enable root SSH key-only login for deploy-rs

- Change PermitRootLogin from 'no' to 'prohibit-password' (key-only)
- Add forgejo-deploy public key to root's authorized_keys
- Revert deploy-rs user back to root (needs root for activation)

Root can only login via SSH key, password auth remains disabled.

flake.nix

@@ -128,8 +128,7 @@
               "2299"
             ];
             profiles.system = {
-              user = "steffen";
+              user = "root";
-              sshUser = "steffen";
               path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.cryodev-main;
             };
           };

hosts/cryodev-main/services/openssh.nix

@@ -9,4 +9,9 @@
   ];
 
   services.openssh.enable = true;
+
+  # Root SSH key for deploy-rs (key-only, no password)
+  users.users.root.openssh.authorizedKeys.keyFiles = [
+    ../../../users/steffen/pubkeys/forgejo-deploy.pub
+  ];
 }

modules/nixos/openssh/default.nix

@@ -9,7 +9,7 @@ in
     ports = mkDefault [ 2299 ];
     openFirewall = mkDefault true;
     settings = {
-      PermitRootLogin = mkDefault "no";
+      PermitRootLogin = mkDefault "prohibit-password";
       PasswordAuthentication = mkDefault false;
     };
   };