From 92abe2574d12fa3a3802e0a27e125f1ae9d8f49e Mon Sep 17 00:00:00 2001
From: steffen
Date: Sat, 14 Mar 2026 14:13:26 +0100
Subject: [PATCH] enable root SSH key-only login for deploy-rs

- Change PermitRootLogin from 'no' to 'prohibit-password' (key-only)
- Add forgejo-deploy public key to root's authorized_keys
- Revert deploy-rs user back to root (needs root for activation)

Root can only login via SSH key, password auth remains disabled.
---
 flake.nix | 3 +--
 hosts/cryodev-main/services/openssh.nix | 5 +++++
 modules/nixos/openssh/default.nix | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/flake.nix b/flake.nix
index 7a481c8..1e759b1 100644
--- a/flake.nix
+++ b/flake.nix
@@ -128,8 +128,7 @@
 "2299"
 ];
 profiles.system = {
- user = "steffen";
- sshUser = "steffen";
+ user = "root";
 path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.cryodev-main;
 };
 };
diff --git a/hosts/cryodev-main/services/openssh.nix b/hosts/cryodev-main/services/openssh.nix
index f71c084..b38495e 100644
--- a/hosts/cryodev-main/services/openssh.nix
+++ b/hosts/cryodev-main/services/openssh.nix
@@ -9,4 +9,9 @@
 ];

 services.openssh.enable = true;
+
+ # Root SSH key for deploy-rs (key-only, no password)
+ users.users.root.openssh.authorizedKeys.keyFiles = [
+ ../../../users/steffen/pubkeys/forgejo-deploy.pub
+ ];
 }
diff --git a/modules/nixos/openssh/default.nix b/modules/nixos/openssh/default.nix
index 0958445..00f05c1 100644
--- a/modules/nixos/openssh/default.nix
+++ b/modules/nixos/openssh/default.nix
@@ -9,7 +9,7 @@ in
 ports = mkDefault [ 2299 ];
 openFirewall = mkDefault true;
 settings = {
- PermitRootLogin = mkDefault "no";
+ PermitRootLogin = mkDefault "prohibit-password";
 PasswordAuthentication = mkDefault false;
 };
 };
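Review bot: Dropping `sshUser` while setting `user = "root"` does not by itself make deploy-rs connect as root; if I recall the deploy-rs profile defaults correctly, `sshUser` falls back to the local username of whoever runs the deploy, and `user` then only names the account the profile is activated as via a remote sudo. If the intent stated in the commit message is that the Forgejo runner logs in as root with the new deploy key, add `sshUser = "root";` explicitly next to `user = "root";`; otherwise the root key added in hosts/cryodev-main/services/openssh.nix and the `prohibit-password` change in modules/nixos/openssh/default.nix are never exercised, and activation depends on the runner's username having sudo on the host. The `profiles.system` set is fully inside the hunk, but the enclosing node definition starts before it.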
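Review bot: The key added to root's `authorizedKeys.keyFiles` carries no authorized_keys options, so anyone holding the forgejo-deploy private key gets an unrestricted root shell from any source address. Since this key exists only for automated deploys from the Forgejo runner, consider providing it through `users.users.root.openssh.authorizedKeys.keys` with a `from="<RUNNER-ADDRESS>"` prefix (and `restrict`, if the deploy still works without a pty and forwarding), which limits the blast radius of a leaked runner secret to that one source. The comment `# Root SSH key for deploy-rs (key-only, no password)` attributes the key-only policy to this option, whereas that is enforced by `PermitRootLogin` and `PasswordAuthentication` in the shared openssh module; `# Deploy key for deploy-rs; root login policy (key-only) is set in modules/nixos/openssh` would be more accurate.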
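Review bot: Changing the `mkDefault` value in the shared module widens root login to every host that imports modules/nixos/openssh, while cryodev-main is the only host this commit gives a root key. Because the module uses `mkDefault`, the one host that needs it can override it locally: keep `PermitRootLogin = mkDefault "no";` here and set `services.openssh.settings.PermitRootLogin = "prohibit-password";` in hosts/cryodev-main/services/openssh.nix next to the new `authorizedKeys.keyFiles` entry, so other hosts keep root login disabled by default. The enclosing `settings`/`services.openssh` attribute sets start before the hunk.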