I would like to configure my servers with the following command but with the minimal required sudo NOPASSWD config.
As in I don’t want the user to be able to run all commands without password.
If you don’t mind actually typing out a password occasionally, you can use export NIX_SSHOPTS="-t" (ideally in a devShell so you don’t forget) to work around the bug that --use-remote-sudo doesn’t launch a proper TTY to type your password into.
You’d specify the commands in security.sudo.extraRules.*.commands. I don’t think it’s guaranteed that those commands stay stable, though, so make sure you have an escape hatch somewhere.
Or if you’d like to over-engineer, parse nixos-rebuild during the build, so your commands are always up-to-date?
Thanks. The script looks like a good starting point.
I already have the NIX_SSHOPTS in my script, which requires two password inputs per host; that gets a bit annoying with the number of servers I’m currently running.
I’m going to start small; maybe I’ll over-engineer it at a later point ;).
The pseudo-terminal thing doesn’t seem to work anymore.
Without it I get:
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required
and with it, it’s:
Pseudo-terminal will not be allocated because stdin is not a terminal.
Also tried both, and piping the password into the command, i.e. pass some/password | nixos-rebuild switch --use-remote-sudo --target-host ... --flake ..., to no avail.
The code snippet I found on GitHub from @cole-h has served me well. You only need /nix/store/*/bin/switch-to-configuration, /run/current-system/sw/bin/nix-env and /run/current-system/sw/bin/nix-store for a passwordless remote deploy; the others in that snippet are just for something else, I guess.
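A concrete security.sudo.extraRules fragment granting only those three commands without a password, as an added example (not the @cole-h snippet or nixos-rebuild’s own code); the account name deploy is an assumption:

```nix
{ ... }:
{
  # Dedicated account used only for remote deploys (assumed name).
  users.users.deploy = {
    isNormalUser = true;
    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA...placeholder... deploy@host" ];
  };

  security.sudo.extraRules = [
    {
      users = [ "deploy" ];
      # Only the commands nixos-rebuild --use-remote-sudo actually runs on the
      # target; everything else still prompts for a password (or is denied).
      commands = [
        {
          # sudo wildcards do not match '/', so this covers exactly one store
          # path component, i.e. any <hash>-nixos-system-*/bin/switch-to-configuration.
          command = "/nix/store/*/bin/switch-to-configuration";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/nix-env";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/nix-store";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];
}
```

Note that activating arbitrary system closures as root is effectively full root for that account, so keep it a dedicated deploy user rather than your everyday login.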