using root account get and keep access presuming pre-existing key

2025-04-05 13:49:41 +02:00 · 2025-04-05 13:49:41 +02:00 · 429a4cbe23
commit 429a4cbe23
parent 6a1db9750d
8 changed files with 65 additions and 8 deletions
--- a/flake.lock
+++ b/flake.lock
@ -571,6 +571,26 @@
        "type": "github"
      }
    },
+    "home-manager_2": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1743717835,
+        "narHash": "sha256-LJm6FoIcUoBw3w25ty12/sBfut4zZuNGdN0phYj/ekU=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "66a6ec65f84255b3defb67ff45af86c844dd451b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
    "mk-naked-shell": {
      "flake": false,
      "locked": {
@ -1215,6 +1235,7 @@
        "disko": "disko",
        "flake-parts": "flake-parts",
        "git-hooks": "git-hooks",
+        "home-manager": "home-manager_2",
        "nixops4": "nixops4",
        "nixops4-nixos": "nixops4-nixos",
        "nixpkgs": "nixpkgs_7"
--- a/flake.nix
+++ b/flake.nix
@ -3,6 +3,8 @@
    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
    flake-parts.url = "github:hercules-ci/flake-parts";
    git-hooks.url = "github:cachix/git-hooks.nix";
+    home-manager.url = "github:nix-community/home-manager";
+    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    agenix.url = "github:ryantm/agenix";

    disko.url = "github:nix-community/disko";
--- a/infra/common/resource.nix
+++ b/infra/common/resource.nix
@ -34,6 +34,7 @@ in
    imports = [
      inputs.agenix.nixosModules.default
      inputs.disko.nixosModules.default
+      inputs.home-manager.nixosModules.home-manager
      ./options.nix
      ./nixos
    ];
--- a/infra/machines/fedi201/fedipanel.nix
+++ b/infra/machines/fedi201/fedipanel.nix
@ -1,5 +1,6 @@
 {
  config,
+  pkgs,
  ...
 }:
 let
@ -15,6 +16,39 @@ in
    defaults.email = "beheer@procolix.com";
  };

+  # start SSH agent for root user
+  systemd.services.ssh-agent = {
+    description = "SSH Agent";
+    wantedBy = [ "default.target" ];
+    unitConfig.ConditionUser = "!@system";
+    serviceConfig = {
+      ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent";
+      ExecStart = "${pkgs.openssh}/bin/ssh-agent -a %t/ssh-agent";
+      StandardOutput = "null";
+      Type = "forking";
+      Restart = "on-failure";
+      SuccessExitStatus = "0 2";
+    };
+    environment.DISPLAY = "fake"; # required to make ssh-agent start $SSH_ASKPASS
+  };
+
+  environment.extraInit = ''
+    if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then
+      export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent"
+    fi
+  '';
+
+  home-manager = {
+    users.root.home = {
+      stateVersion = "25.05";
+      file.".ssh/config" = {
+        text = ''
+          IdentityFile /etc/ssh/ssh_host_ed25519_key
+        '';
+      };
+    };
+  };
+
  services.${name} = {
    enable = true;
    production = true;
--- a/launch/resource.nix
+++ b/launch/resource.nix
@ -37,5 +37,8 @@ in

  ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
  ## supports users with password-less sudo.
-  users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
+  users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
+    # allow our panel vm access to the test machines
+    keys.systems.fedi201
+  ];
 }
--- a/panel/env.nix
+++ b/panel/env.nix
@ -10,6 +10,6 @@
    pkgs.coreutils
    pkgs.openssh
    pkgs.git
-    pkgs.jq # implicit dep of nixos-anywhere TF: https://github.com/nix-community/nixos-anywhere/issues/416
+    pkgs.jq # implicit dep of deploy script
  ];
 }
--- a/panel/nix/configuration.nix
+++ b/panel/nix/configuration.nix
@ -158,11 +158,6 @@ in
      };
    };

-    users.users.${name} = {
-      isSystemUser = true;
-      group = name;
-    };
-
    users.groups.${name} = { };
    systemd.services.${name} = {
      description = "${name} ASGI server";
@ -187,7 +182,7 @@ in
      '';
      serviceConfig = {
        Restart = "always";
-        User = name;
+        User = "root";
        WorkingDirectory = "/var/lib/${name}";
        StateDirectory = name;
        RuntimeDirectory = name;
--- a/panel/src/panel/views.py
+++ b/panel/src/panel/views.py
@ -169,6 +169,7 @@ class DeploymentStatus(ConfigurationForm):
                    logger.debug(f"deployment_params: {deployment_params}")
                    deployment_result = deployment_result or subprocess.run(
                        ["./deploy.sh"],
+                        user="root",
                        cwd=f"{settings.repo_dir}/launch",
                        env={
                            "PATH": settings.bin_path,