From 1803025193e83c190e6034190203a34fa0ab4b26 Mon Sep 17 00:00:00 2001
From: julian
Date: Thu, 14 Sep 2023 20:19:49 +0200
Subject: [PATCH] Introduce colmena-deploy user

---
 config/common/nix.nix | 1 -
 config/common/users.nix | 14 +++++++++++++-
 flake.nix | 2 +-
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/config/common/nix.nix b/config/common/nix.nix
index bab7829..f19f681 100644
--- a/config/common/nix.nix
+++ b/config/common/nix.nix
@@ -3,7 +3,6 @@
 {
 nix = {
 settings = {
- trusted-users = [ "@wheel" ];
 auto-optimise-store = true;
 experimental-features = [ "nix-command" "flakes" ];
 };
diff --git a/config/common/users.nix b/config/common/users.nix
index 9b4a344..f150cc4 100644
--- a/config/common/users.nix
+++ b/config/common/users.nix
@@ -2,6 +2,9 @@
 # Sources for this configuration:
 # - a generated NixOS 23.05 configuration
 # - https://nixos.org/manual/nixos/stable/#sec-user-management
+# - https://git.grzb.de/yuri/nix-infra/-/blob/aa38daeea59f2ca12b7e591de6f8b61565780c48/configuration/common/default.nix#L19
+# - https://git.grzb.de/yuri/nix-infra/-/blob/342a2f732da042d04e579d98e9f834418b7ebf25/users/colmena-deploy/default.nix
+# - https://nixos.org/manual/nix/stable/command-ref/conf-file.html?highlight=nix.conf#available-settings
 
 { config, pkgs, lib, ... }:
 
@@ -11,6 +14,7 @@ let
 ref = "trunk";
 rev = "1b625d752fe5f19fd110871b9e3dfc6c93d3495a";
 };
+ authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
 in
 {
 users.mutableUsers = false;
@@ -19,9 +23,17 @@ in
 isNormalUser = true;
 description = "Chaos";
 extraGroups = [ "wheel" ];
- openssh.authorizedKeys.keys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
+ openssh.authorizedKeys.keys = authorizedKeys;
 };
 
+ users.users.colmena-deploy = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = authorizedKeys;
+ };
+
+ nix.settings.trusted-users = [ "colmena-deploy" ];
+
 # Since our user doesn't have a password, allow passwordless sudo for wheel.
 security.sudo.wheelNeedsPassword = false;
 }
diff --git a/flake.nix b/flake.nix
index fd5bfb7..0142921 100644
--- a/flake.nix
+++ b/flake.nix
@@ -36,7 +36,7 @@
 deployment = {
 targetHost = "audio.z9.ccchh.net";
 targetPort = 22;
- targetUser = "chaos";
+ targetUser = "colmena-deploy";
 tags = "thinkcccluster";
 };
 imports = [
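Review bot: The new `users.users.colmena-deploy` is placed in `wheel` while `security.sudo.wheelNeedsPassword = false` stays in force and it accepts the very same `authorizedKeys` list as `chaos`, so the account is root-equivalent and every key that can log in as `chaos` can also deploy; the split yields a distinct login name for auditing, not a narrower privilege. If that is the intent it should be stated above the user, e.g. `# Deploy account used by colmena (targetUser in flake.nix); shares the chaos key set and is root-equivalent via passwordless wheel sudo.`. The bare `nix.settings.trusted-users = [ "colmena-deploy" ];` line also lacks its reason, presumably that the deployer copies unsigned closures into the store, e.g. `# colmena pushes closures into the store; trusted-user status is required for them to be accepted.`. Together with the `@wheel` entry dropped from `config/common/nix.nix` in this patch, `chaos` is no longer a trusted user, which is a deliberate narrowing worth recording, and the existing comment `# Since our user doesn't have a password...` now describes two users and should say so.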
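Review bot: Only the `audio.z9.ccchh.net` deployment block switches `targetUser` to `colmena-deploy`; any other host whose `deployment` block still sets `targetUser = "chaos"` would be left deploying as a user that `config/common/nix.nix` in this same patch removes from `trusted-users` (via the dropped `@wheel` entry), so closure copies to such a host may start being rejected. The rest of flake.nix is not visible here, so this is an inference; checking for remaining `targetUser = "chaos"` lines before merging would settle it. The enclosing host attribute set continues outside the hunk.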