From 1803025193e83c190e6034190203a34fa0ab4b26 Mon Sep 17 00:00:00 2001
From: julian <julian@jsts.xyz>
Date: Thu, 14 Sep 2023 20:19:49 +0200
Subject: [PATCH] Introduce colmena-deploy user

---
 config/common/nix.nix   |  1 -
 config/common/users.nix | 14 +++++++++++++-
 flake.nix               |  2 +-
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/config/common/nix.nix b/config/common/nix.nix
index bab7829..f19f681 100644
--- a/config/common/nix.nix
+++ b/config/common/nix.nix
@@ -3,7 +3,6 @@
 {
   nix = {
     settings = {
-      trusted-users = [ "@wheel" ];
       auto-optimise-store = true;
       experimental-features = [ "nix-command" "flakes" ];
     };
diff --git a/config/common/users.nix b/config/common/users.nix
index 9b4a344..f150cc4 100644
--- a/config/common/users.nix
+++ b/config/common/users.nix
@@ -2,6 +2,9 @@
 # Sources for this configuration:
 # - a generated NixOS 23.05 configuration
 # - https://nixos.org/manual/nixos/stable/#sec-user-management
+# - https://git.grzb.de/yuri/nix-infra/-/blob/aa38daeea59f2ca12b7e591de6f8b61565780c48/configuration/common/default.nix#L19
+# - https://git.grzb.de/yuri/nix-infra/-/blob/342a2f732da042d04e579d98e9f834418b7ebf25/users/colmena-deploy/default.nix
+# - https://nixos.org/manual/nix/stable/command-ref/conf-file.html?highlight=nix.conf#available-settings
 
 { config, pkgs, lib, ... }:
 
@@ -11,6 +14,7 @@ let
     ref = "trunk";
     rev = "1b625d752fe5f19fd110871b9e3dfc6c93d3495a";
   };
+  authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
 in
   {
     users.mutableUsers = false;
@@ -19,9 +23,17 @@ in
       isNormalUser = true;
       description = "Chaos";
       extraGroups = [ "wheel" ];
-      openssh.authorizedKeys.keys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
+      openssh.authorizedKeys.keys = authorizedKeys;
     };
 
+    users.users.colmena-deploy = {
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+      openssh.authorizedKeys.keys = authorizedKeys;
+    };
+
+    nix.settings.trusted-users = [ "colmena-deploy" ];
+
     # Since our user doesn't have a password, allow passwordless sudo for wheel.
     security.sudo.wheelNeedsPassword = false;
   }
diff --git a/flake.nix b/flake.nix
index fd5bfb7..0142921 100644
--- a/flake.nix
+++ b/flake.nix
@@ -36,7 +36,7 @@
         deployment = {
           targetHost = "audio.z9.ccchh.net";
           targetPort = 22;
-          targetUser = "chaos";
+          targetUser = "colmena-deploy";
           tags = "thinkcccluster";
         };
         imports = [