From 6703ffd69b1e682ddf20ea71fe231022eae1b812 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20G=C3=BCttler?=
Date: Tue, 2 Jun 2026 13:19:16 +0200
Subject: [PATCH] fix: use explicit ssh wrapper for dagger commands

---
 scripts/setup_dagger_remote.sh | 49 +++++++++++++++++------------------
 1 file changed, 24 insertions(+), 25 deletions(-)

diff --git a/scripts/setup_dagger_remote.sh b/scripts/setup_dagger_remote.sh
index d246ae1..09ce479 100755
--- a/scripts/setup_dagger_remote.sh
+++ b/scripts/setup_dagger_remote.sh
@@ -1,20 +1,11 @@
 #!/usr/bin/env bash
-# Establishes a secure tunnel to a remote Dagger Engine via SSH using SOPS secrets.
 set -euo pipefail
 
-# 0. Check for old environment variables
-if [ -n "${DAGGER_STUNNEL_URL:-}" ] || [ -n "${DAGGER_CA_CERT:-}" ]; then
- echo "ERROR: Old environment variables (DAGGER_STUNNEL_URL or DAGGER_CA_CERT) are present."
- echo "Only SOPS_AGE_KEY should be set in Codeberg secrets."
- exit 1
-fi
-
 if [ -z "${SOPS_AGE_KEY:-}" ]; then
 echo "Error: SOPS_AGE_KEY must be set."
 exit 1
 fi
 
-# 1. Decrypt secrets using SOPS
 echo "Decrypting secrets with SOPS..."
 export SOPS_AGE_KEY="$SOPS_AGE_KEY"
 SECRETS_JSON=$(mktemp)
@@ -25,13 +16,12 @@ sops --decrypt --output-type json secrets.enc.yaml > "$SECRETS_JSON"
 DAGGER_SSH_KEY=$(jq -r '.DAGGER_SSH_KEY' "$SECRETS_JSON")
 DAGGER_ENGINE_HOST=$(jq -r '.DAGGER_ENGINE_HOST' "$SECRETS_JSON")
 
-# 2. Setup SSH key
+# Setup SSH
 mkdir -p ~/.ssh
 chmod 700 ~/.ssh
 echo "$DAGGER_SSH_KEY" > ~/.ssh/dagger_key
 chmod 600 ~/.ssh/dagger_key
 
-# 3. Configure SSH for Dagger
 cat << SSHEOF > ~/.ssh/config.dagger
 Host dagger-engine
 HostName $DAGGER_ENGINE_HOST
@@ -39,27 +29,36 @@ Host dagger-engine
 IdentityFile ~/.ssh/dagger_key
 StrictHostKeyChecking no
 UserKnownHostsFile /dev/null
- ControlMaster auto
- ControlPath ~/.ssh/dagger-%r@%h:%p
- ControlPersist 10m
 SSHEOF
 
 if ! grep -q "Include ~/.ssh/config.dagger" ~/.ssh/config 2>/dev/null; then
 echo "Include ~/.ssh/config.dagger" >> ~/.ssh/config
 fi
 
-# 4. Export environment
-# We use _EXPERIMENTAL_DAGGER_RUNNER_HOST for Dagger v0.20.x SSH redirection
-export _EXPERIMENTAL_DAGGER_RUNNER_HOST="ssh://dagger-engine"
+# The docker exec wrapper approach on the server expects we run 'dagger' command there.
+# We can use a trick: set _EXPERIMENTAL_DAGGER_RUNNER_HOST to a script that runs ssh.
+# But simpler: write a local wrapper script that runs ssh ... dagger.
 
-if [ -n "${GITHUB_ENV:-}" ]; then
- echo "_EXPERIMENTAL_DAGGER_RUNNER_HOST=ssh://dagger-engine" >> "$GITHUB_ENV"
-fi
+cat << 'WRAPPER' > /usr/local/bin/dagger-remote
+#!/bin/bash
+ssh -F ~/.ssh/config.dagger dagger-engine dagger "$@"
+WRAPPER
+chmod +x /usr/local/bin/dagger-remote
 
-# 5. Verify connection
-echo "Verifying Dagger connection to $DAGGER_ENGINE_HOST..."
-if ! timeout 30 dagger query '{ version }' >/dev/null 2>&1; then
- echo "Error: Dagger engine is unreachable via SSH at $DAGGER_ENGINE_HOST"
+# Verify
+echo "Verifying connection via dagger-remote wrapper..."
+if ! dagger-remote query '{ version }' >/dev/null 2>&1; then
+ echo "Error: Dagger engine unreachable via dagger-remote wrapper"
 exit 1
 fi
-echo "Dagger connection verified."
+
+# To make 'task' and other steps work, we alias dagger to dagger-remote
+# Or we use _EXPERIMENTAL_DAGGER_RUNNER_HOST=ssh://dagger-engine if it worked.
+# Since it hung, let's try the alias approach by putting it in PATH.
+mkdir -p ~/bin
+ln -sf /usr/local/bin/dagger-remote ~/bin/dagger
+if [ -n "${GITHUB_PATH:-}" ]; then
+ echo "$HOME/bin" >> "$GITHUB_PATH"
+fi
+
+echo "Dagger remote configured via SSH wrapper."
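Review bot: The generated wrapper line `ssh -F ~/.ssh/config.dagger dagger-engine dagger "$@"` does not preserve argument boundaries, because ssh joins the remote command words with spaces and the remote shell parses the result again. The verification argument `'{ version }'` would therefore reach the remote `dagger` as three words, and any argument containing shell metacharacters is interpreted by the remote shell. Quoting on the sending side, for example `ssh -F ~/.ssh/config.dagger dagger-engine "dagger ${*@Q}"` (bash 4.4 or newer, and assuming a bash-compatible login shell on the engine host), keeps each argument intact. Every `dagger` call in later steps now runs over this connection, yet the retained `StrictHostKeyChecking no` and `UserKnownHostsFile /dev/null` lines (the config heredoc opens in the previous hunk) mean the engine host is never authenticated. Shipping the host's public key with the other SOPS secrets and pointing `UserKnownHostsFile` at it would close that gap, and since `timeout 30` was dropped from the check, `-o BatchMode=yes -o ConnectTimeout=<seconds>` in the wrapper would keep a CI job from hanging on an unreachable host.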