Introduce colmena-deploy user

June 2023-09-14 20:19:49 +02:00
parent bd1d59e8b4
commit 1803025193
3 changed files with 14 additions and 3 deletions


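--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -3,7 +3,6 @@
 {
   nix = {
     settings = {
-      trusted-users = [ "@wheel" ];
       auto-optimise-store = true;
       experimental-features = [ "nix-command" "flakes" ];
     };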


@ -2,6 +2,9 @@
# Sources for this configuration: # Sources for this configuration:
# - a generated NixOS 23.05 configuration # - a generated NixOS 23.05 configuration
# - https://nixos.org/manual/nixos/stable/#sec-user-management # - https://nixos.org/manual/nixos/stable/#sec-user-management
# - https://git.grzb.de/yuri/nix-infra/-/blob/aa38daeea59f2ca12b7e591de6f8b61565780c48/configuration/common/default.nix#L19
# - https://git.grzb.de/yuri/nix-infra/-/blob/342a2f732da042d04e579d98e9f834418b7ebf25/users/colmena-deploy/default.nix
# - https://nixos.org/manual/nix/stable/command-ref/conf-file.html?highlight=nix.conf#available-settings
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
@ -11,6 +14,7 @@ let
ref = "trunk"; ref = "trunk";
rev = "1b625d752fe5f19fd110871b9e3dfc6c93d3495a"; rev = "1b625d752fe5f19fd110871b9e3dfc6c93d3495a";
}; };
authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
in in
{ {
users.mutableUsers = false; users.mutableUsers = false;
@ -19,9 +23,17 @@ in
isNormalUser = true; isNormalUser = true;
description = "Chaos"; description = "Chaos";
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys")); openssh.authorizedKeys.keys = authorizedKeys;
}; };
users.users.colmena-deploy = {
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = authorizedKeys;
};
nix.settings.trusted-users = [ "colmena-deploy" ];
# Since our user doesn't have a password, allow passwordless sudo for wheel. # Since our user doesn't have a password, allow passwordless sudo for wheel.
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
} }
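Review bot: The new `users.users.colmena-deploy` in the third hunk is root-equivalent by three separate routes — membership in `wheel` combined with `security.sudo.wheelNeedsPassword = false` a few lines below, the `nix.settings.trusted-users = [ "colmena-deploy" ]` entry (a trusted user may pass arbitrary settings and store paths to the daemon, which the Nix manual treats as root-equivalent), and the same `authorizedKeys` list the interactive `chaos` account accepts — so the split from `chaos` adds an identity but no least-privilege, and nothing in the hunk records that this is intended. Both the sudo route and the trusted-user route appear to be needed for a non-root deploy user (closure copy via the daemon, activation via sudo), so the cheapest improvement is to say so: `# Deploy account for colmena: trusted-user so the daemon accepts closures it pushes, wheel + passwordless sudo for activation. Root-equivalent by design.` Sharing one key set also means the deploy key cannot be rotated or restricted independently of the interactive one; reading the deploy keys from a separate file would allow that. Note that the first file section drops `@wheel` from the global `trusted-users`, so after this commit `chaos` is no longer a trusted Nix user except through sudo. The enclosing attribute set opens at `{` in the second hunk.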


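--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -36,7 +36,7 @@
   deployment = {
     targetHost = "audio.z9.ccchh.net";
     targetPort = 22;
-    targetUser = "chaos";
+    targetUser = "colmena-deploy";
     tags = "thinkcccluster";
   };
   imports = [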
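Review bot: The `targetUser` switch in this hunk presumes the `colmena-deploy` account already exists on `audio.z9.ccchh.net`, but that account is created by the very configuration this deployment pushes, so the first apply after this commit will presumably fail to authenticate unless the user definition is rolled out once while `targetUser` is still `"chaos"`. A short comment on the line would spare the next operator the surprise: `# Requires colmena-deploy to exist on the host already; bootstrap once as the previous targetUser.` The `imports` list and the rest of the node definition continue outside the hunk.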