Skip to content

Commit

Permalink
Merge pull request #119 from ryan4yin/remote-deployment-ssh-known-hosts
Browse files Browse the repository at this point in the history 
feat:  remote-deployment - about ssh known_hosts
  • Loading branch information
@ryan4yin
ryan4yin committed Mar 15, 2024
2 parents 81a0783 + 1fbdfec commit f96986b
Show file tree
Hide file tree
Showing 2 changed files with 11 additions and 2 deletions.
6 changes: 5 additions & 1 deletion docs/best-practices/remote-deployment.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,11 @@ Before embarking on remote deployment, a few preparatory steps are necessary:
2. Add `security.sudo.wheelNeedsPassword = false;` to the remote host's configuration and manually deploy once in advance to grant the user passwordless sudo permissions..
1. **This will allow user-level programs to silently obtain sudo permissions, posing a security risk**! Therefore, if you choose this method, it's advisable to create a dedicated user for remote deployment, rather than using your regular user account!
2. Configure SSH public key authentication for the remote hosts.

1. Use the `users.users.<name>.openssh.authorizedKeys.keys` option to complete this task.
1. Add the remote host's Known Hosts record to your local machine. Otherwise, colmena/nixos-rebuild will fail to deploy due to the inability to verify the remote host's identity.
1. Use the `programs.ssh.knownHosts` option to add the remote host's public key to the Known Hosts record.
1. Manually use the `ssh root@<you-host>` command to verify that you can login to the remote host.
1. If you encounter any issues, resolve them before proceeding.

It's advisable to use the `root` user for deployment as it's more convenient and avoids the complexities of sudo permissions.

Expand Down
7 changes: 6 additions & 1 deletion docs/zh/best-practices/remote-deployment.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,12 @@ Nix 本身的设计就很适合远程部署,Nix 社区也有许多专门用于
1. 以远程主机的 `root` 用户身份部署,这是推荐使用的方法。
2. 在远程主机的配置中添加 `security.sudo.wheelNeedsPassword = false;` 并提前手动部署一次,从而为用户授予免密码验证的 sudo 权限。
1. **这会导致用户级别的程序能静默获取 sudo 权限,存在安全风险**!因此如果选用这种方法,建议远程部署创建一个专门的用户,不应该使用自己的常用用户!
2. 为远程主机配置 SSH 公钥身份验证。
2. 为远程主机配置 SSH 公钥身份验证
1. 可使用 `users.users.<name>.openssh.authorizedKeys.keys` 配置项完成配置。
1. 在本机主机上添加好远程主机的 Known Hosts 记录,否则 colmena/nixos-rebuild 会因为无法验证远程主机的身份而部署失败。
1. 可使用 `programs.ssh.knownHosts` 配置项将远程主机的公钥添加到 Known Hosts 记录中。
1. 手动使用 `ssh root@<you-host>` 命令,验证能正常登录到远程主机。
1. 如果遇到任何问题,请先解决它们,再继续后续操作。

建议使用 `root` 用户进行部署,因为这更方便且不需要额外的配置,没有令人头疼的 sudo 权限问题。

Expand Down

0 comments on commit f96986b

Please sign in to comment.