feat: allow root ssh login for iso

.sops.yaml

@@ -5,6 +5,7 @@ keys:
   - &tower age1frwe9fpt9vh969aqnggvq8pfypp6hl98guwfmgttucp7gr55r42sqy2t65
   - &fw16 age19qj2aaryx869cvcqp77gs9x5hcv4dqjxunkmyre78upsxda6ss7s5vquz4
   - &floo age1hksdq2lc89thnpth49sw44f0pmkp950plrhhnttj4petvnfy04tsydz6fl
+  - &cube age15cktenavt5v7zm84se36jtly740syca5nw8em8edx404n5x2ddws8jn29g
 
 creation_rules:
   # per-host secrets
@@ -23,8 +24,13 @@ creation_rules:
       - pgp: [*matej]
         age: [*floo]
 
+  - path_regex: ^secrets/cube\.yaml$
+    key_groups:
+      - pgp: [*matej]
+        age: [*cube]
+
   # shared secrets (all hosts)
   - path_regex: ^secrets/common\.yaml$
     key_groups:
       - pgp: [*matej]
-        age: [*tower, *fw16, *floo]
+        age: [*tower, *fw16, *floo, *cube]

features/remote-base.nix

@@ -0,0 +1,12 @@
+{
+  nixos =
+    { config, user, ... }:
+    {
+      sops.secrets.user-password = {
+        sopsFile = ../secrets/common.yaml;
+        neededForUsers = true;
+      };
+
+      users.users.${user}.hashedPasswordFile = config.sops.secrets.user-password.path;
+    };
+}

flake/hosts.nix

@@ -73,6 +73,18 @@ in
       ];
     };
 
+    cube = mkHost "cube" {
+      system = "x86_64-linux";
+      user = "matej";
+      features = [
+        "openssh"
+        "localisation"
+        "shell"
+        "tailscale"
+        "remote-base"
+      ];
+    };
+
     # nix run github:nix-community/nixos-anywhere -- --flake .#floo root@<ip>
     floo = mkHost "floo" {
       system = "x86_64-linux";
@@ -82,6 +94,7 @@ in
         "localisation"
         "shell"
         "tailscale"
+        "remote-base"
       ];
     };
 

hosts/cube/configuration.nix

@@ -0,0 +1,41 @@
+{ inputs, ... }:
+{
+  imports = [ inputs.disko.nixosModules.disko ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  disko.devices.disk.main = {
+    type = "disk";
+    device = "/dev/nvme0n1";
+    content = {
+      type = "gpt";
+      partitions = {
+        esp = {
+          size = "512M";
+          type = "EF00";
+          content = {
+            type = "filesystem";
+            format = "vfat";
+            mountpoint = "/boot";
+          };
+        };
+        root = {
+          size = "100%";
+          content = {
+            type = "filesystem";
+            format = "ext4";
+            mountpoint = "/";
+          };
+        };
+      };
+    };
+  };
+
+  localisation = {
+    timeZone = "Europe/Ljubljana";
+    defaultLocale = "en_US.UTF-8";
+  };
+
+  system.stateVersion = "25.11";
+}

hosts/cube/hardware-configuration.nix

@@ -0,0 +1,31 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "ahci"
+    "nvme"
+    "usb_storage"
+    "sd_mod"
+    "sdhci_pci"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/floo/configuration.nix

@@ -26,8 +26,6 @@
     };
   };
 
-  users.users.matej.hashedPassword = "$6$59Z5NIkOYZ3eSElX$FehMGGXQlC040G8eoO42JQDScb7hI04NbdVMAkKYKqVOLTO/.MJxfk8fHypQHrCdtAs67N1bnU2s5H/3zLWhC1";
-
   localisation = {
     timeZone = "Europe/Ljubljana";
     defaultLocale = "en_US.UTF-8";

hosts/iso/configuration.nix

@@ -1,10 +1,16 @@
-_: {
+{ lib, ... }:
+{
   image.modules.iso-installer = {
     isoImage.squashfsCompression = "zstd -Xcompression-level 6";
   };
 
   # live iso: passwordless login and sudo
   users.users.matej.initialHashedPassword = "";
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQGLdINKzs+sEy62Pefng0bcedgU396+OryFgeH99/c janezicmatej"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDk00+Km03epQXQs+xEwwH3zcurACzkEH+kDOPBw6RQe openpgp:0xB095D449"
+  ];
+  services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
   security.sudo.wheelNeedsPassword = false;
 
   system.stateVersion = "25.05";

justfile

@@ -43,7 +43,20 @@ ephvm-ssh port="2222":
 
 # provision a host with nixos-anywhere
 provision host ip:
-    nix run github:nix-community/nixos-anywhere -- --flake .#{{host}} --generate-hardware-config nixos-generate-config ./hosts/{{host}}/hardware-configuration.nix root@{{ip}}
+    #!/usr/bin/env bash
+    set -euo pipefail
+    tmpdir=$(mktemp -d)
+    trap 'rm -rf "$tmpdir"' EXIT
+    install -d -m 755 "$tmpdir/etc/ssh"
+    ssh-keygen -t ed25519 -f "$tmpdir/etc/ssh/ssh_host_ed25519_key" -N ""
+    age_key=$(ssh-to-age < "$tmpdir/etc/ssh/ssh_host_ed25519_key.pub")
+    echo "age key: $age_key"
+    echo "add this key to .sops.yaml, re-encrypt secrets, then press enter to continue"
+    read -r
+    nix run github:nix-community/nixos-anywhere -- --no-reboot --flake .#{{host}} --extra-files "$tmpdir" --generate-hardware-config nixos-generate-config ./hosts/{{host}}/hardware-configuration.nix root@{{ip}}
+    echo "remove USB and press enter to reboot"
+    read -r
+    ssh root@{{ip}} reboot
 
