migrate to cerubld user

2026-03-07 23:48:38 +10:00 · 2026-03-07 23:48:38 +10:00 · 630389a598
commit 630389a598
parent 6b579dff1e
3 changed files with 116 additions and 22 deletions
--- a/cerulean/nixos/default.nix
+++ b/cerulean/nixos/default.nix
@ -13,29 +13,32 @@
 # limitations under the License.
 {
  root,
-  pkgs,
  system,
+  hostname,
+  node,
+  pkgs,
+  lib,
  _cerulean,
  ...
 } @ args: {
-  imports = with _cerulean.inputs;
+  imports =
    [
+      _cerulean.inputs.sops-nix.nixosModules.sops
+      # _cerulean.inputs.microvm.nixosModules.microvm
+
      # add support for `options.legacyImports`
      # ./legacy-imports.nix

-      # user configuration
-      (import /${root}/nixpkgs.nix)
-      # options declarations
+      # nixos options declarations
      (import ./nixpkgs.nix (args // {contextName = "hosts";}))

-      sops-nix.nixosModules.sops
-      # microvm.nixosModules.microvm
+      # user's nixpkg configuration
+      (import /${root}/nixpkgs.nix)
    ]
-    ++ (
-      if _cerulean.homeManager != null
-      then [./home.nix]
-      else []
-    );
+    # homemanager options declarations
+    ++ (lib.optional (_cerulean.homeManager != null) ./home.nix)
+    # remote deployment configuration
+    ++ (lib.optional (node.deploy.ssh.host != null) ./remote-deploy);

  networking.hostName = lib.mkDefault hostname;

--- a/cerulean/nixos/remote-deploy/default.nix
+++ b/cerulean/nixos/remote-deploy/default.nix
@ -0,0 +1,72 @@
+{
+  config,
+  node,
+  lib,
+  pkgs,
+  hostname,
+  ...
+}: let
+  user = node.deploy.ssh.user;
+  cfg = config.users.users.${user};
+
+  DEFAULT_USER = "cerubld";
+
+  isStandardDeployUser = user == DEFAULT_USER;
+in {
+  assertions = [
+    {
+      assertion = builtins.length node.deploy.ssh.publicKeys != 0;
+      message = ''
+        The Cerulean deployment user `${user}` for node `${hostname}` must have at least
+        one publicKey authorized for ssh deployment! Try setting `nodes.nodes.<name>.deploy.ssh.publicKeys = [ ... ]` <3
+      '';
+    }
+    {
+      assertion = cfg.isSystemUser && !cfg.isNormalUser;
+      message = ''
+        The Cerulean deployment user `${user}` for node `${hostname}` has been configured incorrectly.
+        Ensure `users.users.${user}.isSystemUser == true` and `users.users.${user}.isNormalUser == false`.
+      '';
+    }
+  ];
+
+  warnings = lib.optional (node.deploy.warnNonstandardDeployUser && !isStandardDeployUser) ''
+    The Cerulean deplyment user `${user}` for node `${hostname}` has been overriden.
+    It is recommended to leave this user as `${DEFAULT_USER}` unless you TRULY understand what you are doing!
+    This message can be disabled by setting `<node>.deploy.warnNonstandardBuildUser = false`.
+  '';
+
+  # prefer sudo-rs over sudo
+  security.sudo-rs = {
+    enable = true;
+    wheelNeedsPassword = true;
+
+    # allow the build user to run nix commands
+    extraRules = [
+      {
+        users = [user];
+        runAs = "${node.deploy.user}:ALL";
+        commands = [
+          "${pkgs.nix}/bin/nix"
+        ];
+      }
+    ];
+  };
+
+  # ensure deployment user has SSH permissions
+  services.openssh.settings.AllowUsers = [user];
+
+  users = lib.mkIf isStandardDeployUser {
+    groups.${user} = {};
+
+    users.${user} = {
+      enable = true;
+      isSystemUser = true;
+      group = user;
+      description = "Cerulean's user for building and remote deployment.";
+
+      shell = pkgs.bash;
+      openssh.authorizedKeys.keys = node.deploy.ssh.publicKeys;
+    };
+  };
+}
--- a/cerulean/snow/nodes/submodule.nix
+++ b/cerulean/snow/nodes/submodule.nix
@ -59,23 +59,32 @@
        default = "root";
        example = "admin";
        description = ''
-          The user that the system derivation will be deployed to. The command specified in
+          The user that the system derivation will be built with. The command specified in
          `<node>.deploy.sudoCmd` will be used if `<node>.deploy.user` is not the
          same as `<node>.deploy.ssh.user` the same as above).
        '';
      };

-      sudoCmd = mkOption {
-        type = types.str;
-        default = "sudo -u";
-        example = "doas -u";
+      warnNonstandardDeployUser = mkOption {
+        type = types.bool;
+        default = true;
+        example = false;
        description = ''
-          Which sudo command to use. Must accept at least two arguments:
-          1. the user name to execute commands as
-          2. the rest is the command to execute
+          Disables the warning that shows when `deploy.ssh.user` is set to a non-standard value.
        '';
      };

+      # sudoCmd = mkOption {
+      #   type = types.str;
+      #   default = "sudo -u";
+      #   example = "doas -u";
+      #   description = ''
+      #     Which sudo command to use. Must accept at least two arguments:
+      #     1. the user name to execute commands as
+      #     2. the rest is the command to execute
+      #   '';
+      # };
+
      interactiveSudo = mkOption {
        type = types.bool;
        default = false;
@ -145,8 +154,8 @@

      ssh = {
        host = mkOption {
-          type = types.str;
-          default = "";
+          type = types.nullOr types.str;
+          default = null;
          example = "dobutterfliescry.net";
          description = ''
            The host to connect to over ssh during deployment
@ -171,6 +180,16 @@
          '';
        };

+        publicKeys = mkOption {
+          type = types.listOf types.str;
+          default = [];
+          example = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIeyZuUUmyUYrYaEJwEMvcXqZFYm1NaZab8klOyK6Imr me@puter"];
+          description = ''
+            SSH public keys that will be authorized to the deployment user.
+            This key is intended solely for deployment, allowing for fine-grained permission control.
+          '';
+        };
+
        opts = mkOption {
          type = types.listOf types.str;
          default = [];