  • # A NixOS module which enables remotely-triggered deployment updates.
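    { config, ... }:
    let
      # Build one authorized_keys entry that pins `pubKey` to a single forced
      # command. sshd's `restrict` option disables port, agent and X11
      # forwarding as well as PTY allocation, and `command="..."` makes sshd run
      # `command` no matter what the client requested.
      #
      # `command` is spliced between double quotes without escaping, so it must
      # not contain a `"`. A path literal such as ./update-deployment is copied
      # to the Nix store when interpolated, which yields a quote-free store path.
      # `pubKey` must be a single line; an embedded newline would start a second,
      # unrestricted authorized_keys entry.
      #
      # The command the client asked for is still exposed to the forced command
      # in SSH_ORIGINAL_COMMAND; the script has to treat it as untrusted input.
      restrictedKey = pubKey: command: "restrict,command=\"${command}\" ${pubKey}";
    in {
      # NOTE(review): no options are declared yet, and `cfg` (used below) is not
      # bound anywhere in this file, so evaluation stops with an
      # undefined-variable error until the deploy-key option and a matching
      # `cfg = config.<option path>;` binding are added.
      options = {
      };

      config = {
        users.users.deployment = {
          openssh.authorizedKeys.keys = [
            # Parenthesised on purpose: list elements are whitespace-separated in
            # Nix, so without the parentheses this would be three separate
            # elements (a function, a key and a path) instead of one call, and
            # the key would end up in authorized_keys without any restriction.
            (restrictedKey cfg.deployKey ./update-deployment)
          ];
        };
      };
    }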