use root user as in #301 - given #297 seems to actually deploy!

2025-04-05 16:04:23 +02:00 · 2025-04-05 16:04:23 +02:00 · 551e860b5b
commit 551e860b5b
parent 3270cc89e7
7 changed files with 32 additions and 4 deletions
--- a/flake.lock
+++ b/flake.lock
@ -571,6 +571,26 @@
        "type": "github"
      }
    },
    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1743860185,
        "narHash": "sha256-TkhfJ+vH+iGxLQL6RJLObMmldAQpysVJ+p1WnnKyIeQ=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "b5e29565131802cc8adee7dccede794226da8614",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "mk-naked-shell": {
      "flake": false,
      "locked": {
@ -1215,6 +1235,7 @@
        "disko": "disko",
        "flake-parts": "flake-parts",
        "git-hooks": "git-hooks",
        "home-manager": "home-manager_2",
        "nixops4": "nixops4",
        "nixops4-nixos": "nixops4-nixos",
        "nixpkgs": "nixpkgs_7"
--- a/flake.nix
+++ b/flake.nix
@ -3,6 +3,8 @@
    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
    flake-parts.url = "github:hercules-ci/flake-parts";
    git-hooks.url = "github:cachix/git-hooks.nix";
    home-manager.url = "github:nix-community/home-manager";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    agenix.url = "github:ryantm/agenix";
    disko.url = "github:nix-community/disko";
--- a/infra/common/resource.nix
+++ b/infra/common/resource.nix
@ -34,6 +34,7 @@ in
    imports = [
      inputs.agenix.nixosModules.default
      inputs.disko.nixosModules.default
      inputs.home-manager.nixosModules.home-manager
      ./options.nix
      ./nixos
    ];
--- a/infra/machines/fedi201/fedipanel.nix
+++ b/infra/machines/fedi201/fedipanel.nix
@ -1,5 +1,6 @@
 {
  config,
  pkgs,
  ...
 }:
 let
--- a/launch/resource.nix
+++ b/launch/resource.nix
@ -37,5 +37,8 @@ in
  ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
  ## supports users with password-less sudo.
-  users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
+  users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
    # allow our panel vm access to the test machines
    keys.systems.fedi201
  ];
 }
--- a/panel/nix/configuration.nix
+++ b/panel/nix/configuration.nix
@ -186,7 +186,7 @@ in
      '';
      serviceConfig = {
        Restart = "always";
-        User = name;
+        User = "root";
        WorkingDirectory = "/var/lib/${name}";
        StateDirectory = name;
        RuntimeDirectory = name;
--- a/panel/src/panel/views.py
+++ b/panel/src/panel/views.py
@ -103,7 +103,7 @@ class DeploymentStatus(ConfigurationForm):
        # Check for deploy button
        if "deploy" in self.request.POST.keys():
            deployment_result, deployment_params = self.deployment(obj)
-            deployment_succeeded = deployment_result.returncode == 0
+            deployment_succeeded = deployment_result == 0
        return render(self.request, "partials/deployment_result.html", {
            "deployment_succeeded": deployment_succeeded,
@ -157,6 +157,6 @@ class DeploymentStatus(ConfigurationForm):
            "--auto-approve",
            "-lock=false",
        ]
-        deployment_result = subprocess.run(cmd, cwd=cwd, env=env)
+        deployment_result = subprocess.run(cmd, cwd=cwd, env=env, user="root")
        print(deployment_result)
        return deployment_result, deployment_params