Newer
Older
# A NixOS module which enables remotely-triggered deployment updates.
{ config, lib, ... }:
# A handy alias for our part of the configuration.
cfg = config.services.private-storage.deployment;
# Compute an authorized_keys line that allows the holder of a certain key to
# execute a certain command *only*.
restrictedKey =
{ authorizedKey, command, gridName }:
"restrict,command=\"${command} ${gridName}\" ${authorizedKey}";
in {
options = {
services.private-storage.deployment.authorizedKey = lib.mkOption {
type = lib.types.str;
example = lib.literalExample ''
ssh-ed25519 AAAAC3N...
'';
description = ''
The SSH public key to authorize to trigger a deployment update.
'';
};
services.private-storage.deployment.gridName = lib.mkOption {
type = lib.types.str;
example = lib.literalExample "staging";
description = ''
The name of the grid configuration to use to update this deployment.
'';
};
};
config = {
users.users.deployment = {
# Without some shell no login is possible at all, even to execute our
# restricted command.
useDefaultShell = true;
# Without a home directory, lots of tools break.
createHome = true;
home = "/home/deployment";
openssh.authorizedKeys.keys = [
(restrictedKey {
inherit (cfg) authorizedKey gridName;
command = ./update-deployment;
})
];
};
};
}