Commit 46cd14bf authored by zimbatm's avatar zimbatm

nixos-rebuild: merge --use-remote-sudo and --use-local-sudo to --sudo

Follow the usage of nixos-rebuild-ng.
parent 7d8a9fa0
+4 −4
@@ -57,7 +57,7 @@
          users.users.alice.extraGroups = [ "wheel" ];
          users.users.bob.extraGroups = [ "wheel" ];

          # Disable sudo for root to ensure sudo isn't called without `--use-remote-sudo`
          # Disable sudo for root to ensure sudo isn't called without `--sudo`
          security.sudo.extraRules = lib.mkForce [
            {
              groups = [ "wheel" ];
@@ -170,20 +170,20 @@
      # Ensure sudo is disabled for root
      target.fail("sudo true")

      # This test also ensures that sudo is not called without --use-remote-sudo
      # This test also ensures that sudo is not called without --sudo
      with subtest("Deploy to root@target"):
        deployer.succeed("nixos-rebuild switch -I nixos-config=/root/configuration-1.nix --target-host root@target &>/dev/console")
        target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip()
        assert target_hostname == "config-1-deployed", f"{target_hostname=}"

      with subtest("Deploy to alice@target with passwordless sudo"):
        deployer.succeed("nixos-rebuild switch -I nixos-config=/root/configuration-2.nix --target-host alice@target --use-remote-sudo &>/dev/console")
        deployer.succeed("nixos-rebuild switch -I nixos-config=/root/configuration-2.nix --target-host alice@target --sudo &>/dev/console")
        target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip()
        assert target_hostname == "config-2-deployed", f"{target_hostname=}"

      with subtest("Deploy to bob@target with password based sudo"):
        # TODO: investigate why --ask-sudo-password from nixos-rebuild-ng is not working here
        deployer.succeed(r'${lib.optionalString withNg "NIX_SSHOPTS=-t "}passh -c 3 -C -p ${nodes.target.users.users.bob.password} -P "\[sudo\] password" nixos-rebuild switch -I nixos-config=/root/configuration-3.nix --target-host bob@target --use-remote-sudo &>/dev/console')
        deployer.succeed(r'${lib.optionalString withNg "NIX_SSHOPTS=-t "}passh -c 3 -C -p ${nodes.target.users.users.bob.password} -P "\[sudo\] password" nixos-rebuild switch -I nixos-config=/root/configuration-3.nix --target-host bob@target --sudo &>/dev/console')
        target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip()
        assert target_hostname == "config-3-deployed", f"{target_hostname=}"
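Review bot: The deprecated spelling `--use-remote-sudo` is no longer exercised by any subtest, although the option parser changed in this same commit still accepts it as an alias for `--sudo`. Because this test guards the rule that sudo is only invoked when explicitly requested, one deployment using the old spelling would catch a regression in the alias. Whether nixos-rebuild-ng accepts the old spelling is not visible here, so such a subtest may need to be conditional on `withNg`.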

+1 −1
@@ -35,7 +35,7 @@ _nixos-rebuild() {
    --profile-name -p # name
    --rollback
    --specialisation -c # name
    --use-remote-sudo
    --use-sudo
    --no-ssh-tty
    --build-host # host
    --target-host # host
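Review bot: The completion list now offers `--use-sudo`, but the option parser changed in this commit matches only `--sudo | --use-remote-sudo`, and the man page documents `--sudo`. This assumes the second line of the pair is the added one, as the +1 −1 count and print order suggest. If so, tab completion would insert a flag the script does not recognise, and the entry should read `--sudo`.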
+2 −2
@@ -38,7 +38,7 @@
.br
.Op Fl -build-host Va host
.Op Fl -target-host Va host
.Op Fl -use-remote-sudo
.Op Fl -sudo
.Op Fl -no-ssh-tty
.br
.Op Fl -verbose | v
@@ -404,7 +404,7 @@ or
is also set. This is useful when the target-host connection to cache.nixos.org
is faster than the connection between hosts.
.
.It Fl -use-remote-sudo
.It Fl -sudo
When set, nixos-rebuild prefixes activation commands that run on the
.Fl -target-host
system with
+6 −10
@@ -32,8 +32,7 @@ specialisation=
imageVariant=
buildHost=
targetHost=
remoteSudo=
localSudo=
useSudo=
noSSHTTY=
verboseScript=
noFlake=
@@ -171,11 +170,8 @@ while [ "$#" -gt 0 ]; do
        targetHost="$1"
        shift 1
        ;;
      --use-remote-sudo)
        remoteSudo=1
        ;;
      --use-local-sudo)
        localSudo=1
      --sudo | --use-remote-sudo)
        useSudo=1
        ;;
      --no-ssh-tty)
        noSSHTTY=1
@@ -241,7 +237,7 @@ buildHostCmd() {

targetHostCmd() {
    local c
    if [[ "${useSudo:-x}" = 1 ]]; then
    if [[ "${withSudo:-x}" = 1 ]]; then
        c=("sudo")
    else
        c=()
@@ -260,8 +256,8 @@ targetHostSudoCmd() {
        t="-t"
    fi

    if [[ -n "$remoteSudo" || -n "$localSudo" ]]; then
        useSudo=1 SSHOPTS="$SSHOPTS $t" targetHostCmd "$@"
    if [[ -n "$useSudo" ]]; then
        withSudo=1 SSHOPTS="$SSHOPTS $t" targetHostCmd "$@"
    else
        # While a tty might not be necessary, we apply it to be consistent with
        # sudo usage, and an experience that is more consistent with local deployment.
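Review bot: The rewritten option case accepts `--sudo | --use-remote-sudo` but drops `--use-local-sudo` without keeping it as an alias. Existing invocations that pass it will presumably fall through to the loop's unknown-option handling, which is outside this hunk. Extending the pattern to `--sudo | --use-remote-sudo | --use-local-sudo)` would keep them working. Separately, `targetHostCmd` now tests `withSudo`, which, as far as the first hunk shows, is not reset alongside `useSudo=` at the top of the script. A `withSudo=1` inherited from the caller's environment would therefore prefix sudo on target-host commands even without `--sudo`, and adding `withSudo=` to the initialisation list would prevent that.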