using root account get and keep access presuming pre-existing key

This commit is contained in:
Kiara Grouwstra 2025-04-05 13:49:41 +02:00
parent 6a1db9750d
commit 429a4cbe23
Signed by: kiara
SSH key fingerprint: SHA256:COspvLoLJ5WC5rFb9ZDe5urVCkK4LJZOsjfF4duRJFU
8 changed files with 65 additions and 8 deletions

21
flake.lock generated

@ -571,6 +571,26 @@
"type": "github" "type": "github"
} }
}, },
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1743717835,
"narHash": "sha256-LJm6FoIcUoBw3w25ty12/sBfut4zZuNGdN0phYj/ekU=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "66a6ec65f84255b3defb67ff45af86c844dd451b",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"mk-naked-shell": { "mk-naked-shell": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -1215,6 +1235,7 @@
"disko": "disko", "disko": "disko",
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
"git-hooks": "git-hooks", "git-hooks": "git-hooks",
"home-manager": "home-manager_2",
"nixops4": "nixops4", "nixops4": "nixops4",
"nixops4-nixos": "nixops4-nixos", "nixops4-nixos": "nixops4-nixos",
"nixpkgs": "nixpkgs_7" "nixpkgs": "nixpkgs_7"


@ -3,6 +3,8 @@
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.url = "github:hercules-ci/flake-parts";
git-hooks.url = "github:cachix/git-hooks.nix"; git-hooks.url = "github:cachix/git-hooks.nix";
home-manager.url = "github:nix-community/home-manager";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
agenix.url = "github:ryantm/agenix"; agenix.url = "github:ryantm/agenix";
disko.url = "github:nix-community/disko"; disko.url = "github:nix-community/disko";


@ -34,6 +34,7 @@ in
imports = [ imports = [
inputs.agenix.nixosModules.default inputs.agenix.nixosModules.default
inputs.disko.nixosModules.default inputs.disko.nixosModules.default
inputs.home-manager.nixosModules.home-manager
./options.nix ./options.nix
./nixos ./nixos
]; ];


@ -1,5 +1,6 @@
{ {
config, config,
pkgs,
... ...
}: }:
let let
@ -15,6 +16,39 @@ in
defaults.email = "beheer@procolix.com"; defaults.email = "beheer@procolix.com";
}; };
# start SSH agent for root user
systemd.services.ssh-agent = {
description = "SSH Agent";
wantedBy = [ "default.target" ];
unitConfig.ConditionUser = "!@system";
serviceConfig = {
ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent";
ExecStart = "${pkgs.openssh}/bin/ssh-agent -a %t/ssh-agent";
StandardOutput = "null";
Type = "forking";
Restart = "on-failure";
SuccessExitStatus = "0 2";
};
environment.DISPLAY = "fake"; # required to make ssh-agent start $SSH_ASKPASS
};
environment.extraInit = ''
if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then
export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent"
fi
'';
home-manager = {
users.root.home = {
stateVersion = "25.05";
file.".ssh/config" = {
text = ''
IdentityFile /etc/ssh/ssh_host_ed25519_key
'';
};
};
};
services.${name} = { services.${name} = {
enable = true; enable = true;
production = true; production = true;
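Review bot: The `systemd.services.ssh-agent` unit is declared as a system service, yet `unitConfig.ConditionUser = "!@system"` and the `%t` specifier paired with `$XDG_RUNTIME_DIR/ssh-agent` in `environment.extraInit` are the user-manager form of this unit; under the system manager, which runs as uid 0, `!@system` appears to evaluate false so the unit would be skipped, and even if it ran `%t` would resolve to /run rather than the /run/user/0 path the shell init exports. If the agent is meant for root's interactive sessions, `systemd.user.services.ssh-agent` is the matching scope; if it is meant as a system unit, the condition and the socket path need to agree with each other. Separately, pointing root's `IdentityFile` at `/etc/ssh/ssh_host_ed25519_key` reuses the host's server identity as a client credential, so one key now both identifies this machine to its SSH clients and logs in as root on the test machines; a dedicated client key would keep those roles apart and let them be rotated independently. The enclosing module continues outside the hunk.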


@ -37,5 +37,8 @@ in
## FIXME: Remove direct root authentication once the NixOps4 NixOS provider ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
## supports users with password-less sudo. ## supports users with password-less sudo.
users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors; users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
# allow our panel vm access to the test machines
keys.systems.fedi201
];
} }
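Review bot: Appending `keys.systems.fedi201` to `users.users.root.openssh.authorizedKeys.keys` gives the panel VM's host key unrestricted root login on every machine that imports this module, which is broader than the deploy use the inline comment describes. An authorized_keys entry may carry options, so the grant can be scoped to the panel host, e.g. `"from=\"<fedi201 address — placeholder>\" ${keys.systems.fedi201}"`, and the comment could state what the key is and why it needs root, e.g. `# fedi201 (panel VM) SSH host key: root access so its deploy script can reach the test machines`. The FIXME above already tracks removing direct root authentication; this entry widens that debt and is worth naming there so it is removed together with the contributor keys.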


@ -10,6 +10,6 @@
pkgs.coreutils pkgs.coreutils
pkgs.openssh pkgs.openssh
pkgs.git pkgs.git
pkgs.jq # implicit dep of nixos-anywhere TF: https://github.com/nix-community/nixos-anywhere/issues/416 pkgs.jq # implicit dep of deploy script
]; ];
} }


@ -158,11 +158,6 @@ in
}; };
}; };
users.users.${name} = {
isSystemUser = true;
group = name;
};
users.groups.${name} = { }; users.groups.${name} = { };
systemd.services.${name} = { systemd.services.${name} = {
description = "${name} ASGI server"; description = "${name} ASGI server";
@ -187,7 +182,7 @@ in
''; '';
serviceConfig = { serviceConfig = {
Restart = "always"; Restart = "always";
User = name; User = "root";
WorkingDirectory = "/var/lib/${name}"; WorkingDirectory = "/var/lib/${name}";
StateDirectory = name; StateDirectory = name;
RuntimeDirectory = name; RuntimeDirectory = name;
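Review bot: Changing `User = name` to `User = "root"` and deleting the `users.users.${name}` definition runs the ASGI server as root, so any request-handling flaw in the web application now executes with full host privileges instead of inside the dedicated system account the module previously created. If root is needed only for the deployment step, narrower options are to keep the service unprivileged and have it trigger a separate root-owned deploy unit, or to provision the service user with its own deploy key, rather than elevating the whole server. At minimum the `User` line should say why root is required and that it is meant to be temporary, e.g. `User = "root"; # FIXME: only so deploy.sh can use root's SSH identity; revert to `name` once deploy runs out of process`. The service definition continues outside the hunk.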


@ -169,6 +169,7 @@ class DeploymentStatus(ConfigurationForm):
logger.debug(f"deployment_params: {deployment_params}") logger.debug(f"deployment_params: {deployment_params}")
deployment_result = deployment_result or subprocess.run( deployment_result = deployment_result or subprocess.run(
["./deploy.sh"], ["./deploy.sh"],
user="root",
cwd=f"{settings.repo_dir}/launch", cwd=f"{settings.repo_dir}/launch",
env={ env={
"PATH": settings.bin_path, "PATH": settings.bin_path,