From bfa31bad071ed35f00e560dbabbe9116f1d0c8ed Mon Sep 17 00:00:00 2001
From: Kiara Grouwstra
Date: Sun, 6 Apr 2025 11:22:39 +0200
Subject: [PATCH] add ssh key to not need root user
---
 infra/flake-part.nix | 2 +-
 infra/machines/fedi201/fedipanel.nix | 29 +++++++----------------------
 keys/default.nix | 1 +
 keys/panel-ssh-key.pub | 1 +
 launch/resource.nix | 2 +-
 panel/nix/configuration.nix | 7 ++++++-
 secrets/panel-ssh-key.age | Bin 0 -> 1271 bytes
 secrets/secrets.nix | 1 +
 8 files changed, 18 insertions(+), 25 deletions(-)
 create mode 100644 keys/panel-ssh-key.pub
 create mode 100644 secrets/panel-ssh-key.age
diff --git a/infra/flake-part.nix b/infra/flake-part.nix
index 4eebc4ee..c849dc46 100644
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@@ -33,7 +33,7 @@ let
 {
 nixos.module.users.users.root.openssh.authorizedKeys.keys = [
 # allow our panel vm access to the test machines
- (import ../keys).systems.fedi201
+ (import ../keys).panel
 ];
 }
 ]
diff --git a/infra/machines/fedi201/fedipanel.nix b/infra/machines/fedi201/fedipanel.nix
index 15ca8916..788f4c26 100644
--- a/infra/machines/fedi201/fedipanel.nix
+++ b/infra/machines/fedi201/fedipanel.nix
@@ -1,6 +1,5 @@
 {
 config,
- pkgs,
 ...
 }:
 let
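Review bot: The panel's new key still lands in root's authorized_keys on the test machines via the `(import ../keys).panel` line, so removing root on the panel host does not narrow what this key can do on the managed hosts; the `keys.panel` line in launch/resource.nix has the same shape. If the panel only ever runs a fixed deployment command over SSH, the entry could carry authorized_keys options such as `"restrict,command=\"<deploy-command placeholder>\" ${(import ../keys).panel}"` instead of a bare key; if it needs an interactive root shell, a comment saying so above the key would help the next reader. The enclosing list opens before the hunk.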
@@ -16,34 +15,20 @@ in
 defaults.email = "beheer@procolix.com";
 };
- # start SSH agent for root user
- systemd.services.ssh-agent = {
- description = "SSH Agent";
- wantedBy = [ "default.target" ];
- unitConfig.ConditionUser = "!@system";
- serviceConfig = {
- ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent";
- ExecStart = "${pkgs.openssh}/bin/ssh-agent -a %t/ssh-agent";
- StandardOutput = "null";
- Type = "forking";
- Restart = "on-failure";
- SuccessExitStatus = "0 2";
- };
- environment.DISPLAY = "fake"; # required to make ssh-agent start $SSH_ASKPASS
+ age.secrets.panel-ssh-key = {
+ owner = name;
+ group = name;
+ mode = "400";
 };
- environment.extraInit = ''
- if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then
- export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent"
- fi
- '';
+ programs.ssh.startAgent = true;
 home-manager = {
- users.root.home = {
+ users.${name}.home = {
 stateVersion = "25.05";
 file.".ssh/config" = {
 text = ''
- IdentityFile /etc/ssh/ssh_host_ed25519_key
+ IdentityFile ${config.age.secrets.panel-ssh-key.path}
 '';
 };
 };
diff --git a/keys/default.nix b/keys/default.nix
index c51049cb..6e33783b 100644
--- a/keys/default.nix
+++ b/keys/default.nix
@@ -34,4 +34,5 @@ in
 {
 contributors = collectKeys ./contributors;
 systems = collectKeys ./systems;
+ panel = removeTrailingWhitespace (readFile ./panel-ssh-key.pub);
 }
diff --git a/keys/panel-ssh-key.pub b/keys/panel-ssh-key.pub
new file mode 100644
index 00000000..3f2d09a8
--- /dev/null
+++ b/keys/panel-ssh-key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWfTPs64ImqGh3c/Y+3zqB9YVr5ApsKiS/aTLGXUTzb panel@fedi201
diff --git a/launch/resource.nix b/launch/resource.nix
index 6b03305b..7ae3f99f 100644
--- a/launch/resource.nix
+++ b/launch/resource.nix
@@ -39,6 +39,6 @@ in
 ## supports users with password-less sudo.
 users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
 # allow our panel vm access to the test machines
- keys.systems.fedi201
+ keys.panel
 ];
 }
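Review bot: `programs.ssh.startAgent = true;` probably does nothing for the panel service: as far as I recall that NixOS option exports `SSH_AUTH_SOCK` through shell init plus a per-user agent unit, neither of which a system `systemd.services.${name}` picks up, and with `IdentityFile ${config.age.secrets.panel-ssh-key.path}` ssh reads the decrypted key file directly, so an agent only matters if the key has a passphrase. If it has none, drop the option; in either case add `IdentitiesOnly yes` beside the `IdentityFile` line so ssh offers only this key rather than anything an agent happens to hold. `name` is bound outside the hunk, so I could not confirm that the `owner = name` of the secret is the same account as the service's `User = name` in panel/nix/configuration.nix; the enclosing attribute set also continues past the hunk.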
diff --git a/panel/nix/configuration.nix b/panel/nix/configuration.nix index 0006c14b..dc609906 100644 --- a/panel/nix/configuration.nix +++ b/panel/nix/configuration.nix @@ -158,6 +158,11 @@ in }; }; + users.users.${name} = { + isNormalUser = true; + group = name; + }; + users.groups.${name} = { }; systemd.services.${name} = { description = "${name} ASGI server"; @@ -182,7 +187,7 @@ in ''; serviceConfig = { Restart = "always"; - User = "root"; + User = name; WorkingDirectory = "/var/lib/${name}"; StateDirectory = name; RuntimeDirectory = name; diff --git a/secrets/panel-ssh-key.age b/secrets/panel-ssh-key.age new file mode 100644 index 0000000000000000000000000000000000000000..427d9972ece0589406e2f166004b80999f86c92d GIT binary patch literal 1271 zcmZY4`)?Bk0KjpAi$DoV3=V=wI&{Bqls>QR@wDw-d+pl0Ufb(y@WWkuy*}^VyX!{q zfeLOa=+t1q7&2jGpukW<#F;H1N)%0)86dT^=QL{5#1P!z4$lPadGHKIr}A&VPf#*#R({N23wF5d&e)?RHGn_yWOIStHdJAu#~XvGs^-m*|X+FchiO{Z2wJ zIW6TxT*3-C(5R7!W`N?L!vPRQz?*BJ;bbT-J7}|8cXFw0)?Z9R3KyuxM5og({!jDa zvY>j52*aqHgvDx+s-%YfPM+6fmlI+;#B>4`6wH!{xhk;;tfL--TFGHp7DOc(^As^C z;m6{^C}B$~(Nu!V`=~Y?F9^{(n&8N(Z??3QU^OGj#BE^GR@PD+-v*^6Sm(@fkxFnj zrog&zO_bFY>?j3mVGsUaOx6UfoaYTD zlgY@^K?nsaR1wDu;fWe{$&Fy!QQ* z#oXhkm+z3&k>r)#@2@$0;A5e8G&0^W?Vk6`7Pt?Yee!MRDyO`yUtJ7(CtCHLgTcn7 z)td^#cltx09lkj8v8G|;^IG@57nG+`Td($B*BzH{u8Q?8SbDef)Y2IXJGFmyHcuSi zR4ChfTUWpK>YFn+u7{eJZ=e49;O)e>?;aSO9BtkC@Lb=ml|A;4%>6$;Gi}AOo)-_E zUmBpd=Dt~SD>QC(|K7wcS$A{ek=Z}*i4S)#3hv4U)K^yTdN}mSS$g8&sRrC~ADrWz zJ_c{zva)9ua%=M13hS9)2i};~vhB!)X>V<~xbD*4quc)uwBO&6SoWyZ*>gtTzii(e z+}qu?xMOXgW!J){zn;BYnTF2&>ip>T-q^(D$?l_|et14G^Edy3_YNH$S=%?mV)&dL z`+_>QxBW)-=@WZC{b96_(PlTTl15H5;{zK$7`{p!@8@odi~6XR=Gt{^pg1%EJi2ps zylY_oo#y==neKBp!s}m}yZ%Jii3iM+#~zG*`Df>~D_;|vmt5>>8G6*&wD7|x(5)jE Y#-4k*{g33}JKs+%zK0HfSMN&w3#6^-jQ{`u literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index f2e30797..167234d4 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
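Review bot: `isNormalUser = true;` gives the service account a login shell, a home under /home and a UID from the regular-user range, which is more than a daemon needs; the NixOS convention for a service account is `isSystemUser = true;`. Because home-manager in infra/machines/fedi201/fedipanel.nix writes `.ssh/config` into this user's home, switching needs an explicit home, e.g. `isSystemUser = true; home = "/var/lib/${name}"; createHome = true;`, which also lines up with the service's `WorkingDirectory = "/var/lib/${name}"`. If a normal user was chosen deliberately, a one-line comment above the block saying why would spare the next reviewer this question. The enclosing attribute set continues outside the hunk.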
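Review bot: Now that `User = name;` drops root for the unit, the same `serviceConfig` block is the place to add the usual systemd confinement, e.g. `NoNewPrivileges = true; ProtectSystem = "strict"; PrivateTmp = true;`, since `StateDirectory` and `RuntimeDirectory` already declare the paths the service may write. I could not tell from the hunk whether anything the ASGI server does (its listen port, paths outside /var/lib/${name}) still assumed root, so that should be checked before merging; the serviceConfig block continues outside the hunk.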
@@ -28,6 +28,7 @@ concatMapAttrs
 forgejo-email-password = [ vm02116 ];
 forgejo-runner-token = [ ];
 panel-secret-key = [ fedi201 ];
+ panel-ssh-key = [ fedi201 ];
 wiki-basicauth-htpasswd = [ vm02187 ];
 wiki-password = [ vm02187 ];
 wiki-smtp-password = [ vm02187 ];