steffen/cryodev
1
0
Fork 0
Code Issues Pull requests Projects Releases 2 Packages Wiki Activity Actions

Compare commits

base: steffen:72e53ea17fc7c3cdc4202671fbaa8f98fc9cd890
Branches Tags
steffen:main
steffen:develop
steffen:v2026-03-14-b0f78c3
steffen:v2026-03-14-33bc9f5
..
compare: steffen:5607cad78ff1be89ae2999e6f1070ea3f40d2082
Branches Tags
steffen:main
steffen:develop
steffen:v2026-03-14-b0f78c3
steffen:v2026-03-14-33bc9f5

5 commits
72e53ea17f ... 5607cad78f

Author SHA1 Message Date
steffen
5607cad78f make templates user-agnostic
Some checks failed
Deploy / flake-check (push) Successful in 40s
Details
Deploy / deploy-cryodev-main (push) Has been cancelled
Details
Deploy / create-release (push) Has been cancelled
Details
Deploy / build-pi-images (cryodev-pi) (push) Has been cancelled
Details 
Templates should not reference specific users. Users are added
manually when creating a new host from the template.
 2026-03-14 14:22:21 +01:00
steffen
7c7eaf32af remove cryotherm user from all hosts and templates 2026-03-14 14:18:05 +01:00
steffen
402086b374 move deploy key to host config, add ralph and benjamin users 
- Move forgejo-deploy pubkey from users/steffen to hosts/cryodev-main/
  (deploy key belongs to the host, not a user)
- Remove deploy key from steffen's authorized keys
- Add users ralph and benjamin (pubkeys pending)
- Register both new users in cryodev-main host config
 2026-03-14 14:15:40 +01:00
steffen
92abe2574d enable root SSH key-only login for deploy-rs 
- Change PermitRootLogin from 'no' to 'prohibit-password' (key-only)
- Add forgejo-deploy public key to root's authorized_keys
- Revert deploy-rs user back to root (needs root for activation)

Root can only login via SSH key, password auth remains disabled.
 2026-03-14 14:13:26 +01:00
steffen
3f07d27c78 fix deploy-rs: use SSH port 2299 and user steffen instead of root 
deploy-rs was configured with default port 22 and user root, but
SSH runs on port 2299 and root login is disabled. Also fix ssh-keyscan
in the deploy workflow to use the correct port.
 2026-03-14 14:11:08 +01:00
13 changed files with 40 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.forgejo/workflows/deploy.yml
View file

@ -29,7 +29,7 @@ jobs:
mkdir -p ~/.ssh mkdir -p ~/.ssh
echo "$DEPLOY_KEY" > ~/.ssh/id_ed25519 echo "$DEPLOY_KEY" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519
ssh-keyscan -H cryodev.xyz >> ~/.ssh/known_hosts ssh-keyscan -p 2299 -H cryodev.xyz >> ~/.ssh/known_hosts
- name: Deploy with deploy-rs - name: Deploy with deploy-rs
run: nix run github:serokell/deploy-rs -- -s .#cryodev-main run: nix run github:serokell/deploy-rs -- -s .#cryodev-main

4
flake.nix
View file

@ -123,6 +123,10 @@
nodes = { nodes = {
cryodev-main = { cryodev-main = {
hostname = constants.domain; hostname = constants.domain;
sshOpts = [
"-p"
"2299"
];
profiles.system = { profiles.system = {
user = "root"; user = "root";
path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.cryodev-main; path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.cryodev-main;

0
users/steffen/pubkeys/forgejo-deploy.pub → hosts/cryodev-main/deploy-key.pub
View file

5
hosts/cryodev-main/services/openssh.nix
View file

@ -9,4 +9,9 @@
]; ];
services.openssh.enable = true; services.openssh.enable = true;
# Root SSH key for deploy-rs (key-only, no password)
users.users.root.openssh.authorizedKeys.keyFiles = [
../deploy-key.pub
];
} }

2
hosts/cryodev-main/users.nix
View file

@ -4,5 +4,7 @@
imports = [ imports = [
outputs.nixosModules.normalUsers outputs.nixosModules.normalUsers
../../users/steffen ../../users/steffen
../../users/ralph
../../users/benjamin
]; ];
} }

1
hosts/cryodev-pi/users.nix
View file

@ -4,6 +4,5 @@
imports = [ imports = [
outputs.nixosModules.normalUsers outputs.nixosModules.normalUsers
../../users/steffen ../../users/steffen
../../users/cryotherm
]; ];
} }

2
modules/nixos/openssh/default.nix
View file

@ -9,7 +9,7 @@ in
ports = mkDefault [ 2299 ]; ports = mkDefault [ 2299 ];
openFirewall = mkDefault true; openFirewall = mkDefault true;
settings = { settings = {
PermitRootLogin = mkDefault "no"; PermitRootLogin = mkDefault "prohibit-password";
PasswordAuthentication = mkDefault false; PasswordAuthentication = mkDefault false;
}; };
}; };

4
templates/generic-server/users.nix
View file

@ -3,7 +3,7 @@
{ {
imports = [ imports = [
outputs.nixosModules.normalUsers outputs.nixosModules.normalUsers
../../users/steffen # Add users here, e.g.:
../../users/cryotherm # ../../users/<username>
]; ];
} }

4
templates/raspberry-pi/users.nix
View file

@ -3,7 +3,7 @@
{ {
imports = [ imports = [
outputs.nixosModules.normalUsers outputs.nixosModules.normalUsers
../../users/steffen # Add users here, e.g.:
../../users/cryotherm # ../../users/<username>
]; ];
} }

11
users/benjamin/default.nix Normal file
View file

@ -0,0 +1,11 @@
{
normalUsers.benjamin = {
extraGroups = [
"wheel"
];
sshKeyFiles = [
# TODO: Add benjamin's public key
# ./pubkeys/benjamin.pub
];
};
}

7
users/cryotherm/default.nix
View file

@ -1,7 +0,0 @@
{
normalUsers.cryotherm = {
extraGroups = [ ];
# No sshKeyFiles, so password login only (if allowed) or local access
sshKeyFiles = [ ];
};
}

11
users/ralph/default.nix Normal file
View file

@ -0,0 +1,11 @@
{
normalUsers.ralph = {
extraGroups = [
"wheel"
];
sshKeyFiles = [
# TODO: Add ralph's public key
# ./pubkeys/ralph.pub
];
};
}

5
users/steffen/default.nix
View file

@ -5,9 +5,6 @@
extraGroups = [ extraGroups = [
"wheel" "wheel"
]; ];
sshKeyFiles = [ sshKeyFiles = [ ./pubkeys/X670E.pub ];
./pubkeys/X670E.pub
./pubkeys/forgejo-deploy.pub
];
}; };
} }