From 3b26e1404698491591023063afc7d94b28978dbb Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Sat, 24 Jan 2026 11:03:00 -0800
Subject: ensure ssh keys for root are in the iso

---
 machines/iso.nix | 1 +
 machines/rivendell.nix | 2 ++
 profiles/defaults.nix | 12 ++----------
 profiles/users/root.nix | 8 ++++++++
 4 files changed, 13 insertions(+), 10 deletions(-)
 create mode 100644 profiles/users/root.nix

diff --git a/machines/iso.nix b/machines/iso.nix
index 093bda2..a119287 100644
--- a/machines/iso.nix
+++ b/machines/iso.nix
@@ -6,6 +6,7 @@
 "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
 ../profiles/home-manager.nix
 ../profiles/users/admin-user.nix
+ ../profiles/users/root.nix
 ../profiles/users/home-manager.nix
 ];
diff --git a/machines/rivendell.nix b/machines/rivendell.nix
index d697734..924b46d 100644
--- a/machines/rivendell.nix
+++ b/machines/rivendell.nix
@@ -8,6 +8,7 @@
 {
 wgPublicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
 publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID76U5kt8DfBbuP16rMzfBTVTpjjPFKWnnheMALaCQEd";
+ ephemeralRoot = true;
 age.secrets = {
 wireguard.file = ../secrets/rivendell/wireguard.age;
@@ -48,6 +49,7 @@
 ../profiles/remote-unlock.nix
 ../profiles/restic-backup.nix
 ../profiles/server.nix
+ ../profiles/state.nix
 ../profiles/users/admin-user.nix
 ../profiles/users/builder.nix
 ../profiles/users/home-manager.nix
diff --git a/profiles/defaults.nix b/profiles/defaults.nix
index 834c28d..ab11f81 100644
--- a/profiles/defaults.nix
+++ b/profiles/defaults.nix
@@ -2,7 +2,6 @@
 config,
 pkgs,
 lib,
- adminUser,
 ...
 }:
 let
@@ -19,6 +18,7 @@ in
 {
 imports = [
 ./cgroups.nix
+ ./users/root.nix
 ];
 boot = {
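Review bot: Pulling root.nix into the ISO makes root reachable over SSH on the installer image, and nothing in this hunk pins the ISO's sshd policy to keys only; as far as I recall, the minimal installer profile enables sshd with root login permitted and leaves root with an empty initial password, so key-only access should be made explicit rather than assumed. Unless `installation-cd-minimal.nix` or another imported profile already does this in your tree, add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` alongside these imports so the key list in root.nix is the only way in. The `imports` list edited here opens before the hunk.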
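Review bot: `ephemeralRoot = true;` (together with the `../profiles/state.nix` import in the next hunk) changes how rivendell's root filesystem persists, which the subject "ensure ssh keys for root are in the iso" does not mention, so anyone bisecting a boot or login regression on this host will not find the change under that title. If the intent is that a hand-edited `/root/.ssh/authorized_keys` no longer survives a reboot and root's keys must come from the declarative list in root.nix, say so in the commit message or on this line, e.g. `# root fs is reset on boot; root's SSH keys come from profiles/users/root.nix`. What `ephemeralRoot` and state.nix actually do is not visible in this diff, so confirm the authorized keys are generated from the Nix config rather than landing in a path that state.nix discards. The attribute set this hunk edits is closed after the hunk.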
@@ -122,15 +122,7 @@ in
 ## disable that slow "building man-cache" step
 documentation.man.generateCaches = lib.mkForce false;
- users = {
- mutableUsers = false;
- users.root.openssh.authorizedKeys.keys = with adminUser.userinfo.sshPublicKeys; [
- onepassword
- yubikey-personal-nano
- yubikey-personal-keychain
- yubikey-personal-backup
- ];
- };
+ users.mutableUsers = false;
 security.sudo.wheelNeedsPassword = false;
diff --git a/profiles/users/root.nix b/profiles/users/root.nix
new file mode 100644
index 0000000..4d432a5
--- /dev/null
+++ b/profiles/users/root.nix
@@ -0,0 +1,8 @@
+{ adminUser, ... }:
+{
+ users.users.root.openssh.authorizedKeys.keys = with adminUser.userinfo.sshPublicKeys; [
+ yubikey-personal-nano
+ yubikey-personal-keychain
+ yubikey-personal-backup
+ ];
+}
-- 
cgit v1.2.3
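Review bot: This key list drops `onepassword`, which the removed block in profiles/defaults.nix granted to root next to the three YubiKey keys, so every host importing defaults.nix silently loses root login via that key while the subject only talks about the ISO. If restricting root to hardware-backed keys is intended it is a sound tightening, but it should be stated, e.g. a comment above the list: `# root accepts only hardware-backed (YubiKey) keys; the 1Password-held key is deliberately excluded`; if it is accidental, add `onepassword` back. Note also that `users.mutableUsers = false` stays in defaults.nix while the root key list now lives in this separate module, so a host that imports root.nix without defaults.nix (iso.nix may or may not, outside the visible lines) ends up with a mutable root account and these keys; worth a comment here on whether root.nix is meant to stand alone. This file is complete within the hunk.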