hydra: overdrive: Allow un-authenticated sudo to wheel group.

This enables reconfiguring the overdrive machines via 'guix deploy'. * hydra/modules/sysadmin/overdrive.scm (overdrive-system) [sudoers-file]: New field.
2023-12-14 03:33:04 +01:00 · 2022-09-23 14:15:15 -04:00 · 2022-09-23 14:15:15 -04:00 · 8cd6fbee6d
parent ae6efd3523
commit 8cd6fbee6d
1 changed files with 15 additions and 1 deletions
--- a/hydra/modules/sysadmin/overdrive.scm
+++ b/hydra/modules/sysadmin/overdrive.scm
@ -30,6 +30,8 @@
  #:use-module (gnu services mcron)
  #:use-module (gnu services ssh)
  #:use-module (gnu services vpn)
+  #:use-module (srfi srfi-1)
+  #:use-module (srfi srfi-26)
  #:use-module ((sysadmin services) #:select (berlin-wireguard-peer))
  #:export (overdrive-system))

@ -167,4 +169,16 @@
                             '("--max-jobs=2" "--cores=3")))))))

    (packages (cons* btrfs-progs screen openssh strace nss-certs
-                     %base-packages))))
+                     %base-packages))
+
+    ;; Allow sysadmins (sudoers) to use 'sudo' without a password so
+    ;; they can 'guix deploy' these machines as their own user.
+    (sudoers-file
+     (plain-file "sudoers"
+                 (string-join
+                  (append (remove (cut string-prefix? "%wheel" <>)
+                                  (string-split
+                                   (string-trim-right (plain-file-content
+                                                       %sudoers-specification))
+                                   #\newline))
+		          (list "%wheel ALL = NOPASSWD: ALL\n")) "\n")))))