From 997707021b70aa694ef863f6ae088e4c6fb4c702 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?=
Date: Sat, 5 Nov 2022 17:59:27 +0000
Subject: [PATCH] config: Enable authorization through ssh agent

This enables sudo-via-yubikey and therefore makes `-t` obsolete, in turn fixing a whole sleuth of issues with deploy-rs. *And* seems more secure and convenient at the same time.
---
 configuration/default.nix | 9 +++++++++
 flake.nix | 4 +---
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/configuration/default.nix b/configuration/default.nix
index f5d68fb..fc1ba7a 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -100,6 +100,15 @@
     gatewayPorts = "yes";
   };
 
+  security = {
+    sudo.execWheelOnly = true;
+
+    pam = {
+      enableSSHAgentAuth = true;
+      services.sudo.sshAgentAuth = true;
+    };
+  };
+
   services.nginx = {
     enable = true;
     recommendedTlsSettings = true;
diff --git a/flake.nix b/flake.nix
index 2dc31c0..04aa990 100644
--- a/flake.nix
+++ b/flake.nix
@@ -53,10 +53,8 @@
           };
           sshUser = "tlater";
-          sshOpts = ["-t" "-p" "2222"];
+          sshOpts = ["-p" "2222" "-o" "ForwardAgent=yes"];
           fastConnection = true;
-          # Currently broken, see https://github.com/serokell/deploy-rs/issues/78
-          magicRollback = false;
         };
 
         #########
-- 
2.44.1
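Review bot: The new `security.pam` block makes sudo authentication depend on an agent socket that is forwarded into the host, and nothing in this file records that trust relationship or which key list the PAM module consults. While a forwarded session is open, any process on the target that can reach the forwarded socket (root in particular) can satisfy the PAM challenge, so the "more secure" claim in the commit message only holds when the hardware key requires a touch per signature; I would state that assumption next to the option. A comment such as `# sudo authenticates against the ssh agent forwarded by deploy-rs (see sshOpts in flake.nix); relies on the key requiring touch confirmation` above `pam = {` would keep the two files from drifting apart. It is also worth confirming that the key list the module reads (the NixOS module's default authorized-keys path, as I understand it) is the one the deploy key is actually in; otherwise sudo silently falls back to the password prompt deploy-rs cannot answer.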
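Review bot: `ForwardAgent=yes` in the new `sshOpts` is required by the PAM change in configuration/default.nix, but the list gives no hint of that, and a future reader tidying options could drop it and break sudo on deploy. A one-line comment, `# ForwardAgent is required: sudo on the target authenticates via pam ssh-agent auth`, placed above `sshOpts = [...]` would make the coupling explicit. Forwarding also widens the exposure of the deploy key to the target for the duration of each run, so the hardware-key touch requirement the message alludes to is the real mitigation and deserves to be written down here. Separately, the hunk re-enables `magicRollback` by deleting the override, which the subject line does not mention; if the referenced deploy-rs issue is actually resolved, a short note in the message would make that intentional.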