ALPHA: wire is a tool to deploy nixos systems wire.althaea.zone/
---
comment: true
title: Use a non-root user
description: Deploy without root permissions with wire.
---

# Use a non-root user

{{ $frontmatter.description }}

## Deploying User Requirements

For deployment commands to succeed, the user defined in `deployment.target.user` must meet the following criteria:

1. Essential Config

- **Sudo Access**: The user must be a member of the `wheel` group (a sudo user).
- **SSH Key Authentication**: The user must authenticate with SSH keys;
  password-based SSH authentication is not supported.

  **Why?** Wire can prompt you for your `sudo` password, but not your `ssh` password.

2. Deploying with Secrets

- **Trusted User**: The user must be listed in the `trusted-users` nix config.

  If the user is not trusted, wire will fail in the key deployment stage.

For setting up a trusted user, see [Manage Secrets - Prerequisites](/guides/keys.html#prerequisites).

## Changing the user

By default, the target user is set to root:

```nix
{
  deployment.target.user = "root";
}
```

It can be any user you want, as long as that user meets the requirements above.

```nix
{
  deployment.target.user = "root"; # [!code --]
  deployment.target.user = "deploy-user"; # [!code ++]
}
```

After this change, wire prompts you for sudo authentication and shows
the exact command it wants to run with elevated privileges:

```sh{6}
$ wire apply keys --on media
 INFO eval_hive: evaluating hive Flake("/path/to/hive")
...
 INFO media | step="Upload key @ NoFilter" progress="3/4"
deploy-user@node:22 | Authenticate for "sudo /nix/store/.../bin/key_agent":
[sudo] password for deploy-user:
```

## Using alternative privilege escalation

You may change the privilege escalation command with the
[deployment.privilegeEscalationCommand](/reference/module.html#deployment-privilegeescalationcommand)
option.

For example, doas:

```nix
{
  deployment.privilegeEscalationCommand = [
    "sudo" # [!code --]
    "--" # [!code --]
    "doas" # [!code ++]
  ];
}
```
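
A target-node configuration that meets the requirements listed under "Deploying User Requirements", as an added example rather than configuration from the wire project. It uses standard NixOS options; the SSH public key is a placeholder, and the sshd hardening is an assumption about your environment.

```nix
# Added example: NixOS module for the *target* node.
# "deploy-user" matches the name used on this page; the key is a placeholder.
{ ... }:
{
  users.users.deploy-user = {
    isNormalUser = true;
    # Sudo Access: wheel membership lets the user run sudo.
    extraGroups = [ "wheel" ];
    # SSH Key Authentication: wire cannot answer an SSH password prompt.
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAA...PLACEHOLDER deploy-user@workstation"
    ];
  };

  services.openssh = {
    enable = true;
    settings = {
      # Keys only, so the deploy account is not exposed to password guessing.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      # Assumption: nothing else still needs to log in as root over SSH.
      PermitRootLogin = "no";
    };
  };

  # Keep the NixOS default so sudo asks wheel members for a password;
  # that prompt is the one wire relays during a deployment.
  security.sudo.wheelNeedsPassword = true;

  # Trusted User: only needed when deploying secrets.
  # A trusted Nix user can drive the daemon in ways that amount to root on
  # this machine, so list only the deploy account here.
  nix.settings.trusted-users = [ "deploy-user" ];
}
```

Moving off `root` therefore narrows who can log in and adds a sudo prompt, but a user that is both in `wheel` and in `trusted-users` should still be protected like a root account.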