Comment by matrss

13 hours ago

> I deploy using a dedicated user, which has passwordless sudo set up to work.

IMO there is no point in doing that over just using root, maybe unless you have multiple administrators and do it for audit purposes.

Anyway, what you can do is have a dedicated deployment key that is only allowed to execute a subset of commands (via the command= option in authorized_keys). I've used it to only allow starting the nixos-upgrade.service (and some other not necessarily required things), which then pulls updates from a predefined location.
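One way to implement the restriction the comment describes, as an added example that is not matrss's own configuration: a forced-command wrapper that sshd runs in place of whatever the client asked for, with the original request available in `SSH_ORIGINAL_COMMAND`. The `authorized_keys` line, the script path `/usr/local/bin/deploy-wrapper`, the `deploy` user and the narrowed sudoers rule are assumptions for illustration; the `command=` and `restrict` options are real OpenSSH authorized_keys options.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a restricted deployment key.
# Assumed authorized_keys entry for the deploy user (key is a placeholder):
#   command="/usr/local/bin/deploy-wrapper",restrict ssh-ed25519 AAAA... deploy@ci
# "restrict" disables port/agent/X11 forwarding and PTY allocation, and
# command= makes sshd run this script regardless of what the client sent.
# With the wrapper in place, the deploy user's sudo access can be narrowed
# from blanket NOPASSWD to a single command (assumed sudoers line, path
# is a placeholder for wherever systemctl lives on the host):
#   deploy ALL=(root) NOPASSWD: /path/to/systemctl start nixos-upgrade.service

# Map the client's request to an allowed action name.
# Exact string match only: no globbing, no argument parsing, so a request
# with extra arguments, a shell metacharacter or a different unit is refused.
deploy_allowed_action() {
    case "$1" in
        "systemctl start nixos-upgrade.service")  echo "start-upgrade" ;;
        "systemctl status nixos-upgrade.service") echo "status-upgrade" ;;
        *) return 1 ;;
    esac
}

# Execute the allowed action, or refuse with a non-zero exit status.
# The request string is never passed to a shell or executed verbatim;
# only the fixed command for the matched action runs.
deploy_dispatch() {
    action="$(deploy_allowed_action "$1")" || {
        printf 'refused: %s\n' "$1" >&2
        return 1
    }
    case "$action" in
        start-upgrade)  sudo systemctl start nixos-upgrade.service ;;
        status-upgrade) systemctl status nixos-upgrade.service ;;
    esac
}

# When sshd invokes this script as a forced command, the client's original
# request is in SSH_ORIGINAL_COMMAND; an empty request (plain "ssh host")
# falls through and does nothing.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    deploy_dispatch "$SSH_ORIGINAL_COMMAND"
fi
```

The allowlist is an exact-match table rather than a pattern so that the key cannot be used to reach anything beyond the two listed invocations; refused requests are logged to stderr, which sshd returns to the client and which also makes them visible in the auth log on the host.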