use root user as in #301 - given #297 seems to actually deploy!

flake.lock

@@ -571,6 +571,26 @@
         "type": "github"
       }
     },
+    "home-manager_2": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1743860185,
+        "narHash": "sha256-TkhfJ+vH+iGxLQL6RJLObMmldAQpysVJ+p1WnnKyIeQ=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "b5e29565131802cc8adee7dccede794226da8614",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
     "mk-naked-shell": {
       "flake": false,
       "locked": {
@@ -1215,6 +1235,7 @@
         "disko": "disko",
         "flake-parts": "flake-parts",
         "git-hooks": "git-hooks",
+        "home-manager": "home-manager_2",
         "nixops4": "nixops4",
         "nixops4-nixos": "nixops4-nixos",
         "nixpkgs": "nixpkgs_7"

flake.nix

@@ -3,6 +3,8 @@
     nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
     flake-parts.url = "github:hercules-ci/flake-parts";
     git-hooks.url = "github:cachix/git-hooks.nix";
+    home-manager.url = "github:nix-community/home-manager";
+    home-manager.inputs.nixpkgs.follows = "nixpkgs";
     agenix.url = "github:ryantm/agenix";
 
     disko.url = "github:nix-community/disko";

infra/common/resource.nix

@@ -34,6 +34,7 @@ in
     imports = [
       inputs.agenix.nixosModules.default
       inputs.disko.nixosModules.default
+      inputs.home-manager.nixosModules.home-manager
       ./options.nix
       ./nixos
     ];

infra/machines/fedi201/fedipanel.nix

@@ -1,5 +1,6 @@
 {
   config,
+  pkgs,
   ...
 }:
 let
@@ -15,6 +16,39 @@ in
     defaults.email = "beheer@procolix.com";
   };
 
+  # start SSH agent for root user
+  systemd.services.ssh-agent = {
+    description = "SSH Agent";
+    wantedBy = [ "default.target" ];
+    unitConfig.ConditionUser = "!@system";
+    serviceConfig = {
+      ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent";
+      ExecStart = "${pkgs.openssh}/bin/ssh-agent -a %t/ssh-agent";
+      StandardOutput = "null";
+      Type = "forking";
+      Restart = "on-failure";
+      SuccessExitStatus = "0 2";
+    };
+    environment.DISPLAY = "fake"; # required to make ssh-agent start $SSH_ASKPASS
+  };
+
+  environment.extraInit = ''
+    if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then
+      export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent"
+    fi
+  '';
+
+  home-manager = {
+    users.root.home = {
+      stateVersion = "25.05";
+      file.".ssh/config" = {
+        text = ''
+          IdentityFile /etc/ssh/ssh_host_ed25519_key
+        '';
+      };
+    };
+  };
+
   services.${name} = {
     enable = true;
     production = true;

launch/resource.nix

@@ -37,5 +37,8 @@ in
 
   ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
   ## supports users with password-less sudo.
-  users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
+  users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
+    # allow our panel vm access to the test machines
+    keys.systems.fedi201
+  ];
 }

panel/nix/configuration.nix

@@ -158,11 +158,6 @@ in
       };
     };
 
-    users.users.${name} = {
-      isSystemUser = true;
-      group = name;
-    };
-
     users.groups.${name} = { };
     systemd.services.${name} = {
       description = "${name} ASGI server";
@@ -187,7 +182,7 @@ in
       '';
       serviceConfig = {
         Restart = "always";
-        User = name;
+        User = "root";
         WorkingDirectory = "/var/lib/${name}";
         StateDirectory = name;
         RuntimeDirectory = name;

panel/src/panel/views.py

@@ -103,7 +103,7 @@ class DeploymentStatus(ConfigurationForm):
         # Check for deploy button
         if "deploy" in self.request.POST.keys():
             deployment_result, deployment_params = self.deployment(obj)
-            deployment_succeeded = deployment_result.returncode == 0
+            deployment_succeeded = deployment_result == 0
 
         return render(self.request, "partials/deployment_result.html", {
             "deployment_succeeded": deployment_succeeded,
@@ -157,6 +157,6 @@ class DeploymentStatus(ConfigurationForm):
             "--auto-approve",
             "-lock=false",
         ]
-        deployment_result = subprocess.run(cmd, cwd=cwd, env=env)
+        deployment_result = subprocess.run(cmd, cwd=cwd, env=env, user="root")
         print(deployment_result)
         return deployment_result, deployment_params