.
+  Option can be specified more than once.
 * --disk-encryption-keys <remote_path> <local_path>
   copy the contents of the file or pipe in local_path to remote_path in the installer environment,
   after kexec but before installation. Can be repeated.
@@ -267,6 +271,11 @@ parseArgs() {
       extraFiles=$2
       shift
       ;;
+    --chown)
+      extraFilesOwnership["$2"]="$3"
+      shift
+      shift
+      ;;
     --disk-encryption-keys)
       diskEncryptionKeys["$2"]="$3"
       shift
@@ -678,9 +687,15 @@ nixosInstall() {
   if [[ -n ${extraFiles} ]]; then
     step Copying extra files
     tar -C "$extraFiles" -cpf- . | runSsh "tar -C /mnt -xf- --no-same-owner"
+
     runSsh "chmod 755 /mnt" # tar also changes permissions of /mnt
   fi
 
+  if [[ ${#extraFilesOwnership[@]} -gt 0 ]]; then
+    # shellcheck disable=SC2016
+    printf "%s\n" "${!extraFilesOwnership[@]}" "${extraFilesOwnership[@]}" | pr -2t | runSsh 'while read file ownership; do chown -R "$ownership" "/mnt/$file"; done'
+  fi
+
   step Installing NixOS
   runSsh sh <<SSH
 set -eu ${enableDebug}

tests/from-nixos.nix

@@ -34,6 +34,10 @@
       start_all()
       installer.succeed("mkdir -p /tmp/extra-files/var/lib/secrets")
       installer.succeed("echo value > /tmp/extra-files/var/lib/secrets/key")
+      installer.succeed("mkdir -p /tmp/extra-files/home/user/.ssh")
+      installer.succeed("echo secretkey > /tmp/extra-files/home/user/.ssh/id_ed25519")
+      installer.succeed("echo publickey > /tmp/extra-files/home/user/.ssh/id_ed25519.pub")
+      installer.succeed("chmod 600 /tmp/extra-files/home/user/.ssh/id_ed25519")
       ssh_key_path = "/etc/ssh/ssh_host_ed25519_key.pub"
       ssh_key_output = installer.wait_until_succeeds(f"""
         ssh -i /root/.ssh/install_key -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
@@ -46,6 +50,7 @@
           --kexec /etc/nixos-anywhere/kexec-installer \
           --extra-files /tmp/extra-files \
           --store-paths /etc/nixos-anywhere/disko /etc/nixos-anywhere/system-to-install \
+          --chown /home/user 1000:100 \
           --copy-host-keys \
           root@installed >&2
       """)
@@ -62,6 +67,10 @@
       assert "value" == content, f"secret does not have expected value: {content}"
       ssh_key_content = new_machine.succeed(f"cat {ssh_key_path}").strip()
       assert ssh_key_content in ssh_key_output, "SSH host identity changed"
+      priv_key_perms = new_machine.succeed("stat -c %a /home/user/.ssh/id_ed25519").strip()
+      assert priv_key_perms == "600", f"unexpected permissions for private key: {priv_key_perms}"
+      user_dir_ownership = new_machine.succeed("stat -c %u:%g /home/user").strip()
+      assert user_dir_ownership == "1000:100", f"unexpected user home dir permissions: {user_dir_ownership}"
     '';
   }
 )