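{ config, lib, pkgs, ... }:

# Homelab module: a dedicated `deploy` account used to push system rebuilds
# over SSH, plus the sudo rules that let it activate a new system generation
# without a password.
#
# Security note: membership of the `deploy` group is effectively root on this
# host. The sudo rules below allow setting the system profile to, and running
# the activation script of, store paths matched only by a glob. Treat the
# private half of the authorized key like a root credential.
let
  cfg = config.homelab.users.deploy;
in {
  options.homelab.users.deploy.enable = lib.mkEnableOption "user Deploy";

  config = lib.mkIf cfg.enable {
    users = {
      groups.deploy = { };

      # The user used to deploy rebuilds without password authentication
      users.deploy = {
        group = config.users.groups.deploy.name;
        isSystemUser = true;
        # No writable home directory: the account exists only to receive
        # deployments, not to hold state.
        home = "/var/empty";
        # A real shell is set so that commands sent over SSH can run; a
        # nologin shell would reject them.
        shell = pkgs.bashInteractive;
        # Only this key can log in as `deploy`. The entry is written to
        # authorized_keys verbatim, so key options (for example a `from=`
        # source restriction) can be prepended to narrow where it is accepted.
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg"
        ];
      };
    };

    security.sudo.extraRules = [
      {
        groups = [
          config.users.groups.deploy.name
        ];
        commands = [
          {
            # Point the system profile at a new generation.
            #
            # The profile path must match the command the deploy tool runs
            # exactly. NixOS keeps the system profile under
            # /nix/var/nix/profiles/ (plural); the rule previously said
            # `profile`, which would never match that command and would make
            # sudo fall back to asking for a password.
            #
            # Caveat: in the argument part of a sudoers rule `*` also matches
            # spaces and `/`, so `--set /nix/store/*-*` accepts extra trailing
            # arguments as well as a single store path.
            command = "/nix/store/*-nix-*/bin/nix-env -p /nix/var/nix/profiles/system --set /nix/store/*-*";
            options = [ "NOPASSWD" ];
          }
        ];
      }
      {
        groups = [
          config.users.groups.deploy.name
        ];
        commands = [
          {
            # Run the activation script of a system closure as root.
            #
            # In the command path `*` does not cross `/`, so this matches
            # exactly one store directory, but it matches ANY store path that
            # ships bin/switch-to-configuration. The rule is therefore only as
            # strong as the controls on what may be added to the store
            # (trusted-users, required signatures on copied paths).
            command = "/nix/store/*/bin/switch-to-configuration";
            options = [ "NOPASSWD" ];
          }
        ];
      }
    ];
  };
}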