authorFranck Cuny <franck@fcuny.net>2026-01-24 11:03:00 -0800
committerFranck Cuny <franck@fcuny.net>2026-01-24 11:03:00 -0800
commit3b26e1404698491591023063afc7d94b28978dbb (patch)
treeed4c4f0e313ceb3f2590ebd82d26fe74902e8ce6
parentadding a new VM for testing (diff)
downloadinfra-3b26e1404698491591023063afc7d94b28978dbb.tar.gz
ensure ssh keys for root are in the iso
-rw-r--r--machines/iso.nix1
-rw-r--r--machines/rivendell.nix2
-rw-r--r--profiles/defaults.nix12
-rw-r--r--profiles/users/root.nix8
4 files changed, 13 insertions, 10 deletions
diff --git a/machines/iso.nix b/machines/iso.nix
index 093bda2..a119287 100644
--- a/machines/iso.nix
+++ b/machines/iso.nix
@@ -6,6 +6,7 @@
"${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
../profiles/home-manager.nix
../profiles/users/admin-user.nix
+ ../profiles/users/root.nix
../profiles/users/home-manager.nix
];
diff --git a/machines/rivendell.nix b/machines/rivendell.nix
index d697734..924b46d 100644
--- a/machines/rivendell.nix
+++ b/machines/rivendell.nix
@@ -8,6 +8,7 @@
{
wgPublicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID76U5kt8DfBbuP16rMzfBTVTpjjPFKWnnheMALaCQEd";
+ ephemeralRoot = true;
age.secrets = {
wireguard.file = ../secrets/rivendell/wireguard.age;
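Review bot: `ephemeralRoot = true` here, together with the `../profiles/state.nix` import added in the next hunk, changes how this host keeps state across reboots, which is unrelated to the commit subject and would be easier to audit or revert as its own commit. The same attribute set declares `age.secrets`; if those are decrypted with the SSH host key (not visible in this hunk), the host key and any other identity files need to be on the paths that `state.nix` presumably persists, or secrets such as `wireguard.age` would fail to decrypt after a reboot. A short comment beside the flag, for example `# root is wiped on boot; persisted paths live in profiles/state.nix`, would record that dependency. The attribute set starts and ends outside the hunk.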
@@ -48,6 +49,7 @@
../profiles/remote-unlock.nix
../profiles/restic-backup.nix
../profiles/server.nix
+ ../profiles/state.nix
../profiles/users/admin-user.nix
../profiles/users/builder.nix
../profiles/users/home-manager.nix
diff --git a/profiles/defaults.nix b/profiles/defaults.nix
index 834c28d..ab11f81 100644
--- a/profiles/defaults.nix
+++ b/profiles/defaults.nix
@@ -2,7 +2,6 @@
config,
pkgs,
lib,
- adminUser,
...
}:
let
@@ -19,6 +18,7 @@ in
{
imports = [
./cgroups.nix
+ ./users/root.nix
];
boot = {
@@ -122,15 +122,7 @@ in
## disable that slow "building man-cache" step
documentation.man.generateCaches = lib.mkForce false;
- users = {
- mutableUsers = false;
- users.root.openssh.authorizedKeys.keys = with adminUser.userinfo.sshPublicKeys; [
- onepassword
- yubikey-personal-nano
- yubikey-personal-keychain
- yubikey-personal-backup
- ];
- };
+ users.mutableUsers = false;
security.sudo.wheelNeedsPassword = false;
diff --git a/profiles/users/root.nix b/profiles/users/root.nix
new file mode 100644
index 0000000..4d432a5
--- /dev/null
+++ b/profiles/users/root.nix
@@ -0,0 +1,8 @@
+{ adminUser, ... }:
+{
+ users.users.root.openssh.authorizedKeys.keys = with adminUser.userinfo.sshPublicKeys; [
+ yubikey-personal-nano
+ yubikey-personal-keychain
+ yubikey-personal-backup
+ ];
+}
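Review bot: The key list in the new `profiles/users/root.nix` omits `onepassword`, which the block removed from `profiles/defaults.nix` in this commit still authorized for root, so this is not a pure move: every host importing `defaults.nix` loses that key for root on its next rebuild. With `users.mutableUsers = false` kept in `defaults.nix`, these keys are presumably the main way in as root, so confirm no host depends on the dropped key before deploying. If restricting root to the YubiKey-named keys is intended, say so in the commit message and in a comment above the list, for example `# root: yubikey keys only; onepassword intentionally not authorized`.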