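{
  # Provisioning account used for remote deployments over SSH.
  #
  # Everything granted below is root-equivalent: the sudo rule allows every
  # command without a password, and `nix.settings.trusted-users` on its own
  # already lets this user hand arbitrary substituters, sandbox paths and
  # unsigned store paths to the Nix daemon (the Nix manual describes this as
  # effectively root access). Treat this user's SSH key as a root credential.
  flake.modules.nixos.deploy =
    { pkgs, ... }:
    let
      user = "deploy";
    in
    {
      users.groups.${user} = { };
      users.users.${user} = {
        isSystemUser = true;
        group = user;
        # A real shell is required so the deploy tool can run commands over SSH.
        shell = pkgs.bash;
        # "!" locks the password: the account can only be entered via SSH keys.
        hashedPassword = "!";
      };
      security.sudo.extraRules = [
        {
          users = [ user ];
          # Only escalate to root, never to arbitrary other accounts
          # (the NixOS default for this option is "ALL:ALL").
          runAs = "root";
          commands = [
            {
              # TODO: Figure out if there is a more secure way to handle
              # this.
              #
              # Currently, I am hoping this is not going to be as much of
              # an issue since SSH only works over my tailnet. Maybe some
              # restricted access control policies that only allow access
              # from specific machines (such as my personal laptop and any
              # CI machines) will be good enough?
              #
              # Concrete follow-ups, in order of value:
              #  1. Pin `command` to the exact entry points the deploy tool
              #     invokes (e.g. the activation script / nixos-rebuild
              #     wrapper) instead of "ALL" once those are known.
              #  2. Restrict the key in
              #     `users.users.${user}.openssh.authorizedKeys.keys` with a
              #     `from="..."` clause (and/or tailnet ACLs) so only the
              #     laptop and CI hosts can use it.
              # Note that neither change reduces what `trusted-users`
              # below already grants on the Nix daemon.
              command = "ALL";
              options = [ "NOPASSWD" ];
            }
          ];
        }
      ];
      # NOTE: trusted-users is itself root-equivalent on the Nix daemon, so
      # this is not a lesser privilege than the sudo rule above; keep the
      # two in step if the sudo rule is ever tightened.
      nix.settings.trusted-users = [ user ];
    };
}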