Introduce colmena-deploy user

2023-09-14 20:19:49 +02:00 · 2023-09-14 20:19:49 +02:00 · 1803025193
commit 1803025193
parent bd1d59e8b4
3 changed files with 14 additions and 3 deletions
--- a/config/common/nix.nix
+++ b/config/common/nix.nix
@ -3,7 +3,6 @@
 {
  nix = {
    settings = {
-      trusted-users = [ "@wheel" ];
      auto-optimise-store = true;
      experimental-features = [ "nix-command" "flakes" ];
    };
--- a/config/common/users.nix
+++ b/config/common/users.nix
@ -2,6 +2,9 @@
 # Sources for this configuration:
 # - a generated NixOS 23.05 configuration
 # - https://nixos.org/manual/nixos/stable/#sec-user-management
+# - https://git.grzb.de/yuri/nix-infra/-/blob/aa38daeea59f2ca12b7e591de6f8b61565780c48/configuration/common/default.nix#L19
+# - https://git.grzb.de/yuri/nix-infra/-/blob/342a2f732da042d04e579d98e9f834418b7ebf25/users/colmena-deploy/default.nix
+# - https://nixos.org/manual/nix/stable/command-ref/conf-file.html?highlight=nix.conf#available-settings

 { config, pkgs, lib, ... }:

@ -11,6 +14,7 @@ let
    ref = "trunk";
    rev = "1b625d752fe5f19fd110871b9e3dfc6c93d3495a";
  };
+  authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
 in
  {
    users.mutableUsers = false;
@ -19,9 +23,17 @@ in
      isNormalUser = true;
      description = "Chaos";
      extraGroups = [ "wheel" ];
-      openssh.authorizedKeys.keys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
+      openssh.authorizedKeys.keys = authorizedKeys;
    };

+    users.users.colmena-deploy = {
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+      openssh.authorizedKeys.keys = authorizedKeys;
+    };
+
+    nix.settings.trusted-users = [ "colmena-deploy" ];
+
    # Since our user doesn't have a password, allow passwordless sudo for wheel.
    security.sudo.wheelNeedsPassword = false;
  }
--- a/flake.nix
+++ b/flake.nix
@ -36,7 +36,7 @@
        deployment = {
          targetHost = "audio.z9.ccchh.net";
          targetPort = 22;
-          targetUser = "chaos";
+          targetUser = "colmena-deploy";
          tags = "thinkcccluster";
        };
        imports = [