Deploying without Root
Requirements
NixOps 2.0 allows for deploying as users other than root, as long as the deploying user meets two requirements:
The user can become root without needing to type a password.
Nix considers the user to be a “trusted user”.
In this guide, we will use passwordless sudo.
We assume:
The deploying user’s name is “deployer”.
The target machine’s name is “hermes”.
The target machine is already managed by NixOps.
Steps
Configure the target machine according to the listed requirements.
Update the NixOps network to use our alternative user.
Deploy as the new user.
Configuring the Target Machine
First, mark the deploying user as trusted:
{
  nix.trustedUsers = [ "deployer" ];
}
This will let the user copy Nix store paths to the target.
Let the deploying user use sudo:
{
  users.users.deployer.extraGroups = [ "wheel" ];
}
Then, we configure the machine to have passwordless sudo:
{
  security.sudo.wheelNeedsPassword = false;
}
Now use NixOps to deploy these changes to the server before taking the next step.
Configuring the NixOps Network
Edit your nixops.nix to specify the machine's deployment.targetUser:
{
  network.description = "Non-root deployment";

  hermes =
    { resources, ... }:
    {
      deployment.targetUser = "deployer";
    };
}
Testing our Changes
Then, run nixops deploy to update the NixOps database. This deploy will use your "deployer" user instead of root.
Try running nixops ssh, and see that you are logged in as "deployer".
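The check above only confirms the login identity. The two requirements from the start of this guide (passwordless sudo and trusted-user status) can be confirmed from the same session. The script below is an added example, not part of the NixOps documentation; it assumes the machine name "hermes" and the user "deployer" from this guide, and the `key = value` output format of `nix show-config`. The parsing helper takes that output on stdin so it can be exercised offline with constructed text.

```shell
#!/bin/sh
# Added example (not from the NixOps docs): confirm the two non-root deployment
# requirements on a target that is already reachable through `nixops ssh`.

# Read `nix show-config` output on stdin and succeed only if USER appears in the
# trusted-users list. The line looks like: trusted-users = root deployer
# Usage: trusted_user_listed USER < config-output
trusted_user_listed() {
  user="$1"
  awk -v u="$user" '
    $1 == "trusted-users" { for (i = 3; i <= NF; i++) if ($i == u) found = 1 }
    END { exit(found ? 0 : 1) }'
}

# Run all checks against a machine in the current NixOps network.
# Usage: check_target MACHINE USER   (e.g. check_target hermes deployer)
# Kept in a function so the file can be sourced without contacting anything.
check_target() {
  machine="$1"
  user="$2"

  # 1. Which user the target actually sees us as.
  printf 'remote identity: '
  nixops ssh "$machine" -- id -un

  # 2. `sudo -n` never prompts: it fails outright if a password would be needed,
  #    which is exactly the condition security.sudo.wheelNeedsPassword = false removes.
  if nixops ssh "$machine" -- sudo -n true; then
    echo "passwordless sudo: ok"
  else
    echo "passwordless sudo: MISSING (sudo would prompt for a password)"
  fi

  # 3. Store paths can only be copied over by a trusted user.
  if nixops ssh "$machine" -- nix show-config | trusted_user_listed "$user"; then
    echo "trusted user: ok"
  else
    echo "trusted user: MISSING ($user is not in nix.trustedUsers)"
  fi
}
```

Run it with `check_target hermes deployer` after the deploy; any "MISSING" line means the corresponding option from the previous section has not reached the target yet, and the next `nixops deploy` will fail on that requirement.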
Notes
NixOps caches the target user and related variables in its state file, and commands like nixops send-keys and nixops ssh use the cached data. After changing these values, run nixops deploy to update the cache.