make templates user-agnostic

Templates should not reference specific users. Users are added manually when creating a new host from the template.
remove cryotherm user from all hosts and templates
2026-03-14 14:22:21 +01:00 · 2026-03-14 14:18:05 +01:00 · 2026-03-14 14:15:40 +01:00 · 2026-03-14 14:13:26 +01:00 · 2026-03-14 14:11:08 +01:00
13 changed files with 40 additions and 18 deletions
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@ -29,7 +29,7 @@ jobs:
          mkdir -p ~/.ssh
          echo "$DEPLOY_KEY" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
-          ssh-keyscan -H cryodev.xyz >> ~/.ssh/known_hosts
+          ssh-keyscan -p 2299 -H cryodev.xyz >> ~/.ssh/known_hosts

      - name: Deploy with deploy-rs
        run: nix run github:serokell/deploy-rs -- -s .#cryodev-main
--- a/flake.nix
+++ b/flake.nix
@ -123,6 +123,10 @@
        nodes = {
          cryodev-main = {
            hostname = constants.domain;
+            sshOpts = [
+              "-p"
+              "2299"
+            ];
            profiles.system = {
              user = "root";
              path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.cryodev-main;
--- a/users/steffen/pubkeys/forgejo-deploy.pub
+++ b/users/steffen/pubkeys/forgejo-deploy.pub
--- a/hosts/cryodev-main/services/openssh.nix
+++ b/hosts/cryodev-main/services/openssh.nix
@ -9,4 +9,9 @@
  ];

  services.openssh.enable = true;
+
+  # Root SSH key for deploy-rs (key-only, no password)
+  users.users.root.openssh.authorizedKeys.keyFiles = [
+    ../deploy-key.pub
+  ];
 }
--- a/hosts/cryodev-main/users.nix
+++ b/hosts/cryodev-main/users.nix
@ -4,5 +4,7 @@
  imports = [
    outputs.nixosModules.normalUsers
    ../../users/steffen
+    ../../users/ralph
+    ../../users/benjamin
  ];
 }
--- a/hosts/cryodev-pi/users.nix
+++ b/hosts/cryodev-pi/users.nix
@ -4,6 +4,5 @@
  imports = [
    outputs.nixosModules.normalUsers
    ../../users/steffen
-    ../../users/cryotherm
  ];
 }
--- a/modules/nixos/openssh/default.nix
+++ b/modules/nixos/openssh/default.nix
@ -9,7 +9,7 @@ in
    ports = mkDefault [ 2299 ];
    openFirewall = mkDefault true;
    settings = {
-      PermitRootLogin = mkDefault "no";
+      PermitRootLogin = mkDefault "prohibit-password";
      PasswordAuthentication = mkDefault false;
    };
  };
--- a/templates/generic-server/users.nix
+++ b/templates/generic-server/users.nix
@ -3,7 +3,7 @@
 {
  imports = [
    outputs.nixosModules.normalUsers
-    ../../users/steffen
-    ../../users/cryotherm
+    # Add users here, e.g.:
+    # ../../users/<username>
  ];
 }
--- a/templates/raspberry-pi/users.nix
+++ b/templates/raspberry-pi/users.nix
@ -3,7 +3,7 @@
 {
  imports = [
    outputs.nixosModules.normalUsers
-    ../../users/steffen
-    ../../users/cryotherm
+    # Add users here, e.g.:
+    # ../../users/<username>
  ];
 }
--- a/users/benjamin/default.nix
+++ b/users/benjamin/default.nix
@ -0,0 +1,11 @@
+{
+  normalUsers.benjamin = {
+    extraGroups = [
+      "wheel"
+    ];
+    sshKeyFiles = [
+      # TODO: Add benjamin's public key
+      # ./pubkeys/benjamin.pub
+    ];
+  };
+}
--- a/users/cryotherm/default.nix
+++ b/users/cryotherm/default.nix
@ -1,7 +0,0 @@
-{
-  normalUsers.cryotherm = {
-    extraGroups = [ ];
-    # No sshKeyFiles, so password login only (if allowed) or local access
-    sshKeyFiles = [ ];
-  };
-}
--- a/users/ralph/default.nix
+++ b/users/ralph/default.nix
@ -0,0 +1,11 @@
+{
+  normalUsers.ralph = {
+    extraGroups = [
+      "wheel"
+    ];
+    sshKeyFiles = [
+      # TODO: Add ralph's public key
+      # ./pubkeys/ralph.pub
+    ];
+  };
+}
--- a/users/steffen/default.nix
+++ b/users/steffen/default.nix
@ -5,9 +5,6 @@
    extraGroups = [
      "wheel"
    ];
-    sshKeyFiles = [
-      ./pubkeys/X670E.pub
-      ./pubkeys/forgejo-deploy.pub
-    ];
+    sshKeyFiles = [ ./pubkeys/X670E.pub ];
  };
 }
Author	SHA1	Message	Date
steffen	5607cad78f	make templates user-agnostic Some checks failed Deploy / flake-check (push) Successful in 40s Details Deploy / deploy-cryodev-main (push) Has been cancelled Details Deploy / create-release (push) Has been cancelled Details Deploy / build-pi-images (cryodev-pi) (push) Has been cancelled Details Templates should not reference specific users. Users are added manually when creating a new host from the template.	2026-03-14 14:22:21 +01:00
steffen	7c7eaf32af	remove cryotherm user from all hosts and templates	2026-03-14 14:18:05 +01:00
steffen	402086b374	move deploy key to host config, add ralph and benjamin users - Move forgejo-deploy pubkey from users/steffen to hosts/cryodev-main/ (deploy key belongs to the host, not a user) - Remove deploy key from steffen's authorized keys - Add users ralph and benjamin (pubkeys pending) - Register both new users in cryodev-main host config	2026-03-14 14:15:40 +01:00
steffen	92abe2574d	enable root SSH key-only login for deploy-rs - Change PermitRootLogin from 'no' to 'prohibit-password' (key-only) - Add forgejo-deploy public key to root's authorized_keys - Revert deploy-rs user back to root (needs root for activation) Root can only login via SSH key, password auth remains disabled.	2026-03-14 14:13:26 +01:00
steffen	3f07d27c78	fix deploy-rs: use SSH port 2299 and user steffen instead of root deploy-rs was configured with default port 22 and user root, but SSH runs on port 2299 and root login is disabled. Also fix ssh-keyscan in the deploy workflow to use the correct port.	2026-03-14 14:11:08 +01:00