-rw-r--r--infra/modules/deploy.nix39
1 files changed, 39 insertions, 0 deletions
diff --git a/infra/modules/deploy.nix b/infra/modules/deploy.nix
new file mode 100644
index 0000000..061a33e
--- /dev/null
+++ b/infra/modules/deploy.nix
@@ -0,0 +1,39 @@
+{
+ flake.modules.nixos.deploy =
+ { pkgs, ... }:
+ let
+ user = "deploy";
+ in
+ {
+ users.groups."${user}" = { };
+
+ users.users."${user}" = {
+ isSystemUser = true;
+ group = user;
+ shell = pkgs.bash;
+ hashedPassword = "!";
+ };
+
+ security.sudo.extraRules = [
+ {
+ users = [ user ];
+ commands = [
+ {
+ # TODO: Figure out if there is a more secure way to handle
+ # this.
+ #
+ # Currently, I am hoping this is not going to be as much of
+ # an issue since SSH only works over my tailnet. Maybe some
+ # restricted access control policies that only allow access
+ # from specific machines (such as my personal laptop and any
+ # CI machines) will be good enough?
+ command = "ALL";
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ }
+ ];
+
+ nix.settings.trusted-users = [ user ];
+ };
+}
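Review bot: The rule at `command = "ALL"` with `options = [ "NOPASSWD" ]` gives the deploy account unrestricted, non-interactive root, and `nix.settings.trusted-users = [ user ]` on the next stanza is a second root-equivalent grant (the Nix manual describes trusted-users as essentially root access), so the TODO above it understates what is being relied on: the tailnet boundary is the only control on two separate escalation paths. The sudo rule can be narrowed without changing the deploy flow, e.g. `command = "/run/current-system/sw/bin/nixos-rebuild *";` (path and arguments to be confirmed against the actual deploy script), and if the daemon is only needed for pushing closures, drop trusted-users in favour of the narrowed sudo rule rather than keeping both. Nothing in this hunk sets `openssh.authorizedKeys` for the user, so reachability presumably depends on keys configured elsewhere; the comment should say where, and should record that `hashedPassword = "!"` only disables password login, not key-based login. I would also rewrite the TODO to name the intended mitigations concretely: "sudo is limited to the rebuild wrapper; trusted-users is required because <reason>; key restrictions live in <module>".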