add deploy user for hosts

2023-06-27 23:07:48 +03:00 · 2023-06-27 23:07:48 +03:00 · 58703b9dc8
commit 58703b9dc8
parent 584506fa76
3 changed files with 15 additions and 9 deletions
--- a/profiles/nix/default.nix
+++ b/profiles/nix/default.nix
@ -40,7 +40,7 @@ with config.deviceSpecific; {
        "ataraxiadev:/V5bNjSzHVGx6r2XA2fjkgUYgqoz9VnrAHq45+2FJAs="
        "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
      ];
-      trusted-users = [ "root" config.mainuser "@wheel" ];
+      trusted-users = [ "root" config.mainuser "deploy" "@wheel" ];
      use-xdg-base-directories = true;
    };

--- a/profiles/security/user.nix
+++ b/profiles/security/user.nix
@ -34,6 +34,13 @@

    shell = pkgs.zsh;
  };
+  users.users.deploy = {
+    description = "The administrator account for deploy-rs.";
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys =
+      config.users.users.${config.mainuser}.openssh.authorizedKeys.keys;
+  };
  programs.zsh.enable = true;
  # Safe, because we using doas
  users.allowNoPasswordLogin = true;
--- a/profiles/security/vlock.nix
+++ b/profiles/security/vlock.nix
@ -19,8 +19,13 @@
      } {
        command = "/run/current-system/sw/bin/chown ${config.mainuser} /tmp/.X11-unix";
        options = [ "SETENV" "NOPASSWD" ];
-      }
-      ];
+      }];
+    } {
+      users = [ "deploy" ];
+      commands = [{
+        command = "ALL";
+        options = [ "NOPASSWD" ];
+      }];
    }];
  };
  security.doas = {
@ -29,12 +34,6 @@
      users = [ config.mainuser ];
      keepEnv = true;
      persist = true;
-    } {
-      users = [ config.mainuser ];
-      noPass = true;
-      keepEnv = true;
-      cmd = "/run/current-system/sw/bin/btrfs";
-      args = [ "fi" "usage" "/" ];
    }] ++ lib.optionals config.deviceSpecific.isLaptop [{
      users = [ config.mainuser ];
      noPass = true;