From 1fbdfecf2598295f2527c45d04d70939f4769ce7 Mon Sep 17 00:00:00 2001 From: Ryan Yin Date: Fri, 15 Mar 2024 14:21:31 +0800 Subject: [PATCH] feat: remote-deployment - about ssh known_hosts --- docs/best-practices/remote-deployment.md | 6 +++++- docs/zh/best-practices/remote-deployment.md | 7 ++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/docs/best-practices/remote-deployment.md b/docs/best-practices/remote-deployment.md index 1c86e56..68691e7 100644 --- a/docs/best-practices/remote-deployment.md +++ b/docs/best-practices/remote-deployment.md @@ -19,7 +19,11 @@ Before embarking on remote deployment, a few preparatory steps are necessary: 2. Add `security.sudo.wheelNeedsPassword = false;` to the remote host's configuration and manually deploy once in advance to grant the user passwordless sudo permissions.. 1. **This will allow user-level programs to silently obtain sudo permissions, posing a security risk**! Therefore, if you choose this method, it's advisable to create a dedicated user for remote deployment, rather than using your regular user account! 2. Configure SSH public key authentication for the remote hosts. - + 1. Use the `users.users..openssh.authorizedKeys.keys` option to complete this task. +1. Add the remote host's Known Hosts record to your local machine. Otherwise, colmena/nixos-rebuild will fail to deploy due to the inability to verify the remote host's identity. + 1. Use the `programs.ssh.knownHosts` option to add the remote host's public key to the Known Hosts record. +1. Manually use the `ssh root@` command to verify that you can login to the remote host. + 1. If you encounter any issues, resolve them before proceeding. It's advisable to use the `root` user for deployment as it's more convenient and avoids the complexities of sudo permissions. diff --git a/docs/zh/best-practices/remote-deployment.md b/docs/zh/best-practices/remote-deployment.md index a2f547c..5888ba1 100644 --- a/docs/zh/best-practices/remote-deployment.md 
+++ b/docs/zh/best-practices/remote-deployment.md @@ -17,7 +17,12 @@ Nix 本身的设计就很适合远程部署,Nix 社区也有许多专门用于 1. 以远程主机的 `root` 用户身份部署,这是推荐使用的方法。 2. 在远程主机的配置中添加 `security.sudo.wheelNeedsPassword = false;` 并提前手动部署一次,从而为用户授予免密码验证的 sudo 权限。 1. **这会导致用户级别的程序能静默获取 sudo 权限,存在安全风险**!因此如果选用这种方法,建议远程部署创建一个专门的用户,不应该使用自己的常用用户! -2. 为远程主机配置 SSH 公钥身份验证。 +2. 为远程主机配置 SSH 公钥身份验证 + 1. 可使用 `users.users..openssh.authorizedKeys.keys` 配置项完成配置。 +1. 在本机主机上添加好远程主机的 Known Hosts 记录,否则 colmena/nixos-rebuild 会因为无法验证远程主机的身份而部署失败。 + 1. 可使用 `programs.ssh.knownHosts` 配置项将远程主机的公钥添加到 Known Hosts 记录中。 +1. 手动使用 `ssh root@` 命令,验证能正常登录到远程主机。 + 1. 如果遇到任何问题,请先解决它们,再继续后续操作。 建议使用 `root` 用户进行部署,因为这更方便且不需要额外的配置,没有令人头疼的 sudo 权限问题。
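Review bot: In the English hunk (`docs/best-practices/remote-deployment.md`) the added option path `users.users..openssh.authorizedKeys.keys` has an empty segment where the user name belongs, and `ssh root@` has no host, so the reader cannot tell what to fill in; write the placeholders out, e.g. `users.users.<name>.openssh.authorizedKeys.keys` and `ssh root@<remote-host>`, and keep them in backticks so the Markdown renderer does not swallow the angle brackets. The `programs.ssh.knownHosts` sub-item should also say where the host key has to come from: copy it out-of-band from the remote host itself (e.g. the contents of `/etc/ssh/ssh_host_ed25519_key.pub` read over a console or an already-trusted channel), not from whatever the first `ssh` connection presents, otherwise the declarative known_hosts entry merely pins a trust-on-first-use guess and offers no protection if that first deploy is intercepted. A one-line snippet such as `programs.ssh.knownHosts."<remote-host>".publicKey = "ssh-ed25519 AAAA... (copied from the remote host)";` would make the step concrete. Minor: the two new top-level items are numbered `1.` after `2.`; Markdown renumbers on render, but the source should read `3.` and `4.` (or use `1.` throughout), and the unchanged context line ending in "permissions.." has a doubled period that could be fixed while here.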
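Review bot: In the Chinese hunk (`docs/zh/best-practices/remote-deployment.md`) the rewritten line `+2. 为远程主机配置 SSH 公钥身份验证` drops the trailing `。` that the removed line had while the sibling items keep theirs; restore it for consistency. The same placeholder gaps as in the English file are present here (`users.users..openssh.authorizedKeys.keys` and `ssh root@`), and the new top-level items are again numbered `1.` after `2.`; fix both files together so the two translations stay in sync, including any wording added about obtaining the remote host's public key out-of-band before putting it into `programs.ssh.knownHosts`.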