Add navi deployment module and integrate SSH inventory for remote management

- Introduced a new `navi` module for managing deployments across multiple hosts. - Enhanced SSH inventory management to support public key application for authorized hosts. - Configured system deployment builder for seamless integration with Navi. - Updated various host configurations to enable deployment capabilities and streamline SSH access.
2026-06-04 16:51:30 -03:00
parent 403cf2fde5
commit 2a911b057b
11 changed files with 585 additions and 44 deletions
@@ -0,0 +1,49 @@
+# Navi / remote-deploy identity: push closures + activate system profiles over SSH.
+{ ... }: {
+  flake.nixosModules.systemDeployBuilder =
+    { config, lib, pkgs, ... }:
+    let
+      cfg = config.chiasson.system.deploy.builder;
+    in
+    {
+      options.chiasson.system.deploy.builder = {
+        enable = lib.mkEnableOption ''
+          Fleet deploy user for Navi (and similar tools).
+
+          Creates the `builder` catalog user, trusts it with the Nix daemon for
+          `nix copy`, and grants passwordless sudo for non-interactive activation.
+          SSH inbound is limited to the deploy machine key (see catalog `builder.ssh`).
+        '';
+      };
+
+      config = lib.mkIf cfg.enable {
+        chiasson.users.enabled = lib.mkAfter [ "builder" ];
+
+        users.users.builder = {
+          password = "!";
+          # nix copy / navi push opens an SSH session; nologin breaks the store protocol.
+          shell = pkgs.bash;
+        };
+
+        nix.settings.trusted-users = lib.mkAfter [ "builder" ];
+
+        # Navi wraps remote steps in `sudo -H --` (nix-env, switch-to-configuration,
+        # provenance under /etc/navi, readlink, …). Scoped store-path rules are fragile;
+        # this account has no wheel; SSH/key-only in practice (password locked).
+        security.sudo.extraRules = [
+          {
+            users = [ "builder" ];
+            commands = [
+              {
+                command = "ALL";
+                options = [
+                  "NOPASSWD"
+                  "SETENV"
+                ];
+              }
+            ];
+          }
+        ];
+      };
+    };
+}