From b9b13df04e3334d7e678ff3099fe08a34e429b92 Mon Sep 17 00:00:00 2001
From: Kiara Grouwstra
Date: Tue, 15 Jul 2025 11:56:22 +0200
Subject: [PATCH] allow SSH access from continuous deployment (#460)

Reviewed-on: https://git.fediversity.eu/Fediversity/Fediversity/pulls/460
Reviewed-by: Valentin Gagarin
Co-authored-by: Kiara Grouwstra
Co-committed-by: Kiara Grouwstra
---
 .forgejo/workflows/cd.yaml | 4 +++-
 infra/common/resource.nix | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/.forgejo/workflows/cd.yaml b/.forgejo/workflows/cd.yaml
index 62ab5acf..8e45cbe0 100644
--- a/.forgejo/workflows/cd.yaml
+++ b/.forgejo/workflows/cd.yaml
@@ -13,12 +13,14 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
- - name: Set up SSH key to access age secrets
+ - name: Set up SSH key for age secrets and SSH
 run: |
 env
 mkdir -p ~/.ssh
 echo "${{ secrets.CD_SSH_KEY }}" > ~/.ssh/id_ed25519
 chmod 600 ~/.ssh/id_ed25519
+ eval "$(ssh-agent -s)"
+ ssh-add ~/.ssh/id_ed25519
 - name: Deploy
 run: nix-shell --run 'nixops4 apply default'
diff --git a/infra/common/resource.nix b/infra/common/resource.nix
index 5e2b9fef..26b57c29 100644
--- a/infra/common/resource.nix
+++ b/infra/common/resource.nix
@@ -58,6 +58,8 @@ in
 users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
 # allow our panel vm access to the test machines
 keys.panel
+ # allow continuous deployment access
+ keys.cd
 ];
 };
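Review bot: The agent started by `eval "$(ssh-agent -s)"` in the key set-up step is probably not visible to the Deploy step. Each `run:` block normally gets its own shell, so the exported `SSH_AUTH_SOCK` is gone by the time `nixops4 apply default` runs, and any SSH login that succeeds is using the key file at `~/.ssh/id_ed25519`, not the agent. If the deployment needs the agent, add `echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> "$GITHUB_ENV"` after `ssh-add` (assuming the Forgejo runner honours `GITHUB_ENV`), or start the agent inside the Deploy step itself. Nothing visible stops the agent or removes the key file afterwards, so on a runner that is reused between jobs the deployment key stays loaded and on disk; a final `if: always()` clean-up step would bound that. The job definition starts above this hunk, so the runner type and the workflow triggers cannot be checked from here.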
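Review bot: Adding `keys.cd` to `users.users.root.openssh.authorizedKeys.keys` gives the CI-held key an unrestricted root login on every machine that imports this module. A leaked `CD_SSH_KEY` secret, or a workflow run on untrusted changes, would therefore mean root on all of them. These entries end up as authorized_keys lines, so the key can be narrowed with a source restriction such as `''from="<runner-address>" ${keys.cd}''` (placeholder address; this assumes `keys.cd` is a plain public-key string like its neighbours). The comment would also help more if it stated the scope, e.g. `# root SSH for the CD runner (nixops4 apply); private half is the CD_SSH_KEY secret`. The enclosing attribute set begins outside the hunk, so which hosts pick this up is inferred from the `infra/common/` path only.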