+23

doc/guides/keys.md

reviewed

··· 21 21 - [Age](https://github.com/FiloSottile/age) 22 22 - Anything that non-interactively decrypts to `stdout`. 23 23 24 24 + ### Prerequisites 25 25 + 26 26 + wire uses a Rust binary to recieve encrypted key data, so your deploying 27 27 + user must be trusted or you must add garnix as a trusted public key: 28 28 + 29 29 + ```nix 30 30 + { config, ... }: 31 31 + { 32 32 + nix.settings.trusted-users = [ 33 33 + config.deployment.target.user # [!code ++] 34 34 + ]; 35 35 + } 36 36 + ``` 37 37 + 38 38 + Otherwise, you may see errors such as: 39 39 + 40 40 + ``` 41 41 + error: cannot add path '/nix/store/...-wire-tool-key_agent-x86_64-linux-...' because it lacks a signature by a trusted key 42 42 + ``` 43 43 + 44 44 + This is a requirement because `nix copy` is used to copy the binary. 45 45 + As a benefit to this approach, key deployments are significantly faster! 46 46 + 24 47 ### A Trivial "Key" 25 48 26 49 ```nix:line-numbers [hive.nix]

+11 -7

doc/guides/non-root-user.md

reviewed

··· 1 1 --- 2 2 comment: true 3 3 title: Use a non-root user 4 4 - description: Deploy as any user with wire. 4 4 + description: Deploy without root permissions with wire. 5 5 --- 6 6 7 7 # {{ $frontmatter.title }} ··· 13 13 If your selected deployment user does not fit the following requirements, the 14 14 deployment commands will likely fail with an error: 15 15 16 16 - | | Password-based SSH | Non-interactive SSH Auth | 17 17 - | :--------------------------------- | -----------------: | -----------------------: | 18 18 - | In `wheel` (Sudo User) | ❌ Not Supported | ✅ Supported | 19 19 - | Not In `wheel` (Unprivileged user) | ❌ Not Supported | ❌ Not Supported | 16 16 + | `deployment.target.user` is... | ❌ Will Not Work | 🟧 Deploys w/o Keys | ✅ Deploys w/ Keys | 17 17 + | :----------------------------- | :--------------: | :-----------------: | :----------------: | 18 18 + | In `wheel` (Sudo User) | No | Yes | Yes | 19 19 + | Has Non-Interactive SSH Auth | - | Yes | Yes | 20 20 + | A Trusted User | - | No | Yes | 21 21 + 22 22 + When using a non-trusted user, `wire apply` will likely fail if the deploying user is 23 23 + not trusted, see [Manage Secrets - Prerequisites](/guides/keys.html#prerequisites). 20 24 21 25 - "In `wheel`" here meaning a sudoer, whether it be `root` or not. 22 26 - "Non-interactive SSH Auth" here most likely meaning an SSH key, anything that 23 27 does not require keyboard input in the terminal. 24 28 25 25 - To put it simply, you cannot have a password on _ssh_, but you can have a 26 26 - password on _sudo_. 29 29 + To put it simply, wire can currently prompt for your password on `sudo`, 30 30 + but not `ssh`. 27 31 28 32 ## Changing the user 29 33

+24 -8

wire/lib/src/commands/common.rs

reviewed

··· 15 15 }, 16 16 }; 17 17 18 18 + fn get_common_copy_path_help(error: &CommandError) -> Option<String> { 19 19 + if let CommandError::CommandFailed { logs, .. } = error 20 20 + && (logs.contains("error: unexpected end-of-file")) 21 21 + { 22 22 + Some("wire requires the deploying user or wire binary cache is trusted on the remote server. if you're attempting to make that change, skip keys with --no-keys. please read https://wire.althaea.zone/guides/keys for more information".to_string()) 23 23 + } else { 24 24 + None 25 25 + } 26 26 + } 27 27 + 18 28 pub async fn push(context: &Context<'_>, push: Push<'_>) -> Result<(), HiveLibError> { 19 29 let command_string = format!( 20 30 "nix --extra-experimental-features nix-command \ ··· 40 50 ) 41 51 .await?; 42 52 43 43 - child 44 44 - .wait_till_success() 45 45 - .await 46 46 - .map_err(|error| HiveLibError::NixCopyError { 47 47 - name: context.name.clone(), 48 48 - path: push.to_string(), 49 49 - error: Box::new(error), 50 50 - })?; 53 53 + let status = child.wait_till_success().await; 54 54 + 55 55 + let help = if let Err(ref error) = status { 56 56 + get_common_copy_path_help(error).map(Box::new) 57 57 + } else { 58 58 + None 59 59 + }; 60 60 + 61 61 + status.map_err(|error| HiveLibError::NixCopyError { 62 62 + name: context.name.clone(), 63 63 + path: push.to_string(), 64 64 + error: Box::new(error), 65 65 + help, 66 66 + })?; 51 67 52 68 Ok(()) 53 69 }

+2

wire/lib/src/errors.rs

reviewed

··· 336 336 path: String, 337 337 #[source] 338 338 error: Box<CommandError>, 339 339 + #[help] 340 340 + help: Option<Box<String>>, 339 341 }, 340 342 341 343 #[diagnostic(code(wire::Evaluate))]