Automatically git root access to all contributors

2025-01-31 10:59:36 +01:00 · 2025-01-31 10:59:36 +01:00 · 873a1c9177
commit 873a1c9177
parent d92d5f40ae
2 changed files with 8 additions and 9 deletions
--- a/infra/common/users.nix
+++ b/infra/common/users.nix
@ -30,11 +30,4 @@
  security.sudo.wheelNeedsPassword = false;

  nix.settings.trusted-users = [ "@wheel" ];
-
-  ## FIXME: Remove direct root authentication once NixOps4 supports users with
-  ## password-less sudo.
-  users.users.root.openssh.authorizedKeys.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJg5TlS1NGCRZwMjDgBkXeFUXqooqRlM8fJdBAQ4buPg"
-  ];
 }
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@ -6,7 +6,7 @@
 }:

 let
-  inherit (builtins) mapAttrs;
+  inherit (lib) attrValues mapAttrs;
  inherit (lib.attrsets) genAttrs;

  makeResource =
@ -32,7 +32,13 @@ let
          vmmodule
          ./common
          self.nixosModules.ageSecrets
-          { fediversity.hostPublicKey = self.keys.systems.${vmid}; }
+          {
+            fediversity.hostPublicKey = self.keys.systems.${vmid};
+
+            ## FIXME: Remove direct root authentication once the NixOps4 NixOS
+            ## provider supports users with password-less sudo.
+            users.users.root.openssh.authorizedKeys.keys = attrValues self.keys.contributors;
+          }
        ];
      };
    };