Working example of configuration with SSH and ProxyCommand

Open drupol opened this issue 4 months ago • 1 comments

Hello,

Today I tried to use deploy-rs, my favorite deployment tool, to provision an EC2 instance. To access this instance, I must authenticate through a proxy; therefore, my .ssh/config contains something like:

Host foobar
  User root
  Hostname 127.0.0.1
  IdentitiesOnly yes
  IdentityFile ~/.ssh/id_foobar
  ProxyCommand ncat --proxy-auth proxyUser:proxyPassword --proxy proxyHost:proxyPort %h %p 

This allows me to connect to the box just by doing ssh foobar. This works pretty well.

However, when it comes to deploy-rs, things are a bit more complex.

Here's my deploy node configuration:

{
  deploy.nodes.foobar = {
    hostname = "127.0.0.1";
    fastConnection = false;
    profiles.system = {
      remoteBuild = true;
      sshUser = "root";
      sshOpts = [
        "-o"
        "ProxyCommand=ncat --proxy-auth proxyUser:proxyPassword --proxy proxyHost:proxyPort %h %p"
        "-i"
        "/home/pol/.ssh/id_foobar"
      ];
      path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos inputs.self.nixosConfigurations.foobar;
    };
  };
}

When I execute this, I get:

❯ deploy -s .#foobar
🚀 ℹ [deploy] [INFO] Evaluating flake in .
🚀 ℹ [deploy] [INFO] The following profiles are going to be deployed:
[foobar.system]
user = "root"
ssh_user = "root"
path = "/nix/store/sbkwmlwmiql9v9nksfi8hckdic3ks7r0-activatable-nixos-system-foobar-25.11.20251012.cf3f5c4"
hostname = "127.0.0.1"
ssh_opts = ["-o", 'ProxyCommand="ncat --proxy-auth foo:bar --proxy redacted:8012 %h %p"', "-i", "/home/pol/.ssh/id_foobar"]

🚀 ℹ [deploy] [INFO] Building profile `system` for node `foobar` on remote host
🚀 ℹ [deploy] [INFO] Activating profile `system` for node `foobar`
🚀 ℹ [deploy] [INFO] Creating activation waiter
/nix/store/cl2gkgnh26mmpka81pc2g5bzjfrili92-bash-5.3p3/bin/bash: line 1: exec: ncat --proxy-auth foo:bar --proxy redacted:8012 ip 22: not found
Connection closed by UNKNOWN port 65535
🚀 ❌ [deploy] [ERROR] Activating over SSH resulted in a bad exit code: Some(255)
🚀 ℹ [deploy] [INFO] Revoking previous deploys
🚀 ❌ [deploy] [ERROR] Deployment to node foobar failed, rolled back to previous generation
/nix/store/cl2gkgnh26mmpka81pc2g5bzjfrili92-bash-5.3p3/bin/bash: line 1: exec: ncat --proxy-auth foo:bar --proxy redacted:8012 IP 22: not found
Connection closed by UNKNOWN port 65535

I tried many combinations and I couldn't find anything working yet. I have the feeling that this is related to https://github.com/serokell/deploy-rs/issues/130

Do you have a clue to share?

Using nixos-rebuild switch --flake .#foobar --target-host foobar --build-host foobar works without any trouble. I guess this is because it's using my local SSH configuration.

drupol, Oct 15 '25 17:10

As suggested on Discord, a workaround is to modify the SSH configuration as such:

$ cat ~/.ssh/config
Host foobar
  User root
  Hostname IP
  IdentityFile ~/.ssh/id_foobar
  ProxyCommand ncat --proxy-auth foo:bar --proxy redacted:8012 %h %p  

This solved my issue.

However, I think there's still an underlying issue in deploy-rs. I'll keep this issue open in the meantime.

drupol, Oct 21 '25 20:10
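
The `exec: ... not found` lines in the first post's output are what a shell prints when the whole ProxyCommand reaches it as a single quoted word, which matches the `ProxyCommand="..."` value shown in the logged `ssh_opts`. The sketch below is an added example, not code from the thread or from deploy-rs: it imitates the `exec` launch that ssh_config(5) documents for ProxyCommand and checks an `-o` value for wrapping quotes. The function names are hypothetical, `echo` stands in for `ncat`, and the host, port and credentials are constructed.

```shell
#!/bin/sh
# Added example (not deploy-rs or OpenSSH code). Assumption, from ssh_config(5):
# ProxyCommand is "executed using the user's shell 'exec' directive".
# run_proxy_command imitates only that step; nothing touches the network.

# Expand %h and %p, then hand "exec <value>" to a shell, as ssh does.
run_proxy_command() {
    value=$1 host=$2 port=$3
    expanded=$(printf '%s' "$value" | sed -e "s/%h/$host/g" -e "s/%p/$port/g")
    sh -c "exec $expanded" 2>&1
}

# Return 0 when a "-o ProxyCommand=..." argument wraps the whole command in
# literal quotes, the shape seen in the logged ssh_opts of the first post.
proxy_opt_is_wrapped() {
    v=${1#ProxyCommand=}
    case $v in
        \"*\"|\'*\') return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed values: "echo" in front of the ncat command line so the demo
# prints what would have been executed instead of connecting anywhere.
GOOD='echo ncat --proxy-auth user:pass --proxy proxy.example:8012 %h %p'
BAD="\"$GOOD\""   # identical, but with literal double quotes around it

good_out=$(run_proxy_command "$GOOD" 192.0.2.10 22); good_rc=$?
bad_out=$(run_proxy_command "$BAD" 192.0.2.10 22);   bad_rc=$?

printf 'unquoted: rc=%s  %s\n' "$good_rc" "$good_out"
printf 'quoted:   rc=%s  %s\n' "$bad_rc" "$bad_out"

for opt in "ProxyCommand=$GOOD" "ProxyCommand=$BAD"; do
    if proxy_opt_is_wrapped "$opt"; then
        printf 'wrapped in quotes, shell will see one word: %s\n' "$opt"
    fi
done
```

The quoted variant exits with status 127 (command not found), the same failure class as the `Some(255)` deploy error once ssh gives up on the proxy.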