From ae67454d07f2e2cfe66dbfaa19b4296499171ba8 Mon Sep 17 00:00:00 2001
From: Alejandro Soto
Date: Fri, 2 Aug 2024 15:36:12 -0600
Subject: sys/auth: support root deployment keys

---
 sys/auth/openssh.nix | 27 +++++++++++++++++++--------
 sys/auth/ssh-key.pub |  1 +
 2 files changed, 20 insertions(+), 8 deletions(-)
 create mode 100644 sys/auth/ssh-key.pub

diff --git a/sys/auth/openssh.nix b/sys/auth/openssh.nix
index 0c23c81..3bc3a78 100644
--- a/sys/auth/openssh.nix
+++ b/sys/auth/openssh.nix
@@ -18,6 +18,11 @@ in
         default = false;
       };
     }) [ "ecdsa" "ed25519" "rsa" ]);
+
+    withDeployKeys = mkOption {
+      type = types.bool;
+      default = false;
+    };
   };
 
   config = lib.mkIf cfg.enable {
@@ -71,16 +76,22 @@ in
       '';
     };
 
-    users.users.tunnel = mkIf cfg.tunnel.enable {
-      uid = 1100;
-      group = "nogroup";
-      isSystemUser = true;
+    users.users = {
+      root = mkIf cfg.withDeployKeys {
+        openssh.authorizedKeys.keyFiles = [ ./ssh-key.pub ];
+      };
 
-      # Requiere oath
-      password = "tunnel";
+      tunnel = mkIf cfg.tunnel.enable {
+        uid = 1100;
+        group = "nogroup";
+        isSystemUser = true;
 
-      home = "/var/empty";
-      shell = "${pkgs.coreutils}/bin/true";
+        # Requiere oath
+        password = "tunnel";
+
+        home = "/var/empty";
+        shell = "${pkgs.coreutils}/bin/true";
+      };
     };
   };
 }
diff --git a/sys/auth/ssh-key.pub b/sys/auth/ssh-key.pub
new file mode 100644
index 0000000..1bb3788
--- /dev/null
+++ b/sys/auth/ssh-key.pub
@@ -0,0 +1 @@
+# This file has been lustrated.
-- 
cgit v1.2.3
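Review bot: The new `withDeployKeys` option carries no `description`, so nothing in the option declaration tells a reader that flipping it to `true` authorizes a public key for the root account; the sibling options in this block (cut off above the hunk) appear to follow the same terse pattern, but an option that grants root access deserves a sentence. Add `description = "Authorize the deployment public key in ./ssh-key.pub for SSH logins as root.";` inside the `mkOption` call. The enclosing `options` attribute set starts before the hunk.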
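Review bot: The `root = mkIf cfg.withDeployKeys { openssh.authorizedKeys.keyFiles = [ ./ssh-key.pub ]; }` entry makes root key access depend on the sshd `PermitRootLogin` setting, which this module does not pin; NixOS's default permits key-only root login, but if another module sets it to `no` the deploy key is silently ineffective, and if it is loosened the key is not the only root path. A one-line comment on the `root =` line, `# Requires PermitRootLogin to allow public-key login; not enforced here`, would make that coupling visible, or the module could set it explicitly alongside this option. Since the key is installed for root, consider documenting that the key line in `ssh-key.pub` may carry authorized_keys options such as `restrict` or `from=` to limit what the deployment key can do. The `config` block this sits in begins before the hunk.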