Sync

2024-11-10 20:15:47 +01:00 · 2024-11-10 20:15:47 +01:00 · cef3a949fe
commit cef3a949fe
parent c1025627ae
40 changed files with 3401 additions and 158 deletions
--- a/users/deploy/default.nix
+++ b/users/deploy/default.nix
@ -0,0 +1,49 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.homelab.users.deploy;
+in {
+  options.homelab.users.deploy.enable = lib.mkEnableOption "user Deploy";
+
+  config = lib.mkIf cfg.enable {
+    users = {
+      groups.deploy = { };
+
+      # The user used to deploy rebuilds without password authentication
+      users.deploy = {
+        group = config.users.groups.deploy.name;
+        isSystemUser = true;
+        home = "/var/empty";
+        shell = pkgs.bashInteractive;
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg"
+        ];
+      };
+    };
+
+    security.sudo.extraRules = [
+      {
+        groups = [
+          config.users.groups.deploy.name
+        ];
+        commands = [
+          {
+            command = "/nix/store/*-nix-*/bin/nix-env -p /nix/var/nix/profile/system --set /nix/store/*-*";
+            options = [ "NOPASSWD" ];
+          }
+        ];
+      }
+      {
+        groups = [
+          config.users.groups.deploy.name
+        ];
+        commands = [
+          {
+            command = "/nix/store/*/bin/switch-to-configuration";
+            options = [ "NOPASSWD" ];
+          }
+        ];
+      }
+    ];
+  };
+}