
Working example of configuration with SSH and ProxyCommand #343

@drupol


Hello,

Today I tried to use deploy-rs, my favorite deployment tool, to provision an EC2 instance. To access this instance, I must authenticate through a proxy; therefore, my .ssh/config contains something like:

Host foobar
  User root
  Hostname 127.0.0.1
  IdentitiesOnly yes
  IdentityFile ~/.ssh/id_foobar
  ProxyCommand ncat --proxy-auth proxyUser:proxyPassword --proxy proxyHost:proxyPort %h %p 

This allows me to connect to the box just by doing ssh foobar. This works pretty well.

However, when it comes to deploy-rs, things are a bit more complex.

Here's my deploy node configuration:

{
  deploy.nodes.foobar = {
    hostname = "127.0.0.1";
    fastConnection = false;
    profiles.system = {
      remoteBuild = true;
      sshUser = "root";
      sshOpts = [
        "-o"
        "ProxyCommand=ncat --proxy-auth proxyUser:proxyPassword --proxy proxyHost:proxyPort %h %p"
        "-i"
        "/home/pol/.ssh/id_foobar"
      ];
      path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos inputs.self.nixosConfigurations.foobar;
    };
  };
}

When I execute this, I get:

❯ deploy -s .#foobar
🚀 ℹ [deploy] [INFO] Evaluating flake in .
🚀 ℹ [deploy] [INFO] The following profiles are going to be deployed:
[foobar.system]
user = "root"
ssh_user = "root"
path = "/nix/store/sbkwmlwmiql9v9nksfi8hckdic3ks7r0-activatable-nixos-system-foobar-25.11.20251012.cf3f5c4"
hostname = "127.0.0.1"
ssh_opts = ["-o", 'ProxyCommand="ncat --proxy-auth foo:bar --proxy redacted:8012 %h %p"', "-i", "/home/pol/.ssh/id_foobar"]

🚀 ℹ [deploy] [INFO] Building profile `system` for node `foobar` on remote host
🚀 ℹ [deploy] [INFO] Activating profile `system` for node `foobar`
🚀 ℹ [deploy] [INFO] Creating activation waiter
/nix/store/cl2gkgnh26mmpka81pc2g5bzjfrili92-bash-5.3p3/bin/bash: line 1: exec: ncat --proxy-auth foo:bar --proxy redacted:8012 ip 22: not found
Connection closed by UNKNOWN port 65535
🚀 ❌ [deploy] [ERROR] Activating over SSH resulted in a bad exit code: Some(255)
🚀 ℹ [deploy] [INFO] Revoking previous deploys
🚀 ❌ [deploy] [ERROR] Deployment to node foobar failed, rolled back to previous generation
/nix/store/cl2gkgnh26mmpka81pc2g5bzjfrili92-bash-5.3p3/bin/bash: line 1: exec: ncat --proxy-auth foo:bar --proxy redacted:8012 IP 22: not found
Connection closed by UNKNOWN port 65535

I tried many combinations and I couldn't find anything working yet. I have the feeling that this is related to #130

Do you have a clue to share?

Using nixos-rebuild switch --flake .#foobar --target-host foobar --build-host foobar works without any trouble. I guess this is because it's using my local SSH configuration.
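
The `ssh_opts` line in the log shows the ProxyCommand value wrapped in double quotes, and the bash error shows the whole string being looked up as one program name. OpenSSH runs a ProxyCommand through the user's shell with `exec`, so the following added example (not from the issue author or from deploy-rs) reproduces that behaviour offline; `echo` stands in for `ncat`, and the function names and sample values are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: reproduces the "exec: ...: not found" failure without ssh or ncat.
# Constructed sample values; `echo` stands in for ncat so this runs offline.
UNQUOTED='echo --proxy-auth proxyUser:proxyPassword --proxy proxyHost:8012 %h %p'
QUOTED='"echo --proxy-auth proxyUser:proxyPassword --proxy proxyHost:8012 %h %p"'

# Expand the %h and %p tokens, as ssh does before running the command.
expand_tokens() {  # usage: expand_tokens VALUE HOST PORT
  printf '%s' "$1" | sed -e "s/%h/$2/g" -e "s/%p/$3/g"
}

# Run VALUE the way ssh runs a ProxyCommand: via a shell, prefixed with exec.
# Prints the command's output (or the shell's error) and returns its exit status.
run_like_ssh() {  # usage: run_like_ssh VALUE HOST PORT
  sh -c "exec $(expand_tokens "$1" "$2" "$3")" 2>&1
}

# Check a ProxyCommand value before deploying: a value wrapped in quotes is
# parsed by the shell as ONE word, so exec looks for a program with that name.
is_single_word() {  # usage: is_single_word VALUE
  case $1 in
    \"*\"|\'*\') return 0 ;;
    *) return 1 ;;
  esac
}

# Demo: the unquoted value runs, the quoted one exits 127 (command not found).
for v in "$UNQUOTED" "$QUOTED"; do
  out=$(run_like_ssh "$v" 127.0.0.1 22) && rc=0 || rc=$?
  if is_single_word "$v"; then note="wrapped in quotes"; else note="plain"; fi
  printf 'exit=%s (%s): %s\n' "$rc" "$note" "$out"
done
```
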
