# A NixOS module which enables remotely-triggered deployment updates.
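{ config, ... }:
let
  # Build one authorized_keys entry that lets the holder of `pubKey` run
  # `command` and nothing else.
  #
  #   * `restrict` switches off every optional capability for the key
  #     (port/agent/X11 forwarding, PTY allocation, ~/.ssh/rc execution).
  #     It needs OpenSSH 7.2 or newer.
  #   * `command="..."` forces that program whatever the client requests.
  #     The client's own request is still exposed to the program as
  #     $SSH_ORIGINAL_COMMAND, so the script must ignore it or validate it
  #     strictly.
  #
  # Both arguments are embedded verbatim. `command` must not contain a double
  # quote, and neither argument may contain a newline, otherwise the entry
  # would be parsed as different options or as an extra key line.
  # A path passed as `command` is copied into the (world-readable) Nix store
  # by the interpolation, so the script itself must not contain secrets.
  restrictedKey = pubKey: command:
    "restrict,command=\"${command}\" ${pubKey}";
in
{
  options = {
    # NOTE(review): nothing is declared here, yet the config below reads
    # `cfg.deployKey`. `cfg` is not bound anywhere in this file as shown, so
    # evaluation fails with an undefined variable until the option is declared
    # and `cfg` is bound to it in the `let` above.
  };

  config = {
    # NOTE(review): only the key list is set for this account here. Confirm
    # the account type (system vs. normal user) and the shell are defined
    # elsewhere.
    users.users.deployment = {
      openssh.authorizedKeys.keys = [
        # The parentheses are required. Nix list elements are separated by
        # whitespace, so without them this would be three elements (a
        # function, the key and a path) rather than one restricted key line.
        (restrictedKey cfg.deployKey ./update-deployment)
      ];
    };
  };
}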