Passwordless sudo with remote `nixos-rebuild` and SSH keys

Sat, 18 Apr 2026 14:58:23 -0400

In my homelab I now have a few machines that run NixOS. This came to be because I wanted the ability to quickly rebuild machines from scratch without having to fiddle with individual settings. Thanks to NixOS I now have a repository that holds a flake that can build bootable images and perform remote nixos-rebuild switch.

Having the ability to remotely perform nixos-rebuild switch is great. All changes are tracked in git, I can standardize certain aspects via Nix modules and it covers all aspects of a system, something I never really got to work reliably in Ansible. Remote nixos-rebuild switch works by specifying --target-host user@host which will use ssh to perform switch on the other machine. If pubkeys are set up authentication will be automatic. However, if the remote user is not root, and it shouldn’t be, sudo is required via --sudo and that will require password and with -S nixos-rebuild will ask you for the password. Not ideal.

SSH (Remote) Tunnels

Sun, 02 Jan 2011 12:36:58 -0400

Just figured out how SSH remote tunnels work and wanted to write it down.

Nomenclature:

[Local] Client: your local computer. In fact, if I say local, I mean the client.
[Remote] Server: the server you connect to. If I say remote, I mean server.

Forward Tunnels

Your standard tunnel, allows you to take a local port and redirect it to a remote port on the server:

$ ssh -L REMOTEPORT:client:CLIENTPORT user@server

Now, that by opening a tunnel in this way:

Ssh on ilikeorangutans

Passwordless sudo with remote `nixos-rebuild` and SSH keys

SSH (Remote) Tunnels

Forward Tunnels