From 05a42b9dc8e95fba791ba7e9cc4d3f5f1f9c3dfc Mon Sep 17 00:00:00 2001
From: Max
Date: Sat, 16 Oct 2021 14:28:30 +0200
Subject: [PATCH] modules/deploy-rs-receiver: init
---
 modules/default.nix | 2 ++
 modules/deploy-rs-receiver/default.nix | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 modules/deploy-rs-receiver/default.nix
diff --git a/modules/default.nix b/modules/default.nix
index bcd8979..3c98cb8 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -3,6 +3,7 @@ with builtins; let aspects = { autopatch = import ./autopatch; + deploy-rs-receiver = import ./deploy-rs-receiver; enterprise = import ./enterprise; hydra = import ./hydra; ipfs-lain = import ./ipfs-lain;
@@ -25,6 +26,7 @@ in rec { networking = [ ssh ]; server = [ + deploy-rs-receiver nix-config-server ] ++ base ++ networking; };
diff --git a/modules/deploy-rs-receiver/default.nix b/modules/deploy-rs-receiver/default.nix
new file mode 100644
index 0000000..e658d46
--- /dev/null
+++ b/modules/deploy-rs-receiver/default.nix
@@ -0,0 +1,20 @@
+{
+ security.sudo.extraRules = [
+ ({
+ users = [ "deploy" ];
+ commands = [
+ "NOPASSWD: /nix/store/*-activate-rs/activate-rs"
+ "NOPASSWD: /run/current-system/sw/bin/rm /tmp/deploy-rs-canary-*"
+ ];
+ runAs = "root";
+ })
+ ];
+ nix.trustedUsers = [ "deploy" ];
+ users.users.deploy = {
+ isNormalUser = true;
+ uid = 1999;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmdWfmAs/0rno8zJlhBFMY2SumnHbTNdZUXJqxgd9ON max@jericho"
+ ];
+ };
+}
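Review bot: Adding `deploy-rs-receiver` to `server` in the `@@ -25,6 +26,7 @@` hunk is undocumented although it changes the trust model of every host built from that profile. The new module puts `deploy` in `nix.trustedUsers` and grants it passwordless sudo for any `/nix/store/*-activate-rs/activate-rs`, which together should be treated as root-equivalent access. A comment on the entry would make that visible, e.g. `# root-equivalent "deploy" login for deploy-rs; see modules/deploy-rs-receiver`. The attribute set holding `server` starts outside the hunk, so whether other profiles inherit it through `server` cannot be seen here.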
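Review bot: The `rm` rule in `security.sudo.extraRules`, `/run/current-system/sw/bin/rm /tmp/deploy-rs-canary-*`, permits more than a single canary file, because a `*` in the argument part of a sudoers command matches any characters, including spaces and `/`. Where the installed sudo supports regular-expression arguments (1.9.10 and later), an anchored pattern limited to the canary name's characters would confine it; otherwise a root-owned wrapper that validates its single argument does the same job. The literal key for `max@jericho` is fixed in the module and carries no `from=` or similar option, so a module option for the key list, or at least a comment naming the key's owner and how it is rotated, would help given what the account can do.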