From cded5bfdf7df57e7215ef37ca41b29468f2c4d61 Mon Sep 17 00:00:00 2001
From: Nico
Date: Sat, 30 Aug 2025 18:13:07 +1000
Subject: [PATCH 1/2] users: add deploy
---
 flake.nix | 1 +
 modules/users/deploy.nix | 28 ++++++++++++++++++++++++++++
 2 files changed, 29 insertions(+)
 create mode 100644 modules/users/deploy.nix
diff --git a/flake.nix b/flake.nix
index 28fcd00..f8f3bd4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -52,6 +52,7 @@
 ./modules/users/nico.nix
 ./modules/users/alex.nix
+ ./modules/users/deploy.nix
 ./modules/hardware/secureboot.nix
 lanzaboote.nixosModules.lanzaboote
diff --git a/modules/users/deploy.nix b/modules/users/deploy.nix
new file mode 100644
index 0000000..9af6eb4
--- /dev/null
+++ b/modules/users/deploy.nix
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ...}:
+
+{
+ users.users.deploy = {
+ isNormalUser = true;
+ home = "/var/empty";
+ group = "deploy";
+ };
+
+ users.groups.deploy = {};
+
+ users.users.deploy.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILXwl+UyfeN/9M/z21mlVS3guYEqIjtgAf5pCPkjXhR0"
+ ];
+
+ security.sudo.extraRules = [
+ {
+ users = [ "deploy" ];
+ runAs = "root";
+ commands = [
+ {
+ command = "ALL";
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ }
+ ];
+}
From 254433bc62d1583b0231272c2d2f76ab4dccf7d2 Mon Sep 17 00:00:00 2001
From: Nico
Date: Sat, 30 Aug 2025 18:13:27 +1000
Subject: [PATCH 2/2] Revert "k3s: init"
This reverts commit 04a828d78d5b93c3f61e9253b9de49944c1aeb97.
---
 flake.nix | 1 -
 modules/services/k3s.nix | 12 ------------
 2 files changed, 13 deletions(-)
 delete mode 100644 modules/services/k3s.nix
diff --git a/flake.nix b/flake.nix
index f8f3bd4..105e1fe 100644
--- a/flake.nix
+++ b/flake.nix
@@ -34,7 +34,6 @@
 ./modules/applications/1password.nix
 ./modules/services/archiveteam-warrior.nix
 ./modules/services/linkding.nix
- ./modules/services/k3s.nix
 ./modules/nix/linux.nix
 ./modules/shell.nix
diff --git a/modules/services/k3s.nix b/modules/services/k3s.nix
deleted file mode 100644
index 403b42a..0000000
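Review bot: In the new modules/users/deploy.nix (patch 1/2), the sudo rule grants `deploy` `command = "ALL"` with `NOPASSWD` as root, so the single key in `authorizedKeys.keys` is effectively a root credential on any host built from the module list in flake.nix, and nothing in the hunk limits where or how that key may be used. If the deploy tooling only needs to activate a system closure, narrow `commands` to those specific binaries and constrain the key by prefixing the entry with authorized_keys options, e.g. `"from=\"<deploy-host-placeholder>\",restrict ssh-ed25519 …"` (confirm the tool works without a TTY first). Being able to activate an arbitrary configuration is still root-equivalent, so a comment above the rule such as `# deploy key is root-equivalent (passwordless sudo); keep the private key on the deploy host only` would make the trust assumption explicit. Separately, `isNormalUser = true` defaults `createHome` to true, which looks unintended next to `home = "/var/empty"`; consider adding `createHome = false;`.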
--- a/modules/services/k3s.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ config, ... }:
-
-{
- services.k3s = {
- enable = true;
- role = "server";
- };
-
- networking.firewall.allowedTCPPorts = [
- 6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
- ];
-}