From 429a4cbe238304c2c2bf8e7bf2abc093bd26d4ab Mon Sep 17 00:00:00 2001 From: Kiara Grouwstra Date: Sat, 5 Apr 2025 13:49:41 +0200 Subject: [PATCH] using root account get and keep access presuming pre-existing key --- flake.lock | 21 +++++++++++++++++ flake.nix | 2 ++ infra/common/resource.nix | 1 + infra/machines/fedi201/fedipanel.nix | 34 ++++++++++++++++++++++++++++ launch/resource.nix | 5 +++- panel/env.nix | 2 +- panel/nix/configuration.nix | 7 +----- panel/src/panel/views.py | 1 + 8 files changed, 65 insertions(+), 8 deletions(-) diff --git a/flake.lock b/flake.lock index ad891639..bc6e6a88 100644 --- a/flake.lock +++ b/flake.lock @@ -571,6 +571,26 @@ "type": "github" } }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1743717835, + "narHash": "sha256-LJm6FoIcUoBw3w25ty12/sBfut4zZuNGdN0phYj/ekU=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "66a6ec65f84255b3defb67ff45af86c844dd451b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "mk-naked-shell": { "flake": false, "locked": { @@ -1215,6 +1235,7 @@ "disko": "disko", "flake-parts": "flake-parts", "git-hooks": "git-hooks", + "home-manager": "home-manager_2", "nixops4": "nixops4", "nixops4-nixos": "nixops4-nixos", "nixpkgs": "nixpkgs_7" diff --git a/flake.nix b/flake.nix index 9e0a719b..476c44db 100644 --- a/flake.nix +++ b/flake.nix @@ -3,6 +3,8 @@ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; flake-parts.url = "github:hercules-ci/flake-parts"; git-hooks.url = "github:cachix/git-hooks.nix"; + home-manager.url = "github:nix-community/home-manager"; + home-manager.inputs.nixpkgs.follows = "nixpkgs"; agenix.url = "github:ryantm/agenix"; disko.url = "github:nix-community/disko"; diff --git a/infra/common/resource.nix b/infra/common/resource.nix index 15b5693b..3e52835f 100644 --- a/infra/common/resource.nix +++ b/infra/common/resource.nix 
@@ -34,6 +34,7 @@ in
 imports = [
 inputs.agenix.nixosModules.default
 inputs.disko.nixosModules.default
+ inputs.home-manager.nixosModules.home-manager
 ./options.nix
 ./nixos
 ];
diff --git a/infra/machines/fedi201/fedipanel.nix b/infra/machines/fedi201/fedipanel.nix
index f9fc1554..15ca8916 100644
--- a/infra/machines/fedi201/fedipanel.nix
+++ b/infra/machines/fedi201/fedipanel.nix
@@ -1,5 +1,6 @@
 {
 config,
+ pkgs,
 ...
 }:
 let
@@ -15,6 +16,39 @@ in
 defaults.email = "beheer@procolix.com";
 };
 
+ # start SSH agent for root user
+ systemd.services.ssh-agent = {
+ description = "SSH Agent";
+ wantedBy = [ "default.target" ];
+ unitConfig.ConditionUser = "!@system";
+ serviceConfig = {
+ ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent";
+ ExecStart = "${pkgs.openssh}/bin/ssh-agent -a %t/ssh-agent";
+ StandardOutput = "null";
+ Type = "forking";
+ Restart = "on-failure";
+ SuccessExitStatus = "0 2";
+ };
+ environment.DISPLAY = "fake"; # required to make ssh-agent start $SSH_ASKPASS
+ };
+
+ environment.extraInit = ''
+ if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then
+ export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent"
+ fi
+ '';
+
+ home-manager = {
+ users.root.home = {
+ stateVersion = "25.05";
+ file.".ssh/config" = {
+ text = ''
+ IdentityFile /etc/ssh/ssh_host_ed25519_key
+ '';
+ };
+ };
+ };
+
 services.${name} = {
 enable = true;
 production = true;
diff --git a/launch/resource.nix b/launch/resource.nix
index 04811271..6b03305b 100644
--- a/launch/resource.nix
+++ b/launch/resource.nix
@@ -37,5 +37,8 @@ in
 
 ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
 ## supports users with password-less sudo.
- users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
+ users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
+ # allow our panel vm access to the test machines
+ keys.systems.fedi201
+ ];
 }
diff --git a/panel/env.nix b/panel/env.nix
index ad184cad..aae32ec4 100644
--- a/panel/env.nix
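Review bot: `unitConfig.ConditionUser = "!@system"` on a unit declared under `systemd.services` (the system manager) can never hold: systemd.unit(5) documents ConditionUser as a test on the user the service manager itself runs as, which for the system manager is always root, so this agent will be skipped at boot rather than started. The unit reads like the per-user agent NixOS ships behind `programs.ssh.startAgent`; if a root-owned agent is really wanted it belongs under `systemd.user.services` for root's user manager, and the `$XDG_RUNTIME_DIR/ssh-agent` export in `environment.extraInit` only reaches login sessions that have an XDG_RUNTIME_DIR, not the panel's systemd service. Separately, `IdentityFile /etc/ssh/ssh_host_ed25519_key` turns the machine's server identity into a client credential, so whoever holds root here now also holds the key the test machines accept; a dedicated deploy key, e.g. `IdentityFile /var/lib/<PANEL_SERVICE>/.ssh/id_ed25519` (placeholder path) owned by the service user, keeps the two roles separate and would not force the panel to run as root.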
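Review bot: The appended `keys.systems.fedi201` entry gives the panel host's key unrestricted root login on every machine built from this module, with none of the per-key options OpenSSH accepts in authorized_keys. Since this key exists for one automated deploy path, I would scope it, e.g. `''restrict,from="<FEDI201_ADDRESS>" ${keys.systems.fedi201}''` (placeholder address; `restrict` also disables forwarding and PTY allocation, so check that the deploy script does not need them), and extend the existing FIXME so this entry is removed together with contributor root access. `keys.systems.fedi201` is defined outside this hunk; this assumes it is a single public-key string, since the options prefix applies per entry.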
+++ b/panel/env.nix
@@ -10,6 +10,6 @@
 pkgs.coreutils
 pkgs.openssh
 pkgs.git
- pkgs.jq # implicit dep of nixos-anywhere TF: https://github.com/nix-community/nixos-anywhere/issues/416
+ pkgs.jq # implicit dep of deploy script
 ];
 }
diff --git a/panel/nix/configuration.nix b/panel/nix/configuration.nix
index 01d90df6..0006c14b 100644
--- a/panel/nix/configuration.nix
+++ b/panel/nix/configuration.nix
@@ -158,11 +158,6 @@ in
 };
 };
 
- users.users.${name} = {
- isSystemUser = true;
- group = name;
- };
-
 users.groups.${name} = { };
 systemd.services.${name} = {
 description = "${name} ASGI server";
@@ -187,7 +182,7 @@ in
 '';
 serviceConfig = {
 Restart = "always";
- User = name;
+ User = "root";
 WorkingDirectory = "/var/lib/${name}";
 StateDirectory = name;
 RuntimeDirectory = name;
diff --git a/panel/src/panel/views.py b/panel/src/panel/views.py
index 1aced5a8..b6e32cd4 100644
--- a/panel/src/panel/views.py
+++ b/panel/src/panel/views.py
@@ -169,6 +169,7 @@ class DeploymentStatus(ConfigurationForm):
 logger.debug(f"deployment_params: {deployment_params}")
 deployment_result = deployment_result or subprocess.run(
 ["./deploy.sh"],
+ user="root",
 cwd=f"{settings.repo_dir}/launch",
 env={
 "PATH": settings.bin_path,
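Review bot: Removing `users.users.${name}` and switching the service to `User = "root"` in the `@@ -187,7 +182,7 @@` hunk makes the network-facing ASGI server run as uid 0, so any request-handling flaw in the panel now yields root on this host and, through the host key the test machines accept after this commit, root on those as well. The dedicated system user was the only privilege boundary around this process; keeping it and giving it exactly what the deploy needs (a deploy key readable by that user, or a narrowly scoped privileged helper invoked from `./deploy.sh`) preserves that boundary. `users.groups.${name} = { };` is kept although its only member is gone, so it is now dead configuration. The `systemd.services.${name}` block continues outside both hunks.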
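Review bot: `user="root"` on `subprocess.run` grants no privilege: the uid switch is done in the child via setreuid, which only succeeds when the parent already has the right to it, so with the service running as root the argument is a no-op and with an unprivileged service user it raises `PermissionError` before `./deploy.sh` starts. If the intent is to record that the deploy must run as root, a comment such as `# deploy.sh must run as root (see panel/nix/configuration.nix)` says so without a parameter that changes nothing; if the intent is to escalate, it needs a real mechanism (a sudo rule or a privileged helper) rather than this keyword. The `env=` mapping is built explicitly and continues past the hunk; presumably it does not forward `SSH_AUTH_SOCK`, so the agent wiring added in fedipanel.nix would not reach this process — worth confirming. The enclosing `DeploymentStatus` method begins before this hunk.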