add deploy-rs for remotely deploy nixos config

nixos/configurations/Cape/default.nix

@@ -17,6 +17,7 @@
       unixName = "alice";
       hostName = "Cape";
     };
+    users.deploy.enable = true;
     programs = {
       openssh.enable = true;
       tailscale.enable = true;

nixos/configurations/Cape/users/default.nix

@@ -12,6 +12,7 @@
     ];
   };
 
+  users.mutableUsers = false;
   programs.fish.enable = true;
   users.users.alice.shell = pkgs.fish;
   users.users.alice.openssh.authorizedKeys.keyFiles = [

nixos/modules/default.nix

@@ -1,4 +1,5 @@
 {
+  pkgs,
   inputs,
   outputs,
   ...
@@ -15,6 +16,7 @@
       disko.nixosModules.disko
     ])
     ++ [
+      ./deploy
       ./nix.nix
       ./home.nix
       ./sops.nix
@@ -39,5 +41,8 @@
         additions
       ];
     };
+    environment.systemPackages = with pkgs; [
+      deploy-rs
+    ];
   };
 }

nixos/modules/deploy/default.nix

@@ -0,0 +1,25 @@
+{ config, lib, ... }:
+let
+  cfg = config.youthlic.users.deploy;
+in
+{
+  options = {
+    youthlic.users.deploy = {
+      enable = lib.mkEnableOption "deploy";
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    users.users.deploy = {
+      isNormalUser = true;
+      hashedPassword = "$y$j9T$B/igbpUxYMx9W4hV/Uc0/.$Z9.cTGfXQ0YD03MmfvDCd6.ijEo5L9v2CbrhN8Fvkf6";
+      home = "/home/deploy";
+      extraGroups = [
+        "wheel"
+        "nix"
+      ];
+      openssh.authorizedKeys.keyFiles = [
+        ./id_ed25519_deploy.pub
+      ];
+    };
+  };
+}

nixos/modules/deploy/id_ed25519_deploy.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHgT+TvQDdCJXpxCvqII7sE4KR3gpCDEhIt6RdL+mIny david@Tytonidae