add ssh key to not need root user

infra/flake-part.nix

@@ -33,7 +33,7 @@ let
               {
                 nixos.module.users.users.root.openssh.authorizedKeys.keys = [
                   # allow our panel vm access to the test machines
-                  (import ../keys).systems.fedi201
+                  (import ../keys).panel
                 ];
               }
             ]

infra/machines/fedi201/fedipanel.nix

@@ -1,6 +1,5 @@
 {
   config,
-  pkgs,
   ...
 }:
 let
@@ -16,34 +15,20 @@ in
     defaults.email = "beheer@procolix.com";
   };
 
-  # start SSH agent for root user
+  age.secrets.panel-ssh-key = {
-  systemd.services.ssh-agent = {
+    owner = name;
-    description = "SSH Agent";
+    group = name;
-    wantedBy = [ "default.target" ];
+    mode = "400";
-    unitConfig.ConditionUser = "!@system";
-    serviceConfig = {
-      ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent";
-      ExecStart = "${pkgs.openssh}/bin/ssh-agent -a %t/ssh-agent";
-      StandardOutput = "null";
-      Type = "forking";
-      Restart = "on-failure";
-      SuccessExitStatus = "0 2";
-    };
-    environment.DISPLAY = "fake"; # required to make ssh-agent start $SSH_ASKPASS
   };
 
-  environment.extraInit = ''
+  programs.ssh.startAgent = true;
-    if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then
-      export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent"
-    fi
-  '';
 
   home-manager = {
-    users.root.home = {
+    users.${name}.home = {
       stateVersion = "25.05";
       file.".ssh/config" = {
         text = ''
-          IdentityFile /etc/ssh/ssh_host_ed25519_key
+          IdentityFile ${config.age.secrets.panel-ssh-key.path}
         '';
       };
     };

keys/default.nix

@@ -34,4 +34,5 @@ in
 {
   contributors = collectKeys ./contributors;
   systems = collectKeys ./systems;
+  panel = removeTrailingWhitespace (readFile ./panel-ssh-key.pub);
 }

keys/panel-ssh-key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWfTPs64ImqGh3c/Y+3zqB9YVr5ApsKiS/aTLGXUTzb panel@fedi201

launch/resource.nix

@@ -39,6 +39,6 @@ in
   ## supports users with password-less sudo.
   users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
     # allow our panel vm access to the test machines
-    keys.systems.fedi201
+    keys.panel
   ];
 }

panel/nix/configuration.nix

@@ -158,6 +158,11 @@ in
       };
     };
 
+    users.users.${name} = {
+      isNormalUser = true;
+      group = name;
+    };
+
     users.groups.${name} = { };
     systemd.services.${name} = {
       description = "${name} ASGI server";
@@ -182,7 +187,7 @@ in
       '';
       serviceConfig = {
         Restart = "always";
-        User = "root";
+        User = name;
         WorkingDirectory = "/var/lib/${name}";
         StateDirectory = name;
         RuntimeDirectory = name;

secrets/secrets.nix

@@ -28,6 +28,7 @@ concatMapAttrs
       forgejo-email-password = [ vm02116 ];
       forgejo-runner-token = [ ];
       panel-secret-key = [ fedi201 ];
+      panel-ssh-key = [ fedi201 ];
       wiki-basicauth-htpasswd = [ vm02187 ];
       wiki-password = [ vm02187 ];
       wiki-smtp-password = [ vm02187 ];