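# A NixOS module which enables remotely-triggered deployment updates.
{ config, ... }: let
  # Compute an authorized_keys line that allows the holder of a certain key to
  # execute a certain command *only*.
  #
  # pubKey:  one public key in authorized_keys format, on a single line.
  # command: the forced command.  It is interpolated into a string, so a path
  #          value is copied into the Nix store and the resulting store path
  #          is what ends up in the authorized_keys line.
  #
  # `restrict` enables every restriction sshd supports (no port, agent or X11
  # forwarding, no PTY, no ~/.ssh/rc), and `command=` makes sshd run the given
  # command regardless of what the client requested.  The client's requested
  # command is still handed to the forced command in SSH_ORIGINAL_COMMAND, so
  # the forced command has to treat that value as untrusted input.
  #
  # Neither argument is escaped here: a double quote in `command` would end
  # the command="..." option early, and any text after a newline in `pubKey`
  # would be read as a separate authorized_keys line without these options.
  restrictedKey = pubKey: command: "restrict,command=\"${command}\" ${pubKey}";
in {
  options = {
  };

  config = {
    users.users.deployment = {
      openssh.authorizedKeys.keys = [
        # The parentheses are required: Nix list elements are separated by
        # whitespace, so without them this would be a three-element list
        # (a function, the key and a path) instead of one restricted key line.
        #
        # NOTE(review): `cfg` is not bound anywhere in this file as shown, and
        # `options` declares no `deployKey`; both have to be added before this
        # module can evaluate.
        (restrictedKey cfg.deployKey ./update-deployment)
      ];
    };
  };
}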