migrate to cerubld user

TODO.md

@@ -5,9 +5,6 @@
 - [ ] support hs system per dir, ie hosts/<name>/overlays or hosts/<name>/nixpkgs.nix
 
 ## Queued
-- [X] base should automatically be set as the default (dont do anything with the default)
-- [X] try to remove common foot guns, ie abort if the user provides the home-manager or microvm nixosModules
-      since cerulean ALREADY provides these
 - [ ] per node home configuration is a lil jank rn
 
 - [ ] deploy port should default to the first port given to `services.openssh`

cerulean/nixos/default.nix

@@ -13,29 +13,34 @@
 # limitations under the License.
 {
   root,
-  pkgs,
   system,
+  hostname,
+  node,
+  pkgs,
+  lib,
   _cerulean,
   ...
 } @ args: {
-  imports = with _cerulean.inputs;
+  imports =
     [
+      _cerulean.inputs.sops-nix.nixosModules.sops
+      # _cerulean.inputs.microvm.nixosModules.microvm
+
       # add support for `options.legacyImports`
       # ./legacy-imports.nix
 
-      # user configuration
+      # nixos options declarations
-      (import /${root}/nixpkgs.nix)
-      # options declarations
       (import ./nixpkgs.nix (args // {contextName = "hosts";}))
 
-      sops-nix.nixosModules.sops
+      # user's nixpkg configuration
-      # microvm.nixosModules.microvm
+      (import /${root}/nixpkgs.nix)
     ]
-    ++ (
+    # homemanager options declarations
-      if _cerulean.homeManager != null
+    ++ (lib.optional (_cerulean.homeManager != null) ./home.nix)
-      then [./home.nix]
+    # remote deployment configuration
-      else []
+    ++ (lib.optional (node.deploy.ssh.host != null) ./remote-deploy);
-    );
+
+  networking.hostName = lib.mkDefault hostname;
 
   environment.systemPackages =
     (with pkgs; [

cerulean/nixos/remote-deploy/default.nix

@@ -0,0 +1,72 @@
+{
+  config,
+  node,
+  lib,
+  pkgs,
+  hostname,
+  ...
+}: let
+  user = node.deploy.ssh.user;
+  cfg = config.users.users.${user};
+
+  DEFAULT_USER = "cerubld";
+
+  isStandardDeployUser = user == DEFAULT_USER;
+in {
+  assertions = [
+    {
+      assertion = builtins.length node.deploy.ssh.publicKeys != 0;
+      message = ''
+        The Cerulean deployment user `${user}` for node `${hostname}` must have at least
+        one publicKey authorized for ssh deployment! Try setting `nodes.nodes.<name>.deploy.ssh.publicKeys = [ ... ]` <3
+      '';
+    }
+    {
+      assertion = cfg.isSystemUser && !cfg.isNormalUser;
+      message = ''
+        The Cerulean deployment user `${user}` for node `${hostname}` has been configured incorrectly.
+        Ensure `users.users.${user}.isSystemUser == true` and `users.users.${user}.isNormalUser == false`.
+      '';
+    }
+  ];
+
+  warnings = lib.optional (node.deploy.warnNonstandardDeployUser && !isStandardDeployUser) ''
+    The Cerulean deplyment user `${user}` for node `${hostname}` has been overriden.
+    It is recommended to leave this user as `${DEFAULT_USER}` unless you TRULY understand what you are doing!
+    This message can be disabled by setting `<node>.deploy.warnNonstandardBuildUser = false`.
+  '';
+
+  # prefer sudo-rs over sudo
+  security.sudo-rs = {
+    enable = true;
+    wheelNeedsPassword = true;
+
+    # allow the build user to run nix commands
+    extraRules = [
+      {
+        users = [user];
+        runAs = "${node.deploy.user}:ALL";
+        commands = [
+          "${pkgs.nix}/bin/nix"
+        ];
+      }
+    ];
+  };
+
+  # ensure deployment user has SSH permissions
+  services.openssh.settings.AllowUsers = [user];
+
+  users = lib.mkIf isStandardDeployUser {
+    groups.${user} = {};
+
+    users.${user} = {
+      enable = true;
+      isSystemUser = true;
+      group = user;
+      description = "Cerulean's user for building and remote deployment.";
+
+      shell = pkgs.bash;
+      openssh.authorizedKeys.keys = node.deploy.ssh.publicKeys;
+    };
+  };
+}

cerulean/snow/default.nix

@@ -86,9 +86,10 @@ in
 
           userArgs = nodes.args // node.args;
           ceruleanArgs = {
-            inherit systems root base;
+            inherit systems root base node;
             inherit (node) system;
             inherit (this) snow;
+            hostname = name;
 
             _cerulean = {
               inherit inputs userArgs ceruleanArgs homeManager;
@@ -128,7 +129,6 @@ in
           (node.deploy)
           ssh
           user
-          sudoCmd
           interactiveSudo
           remoteBuild
           rollback
@@ -140,14 +140,17 @@ in
 
         nixosFor = system: inputs.deploy-rs.lib.${system}.activate.nixos;
       in {
-        hostname = ssh.host;
+        hostname =
+          if ssh.host != null
+          then ssh.host
+          else "";
 
         profilesOrder = ["default"]; # profiles priority
         profiles.default = {
           path = nixosFor node.system nixosConfigurations.${name};
 
           user = user;
-          sudo = sudoCmd;
+          sudo = "sudo -u";
           interactiveSudo = interactiveSudo;
 
           fastConnection = false;

cerulean/snow/nodes/submodule.nix

@@ -59,23 +59,32 @@
         default = "root";
         example = "admin";
         description = ''
-          The user that the system derivation will be deployed to. The command specified in
+          The user that the system derivation will be built with. The command specified in
           `<node>.deploy.sudoCmd` will be used if `<node>.deploy.user` is not the
           same as `<node>.deploy.ssh.user` the same as above).
         '';
       };
 
-      sudoCmd = mkOption {
+      warnNonstandardDeployUser = mkOption {
-        type = types.str;
+        type = types.bool;
-        default = "sudo -u";
+        default = true;
-        example = "doas -u";
+        example = false;
         description = ''
-          Which sudo command to use. Must accept at least two arguments:
+          Disables the warning that shows when `deploy.ssh.user` is set to a non-standard value.
-          1. the user name to execute commands as
-          2. the rest is the command to execute
         '';
       };
 
+      # sudoCmd = mkOption {
+      #   type = types.str;
+      #   default = "sudo -u";
+      #   example = "doas -u";
+      #   description = ''
+      #     Which sudo command to use. Must accept at least two arguments:
+      #     1. the user name to execute commands as
+      #     2. the rest is the command to execute
+      #   '';
+      # };
+
       interactiveSudo = mkOption {
         type = types.bool;
         default = false;
@@ -145,8 +154,8 @@
 
       ssh = {
         host = mkOption {
-          type = types.str;
+          type = types.nullOr types.str;
-          default = "";
+          default = null;
           example = "dobutterfliescry.net";
           description = ''
             The host to connect to over ssh during deployment
@@ -171,6 +180,16 @@
           '';
         };
 
+        publicKeys = mkOption {
+          type = types.listOf types.str;
+          default = [];
+          example = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIeyZuUUmyUYrYaEJwEMvcXqZFYm1NaZab8klOyK6Imr me@puter"];
+          description = ''
+            SSH public keys that will be authorized to the deployment user.
+            This key is intended solely for deployment, allowing for fine-grained permission control.
+          '';
+        };
+
         opts = mkOption {
           type = types.listOf types.str;
           default = [];