2a911b057b
- Introduced a new `navi` module for managing deployments across multiple hosts. - Enhanced SSH inventory management to support public key application for authorized hosts. - Configured system deployment builder for seamless integration with Navi. - Updated various host configurations to enable deployment capabilities and streamline SSH access.
# Navi / remote-deploy identity: push closures + activate system profiles over SSH.
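{ ... }: {
  # NixOS module: a non-interactive `builder` account that a deploy host (Navi
  # or similar) SSHes into to `nix copy` closures and activate system profiles.
  flake.nixosModules.systemDeployBuilder =
    { config, lib, pkgs, ... }:
    let
      cfg = config.chiasson.system.deploy.builder;
    in
    {
      options.chiasson.system.deploy.builder = {
        enable = lib.mkEnableOption ''
          Fleet deploy user for Navi (and similar tools).

          Creates the `builder` catalog user, trusts it with the Nix daemon for
          `nix copy`, and grants passwordless sudo for non-interactive activation.
          SSH inbound is limited to the deploy machine key (see catalog `builder.ssh`).
        '';
      };

      config = lib.mkIf cfg.enable {
        # The account itself (uid/group/authorized keys) comes from the user
        # catalog; this module only turns it on and layers deploy privileges on it.
        chiasson.users.enabled = lib.mkAfter [ "builder" ];

        users.users.builder = {
          # Lock password login. `hashedPassword = "!"` is the shadow(5) "no valid
          # hash" marker that NixOS recognises as "password login disabled".
          # NOTE(review): the previous `password = "!"` used the *clear-text*
          # option, i.e. it set a working password of "!" (hashed at activation,
          # with the clear text left in the world-readable Nix store) -- the
          # opposite of the "password locked" assumption below.
          hashedPassword = "!";
          # nix copy / navi push opens an SSH session; nologin breaks the store protocol.
          shell = pkgs.bash;
        };

        # A trusted user can pass arbitrary daemon settings (substituters, sandbox
        # options, ...) to nix-daemon, so this is already root-equivalent on the
        # store before sudo enters the picture; the SSH key is the real boundary.
        nix.settings.trusted-users = lib.mkAfter [ "builder" ];

        # Navi wraps remote steps in `sudo -H --` (nix-env, switch-to-configuration,
        # provenance under /etc/navi, readlink, ...). Scoped store-path rules are fragile;
        # this account has no wheel; SSH/key-only in practice (password locked above).
        # NOTE(review): this module does not itself pin the SSH side (authorized keys,
        # PasswordAuthentication, `from=` restrictions); that is expected to live in
        # the catalog `builder.ssh` entry -- confirm it really is key-only there.
        security.sudo.extraRules = [
          {
            users = [ "builder" ];
            commands = [
              {
                command = "ALL";
                options = [
                  "NOPASSWD"
                  # SETENV lets the caller bypass env_reset (`sudo -E`, `VAR=x sudo ...`).
                  # With command = "ALL" it grants no extra privilege; presumably kept so
                  # navi can forward NIX_* variables -- verify it is actually needed.
                  "SETENV"
                ];
              }
            ];
          }
        ];
      };
    };
}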