deploy-rs
deployment fails as a user different than root even when it's part of "root"/"wheel" groups
I am trying to deploy a machine as a non-root user (both for ssh and during deploy) and it fails with a write issue in /boot:
$ deploy .\#ovh2-prod -d --ssh-user nova
[ovh2-prod.system]
user = "nova"
ssh_user = "nova"
path = "/nix/store/irvyjylk0qbj9gqwr7l40zldri7win9y-activatable-nixos-system-ovh2-22.11.20220824.b784c5a"
hostname = "ovh-hybrid-runner-2.devops.novadiscovery.net"
ssh_opts = ["-F", "ssh_config"]
🚀 ❓ [deploy] [DEBUG] Finding the deriver of store path for /nix/store/irvyjylk0qbj9gqwr7l40zldri7win9y-activatable-nixos-system-ovh2-22.11.20220824.b784c5a
🚀 ℹ️ [deploy] [INFO] Building profile `system` for node `ovh2-prod`
🚀 ℹ️ [deploy] [INFO] Copying profile `system` to node `ovh2-prod`
🚀 ℹ️ [deploy] [INFO] Activating profile `system` for node `ovh2-prod`
🚀 ❓ [deploy] [DEBUG] Constructed activation command: /nix/store/irvyjylk0qbj9gqwr7l40zldri7win9y-activatable-nixos-system-ovh2-22.11.20220824.b784c5a/activate-rs --debug-logs activate '/nix/store/irvyjylk0qbj9gqwr7l40zldri7win9y-activatable-nixos-system-ovh2-22.11.20220824.b784c5a' '/nix/var/nix/profiles/per-user/nova/system' --temp-path '/tmp' --confirm-timeout 30 --magic-rollback --auto-rollback
🚀 ❓ [deploy] [DEBUG] Constructed wait command: /nix/store/irvyjylk0qbj9gqwr7l40zldri7win9y-activatable-nixos-system-ovh2-22.11.20220824.b784c5a/activate-rs --debug-logs wait '/nix/store/irvyjylk0qbj9gqwr7l40zldri7win9y-activatable-nixos-system-ovh2-22.11.20220824.b784c5a' --temp-path '/tmp'
🚀 ℹ️ [deploy] [INFO] Creating activation waiter
⭐ ℹ️ [activate] [INFO] Activating profile
👀 ℹ️ [wait] [INFO] Waiting for confirmation event...
⭐ ❓ [activate] [DEBUG] Running activation script
updating GRUB 2 menu...
cannot copy /nix/store/wdxxa2kiidbdhaqqzvyzabahwqk07f61-grub-2.06/share/grub/unicode.pf2 to /boot: Permission denied
⭐ ⚠️ [activate] [WARN] De-activating due to error
error: no profile version older than the current (1) exists
⭐ ❌ [activate] [ERROR] There was an error de-activating after an error was encountered: The rollback resulted in a bad exit code: Some(1)
🚀 ❓ [deploy] [DEBUG] Activate command exited with an error
🚀 ❌ [deploy] [ERROR] Activating over SSH resulted in a bad exit code: Some(1)
🚀 ℹ️ [deploy] [INFO] Revoking previous deploys
If I ssh into the machine:
[nova@ovh:~]$ cp /nix/store/wdxxa2kiidbdhaqqzvyzabahwqk07f61-grub-2.06/share/grub/unicode.pf2 /boot
cp: cannot create regular file '/boot/unicode.pf2': Permission denied
[nova@ovh:~]$ sudo cp /nix/store/wdxxa2kiidbdhaqqzvyzabahwqk07f61-grub-2.06/share/grub/unicode.pf2 /boot
works fine. I have tried redeploying with the user "root":
$ deploy .\#ovh2-prod -d --ssh-user nova
[ovh2-prod.system]
user = "root" <---- NOTE THE CHANGE HERE
ssh_user = "nova"
and it worked fine.
Is that expected? My nova user is part of "root" and "wheel", so I would expect the build to succeed. Does deploy-rs have something akin to --use-remote-sudo?
The user setting is what the actual activation script gets run as; for NixOS systems this needs to be root. As for using sudo on the remote, that's exactly what happens automatically if your user and ssh_user are different (including if ssh_user is inferred from your username).
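The split described in the answer above, written as a flake node definition. This is an added example, not configuration posted by anyone in the thread. The node name, hostname, SSH user and SSH options come from the issue; the `x86_64-linux` system, the `ovh2` NixOS configuration name and the `./configuration.nix` path are assumptions.

```nix
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs";
    deploy-rs.url = "github:serokell/deploy-rs";
  };

  outputs = { self, nixpkgs, deploy-rs }: {
    # Assumed name and module path for the machine's NixOS configuration.
    nixosConfigurations.ovh2 = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [ ./configuration.nix ];
    };

    deploy.nodes.ovh2-prod = {
      hostname = "ovh-hybrid-runner-2.devops.novadiscovery.net";

      # Unprivileged account used for the SSH connection and the store copy.
      sshUser = "nova";
      sshOpts = [ "-F" "ssh_config" ];

      profiles.system = {
        # Account the activation script runs as. Activating a NixOS system
        # writes to /boot and switches the system profile, so this is root.
        # Membership in "wheel" only allows nova to use sudo; it does not
        # give nova's own processes write access to /boot.
        user = "root";

        # Because user differs from sshUser, deploy-rs wraps the activation
        # command in sudo on the remote side (its default is "sudo -u").
        path = deploy-rs.lib.x86_64-linux.activate.nixos
          self.nixosConfigurations.ovh2;
      };
    };

    # Schema checks shipped with deploy-rs; run with `nix flake check`.
    checks = builtins.mapAttrs
      (system: deployLib: deployLib.deployChecks self.deploy)
      deploy-rs.lib;
  };
}
```

With this layout only the activation step is elevated, while SSH login stays on the unprivileged account.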