From 3f07d27c78d3298ca3e7dcf651dccd93f4b25bdf Mon Sep 17 00:00:00 2001
From: steffen
Date: Sat, 14 Mar 2026 14:11:08 +0100
Subject: [PATCH 1/5] fix deploy-rs: use SSH port 2299 and user steffen instead of root

deploy-rs was configured with default port 22 and user root, but SSH runs on port 2299 and root login is disabled. Also fix ssh-keyscan in the deploy workflow to use the correct port.
---
 .forgejo/workflows/deploy.yml | 2 +-
 flake.nix | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/.forgejo/workflows/deploy.yml b/.forgejo/workflows/deploy.yml
index 3d51189..9ae1e1e 100644
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@@ -29,7 +29,7 @@ jobs:
 mkdir -p ~/.ssh
 echo "$DEPLOY_KEY" > ~/.ssh/id_ed25519
 chmod 600 ~/.ssh/id_ed25519
- ssh-keyscan -H cryodev.xyz >> ~/.ssh/known_hosts
+ ssh-keyscan -p 2299 -H cryodev.xyz >> ~/.ssh/known_hosts
 - name: Deploy with deploy-rs
 run: nix run github:serokell/deploy-rs -- -s .#cryodev-main
diff --git a/flake.nix b/flake.nix
index 0dba405..7a481c8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -123,8 +123,13 @@
 nodes = {
 cryodev-main = {
 hostname = constants.domain;
+ sshOpts = [
+ "-p"
+ "2299"
+ ];
 profiles.system = {
- user = "root";
+ user = "steffen";
+ sshUser = "steffen";
 path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.cryodev-main;
 };
 };
From 92abe2574d12fa3a3802e0a27e125f1ae9d8f49e Mon Sep 17 00:00:00 2001
From: steffen
Date: Sat, 14 Mar 2026 14:13:26 +0100
Subject: [PATCH 2/5] enable root SSH key-only login for deploy-rs

- Change PermitRootLogin from 'no' to 'prohibit-password' (key-only)
- Add forgejo-deploy public key to root's authorized_keys
- Revert deploy-rs user back to root (needs root for activation)

Root can only login via SSH key, password auth remains disabled.
---
 flake.nix | 3 +--
 hosts/cryodev-main/services/openssh.nix | 5 +++++
 modules/nixos/openssh/default.nix | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)
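Review bot: The host key for cryodev.xyz is still fetched over the network on every run by the changed `ssh-keyscan` line, so the deploy job trusts whatever key answers on port 2299 at that moment rather than the key the operator already knows; the port fix keeps the scan working but pins nothing. A fixed entry written from a repository constant or a CI secret replaces the scan, e.g. `echo "[cryodev.xyz]:2299 ssh-ed25519 <PINNED_HOST_KEY>" >> ~/.ssh/known_hosts` (placeholder for the host's actual public key), so a substituted key fails the connection instead of being accepted silently. The `[host]:port` form is needed because sshd listens on a non-default port. The enclosing `run:` block of this step starts before the hunk.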
diff --git a/flake.nix b/flake.nix
index 7a481c8..1e759b1 100644
--- a/flake.nix
+++ b/flake.nix
@@ -128,8 +128,7 @@
 "2299"
 ];
 profiles.system = {
- user = "steffen";
- sshUser = "steffen";
+ user = "root";
 path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.cryodev-main;
 };
 };
diff --git a/hosts/cryodev-main/services/openssh.nix b/hosts/cryodev-main/services/openssh.nix
index f71c084..b38495e 100644
--- a/hosts/cryodev-main/services/openssh.nix
+++ b/hosts/cryodev-main/services/openssh.nix
@@ -9,4 +9,9 @@
 ];
 services.openssh.enable = true;
+
+ # Root SSH key for deploy-rs (key-only, no password)
+ users.users.root.openssh.authorizedKeys.keyFiles = [
+ ../../../users/steffen/pubkeys/forgejo-deploy.pub
+ ];
 }
diff --git a/modules/nixos/openssh/default.nix b/modules/nixos/openssh/default.nix
index 0958445..00f05c1 100644
--- a/modules/nixos/openssh/default.nix
+++ b/modules/nixos/openssh/default.nix
@@ -9,7 +9,7 @@ in
 ports = mkDefault [ 2299 ];
 openFirewall = mkDefault true;
 settings = {
- PermitRootLogin = mkDefault "no";
+ PermitRootLogin = mkDefault "prohibit-password";
 PasswordAuthentication = mkDefault false;
 };
 };
From 402086b37410760590c0e3b5cb5db70d7694b24f Mon Sep 17 00:00:00 2001
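Review bot: Removing `sshUser` so that deploy-rs logs in directly as root (the `user = "root";` line) is what forces the PermitRootLogin relaxation later in this series; deploy-rs can instead keep `sshUser = "steffen";` next to `user = "root";` and escalate with sudo on the host, which leaves root unreachable over SSH. That route needs passwordless sudo for the deploy account (for example `security.sudo.wheelNeedsPassword = false;` or a narrower rule), so it is a trade-off rather than a free win, but it confines the exposed credential to one unprivileged account with a logged sudo step. If direct root login stays, a comment on the `user` line stating why the sudo route was rejected would record the decision the commit message only asserts.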
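Review bot: The key file added to `users.users.root.openssh.authorizedKeys.keyFiles` is accepted without any authorized_keys options, so the CI secret it pairs with grants root from anywhere that can reach port 2299. Since the key only ever needs to arrive from the deploy runner, prefixing the line in the referenced .pub file with `from="<RUNNER_ADDRESS>"` (placeholder for the runner's address or network) limits where a leaked secret can be used; a `command=` restriction is not practical here because deploy-rs runs the activation itself. The comment on the line could then say `# Root SSH key for deploy-rs (key-only, no password, source-restricted)`.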
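Review bot: Changing the `PermitRootLogin` default in the shared module widens root key login to every host that imports `modules/nixos/openssh`, while only cryodev-main needs it for the deploy key added in this series. Keeping `mkDefault "no"` here and overriding once in `hosts/cryodev-main/services/openssh.nix` with `services.openssh.settings.PermitRootLogin = "prohibit-password";` keeps the other hosts at the stricter default and places the exception next to the authorized key that requires it. A one-line comment on that override naming deploy-rs as the reason would complete the picture.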
From: steffen
Date: Sat, 14 Mar 2026 14:15:40 +0100
Subject: [PATCH 3/5] move deploy key to host config, add ralph and benjamin users

- Move forgejo-deploy pubkey from users/steffen to hosts/cryodev-main/ (deploy key belongs to the host, not a user)
- Remove deploy key from steffen's authorized keys
- Add users ralph and benjamin (pubkeys pending)
- Register both new users in cryodev-main host config
---
 .../cryodev-main/deploy-key.pub | 0
 hosts/cryodev-main/services/openssh.nix | 2 +-
 hosts/cryodev-main/users.nix | 2 ++
 users/benjamin/default.nix | 11 +++++++++++
 users/ralph/default.nix | 11 +++++++++++
 users/steffen/default.nix | 5 +----
 6 files changed, 26 insertions(+), 5 deletions(-)
 rename users/steffen/pubkeys/forgejo-deploy.pub => hosts/cryodev-main/deploy-key.pub (100%)
 create mode 100644 users/benjamin/default.nix
 create mode 100644 users/ralph/default.nix

diff --git a/users/steffen/pubkeys/forgejo-deploy.pub b/hosts/cryodev-main/deploy-key.pub
similarity index 100%
rename from users/steffen/pubkeys/forgejo-deploy.pub
rename to hosts/cryodev-main/deploy-key.pub
diff --git a/hosts/cryodev-main/services/openssh.nix b/hosts/cryodev-main/services/openssh.nix
index b38495e..db9a56a 100644
--- a/hosts/cryodev-main/services/openssh.nix
+++ b/hosts/cryodev-main/services/openssh.nix
@@ -12,6 +12,6 @@
 # Root SSH key for deploy-rs (key-only, no password)
 users.users.root.openssh.authorizedKeys.keyFiles = [
- ../../../users/steffen/pubkeys/forgejo-deploy.pub
+ ../deploy-key.pub
 ];
 }
diff --git a/hosts/cryodev-main/users.nix b/hosts/cryodev-main/users.nix
index a198c5a..2703ead 100644
--- a/hosts/cryodev-main/users.nix
+++ b/hosts/cryodev-main/users.nix
@@ -4,5 +4,7 @@
 imports = [
 outputs.nixosModules.normalUsers
 ../../users/steffen
+ ../../users/ralph
+ ../../users/benjamin
 ];
 }
diff --git a/users/benjamin/default.nix b/users/benjamin/default.nix
new file mode 100644
index 0000000..d00df64
--- /dev/null
+++ b/users/benjamin/default.nix
@@ -0,0 +1,11 @@
+{
+ normalUsers.benjamin = {
+ extraGroups = [
+ "wheel"
+ ];
+ sshKeyFiles = [
+ # TODO: Add benjamin's public key
+ # ./pubkeys/benjamin.pub
+ ];
+ };
+}
diff --git a/users/ralph/default.nix b/users/ralph/default.nix
new file mode 100644
index 0000000..f43dd0d
--- /dev/null
+++ b/users/ralph/default.nix
@@ -0,0 +1,11 @@
+{
+ normalUsers.ralph = {
+ extraGroups = [
+ "wheel"
+ ];
+ sshKeyFiles = [
+ # TODO: Add ralph's public key
+ # ./pubkeys/ralph.pub
+ ];
+ };
+}
diff --git a/users/steffen/default.nix b/users/steffen/default.nix
index f58a45f..a7503e9 100644
--- a/users/steffen/default.nix
+++ b/users/steffen/default.nix
@@ -5,9 +5,6 @@
 extraGroups = [
 "wheel"
 ];
- sshKeyFiles = [
- ./pubkeys/X670E.pub
- ./pubkeys/forgejo-deploy.pub
- ];
+ sshKeyFiles = [ ./pubkeys/X670E.pub ];
 };
 }
From 7c7eaf32affd9b65812e8b3f84ac3831a50d20e4 Mon Sep 17 00:00:00 2001
From: steffen
Date: Sat, 14 Mar 2026 14:18:05 +0100
Subject: [PATCH 4/5] remove cryotherm user from all hosts and templates

---
 hosts/cryodev-pi/users.nix | 1 -
 templates/generic-server/users.nix | 1 -
 templates/raspberry-pi/users.nix | 1 -
 users/cryotherm/default.nix | 7 -------
 4 files changed, 10 deletions(-)
 delete mode 100644 users/cryotherm/default.nix

diff --git a/hosts/cryodev-pi/users.nix b/hosts/cryodev-pi/users.nix
index 3570761..a198c5a 100644
--- a/hosts/cryodev-pi/users.nix
+++ b/hosts/cryodev-pi/users.nix
@@ -4,6 +4,5 @@
 imports = [
 outputs.nixosModules.normalUsers
 ../../users/steffen
- ../../users/cryotherm
 ];
 }
diff --git a/templates/generic-server/users.nix b/templates/generic-server/users.nix
index 3570761..a198c5a 100644
--- a/templates/generic-server/users.nix
+++ b/templates/generic-server/users.nix
@@ -4,6 +4,5 @@
 imports = [
 outputs.nixosModules.normalUsers
 ../../users/steffen
- ../../users/cryotherm
 ];
 }
diff --git a/templates/raspberry-pi/users.nix b/templates/raspberry-pi/users.nix
index 3570761..a198c5a 100644
--- a/templates/raspberry-pi/users.nix
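Review bot: `users/benjamin/default.nix` and `users/ralph/default.nix` both place an account in `wheel` while `sshKeyFiles` is empty and the key is still a TODO, so two sudo-capable accounts are created on cryodev-main before any credential for them exists. Whether that is inert depends on the normalUsers module, which is outside this series: if it assigns a password or passwordless sudo to wheel members, these are live privileged accounts with no owner able to use them yet. Leaving `extraGroups = [ ];` until the public key is committed, or deferring the two imports in `hosts/cryodev-main/users.nix`, keeps the privilege grant tied to a usable credential; a comment such as `# wheel membership deferred until a key is present` would make the intended state explicit.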
+++ b/templates/raspberry-pi/users.nix
@@ -4,6 +4,5 @@
 imports = [
 outputs.nixosModules.normalUsers
 ../../users/steffen
- ../../users/cryotherm
 ];
 }
diff --git a/users/cryotherm/default.nix b/users/cryotherm/default.nix
deleted file mode 100644
index 7de4740..0000000
--- a/users/cryotherm/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- normalUsers.cryotherm = {
- extraGroups = [ ];
- # No sshKeyFiles, so password login only (if allowed) or local access
- sshKeyFiles = [ ];
- };
-}
From 5607cad78ff1be89ae2999e6f1070ea3f40d2082 Mon Sep 17 00:00:00 2001
From: steffen
Date: Sat, 14 Mar 2026 14:20:23 +0100
Subject: [PATCH 5/5] make templates user-agnostic

Templates should not reference specific users. Users are added manually when creating a new host from the template.
---
 templates/generic-server/users.nix | 3 ++-
 templates/raspberry-pi/users.nix | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/templates/generic-server/users.nix b/templates/generic-server/users.nix
index a198c5a..12ca230 100644
--- a/templates/generic-server/users.nix
+++ b/templates/generic-server/users.nix
@@ -3,6 +3,7 @@
 {
 imports = [
 outputs.nixosModules.normalUsers
- ../../users/steffen
+ # Add users here, e.g.:
+ # ../../users/
 ];
 }
diff --git a/templates/raspberry-pi/users.nix b/templates/raspberry-pi/users.nix
index a198c5a..12ca230 100644
--- a/templates/raspberry-pi/users.nix
+++ b/templates/raspberry-pi/users.nix
@@ -3,6 +3,7 @@
 {
 imports = [
 outputs.nixosModules.normalUsers
- ../../users/steffen
+ # Add users here, e.g.:
+ # ../../users/
 ];
 }