authorTimo Wilken2023-01-22 22:39:46 +0100
committerTimo Wilken2023-01-22 22:58:58 +0100
commit4d6cf9e02cdcdd51dc29a118e9af0977217c252a (patch)
treef9480bae39f003681648c02973b419b46500ffb3 /tw/system
parent6c4a28f1e1b9c3caac9f5f171b6f5909b909872d (diff)
Allow guixdeploy user to do anything as root
This is required to use "guix deploy".
Diffstat (limited to 'tw/system')
-rw-r--r--tw/system/common.scm10
-rw-r--r--tw/system/lud.scm1
-rw-r--r--tw/system/vin.scm1
3 files changed, 12 insertions, 0 deletions
diff --git a/tw/system/common.scm b/tw/system/common.scm
index 57be678b..1eb48c52 100644
--- a/tw/system/common.scm
+++ b/tw/system/common.scm
@@ -29,6 +29,16 @@
"keypad:oss"
"kpdl:kposs")))
+(define-public %sudoers-file
+ (plain-file "sudoers"
+ (string-append
+ (plain-file-content %sudoers-specification)
+ ;; Let the "guixdeploy" user do anything as root, without a
+ ;; password required. "guix deploy" needs this, so that it can
+ ;; reconfigure the system without logging in as root.
+ ;; See: '(guix)Invoking guix deploy' info node.
+ "guixdeploy ALL = NOPASSWD: ALL\n")))
+
;; This is used for the servers, and also by (tw home common) to generate the
;; appropriate ~/.ssh/config.
(define-public %ssh-ports
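Review bot: The appended rule `guixdeploy ALL = NOPASSWD: ALL` in `%sudoers-file` makes any successful login as guixdeploy equivalent to root, and the comment explains why the rule exists but not how that account is protected. The account definition and its SSH settings are not visible in this diff, so I would extend the comment with something like `;; guixdeploy is root-equivalent: keep it key-only over SSH, with no password set.` and confirm the hosts enforce that. The same file is wired into lud.scm and vin.scm by the `(sudoers-file %sudoers-file)` hunks below, so the point applies to both machines. Because a malformed sudoers file can leave sudo unusable, it is also worth running `visudo -c -f` on the generated file before deploying, if the build does not already validate it.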
diff --git a/tw/system/lud.scm b/tw/system/lud.scm
index 5e0ffda0..54e0ea4f 100644
--- a/tw/system/lud.scm
+++ b/tw/system/lud.scm
@@ -204,6 +204,7 @@ ProxyPass \"/\" \"https://127.0.0.1:48448/\"
(locale-definition (name "pt_BR.utf8") (source "pt_BR"))
(locale-definition (name "en_US.utf8") (source "en_US"))))
+ (sudoers-file %sudoers-file)
(hosts-file %wireguard-etc-hosts)
;; Allow resolution of '.local' host names with mDNS.
(name-service-switch %mdns-host-lookup-nss)
diff --git a/tw/system/vin.scm b/tw/system/vin.scm
index ddecc127..b6275b5a 100644
--- a/tw/system/vin.scm
+++ b/tw/system/vin.scm
@@ -27,6 +27,7 @@
(locale-definition (name "fr_FR.utf8") (source "fr_FR"))
(locale-definition (name "en_US.utf8") (source "en_US"))))
+ (sudoers-file %sudoers-file)
(hosts-file %wireguard-etc-hosts)
;; Allow resolution of '.local' host names with mDNS.
(name-service-switch %mdns-host-lookup-nss)