add ssh key to not need root user

2025-04-06 11:22:39 +02:00 · 2025-04-06 11:22:39 +02:00 · c93b46cc30
commit c93b46cc30
parent 820ae3ebb7
8 changed files with 17 additions and 23 deletions
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@ -33,7 +33,7 @@ let
              {
                nixos.module.users.users.root.openssh.authorizedKeys.keys = [
                  # allow our panel vm access to the test machines
-                  (import ../keys).systems.fedi201
+                  (import ../keys).panel
                ];
              }
            ]
--- a/infra/machines/fedi201/fedipanel.nix
+++ b/infra/machines/fedi201/fedipanel.nix
@ -16,34 +16,20 @@ in
    defaults.email = "beheer@procolix.com";
  };

-  # start SSH agent for root user
-  systemd.services.ssh-agent = {
-    description = "SSH Agent";
-    wantedBy = [ "default.target" ];
-    unitConfig.ConditionUser = "!@system";
-    serviceConfig = {
-      ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent";
-      ExecStart = "${pkgs.openssh}/bin/ssh-agent -a %t/ssh-agent";
-      StandardOutput = "null";
-      Type = "forking";
-      Restart = "on-failure";
-      SuccessExitStatus = "0 2";
-    };
-    environment.DISPLAY = "fake"; # required to make ssh-agent start $SSH_ASKPASS
+  age.secrets.panel-ssh-key = {
+    owner = name;
+    group = name;
+    mode = "400";
  };

-  environment.extraInit = ''
-    if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then
-      export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent"
-    fi
-  '';
+  programs.ssh.startAgent = true;

  home-manager = {
-    users.root.home = {
+    users.${name}.home = {
      stateVersion = "25.05";
      file.".ssh/config" = {
        text = ''
-          IdentityFile /etc/ssh/ssh_host_ed25519_key
+          IdentityFile ${config.age.secrets.panel-ssh-key.path}
        '';
      };
    };
--- a/keys/default.nix
+++ b/keys/default.nix
@ -34,4 +34,5 @@ in
 {
  contributors = collectKeys ./contributors;
  systems = collectKeys ./systems;
+  panel = removeTrailingWhitespace (readFile ./panel-ssh-key.pub);
 }
--- a/keys/panel-ssh-key.pub
+++ b/keys/panel-ssh-key.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWfTPs64ImqGh3c/Y+3zqB9YVr5ApsKiS/aTLGXUTzb panel@fedi201
--- a/launch/resource.nix
+++ b/launch/resource.nix
@ -39,6 +39,6 @@ in
  ## supports users with password-less sudo.
  users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
    # allow our panel vm access to the test machines
-    keys.systems.fedi201
+    keys.panel
  ];
 }
--- a/panel/nix/configuration.nix
+++ b/panel/nix/configuration.nix
@ -158,6 +158,11 @@ in
      };
    };

+    users.users.${name} = {
+      isNormalUser = true;
+      group = name;
+    };
+
    users.groups.${name} = { };
    systemd.services.${name} = {
      description = "${name} ASGI server";
--- a/secrets/panel-ssh-key.age
+++ b/secrets/panel-ssh-key.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -28,6 +28,7 @@ concatMapAttrs
      forgejo-email-password = [ vm02116 ];
      forgejo-runner-token = [ ];
      panel-secret-key = [ fedi201 ];
+      panel-ssh-key = [ fedi201 ];
      wiki-basicauth-htpasswd = [ vm02187 ];
      wiki-password = [ vm02187 ];
      wiki-smtp-password = [ vm02187 ];
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWfTPs64ImqGh3c/Y+3zqB9YVr5ApsKiS/aTLGXUTzb panel@fedi201`