From 53a73281ddd08397f1c7736a219a4b2c6cc58c98 Mon Sep 17 00:00:00 2001
From: vkcku
Date: Mon, 1 Jun 2026 16:13:57 +0530
Subject: infra: add deploy user module
monorepo-revid: fa3771880b1af9929487c9804323389f47d33b56
---
 infra/modules/deploy.nix | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 infra/modules/deploy.nix
(limited to 'infra/modules/deploy.nix')
diff --git a/infra/modules/deploy.nix b/infra/modules/deploy.nix
new file mode 100644
index 0000000..061a33e
--- /dev/null
+++ b/infra/modules/deploy.nix
@@ -0,0 +1,39 @@
+{
+ flake.modules.nixos.deploy =
+ { pkgs, ... }:
+ let
+ user = "deploy";
+ in
+ {
+ users.groups."${user}" = { };
+
+ users.users."${user}" = {
+ isSystemUser = true;
+ group = user;
+ shell = pkgs.bash;
+ hashedPassword = "!";
+ };
+
+ security.sudo.extraRules = [
+ {
+ users = [ user ];
+ commands = [
+ {
+ # TODO: Figure out if there is a more secure way to handle
+ # this.
+ #
+ # Currently, I am hoping this is not going to be as much of
+ # an issue since SSH only works over my tailnet. Maybe some
+ # restricted access control policies that only allow access
+ # from specific machines (such as my personal laptop and any
+ # CI machines) will be good enough?
+ command = "ALL";
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ }
+ ];
+
+ nix.settings.trusted-users = [ user ];
+ };
+}
-- 
cgit v1.3.1
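Review bot: The sudo rule `command = "ALL";` with `options = [ "NOPASSWD" ];` makes the deploy account root-equivalent, and the TODO above it defers the decision to network reachability (the tailnet), which bounds who can reach the host but not what a leaked deploy key can do once it is in; the narrowing belongs in this rule rather than in the network. Restrict `commands` to the deployment entry point the tooling actually invokes, e.g. `command = "/run/current-system/sw/bin/nixos-rebuild";` keeping `NOPASSWD`, and record the reason in the comment instead of the open question. Note that `nix.settings.trusted-users = [ user ];` is described in the Nix manual as essentially equivalent to root access, so the two grants should be reviewed together — if the deploy step only needs to evaluate and activate a closure as root via the sudo rule, trusted-users may not be needed at all, which is worth confirming against the deploy flow. The account is locked with `hashedPassword = "!"` but no authorized SSH keys are configured here, so presumably they come from another module; a short comment such as `# Login is key-only; authorized keys are set in <other module>` would make that dependency visible to the next reader.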