 # deploy config to a remote host
 deploy host remote=host:

secrets/common.yaml

@@ -0,0 +1,55 @@
+user-password: ENC[AES256_GCM,data:c7y3RZSikVS32w7RTY5nBSWxDWbwNI5FhLIEoXcru5lpCUu3YqKjHNm8eMI7oeAg1VQIW/1axv0LPHM+bb7wn7SSHy49EvGyda4AU8hdVnsO9gNBul9WQy9Q6RM1PR5vW+IbX1HBFPTTOQ==,iv:oNsDzDugNq2E1CJ89BCXZ/ieCGV+evOwsOuKlKsotBg=,tag:jU8g9fIgexw2bm3E+ow3wA==,type:str]
+sops:
+    age:
+        - recipient: age1frwe9fpt9vh969aqnggvq8pfypp6hl98guwfmgttucp7gr55r42sqy2t65
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQOU9BTksxbXdjTkExRDJV
+            aFhVbUFGd1ZSeHFBL0lJRjdSRDRjcjl6ZEQ0Cjg2TFlNZENUWTh5aWNGck52TWFx
+            SC9LS0FrelFCWUI3RUZjdCs3cXF6aDQKLS0tIEwwTWkzOXgxUC9iTFgrQ0szRW8v
+            cGFMa2Rqd1VvWjU3Z2pUdExsdnJUT1EK9iQiW5qZszu65b0wEeq+9JnzzhiAS7fo
+            BmR9OWbDA4GZJBEPBJFD8KxIcO/BYFOjfW2A9PZaTsTpa50Z6+zWxw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19qj2aaryx869cvcqp77gs9x5hcv4dqjxunkmyre78upsxda6ss7s5vquz4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPczdWeTRxalA1M3R0S0Qr
+            eGdtZnJxaHllZ2lKMXJUZTN3VWhhTnU1TFRnCjM5OHoxMnEzKzdQelZEQ3ZZRFpt
+            aWRzaTg4dUc5OXpQUngrVmtSRkk1Q3MKLS0tIEZOd0FyMFRlRElWbjlHOVVkZlZP
+            eEhwRVRrcVgvQUx6bi85YWxDYjJZa28K7Hrk4fAqbjeYJfPJODvsth1p8JYbsfMf
+            a6gTckyeQWTNlE+1Tw6g18lvMP1dzIAYRPHtyzmxeCaETVMmSn7XxQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hksdq2lc89thnpth49sw44f0pmkp950plrhhnttj4petvnfy04tsydz6fl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPbUh0U1ZDc0ZOKzhxZ3Yv
+            ZHRwbzBIdVNsbEJmU0h4ZnpuTlNHSFdwRlQ0Ck1BREhlVFQ3bnVKajVlTGUzRjhN
+            cWpna25Ya1hoZG1ybFZ0REpCNTFTZmcKLS0tIG5ZQzNIWmd4a3J6YWxDQjYyY2px
+            Y085TkhubS9MSjJtMmZDakdZd2RhR3cKlGH906WAhXNDKwaWqHRoYO9bgiZau0ay
+            8ph3OLOVmrENPW3Othf17NDRet/nATFYZghBU/CI5CvZjr9n9SDYMg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age15cktenavt5v7zm84se36jtly740syca5nw8em8edx404n5x2ddws8jn29g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwRG5zRkxOT0RyeXVpTDJu
+            TSt2SFFtSlFrSTk1YUZBMnAxTEM3dnFnQkFrClA0cnVpMkdsQWxCakNEZm16OEVG
+            dHFIUDA3TDJLdytySEJJMSsrMGZHcTgKLS0tIHhvdWNXaUthbDJqMWVYeWxuOGpL
+            L0lEZ3FVbmlOcndGUXUybXA4RDA2alUKQo5ctVmARPNY0POf2Ft6AxjwIN1N06C7
+            ft4YX+B4D61tUZ+uvFqHzmKsNpvDdoV81zxvGnnCnv0nSXwNghPFxw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-29T23:11:10Z"
+    mac: ENC[AES256_GCM,data:XY5wElDn+YD4UHSIGd9Ru8ob39gJVE8VE5gqJJkmzF/xERXp7re/d/6RXxoYDgYS0qUnn8c2VFzJxCvakmV/lPLA8YulFk/ZDysEVn+U3CbfTIkjXcJzewJNz0N+hQKeVaCzPfWeB5oaGtB8bjxOg+GYz2TmSvEAT+kO1U/4Klg=,iv:QOlZ4O+eqvOS9/guc+RmWgVDgPzskb4WIlzyT/14MVM=,tag:ziJE9Yytlr680EpSnBGmdQ==,type:str]
+    pgp:
+        - created_at: "2026-03-29T23:25:01Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DPaEEpDtHdk8SAQdAPlvxgVq9o2boPPXWWwV6X3TjHZEl3lm9OcOj7lbsQxsw
+            5PTrX1rIV73XbRQUdFlnoYpUAwxh3UPULyA4+19fvCooC3L0FxA8e4wTiAdw6SKE
+            0l4BImy4sTiM8hNHXqB6u4rj3LbykCjesQve5C3fut62RV8x4cqUJHAB/aumQINT
+            QRXErylKmqo3h7ReRrCm2oOELauv4JFKNPi/cTE0MNh1+w9JxjoASoBufozDOxe4
+            =vIK+
+            -----END PGP MESSAGE-----
+          fp: AF349EECC849D87B790E88FF6318FFB7DB374B7D
+    unencrypted_suffix: _unencrypted
+    version: 3.12.1