From c69f1f52e01b2f58ea6289ea32547d58c4cee6d1 Mon Sep 17 00:00:00 2001
From: Kiara Grouwstra
Date: Wed, 9 Apr 2025 16:58:50 +0200
Subject: [PATCH] allow accessing test vms from fedi201, closes #286 (#297)
Reviewed-on: https://git.fediversity.eu/Fediversity/Fediversity/pulls/297
Co-authored-by: Kiara Grouwstra
Co-committed-by: Kiara Grouwstra
---
 infra/common/resource.nix | 6 +++++-
 infra/flake-part.nix | 24 ++++++++++++++++++++----
 infra/machines/fedi201/fedipanel.nix | 18 ++++++++++++++++++
 keys/default.nix | 1 +
 keys/panel-ssh-key.pub | 1 +
 panel/nix/configuration.nix | 3 +--
 secrets/panel-ssh-key.age | Bin 0 -> 1271 bytes
 secrets/secrets.nix | 1 +
 8 files changed, 47 insertions(+), 7 deletions(-)
 create mode 100644 keys/panel-ssh-key.pub
 create mode 100644 secrets/panel-ssh-key.age
diff --git a/infra/common/resource.nix b/infra/common/resource.nix
index 15b5693b..4606ddf4 100644
--- a/infra/common/resource.nix
+++ b/infra/common/resource.nix
@@ -54,6 +54,10 @@ in
 ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
 ## supports users with password-less sudo.
- users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
+ users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
+ # allow our panel vm access to the test machines
+ keys.panel
+ ];
+
 };
 }
diff --git a/infra/flake-part.nix b/infra/flake-part.nix
index 6a69278e..c849dc46 100644
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
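Review bot: The panel key is appended to root's authorized keys in infra/common/resource.nix, which the flake-part.nix hunk in this same commit imports for every VM (the `else` branch for production machines included), so the added line grants the fedi201 panel root on all machines even though its comment and the commit title describe access to the test machines only. The flake-part.nix hunk already adds the same key under the `isTestVm` branch, so the resource.nix addition looks redundant and is the one that widens scope; restoring `users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;` here would keep the grant limited to test VMs, assuming both lines land in the same `nixos.module` (resource.nix's enclosing set starts before the hunk, so I cannot confirm that). The hunk also leaves a stray empty added line before `};`.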
@@ -22,10 +22,26 @@ let
 { vmName, isTestVm }:
 {
 _module.args = { inherit inputs; };
- imports = [
- ./common/resource.nix
- (if isTestVm then ./test-machines + "/${vmName}" else ./machines + "/${vmName}")
- ];
+ imports =
+ [
+ ./common/resource.nix
+ ]
+ ++ (
+ if isTestVm then
+ [
+ ./test-machines/${vmName}
+ {
+ nixos.module.users.users.root.openssh.authorizedKeys.keys = [
+ # allow our panel vm access to the test machines
+ (import ../keys).panel
+ ];
+ }
+ ]
+ else
+ [
+ ./machines/${vmName}
+ ]
+ );
 fediversityVm.name = vmName;
 };
diff --git a/infra/machines/fedi201/fedipanel.nix b/infra/machines/fedi201/fedipanel.nix
index 4f90c473..5c4236fc 100644
--- a/infra/machines/fedi201/fedipanel.nix
+++ b/infra/machines/fedi201/fedipanel.nix
@@ -15,6 +15,24 @@ in
 defaults.email = "beheer@procolix.com";
 };
+ age.secrets.panel-ssh-key = {
+ owner = name;
+ mode = "400";
+ };
+
+ programs.ssh.startAgent = true;
+
+ home-manager = {
+ users.${name}.home = {
+ stateVersion = "25.05";
+ file.".ssh/config" = {
+ text = ''
+ IdentityFile ${config.age.secrets.panel-ssh-key.path}
+ '';
+ };
+ };
+ };
+
 services.${name} = {
 enable = true;
 production = true;
diff --git a/keys/default.nix b/keys/default.nix
index c51049cb..6e33783b 100644
--- a/keys/default.nix
+++ b/keys/default.nix
@@ -34,4 +34,5 @@ in
 {
 contributors = collectKeys ./contributors;
 systems = collectKeys ./systems;
+ panel = removeTrailingWhitespace (readFile ./panel-ssh-key.pub);
 }
diff --git a/keys/panel-ssh-key.pub b/keys/panel-ssh-key.pub
new file mode 100644
index 00000000..3f2d09a8
--- /dev/null
+++ b/keys/panel-ssh-key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWfTPs64ImqGh3c/Y+3zqB9YVr5ApsKiS/aTLGXUTzb panel@fedi201
diff --git a/panel/nix/configuration.nix b/panel/nix/configuration.nix
index 27359503..ecf06e0f 100644
--- a/panel/nix/configuration.nix
+++ b/panel/nix/configuration.nix
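Review bot: The SSH client configuration written for `${name}` in the fedipanel.nix hunk pins nothing about the test machines' host keys: the generated `.ssh/config` only sets `IdentityFile`, so the panel's first connection to each test VM either relies on trust-on-first-use or fails when run non-interactively, and a key that grants root is being used against hosts the client cannot verify. keys/default.nix already collects `systems = collectKeys ./systems`; if that holds the VMs' host keys (worth confirming), they could be declared via `programs.ssh.knownHosts` on fedi201 so the panel authenticates the hosts it is handed a root key for. `programs.ssh.startAgent = true` is also a system-wide setting that starts an agent for every user session on fedi201, not only for `${name}`; a home-manager `services.ssh-agent` scoped to that user would be narrower if the agent is needed at all, since the config already points at the key file directly. The enclosing module starts and ends outside the hunk.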
@@ -158,8 +158,7 @@ in
 };
 users.users.${name} = {
- isSystemUser = true;
- group = name;
+ isNormalUser = true;
 };
 users.groups.${name} = { };
diff --git a/secrets/panel-ssh-key.age b/secrets/panel-ssh-key.age
new file mode 100644
index 0000000000000000000000000000000000000000..427d9972ece0589406e2f166004b80999f86c92d
GIT binary patch
literal 1271
zcmZY4`)?Bk0KjpAi$DoV3=V=wI&{Bqls>QR@wDw-d+pl0Ufb(y@WWkuy*}^VyX!{q zfeLOa=+t1q7&2jGpukW<#F;H1N)%0)86dT^=QL{5#1P!z4$lPadGHKIr}A&VPf#*#R({N23wF5d&e)?RHGn_yWOIStHdJAu#~XvGs^-m*|X+FchiO{Z2wJ zIW6TxT*3-C(5R7!W`N?L!vPRQz?*BJ;bbT-J7}|8cXFw0)?Z9R3KyuxM5og({!jDa zvY>j52*aqHgvDx+s-%YfPM+6fmlI+;#B>4`6wH!{xhk;;tfL--TFGHp7DOc(^As^C z;m6{^C}B$~(Nu!V`=~Y?F9^{(n&8N(Z??3QU^OGj#BE^GR@PD+-v*^6Sm(@fkxFnj zrog&zO_bFY>?j3mVGsUaOx6UfoaYTD zlgY@^K?nsaR1wDu;fWe{$&Fy!QQ* z#oXhkm+z3&k>r)#@2@$0;A5e8G&0^W?Vk6`7Pt?Yee!MRDyO`yUtJ7(CtCHLgTcn7 z)td^#cltx09lkj8v8G|;^IG@57nG+`Td($B*BzH{u8Q?8SbDef)Y2IXJGFmyHcuSi zR4ChfTUWpK>YFn+u7{eJZ=e49;O)e>?;aSO9BtkC@Lb=ml|A;4%>6$;Gi}AOo)-_E zUmBpd=Dt~SD>QC(|K7wcS$A{ek=Z}*i4S)#3hv4U)K^yTdN}mSS$g8&sRrC~ADrWz zJ_c{zva)9ua%=M13hS9)2i};~vhB!)X>V<~xbD*4quc)uwBO&6SoWyZ*>gtTzii(e z+}qu?xMOXgW!J){zn;BYnTF2&>ip>T-q^(D$?l_|et14G^Edy3_YNH$S=%?mV)&dL z`+_>QxBW)-=@WZC{b96_(PlTTl15H5;{zK$7`{p!@8@odi~6XR=Gt{^pg1%EJi2ps zylY_oo#y==neKBp!s}m}yZ%Jii3iM+#~zG*`Df>~D_;|vmt5>>8G6*&wD7|x(5)jE Y#-4k*{g33}JKs+%zK0HfSMN&w3#6^-jQ{`u
literal 0
HcmV?d00001
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index f2e30797..167234d4 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -28,6 +28,7 @@ concatMapAttrs
 forgejo-email-password = [ vm02116 ];
 forgejo-runner-token = [ ];
 panel-secret-key = [ fedi201 ];
+ panel-ssh-key = [ fedi201 ];
 wiki-basicauth-htpasswd = [ vm02187 ];
 wiki-password = [ vm02187 ];
 wiki-smtp-password = [ vm02187 ];
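Review bot: Replacing `isSystemUser = true; group = name;` with `isNormalUser = true;` in the panel/nix/configuration.nix hunk drops the explicit primary group, so `${name}` now falls back to the NixOS default primary group for normal users (presumably `users`) while `users.groups.${name} = { };` two lines below is still declared but no longer attached to this account; any file ownership or service `Group=` that assumed the primary group is `${name}` should be checked, and keeping `group = name;` next to `isNormalUser = true;` avoids the change. Making it a normal user also gives the account a home directory and login shell, which is presumably what the home-manager block in fedipanel.nix needs, but it turns a service account into a login-capable one, so a comment such as `# normal user so home-manager can manage ~/.ssh for the panel` would record the intent. The enclosing `in { … }` extends outside the hunk.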