How to properly deploy to remote?

Hi, I’m toying with deploying a home server using nixos and I encounter a few problems. I initially installed nixos on the server (a mini pc) with nixos-anywhere. I added my ssh-key and I can ssh into the server no problem.

Now, when I try to do nixos-rebuild switch --flake .#server --target-host <user>@<ip> it throws out error: filesystem error: cannot create symlink: Permission denied. I can get around this by using --use-remote-sudo, but it then prompts me to manually type the password.

I have the user set as trusted on the server config. Also, the <user>.openssh.authorizedKeys.keys doesn’t seem to be reflected on the server after a rebuild.

Thanks for any help!

I use the following on the deployed/remote server to not have to type in sudo:

  users.users.myuser = {
    # ...
    extraGroups = [
      "wheel" # Enable ‘sudo’ for the user.
      # ...
    ];
  };

  # Don't ask for password when using sudo.
  security.sudo.wheelNeedsPassword = false;

At that point you’re just making those users root, seems to be of questionable security.

1 Like

I dunno: keys are pretty good. What’s the model here? Some threat that can read your private keys but can’t install a keylogger? No services run as a regular user that face the network typically, so it’s unlikely for someone to get a shell for your user that way.

The only real thing I think sudo passwords can protect against is unattended privilege escalation because you left your computer unlocked. I guess if that’s a concern so be it. For some remote system I don’t see the benefit at all.

Then just ssh in as root at that point and disable pw login

2 Likes

I use ssh keys for sudo. Not sure if it works with --use-remote-sudo.

security = {
    pam = {
        rssh.enable     =  true;
        services = {
            sudo.rssh   =  true;
        };
    };
    sudo.execWheelOnly  =  true;
};

Not in /etc/ssh/authorized_keys.d/ ?

Don’t forget ssh agent auth is an option:

  security.pam = {
    sshAgentAuth.enable = true;
    services.sudo.sshAgentAuth = true;
  };

(I think to be more secure one should also use security.pam.sshAgentAuth.authorizedKeysFiles)

I’m not sure exactly what classes of threat this protects against, but feels like a compromise between instant sudo without a password and requiring one. Particularly if one’s ssh keys were on a physical device?

Seems similar:

security.pam.rssh.enable
    Whether to enable authenticating using a signature performed by the ssh-agent.

security.pam.sshAgentAuth.enable
    Whether to enable authenticating using a signature performed by the ssh-agent.
    This allows using SSH keys exclusively, instead of passwords, for instance on
    remote machines.
1 Like
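
An added example, not code from any poster in the thread: a server-side module that combines the ssh-agent sudo suggestion with the `authorizedKeysFiles` restriction mentioned above, and shows the passwordless-wheel setting commented out for contrast. The user name `deploy` and the public key are placeholders.

```nix
# Added example. "deploy" and the key string are placeholders, not values from the thread.
{ ... }:
{
  users.users.deploy = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    # NixOS writes these keys to the root-owned file
    # /etc/ssh/authorized_keys.d/deploy, not to ~/.ssh/authorized_keys.
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAA...PLACEHOLDER deploy@workstation"
    ];
  };

  # The "trusted user" setting the original poster refers to.
  nix.settings.trusted-users = [ "deploy" ];

  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false; # key-only login
      PermitRootLogin = "no";         # escalation goes through sudo instead
    };
  };

  security.sudo.execWheelOnly = true;

  # Variant from the thread that removes the prompt entirely. Any process
  # running as a wheel user can then become root without proving anything:
  # security.sudo.wheelNeedsPassword = false;

  # Variant that keeps a proof step: sudo asks the caller's ssh-agent for a
  # signature instead of asking for a password.
  security.pam = {
    sshAgentAuth = {
      enable = true;
      # Accept only keys from the root-owned, declaratively managed files.
      # A key appended to ~/.ssh/authorized_keys by something running as
      # the user is then not accepted for sudo.
      authorizedKeysFiles = [ "/etc/ssh/authorized_keys.d/%u" ];
    };
    services.sudo.sshAgentAuth = true;
  };
}
```

For the sudo step to reach the agent during a remote rebuild, the SSH connection has to forward it, for example by setting `NIX_SSHOPTS="-A"` for the `nixos-rebuild ... --use-remote-sudo` call; this combination is an assumption and is not confirmed anywhere in the thread. A forwarded agent can be used by root on the server for as long as the connection is open, so forward it only to hosts you trust with that key.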

Then when you log in you can only perform privileged actions. If you never log in interactively sure, root / nopw is functionally identical.