From 4bd2cc3eb8da337d70238e857dbc90571f408ca9 Mon Sep 17 00:00:00 2001
From: Kiara Grouwstra
Date: Tue, 22 Apr 2025 19:19:22 +0200
Subject: [PATCH] fix authorized keys
---
 infra/common/resource.nix | 6 +++++-
 infra/dev/main.tf | 2 +-
 infra/operator/main.tf | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/infra/common/resource.nix b/infra/common/resource.nix
index afb20666..1a395d20 100644
--- a/infra/common/resource.nix
+++ b/infra/common/resource.nix
@@ -5,7 +5,7 @@
 }:
 let
- inherit (lib) elem mkDefault;
+ inherit (lib) attrValues elem mkDefault;
 inherit (lib.attrsets) concatMapAttrs optionalAttrs;
 inherit (lib.strings) removeSuffix;
@@ -34,4 +34,8 @@ in
 ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
 }
 ) secrets;
+
+ ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
+ ## supports users with password-less sudo.
+ users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
 }
diff --git a/infra/dev/main.tf b/infra/dev/main.tf
index bb3ea4d4..5dde95ba 100644
--- a/infra/dev/main.tf
+++ b/infra/dev/main.tf
@@ -14,7 +14,7 @@ module "nixos" {
 # wiki = "vm02187" # does not resolve
 # forgejo = "vm02116" # does not resolve
 # TODO: move these to a separate `host` dir
- # dns = "fedi200" # does not accept root user
+ dns = "fedi200"
 fedipanel = "fedi201"
 } : name => {
 hostname = inst
diff --git a/infra/operator/main.tf b/infra/operator/main.tf
index 08612136..aa631078 100644
--- a/infra/operator/main.tf
+++ b/infra/operator/main.tf
@@ -64,7 +64,7 @@ module "nixos" {
 ## FIXME: switch root authentication to users with password-less sudo, see #24
 users.users.root.openssh.authorizedKeys.keys = let
 keys = import ../../keys;
- in builtins.attrValues keys.contributors ++ [
+ in [
 # allow our panel vm access to the test machines
 keys.panel
 ];
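Review bot: The new `users.users.root.openssh.authorizedKeys.keys` line in the second resource.nix hunk grants every contributor key root SSH access on every host that imports the common module, unconditionally and with no `mkDefault`, so a host module can no longer narrow the root key set without overriding the merged list. It also references `keys.contributors`, but the first hunk shows only the `inherit` lines of that `let`; if `keys` is not already bound there, evaluation fails for all hosts. Since root key auth is now the common baseline, it is worth pinning the matching sshd policy next to it, `services.openssh.settings.PermitRootLogin = "prohibit-password";`, so a later change cannot silently widen this to password logins. The FIXME here and the one in infra/operator/main.tf describe the same debt in different words; referencing the same issue in both (`## FIXME: ... see #24`) keeps them from drifting apart.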
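Review bot: Re-enabling `dns = "fedi200"` drops the `# does not accept root user` reason without saying what changed, so the next reader cannot tell whether the host now accepts root keys because of the resource.nix change in this same commit or for some other reason. A trailing comment would preserve that, e.g. `dns = "fedi200" # root keys now provisioned via infra/common/resource.nix`. The surrounding `module "nixos"` block begins before and continues past this hunk.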
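Review bot: Removing `builtins.attrValues keys.contributors ++` from the operator root key list is only access-neutral if the operator hosts also import infra/common/resource.nix, where this commit re-adds the same keys; the hunk gives no evidence either way, so if they do not, contributors lose root access on those machines, and if they do, the NixOS list option merges both definitions and the effective set is unchanged. A one-line comment above the `let` stating which module now supplies the contributor keys would make that dependency explicit, e.g. `## contributor keys come from infra/common/resource.nix; only host-specific keys belong here`. The enclosing `module "nixos"` block starts outside the hunk.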