| author | vkcku <[email protected]> | 2026-06-01 16:13:57 +0530 |
|---|---|---|
| committer | vkcku <[email protected]> | 2026-06-01 16:13:57 +0530 |
| commit | 53a73281ddd08397f1c7736a219a4b2c6cc58c98 (patch) | |
| tree | 21babc6e40e8bbbc43617224d43e75adae3b352f /infra/modules/deploy.nix | |
| parent | infra: add tailscale to base module (diff) | |
infra: add deploy user module
monorepo-revid: fa3771880b1af9929487c9804323389f47d33b56
Diffstat (limited to 'infra/modules/deploy.nix')
| -rw-r--r-- | infra/modules/deploy.nix | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/infra/modules/deploy.nix b/infra/modules/deploy.nix
new file mode 100644
index 0000000..061a33e
--- /dev/null
+++ b/infra/modules/deploy.nix
@@ -0,0 +1,39 @@
+{
+ flake.modules.nixos.deploy =
+ { pkgs, ... }:
+ let
+ user = "deploy";
+ in
+ {
+ users.groups."${user}" = { };
+
+ users.users."${user}" = {
+ isSystemUser = true;
+ group = user;
+ shell = pkgs.bash;
+ hashedPassword = "!";
+ };
+
+ security.sudo.extraRules = [
+ {
+ users = [ user ];
+ commands = [
+ {
+ # TODO: Figure out if there is a more secure way to handle
+ # this.
+ #
+ # Currently, I am hoping this is not going to be as much of
+ # an issue since SSH only works over my tailnet. Maybe some
+ # restricted access control policies that only allow access
+ # from specific machines (such as my personal laptop and any
+ # CI machines) will be good enough?
+ command = "ALL";
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ }
+ ];
+
+ nix.settings.trusted-users = [ user ];
+ };
+} |
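Review bot: The `deploy` account is root-equivalent twice over in this hunk, and the TODO comment only weighs the sudo half of that: `security.sudo.extraRules` grants `command = "ALL"` with `NOPASSWD`, and `nix.settings.trusted-users = [ user ]` separately lets the account pass arbitrary substituters, builders and sandbox settings to the daemon, which the Nix manual describes as effectively root access, so narrowing sudo alone would not change the account's blast radius. If the deploy tooling only needs to activate a new system, the sudo rule can be scoped to that one command (e.g. the `nixos-rebuild` or `switch-to-configuration` path the deployer actually invokes) rather than `"ALL"`, which at least makes the intent auditable in `sudo` logs. The tailnet-only SSH assumption in the comment is a network-position control, not an authorization one; whatever key material or `authorizedKeys` this account ends up with is the real credential, and it is not visible in this module. I would extend the TODO with `# NOTE: trusted-users already makes this account root-equivalent via the nix daemon; any sudo restriction must be paired with removing or justifying that.` so the threat model in the comment matches the configuration.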
