
Use a non-root user

Deploy without root permissions with wire.

Deploying User Requirements

For deployment commands to succeed, the user defined in deployment.target.user must meet the following criteria:

  1. Essential Config
  • Sudo Access: The user must be in the wheel group (a sudo user).

  • SSH Key Authentication: The user must authenticate with SSH keys; password-based SSH auth is not supported.

    Why? Wire can prompt you for your sudo password, but not your SSH password.

  2. Deploying with Secrets
  • Trusted User: The user must be listed in the trusted-users nix config.

    If the user is not trusted, wire will fail in the key deployment stage.

For setting up a trusted user, see Manage Secrets - Prerequisites.
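
A NixOS module for the target node that satisfies the requirements above, as an added example that is not part of the wire documentation. It assumes the account is named deploy-user (the name used later on this page); the public key is a placeholder.

```nix
# Added example (not from the wire docs): target-node configuration for a
# non-root deploy account. "deploy-user" and the key below are assumptions.
{ ... }:
{
  users.users.deploy-user = {
    isNormalUser = true;

    # Requirement: sudo access through the wheel group.
    extraGroups = [ "wheel" ];

    # Requirement: SSH key authentication.
    # Placeholder value, replace with the deploying machine's public key.
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAA...REPLACE_WITH_YOUR_PUBLIC_KEY deploy@workstation"
    ];
  };

  # Keep the sudo password prompt (the NixOS default). wire prompts you for
  # this password, so there is no need for passwordless sudo.
  security.sudo.wheelNeedsPassword = true;

  services.openssh = {
    enable = true;
    # wire cannot answer an SSH password prompt, so disable password logins.
    settings.PasswordAuthentication = false;
    settings.KbdInteractiveAuthentication = false;
  };

  # Requirement for deploying secrets: the user must be a trusted Nix user.
  # A trusted user can direct the Nix daemon in ways that are effectively
  # root-equivalent, so list only the deploy account here.
  nix.settings.trusted-users = [ "deploy-user" ];
}
```

Apply this to the node while you can still deploy as root, then switch deployment.target.user.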

Changing the user

By default, the target is set to root:

nix
{
  deployment.target.user = "root";
}

But it can be any user you want so long as it fits the requirements above.

nix
{
  # deployment.target.user = "root";  # previous value (the default)
  deployment.target.user = "deploy-user";
}

After this change, wire will prompt you for sudo authentication and show the exact command it wants to run with elevated privileges:

sh
$ wire apply keys --on media
 INFO eval_hive: evaluating hive Flake("/path/to/hive")
...
 INFO media | step="Upload key @ NoFilter" progress="3/4"
deploy-user@node:22 | Authenticate for "sudo /nix/store/.../bin/key_agent":
[sudo] password for deploy-user:

Using alternative privilege escalation

You may change the privilege escalation command with the deployment.privilegeEscalationCommand option.

For example, doas:

nix
{
  deployment.privilegeEscalationCommand = [
    # "sudo"  # replaced by doas
    # "--"
    "doas"
  ];
}