authorAlejandro Soto <alejandro@34project.org>2024-08-02 15:36:12 -0600
committerAlejandro Soto <alejandro@34project.org>2024-08-02 17:30:49 -0600
commitae67454d07f2e2cfe66dbfaa19b4296499171ba8 (patch)
treecff4a41f7585112fb2adc3896e4b188749d99dba
parentd16bcb693db18b8ab2508cef6400ce1219dac833 (diff)
sys/auth: support root deployment keys
Diffstat (limited to '')
-rw-r--r--sys/auth/openssh.nix27
-rw-r--r--sys/auth/ssh-key.pub1
2 files changed, 20 insertions, 8 deletions
diff --git a/sys/auth/openssh.nix b/sys/auth/openssh.nix
index 0c23c81..3bc3a78 100644
--- a/sys/auth/openssh.nix
+++ b/sys/auth/openssh.nix
@@ -18,6 +18,11 @@ in
default = false;
};
}) [ "ecdsa" "ed25519" "rsa" ]);
+
+ withDeployKeys = mkOption {
+ type = types.bool;
+ default = false;
+ };
};
config = lib.mkIf cfg.enable {
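Review bot: The new `withDeployKeys` option at the top of the hunk carries no `description`, so it shows up in the generated module documentation with no explanation of what enabling it grants, unlike the usual NixOS option convention. Because turning it on authorizes a key for root, the description should say so explicitly, e.g. `description = "Authorize the deployment public key in ./ssh-key.pub for root logins over SSH.";`. The enclosing `options` set and the `config = lib.mkIf cfg.enable {` block both continue outside this hunk.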
@@ -71,16 +76,22 @@ in
'';
};
- users.users.tunnel = mkIf cfg.tunnel.enable {
- uid = 1100;
- group = "nogroup";
- isSystemUser = true;
+ users.users = {
+ root = mkIf cfg.withDeployKeys {
+ openssh.authorizedKeys.keyFiles = [ ./ssh-key.pub ];
+ };
- # Requiere oath
- password = "tunnel";
+ tunnel = mkIf cfg.tunnel.enable {
+ uid = 1100;
+ group = "nogroup";
+ isSystemUser = true;
- home = "/var/empty";
- shell = "${pkgs.coreutils}/bin/true";
+ # Requiere oath
+ password = "tunnel";
+
+ home = "/var/empty";
+ shell = "${pkgs.coreutils}/bin/true";
+ };
};
};
}
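Review bot: The key added to `root.openssh.authorizedKeys.keyFiles` is installed with no authorized_keys restrictions, so anyone holding the matching private key gets an unrestricted root shell rather than a deployment-only channel. If the key is meant solely for deployments (for example running `nixos-rebuild` or `switch-to-configuration`), it would be safer to pin it with `restrict,command="..."` in the key file, or to use `authorizedKeys.keys` with those options inline, so that a leaked key cannot be used for arbitrary root access; whether that is acceptable here depends on how the key is actually used, which the diff does not show. This entry also only takes effect while `services.openssh.settings.PermitRootLogin` permits key-based root logins (the NixOS default `prohibit-password` does, `no` would silently neutralize the option), which deserves a comment next to the `root` attribute such as `# Requires PermitRootLogin to allow key-based root logins; has no effect if it is set to "no".`. The `users.users` set sits inside the `config = lib.mkIf cfg.enable` block, which begins before this hunk.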
diff --git a/sys/auth/ssh-key.pub b/sys/auth/ssh-key.pub
new file mode 100644
index 0000000..1bb3788
--- /dev/null
+++ b/sys/auth/ssh-key.pub
@@ -0,0 +1 @@
+# This file has been lustrated.