From 2508b6ed9aab7ad57a35ddcca8257923a9cc2420 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Sat, 9 May 2020 01:10:20 +0100
Subject: [PATCH] ops/nixos: add deployer user
---
 ops/nixos/lib/common.nix | 18 ++++++++++++++++++
 ops/secrets/deployer_ed25519.pub | 1 +
 2 files changed, 19 insertions(+)
 create mode 100644 ops/secrets/deployer_ed25519.pub
diff --git a/ops/nixos/lib/common.nix b/ops/nixos/lib/common.nix
index adb751964b..2ca2c020d0 100644
--- a/ops/nixos/lib/common.nix
+++ b/ops/nixos/lib/common.nix
@@ -35,7 +35,25 @@ in
 extraGroups = [ "wheel" ];
 hashedPassword = secrets.passwordHashes.lukegb;
 };
+ deployer = {
+ isSystemUser = true;
+ uid = 1001;
+ hashedPassword = "NP";
+ openssh.authorizedKeys.keyFiles = [
+ ../../secrets/deployer_ed25519.pub
+ ];
+ };
 };
+ security.sudo.extraRules = [{
+ users = [ "deployer" ];
+ commands = [{
+ command = "${rebuilder}/bin/rebuilder";
+ options = [ "NOPASSWD" ];
+ }];
+ }];
+ security.sudo.extraConfig = ''
+ Defaults:deployer !requiretty
+ '';
 programs.mtr.enable = true;
 services.openssh.enable = true;
diff --git a/ops/secrets/deployer_ed25519.pub b/ops/secrets/deployer_ed25519.pub
new file mode 100644
index 0000000000..21a40fbe7e
--- /dev/null
+++ b/ops/secrets/deployer_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAz3ZptYA9SjCtZEQwF8/ACCO0W3Edh9asAmNGE2U4bQ lukegb@porcorosso
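Review bot: The rule added under `security.sudo.extraRules` lists `${rebuilder}/bin/rebuilder` with no argument pattern, which sudoers treats as "any arguments", and it leaves `runAs` unset (the NixOS module appears to default this to `ALL:ALL`), so the privilege granted to the `deployer` key is whatever `rebuilder` will do with caller-chosen arguments. `rebuilder` is bound outside this hunk, so its argument handling cannot be checked here. I would add `runAs = "root";` to the rule and, if `rebuilder` activates a caller-supplied system, a comment above the user stating that this key is root-equivalent on every host importing `common.nix`. The key from `deployer_ed25519.pub` is installed without options; prefixing the key line with `restrict` (plus a `from="..."` pattern if deploys originate from a fixed host) would stop it being used for forwarding or an interactive PTY, which fits the `!requiretty` default added here. `hashedPassword = "NP"` would also benefit from a one-line comment such as `# not a valid crypt hash: password login disabled, key-only account`.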