8 changed files with 47 additions and 7 deletions
--- a/infra/common/resource.nix
+++ b/infra/common/resource.nix
@ -54,6 +54,10 @@ in

    ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
    ## supports users with password-less sudo.
-    users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
+    users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
+      # allow our panel vm access to the test machines
+      keys.panel
+    ];
+
  };
 }
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@ -22,10 +22,26 @@ let
    { vmName, isTestVm }:
    {
      _module.args = { inherit inputs; };
-      imports = [
-        ./common/resource.nix
-        (if isTestVm then ./test-machines + "/${vmName}" else ./machines + "/${vmName}")
-      ];
+      imports =
+        [
+          ./common/resource.nix
+        ]
+        ++ (
+          if isTestVm then
+            [
+              ./test-machines/${vmName}
+              {
+                nixos.module.users.users.root.openssh.authorizedKeys.keys = [
+                  # allow our panel vm access to the test machines
+                  (import ../keys).panel
+                ];
+              }
+            ]
+          else
+            [
+              ./machines/${vmName}
+            ]
+        );
      fediversityVm.name = vmName;
    };

--- a/infra/machines/fedi201/fedipanel.nix
+++ b/infra/machines/fedi201/fedipanel.nix
@ -15,6 +15,24 @@ in
    defaults.email = "beheer@procolix.com";
  };

+  age.secrets.panel-ssh-key = {
+    owner = name;
+    mode = "400";
+  };
+
+  programs.ssh.startAgent = true;
+
+  home-manager = {
+    users.${name}.home = {
+      stateVersion = "25.05";
+      file.".ssh/config" = {
+        text = ''
+          IdentityFile ${config.age.secrets.panel-ssh-key.path}
+        '';
+      };
+    };
+  };
+
  services.${name} = {
    enable = true;
    production = true;
--- a/keys/default.nix
+++ b/keys/default.nix
@ -34,4 +34,5 @@ in
 {
  contributors = collectKeys ./contributors;
  systems = collectKeys ./systems;
+  panel = removeTrailingWhitespace (readFile ./panel-ssh-key.pub);
 }
--- a/keys/panel-ssh-key.pub
+++ b/keys/panel-ssh-key.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWfTPs64ImqGh3c/Y+3zqB9YVr5ApsKiS/aTLGXUTzb panel@fedi201
--- a/panel/nix/configuration.nix
+++ b/panel/nix/configuration.nix
@ -158,8 +158,7 @@ in
    };

    users.users.${name} = {
-      isSystemUser = true;
-      group = name;
+      isNormalUser = true;
    };

    users.groups.${name} = { };
--- a/secrets/panel-ssh-key.age
+++ b/secrets/panel-ssh-key.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -28,6 +28,7 @@ concatMapAttrs
      forgejo-email-password = [ vm02116 ];
      forgejo-runner-token = [ ];
      panel-secret-key = [ fedi201 ];
+      panel-ssh-key = [ fedi201 ];
      wiki-basicauth-htpasswd = [ vm02187 ];
      wiki-password = [ vm02187 ];
      wiki-smtp-password = [ vm02187 ];
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWfTPs64ImqGh3c/Y+3zqB9YVr5ApsKiS/aTLGXUTzb panel@fedi201`