{
  security.sudo.extraRules = [
    {
      users = [ "deploy" ];
      commands = [
        "NOPASSWD: /nix/store/*-activate-rs/activate-rs"
        "NOPASSWD: /run/current-system/sw/bin/rm /tmp/deploy-rs-canary-*"
      ];
      runAs = "root";
    }
  ];
  nix.trustedUsers = [ "deploy" ];
  users.users.deploy = {
    isNormalUser = true;
    uid = 1999;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmdWfmAs/0rno8zJlhBFMY2SumnHbTNdZUXJqxgd9ON max@jericho"
    ];
  };
}