pinpox / lollypops

Lollypop Operations - NixOS Deployment Tool
https://pinpox.github.io/lollypops/
GNU General Public License v3.0

assertion: cfg.deployment.local-evaluation -> !cfg.deployment.sudo.enable #24

Closed MayNiklas closed 9 months ago

MayNiklas commented 9 months ago

As discussed before, it is not possible to combine local-evaluation with using sudo. local-evaluation: we copy the closure into a remote nix-store. This requires the root user.

This assertion might be helpful for people wondering why something does not work...

pf56 commented 8 months ago

Is there a specific scenario where using local-evaluation = true and sudo.enable = true at the same time doesn't work? I've been deploying with a non-root user and both options set without issue for a while now.

flake.nix:167 even sets --use-remote-sudo, which should allow deploying without root (assuming sudo is enabled).

MayNiklas commented 8 months ago

> Is there a specific scenario where using local-evaluation = true and sudo.enable = true at the same time doesn't work? I've been deploying with a non-root user and both options set without issue for a while now.
>
> flake.nix:167 even sets --use-remote-sudo, which should allow deploying without root (assuming sudo is enabled).

Until today, I was convinced that local-evaluation = true will never work with a non-root user 🤔 That being said: when I did a lot of my testing, rsync was quite broken -> might have caused the problem. I will reevaluate this today!

MayNiklas commented 8 months ago

> Is there a specific scenario where using local-evaluation = true and sudo.enable = true at the same time doesn't work? I've been deploying with a non-root user and both options set without issue for a while now.
>
> flake.nix:167 even sets --use-remote-sudo, which should allow deploying without root (assuming sudo is enabled).

You're right! Once I've set

    local-evaluation = true;
    ssh = { user = "nik"; };
    sudo.enable = true;

as well as

    security.sudo.wheelNeedsPassword = false;

I was able to execute :rebuild. While my sudo password was enabled, I struggled to get it to work (even with -S).

@pinpox can you revert this merge? Something changed (maybe it got caused by those rsync issues) -> works now.

pinpox commented 8 months ago

> @pinpox can you revert this merge? Something changed (maybe it got caused by those rsync issues) -> works now.

Reverted.