Increase security: sudo with password, no more docker group for users

1 files changed, 19 insertions, 5 deletions

diff --git a/deploy.sh b/deploy.sh
index e4470c0..4d6387f 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -8,6 +8,8 @@ else
 	NIXHOSTLIST="$@"
 fi
 
+TMP_PATH=/tmp/tmp-deploy-$(date +%s)
+
 for NIXHOST in $NIXHOSTLIST; do
 	NIXHOST=${NIXHOST%.*}
 
@@ -21,13 +23,25 @@ for NIXHOST in $NIXHOSTLIST; do
 
 	echo "Sending NixOS config files"
 
-	cat configuration.nix | ssh -F ssh_config $SSH_DEST sudo tee /etc/nixos/configuration.nix > /dev/null
-	cat node/$NIXHOST.nix | ssh -F ssh_config $SSH_DEST sudo tee /etc/nixos/node.nix > /dev/null
-	cat node/$NIXHOST.site.nix | ssh -F ssh_config $SSH_DEST sudo tee /etc/nixos/site.nix > /dev/null
+	ssh -F ssh_config $SSH_DEST mkdir -p $TMP_PATH
+	cat configuration.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/configuration.nix > /dev/null
+	cat node/$NIXHOST.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/node.nix > /dev/null
+	cat node/$NIXHOST.site.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/site.nix > /dev/null
 
 	echo "Sending secret files"
-	test -f secrets/rclone.conf && (cat secrets/rclone.conf | ssh -F ssh_config $SSH_DEST sudo tee /root/rclone.conf > /dev/null)
+	test -f secrets/rclone.conf && (cat secrets/rclone.conf | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/rclone.conf > /dev/null)
 
 	echo "Rebuilding NixOS"
-	ssh -F ssh_config $SSH_DEST sudo nixos-rebuild switch
+
+	ssh -F ssh_config $SSH_DEST tee $TMP_PATH/deploy.sh > /dev/null <<EOF
+set -ex
+
+cd $TMP_PATH
+mv configuration.nix node.nix site.nix /etc/nixos
+test -f rclone.conf && (mv rclone.conf /root; chmod 600 /root/rclone.conf)
+nixos-rebuild switch
+EOF
+
+	ssh -t -F ssh_config $SSH_DEST sudo sh $TMP_PATH/deploy.sh
+	ssh -F ssh_config $SSH_DEST rm -rv $TMP_PATH
 done