Automatically git root access to all contributors

infra/common/users.nix

@@ -30,11 +30,4 @@
   security.sudo.wheelNeedsPassword = false;
 
   nix.settings.trusted-users = [ "@wheel" ];
-
-  ## FIXME: Remove direct root authentication once NixOps4 supports users with
-  ## password-less sudo.
-  users.users.root.openssh.authorizedKeys.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJg5TlS1NGCRZwMjDgBkXeFUXqooqRlM8fJdBAQ4buPg"
-  ];
 }

infra/flake-part.nix

@@ -6,7 +6,7 @@
 }:
 
 let
-  inherit (builtins) mapAttrs;
+  inherit (lib) attrValues mapAttrs;
   inherit (lib.attrsets) genAttrs;
 
   makeResource =
@@ -32,7 +32,13 @@ let
           vmmodule
           ./common
           self.nixosModules.ageSecrets
-          { fediversity.hostPublicKey = self.keys.systems.${vmid}; }
+          {
+            fediversity.hostPublicKey = self.keys.systems.${vmid};
+
+            ## FIXME: Remove direct root authentication once the NixOps4 NixOS
+            ## provider supports users with password-less sudo.
+            users.users.root.openssh.authorizedKeys.keys = attrValues self.keys.contributors;
+          }
         ];
       };
     };