modules/deploy-rs-receiver: init

2021-10-16 14:28:30 +02:00 · 2021-10-16 14:28:30 +02:00 · 05a42b9dc8
commit 05a42b9dc8
parent a0fa47ddda
2 changed files with 22 additions and 0 deletions
--- a/modules/default.nix
+++ b/modules/default.nix
@ -3,6 +3,7 @@ with builtins;
 let
  aspects = {
    autopatch = import ./autopatch;
+    deploy-rs-receiver = import ./deploy-rs-receiver;
    enterprise = import ./enterprise;
    hydra = import ./hydra;
    ipfs-lain = import ./ipfs-lain;
@ -25,6 +26,7 @@ in rec {
    networking = [ ssh ];

    server = [
+      deploy-rs-receiver
      nix-config-server
    ] ++ base ++ networking;
  };
--- a/modules/deploy-rs-receiver/default.nix
+++ b/modules/deploy-rs-receiver/default.nix
@ -0,0 +1,20 @@
+{
+  security.sudo.extraRules = [
+    ({
+      users = [ "deploy" ];
+      commands = [
+        "NOPASSWD: /nix/store/*-activate-rs/activate-rs"
+        "NOPASSWD: /run/current-system/sw/bin/rm /tmp/deploy-rs-canary-*"
+      ];
+      runAs = "root";
+    })
+  ];
+  nix.trustedUsers = [ "deploy" ];
+  users.users.deploy = {
+    isNormalUser = true;
+    uid = 1999;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmdWfmAs/0rno8zJlhBFMY2SumnHbTNdZUXJqxgd9ON max@jericho"
+    ];
+  };
+}