From 02ded5d4f0d53eaeb68f1b68469926fd21acc6db Mon Sep 17 00:00:00 2001
From: _cry64
Date: Sun, 8 Mar 2026 02:21:51 +1000
Subject: [PATCH] TEMP fix for cerubld not having permissions
---
 cerulean/nixos/remote-deploy/default.nix | 30 ++++++++++++++++--------
 1 file changed, 20 insertions(+), 10 deletions(-)
diff --git a/cerulean/nixos/remote-deploy/default.nix b/cerulean/nixos/remote-deploy/default.nix
index f2f4a90..4aa39fd 100644
--- a/cerulean/nixos/remote-deploy/default.nix
+++ b/cerulean/nixos/remote-deploy/default.nix
@@ -21,13 +21,13 @@ in {
 one publicKey authorized for ssh deployment! Try setting `nodes.nodes..deploy.ssh.publicKeys = [ ... ]` <3 ''; }
- {
- assertion = cfg.isSystemUser && !cfg.isNormalUser;
- message = ''
- The Cerulean deployment user `${user}` for node `${hostname}` has been configured incorrectly.
- Ensure `users.users.${user}.isSystemUser == true` and `users.users.${user}.isNormalUser == false`.
- '';
- }
+ # {
+ # assertion = cfg.isSystemUser && !cfg.isNormalUser;
+ # message = ''
+ # The Cerulean deployment user `${user}` for node `${hostname}` has been configured incorrectly.
+ # Ensure `users.users.${user}.isSystemUser == true` and `users.users.${user}.isNormalUser == false`.
+ # '';
+ # }
 ]; warnings = lib.optional (node.deploy.warnNonstandardDeployUser && !isStandardDeployUser) ''
@@ -47,12 +47,16 @@ in {
 users = [user]; runAs = "${node.deploy.user}:ALL"; commands = [
- "${pkgs.nix}/bin/nix"
+ # "${pkgs.nix}/bin/nix"
+ "ALL" # XXX: WARNING: FIX: TODO: DO NOT FUCKING USE `ALL`
 ]; } ]; };
+ # XXX: WARNING: FIX: TODO: use `trusted-public-keys` instead
+ nix.settings.trusted-users = [user];
+ # ensure deployment user has SSH permissions
 services.openssh.settings.AllowUsers = [user];
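Review bot: The assertion enforcing `cfg.isSystemUser && !cfg.isNormalUser` is commented out rather than removed or relaxed, and nothing on the new side records which configuration tripped it; since hunk 3 still sets `isSystemUser = true;` and `group = user;` for `users.${user}`, it is not obvious from the diff why the check had to go. A commented-out block rots silently, and this check appears to be what kept the account that receives the sudo and SSH grants below a non-login system user. Suggest either leaving the assertion in place, or replacing the seven `# ...` lines with one comment that states the failing condition and the follow-up, e.g. `# TODO(<owner>): isSystemUser/isNormalUser assertion disabled on <date> because <reason>; restore once cerubld permissions are fixed`. The `assertions` list this entry sits in starts before the hunk.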
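Review bot: `"ALL"` in the sudo `commands` list, combined with the existing `runAs = "${node.deploy.user}:ALL"`, grants `user` unrestricted sudo as the deploy user and any group, replacing a rule that previously allowed only `${pkgs.nix}/bin/nix`; every key in `node.deploy.ssh.publicKeys` therefore now has arbitrary command execution as `${node.deploy.user}` on the node. The added `nix.settings.trusted-users = [user];` widens this further: the Nix manual describes trusted users as essentially equivalent to root, because they can set substituters and import unsigned store paths. The inline XXX comments acknowledge both, but a TEMP commit with this reach should at least enumerate what is actually needed: keep `"${pkgs.nix}/bin/nix"` and add only the specific binary whose missing permission motivated the change, and, as the second comment itself proposes, sign the closures and use `trusted-public-keys` rather than `trusted-users`. The enclosing sudo rules attribute starts outside the hunk.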
@@ -61,11 +65,17 @@ in {
 users.${user} = { enable = true;
- isSystemUser = true;
- group = user;
 description = "Cerulean's user for building and remote deployment.";
+ isSystemUser = true;
+ group = user;
+
+ createHome = true;
+ home = "/var/lib/cerulean/cerubld";
+
+ useDefaultShell = false; shell = pkgs.bash;
+ openssh.authorizedKeys.keys = node.deploy.ssh.publicKeys; }; };
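Review bot: `home = "/var/lib/cerulean/cerubld";` hard-codes the account name while the attribute is keyed on `users.${user}` and the surrounding module (`group = user;`, the assertion message in hunk 1) treats `user` as a variable, so a node whose deploy user is not literally `cerubld` gets a home directory named after a different account. Use the interpolation the file already uses elsewhere: `home = "/var/lib/cerulean/${user}";`. `useDefaultShell = false;` next to an explicit `shell = pkgs.bash;` appears to restate the option's default and could be dropped, or given a one-line comment saying why it is spelled out. The enclosing `users.users` attribute set starts outside the hunk.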