config: Enable authorization through ssh agent

This enables sudo-via-yubikey and therefore makes `-t` obsolete, in turn fixing a whole sleuth of issues with deploy-rs. *And* seems more secure and convenient at the same time.
2022-11-05 17:59:27 +00:00 · 2022-11-05 17:59:27 +00:00 · 997707021b
parent 0528f73187
commit 997707021b
2 changed files with 10 additions and 3 deletions
--- a/configuration/default.nix
+++ b/configuration/default.nix
@ -100,6 +100,15 @@
    gatewayPorts = "yes";
  };

+  security = {
+    sudo.execWheelOnly = true;
+
+    pam = {
+      enableSSHAgentAuth = true;
+      services.sudo.sshAgentAuth = true;
+    };
+  };
+
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
--- a/flake.nix
+++ b/flake.nix
@ -53,10 +53,8 @@
      };

      sshUser = "tlater";
-      sshOpts = ["-t" "-p" "2222"];
+      sshOpts = ["-p" "2222" "-o" "ForwardAgent=yes"];
      fastConnection = true;
-      # Currently broken, see https://github.com/serokell/deploy-rs/issues/78
-      magicRollback = false;
    };

    #########