add deploy user for hosts

profiles/nix/default.nix

@@ -40,7 +40,7 @@ with config.deviceSpecific; {
         "ataraxiadev:/V5bNjSzHVGx6r2XA2fjkgUYgqoz9VnrAHq45+2FJAs="
         "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
       ];
-      trusted-users = [ "root" config.mainuser "@wheel" ];
+      trusted-users = [ "root" config.mainuser "deploy" "@wheel" ];
       use-xdg-base-directories = true;
     };
 

profiles/security/user.nix

@@ -34,6 +34,13 @@
 
     shell = pkgs.zsh;
   };
+  users.users.deploy = {
+    description = "The administrator account for deploy-rs.";
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys =
+      config.users.users.${config.mainuser}.openssh.authorizedKeys.keys;
+  };
   programs.zsh.enable = true;
   # Safe, because we using doas
   users.allowNoPasswordLogin = true;

profiles/security/vlock.nix

@@ -19,8 +19,13 @@
       } {
         command = "/run/current-system/sw/bin/chown ${config.mainuser} /tmp/.X11-unix";
         options = [ "SETENV" "NOPASSWD" ];
-      }
+      }];
-      ];
+    } {
+      users = [ "deploy" ];
+      commands = [{
+        command = "ALL";
+        options = [ "NOPASSWD" ];
+      }];
     }];
   };
   security.doas = {
@@ -29,12 +34,6 @@
       users = [ config.mainuser ];
       keepEnv = true;
       persist = true;
-    } {
-      users = [ config.mainuser ];
-      noPass = true;
-      keepEnv = true;
-      cmd = "/run/current-system/sw/bin/btrfs";
-      args = [ "fi" "usage" "/" ];
     }] ++ lib.optionals config.deviceSpecific.isLaptop [{
       users = [ config.mainuser ];
       noPass = true;