.forgejo/workflows/deploy.yml

@@ -29,7 +29,7 @@ jobs:
           mkdir -p ~/.ssh
           echo "$DEPLOY_KEY" > ~/.ssh/id_ed25519
           chmod 600 ~/.ssh/id_ed25519
-          ssh-keyscan -p 2299 -H cryodev.xyz >> ~/.ssh/known_hosts
+          ssh-keyscan -H cryodev.xyz >> ~/.ssh/known_hosts
 
       - name: Deploy with deploy-rs
         run: nix run github:serokell/deploy-rs -- -s .#cryodev-main

flake.nix

@@ -123,10 +123,6 @@
         nodes = {
           cryodev-main = {
             hostname = constants.domain;
-            sshOpts = [
-              "-p"
-              "2299"
-            ];
             profiles.system = {
               user = "root";
               path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.cryodev-main;

hosts/cryodev-main/services/openssh.nix

@@ -9,9 +9,4 @@
   ];
 
   services.openssh.enable = true;
-
-  # Root SSH key for deploy-rs (key-only, no password)
-  users.users.root.openssh.authorizedKeys.keyFiles = [
-    ../deploy-key.pub
-  ];
 }

hosts/cryodev-main/users.nix

@@ -4,7 +4,5 @@
   imports = [
     outputs.nixosModules.normalUsers
     ../../users/steffen
-    ../../users/ralph
-    ../../users/benjamin
   ];
 }

hosts/cryodev-pi/users.nix

@@ -4,5 +4,6 @@
   imports = [
     outputs.nixosModules.normalUsers
     ../../users/steffen
+    ../../users/cryotherm
   ];
 }

modules/nixos/openssh/default.nix

@@ -9,7 +9,7 @@ in
     ports = mkDefault [ 2299 ];
     openFirewall = mkDefault true;
     settings = {
-      PermitRootLogin = mkDefault "prohibit-password";
+      PermitRootLogin = mkDefault "no";
       PasswordAuthentication = mkDefault false;
     };
   };

templates/generic-server/users.nix

@@ -3,7 +3,7 @@
 {
   imports = [
     outputs.nixosModules.normalUsers
-    # Add users here, e.g.:
+    ../../users/steffen
-    # ../../users/<username>
+    ../../users/cryotherm
   ];
 }

templates/raspberry-pi/users.nix

@@ -3,7 +3,7 @@
 {
   imports = [
     outputs.nixosModules.normalUsers
-    # Add users here, e.g.:
+    ../../users/steffen
-    # ../../users/<username>
+    ../../users/cryotherm
   ];
 }

users/benjamin/default.nix

@@ -1,11 +0,0 @@
-{
-  normalUsers.benjamin = {
-    extraGroups = [
-      "wheel"
-    ];
-    sshKeyFiles = [
-      # TODO: Add benjamin's public key
-      # ./pubkeys/benjamin.pub
-    ];
-  };
-}

users/cryotherm/default.nix

@@ -0,0 +1,7 @@
+{
+  normalUsers.cryotherm = {
+    extraGroups = [ ];
+    # No sshKeyFiles, so password login only (if allowed) or local access
+    sshKeyFiles = [ ];
+  };
+}

users/ralph/default.nix

@@ -1,11 +0,0 @@
-{
-  normalUsers.ralph = {
-    extraGroups = [
-      "wheel"
-    ];
-    sshKeyFiles = [
-      # TODO: Add ralph's public key
-      # ./pubkeys/ralph.pub
-    ];
-  };
-}

users/steffen/default.nix

@@ -5,6 +5,9 @@
     extraGroups = [
       "wheel"
     ];
-    sshKeyFiles = [ ./pubkeys/X670E.pub ];
+    sshKeyFiles = [
+      ./pubkeys/X670E.pub
+      ./pubkeys/forgejo-deploy.pub
+    ];
   };
 }