diff --git a/infra/flake-part.nix b/infra/flake-part.nix
index 4eebc4ee..c849dc46 100644
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@@ -33,7 +33,7 @@ let
 {
 nixos.module.users.users.root.openssh.authorizedKeys.keys = [
 # allow our panel vm access to the test machines
- (import ../keys).systems.fedi201
+ (import ../keys).panel
 ];
 }
 ]
diff --git a/infra/machines/fedi201/fedipanel.nix b/infra/machines/fedi201/fedipanel.nix
index 15ca8916..788f4c26 100644
--- a/infra/machines/fedi201/fedipanel.nix
+++ b/infra/machines/fedi201/fedipanel.nix
@@ -1,6 +1,5 @@
 {
 config,
- pkgs,
 ...
 }:
 let
@@ -16,34 +15,20 @@ in
 defaults.email = "beheer@procolix.com";
 };
- # start SSH agent for root user
- systemd.services.ssh-agent = {
- description = "SSH Agent";
- wantedBy = [ "default.target" ];
- unitConfig.ConditionUser = "!@system";
- serviceConfig = {
- ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent";
- ExecStart = "${pkgs.openssh}/bin/ssh-agent -a %t/ssh-agent";
- StandardOutput = "null";
- Type = "forking";
- Restart = "on-failure";
- SuccessExitStatus = "0 2";
- };
- environment.DISPLAY = "fake"; # required to make ssh-agent start $SSH_ASKPASS
+ age.secrets.panel-ssh-key = {
+ owner = name;
+ group = name;
+ mode = "400";
 };
- environment.extraInit = ''
- if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then
- export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent"
- fi
- '';
+ programs.ssh.startAgent = true;
 home-manager = {
- users.root.home = {
+ users.${name}.home = {
 stateVersion = "25.05";
 file.".ssh/config" = {
 text = ''
- IdentityFile /etc/ssh/ssh_host_ed25519_key
+ IdentityFile ${config.age.secrets.panel-ssh-key.path}
 '';
 };
 };
diff --git a/keys/default.nix b/keys/default.nix
index c51049cb..6e33783b 100644
--- a/keys/default.nix
+++ b/keys/default.nix
@@ -34,4 +34,5 @@ in
 {
 contributors = collectKeys ./contributors;
 systems = collectKeys ./systems;
+ panel = removeTrailingWhitespace (readFile ./panel-ssh-key.pub);
 }
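Review bot: The new `(import ../keys).panel` entry is added to root's authorized_keys on every test machine as a bare key, so it grants an unrestricted root login to whoever holds the panel's private key; each element of `openssh.authorizedKeys.keys` is a full authorized_keys line, so it can carry options, e.g. `"restrict,from=\"<PANEL-VM-ADDRESS placeholder>\" " + (import ../keys).panel`, or a `command=` prefix if the panel only ever runs a fixed set of commands. The same replacement appears in launch/resource.nix (`keys.panel`) and should get the same treatment. Whether the panel needs a PTY or port forwarding (which `restrict` disables) is not visible in the diff, so this needs confirming against what the panel actually runs over SSH.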
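Review bot: The `.ssh/config` written for `${name}` selects the agenix-managed identity, but nothing in this hunk pins the test machines' host keys, so the panel-to-test-machine hop verifies only the client side unless known_hosts is handled elsewhere in the file; if it is not, `programs.ssh.knownHosts` populated from `keys.systems` (which appears to hold the machines' host keys, given that `keys.systems.fedi201` used to stand in for `/etc/ssh/ssh_host_ed25519_key`) would close that gap. The removed `# start SSH agent for root user` comment is not replaced; a line above `age.secrets.panel-ssh-key` such as `# private half of keys/panel-ssh-key.pub, used by the panel to reach the test machines` would explain the secret and its 0400 owner-only mode. `programs.ssh.startAgent = true;` starts a per-session agent, whereas the panel runs as a systemd system service (panel/nix/configuration.nix), so it is worth confirming the service actually sees `SSH_AUTH_SOCK`; if it does not, the `IdentityFile` line alone suffices and the agent can be dropped. The enclosing `let … in` attribute set starts outside the hunk.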
diff --git a/keys/panel-ssh-key.pub b/keys/panel-ssh-key.pub
new file mode 100644
index 00000000..3f2d09a8
--- /dev/null
+++ b/keys/panel-ssh-key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWfTPs64ImqGh3c/Y+3zqB9YVr5ApsKiS/aTLGXUTzb panel@fedi201
diff --git a/launch/resource.nix b/launch/resource.nix
index 6b03305b..7ae3f99f 100644
--- a/launch/resource.nix
+++ b/launch/resource.nix
@@ -39,6 +39,6 @@ in
 ## supports users with password-less sudo.
 users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
 # allow our panel vm access to the test machines
- keys.systems.fedi201
+ keys.panel
 ];
 }
diff --git a/panel/nix/configuration.nix b/panel/nix/configuration.nix
index 0006c14b..dc609906 100644
--- a/panel/nix/configuration.nix
+++ b/panel/nix/configuration.nix
@@ -158,6 +158,11 @@ in
 };
 };
+ users.users.${name} = {
+ isNormalUser = true;
+ group = name;
+ };
+ users.groups.${name} = { };
 systemd.services.${name} = {
 description = "${name} ASGI server";
@@ -182,7 +187,7 @@ in
 '';
 serviceConfig = {
 Restart = "always";
- User = "root";
+ User = name;
 WorkingDirectory = "/var/lib/${name}";
 StateDirectory = name;
 RuntimeDirectory = name;
diff --git a/secrets/panel-ssh-key.age b/secrets/panel-ssh-key.age
new file mode 100644
index 00000000..427d9972
Binary files /dev/null and b/secrets/panel-ssh-key.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index f2e30797..167234d4 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -28,6 +28,7 @@ concatMapAttrs
 forgejo-email-password = [ vm02116 ];
 forgejo-runner-token = [ ];
 panel-secret-key = [ fedi201 ];
+ panel-ssh-key = [ fedi201 ];
 wiki-basicauth-htpasswd = [ vm02187 ];
 wiki-password = [ vm02187 ];
 wiki-smtp-password = [ vm02187 ];
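Review bot: `users.users.${name}` is declared with `isNormalUser = true`, which places a pure service account in the interactive-user UID range with a home under /home, although its only jobs are to run the ASGI service and to hold the panel's SSH config; if nothing needs an interactive login, `isSystemUser = true;` together with an explicit `home = "/var/lib/${name}"; createHome = true;` would be the more conventional least-privilege shape (home-manager in infra/machines/fedi201/fedipanel.nix still needs a writable home to place `.ssh/config`, so `home` must not be left unset). A one-line comment above the block, e.g. `# service account for the panel; also the home-manager target for its SSH client config`, would tie the two files together for the next reader. Whether an interactive shell is relied on anywhere is not visible from the diff, so this is something to confirm before switching.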
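Review bot: Changing `User` from `"root"` to `name` changes the owner the service expects for `/var/lib/${name}`, and anything written there while the unit still ran as root stays root-owned unless systemd re-chowns the `StateDirectory` on start, which it normally does for that directory but not for paths outside it; the first deployment after this change should be checked rather than assumed, in particular the old root-owned `~/.ssh` that the previous home-manager config created. With the service no longer running as root, this `serviceConfig` is also the natural place for the usual unit hardening that was meaningless before, e.g. `NoNewPrivileges = true;`, `ProtectSystem = "strict";`, `ProtectHome = "read-only";` (read-only rather than `true`, since the `.ssh/config` the service reads lives in the user's home). The enclosing `serviceConfig` block continues outside the hunk.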