From 165c4645bfaf4134ae381735d8fac02c312f4cc1 Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Sat, 30 Sep 2023 23:18:14 +0100
Subject: [PATCH] feat: move off of using root for deployment

---
 applications/ldap/client.nix | 5 +++++
 machines/agentjones.nix | 2 +-
 machines/earth.nix | 2 +-
 machines/galatea.nix | 2 +-
 machines/gir.nix | 2 +-
 machines/glados.nix | 2 +-
 machines/kitt.nix | 2 +-
 machines/neuromancer.nix | 2 +-
 machines/optimus.nix | 2 +-
 machines/retired/ash.nix | 2 +-
 machines/skynet.nix | 2 +-
 machines/vendetta.nix | 2 +-
 machines/vigil.nix | 2 +-
 machines/wheatly.nix | 2 +-
 14 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/applications/ldap/client.nix b/applications/ldap/client.nix
index d172b42..32ce8da 100644
--- a/applications/ldap/client.nix
+++ b/applications/ldap/client.nix
@@ -69,6 +69,11 @@ in {
 }
 ];
+ nix.settings.trusted-users = [
+ "root"
+ "@skynet-admins-linux"
+ ];
+ # give users a home dir
 security.pam.services.sshd.makeHomeDir = true;
diff --git a/machines/agentjones.nix b/machines/agentjones.nix
index 3276335..f3f9e2e 100644
--- a/machines/agentjones.nix
+++ b/machines/agentjones.nix
@@ -27,7 +27,7 @@ in {
 deployment = {
 targetHost = hostname;
 targetPort = 22;
- targetUser = "root";
+ targetUser = null;
 # somehow ssh from runner to this fails
 tags = ["active-firewall"];
diff --git a/machines/earth.nix b/machines/earth.nix
index 577a772..e8c2f9d 100644
--- a/machines/earth.nix
+++ b/machines/earth.nix
@@ -26,7 +26,7 @@ in {
 deployment = {
 targetHost = ip_pub;
 targetPort = 22;
- targetUser = "root";
+ targetUser = null;
 tags = ["active-core"];
 };
diff --git a/machines/galatea.nix b/machines/galatea.nix
index 6500e7f..f82217c 100644
--- a/machines/galatea.nix
+++ b/machines/galatea.nix
@@ -27,7 +27,7 @@ in {
 deployment = {
 targetHost = hostname;
 targetPort = 22;
- targetUser = "root";
+ targetUser = null;
 tags = ["active"];
 };
diff --git a/machines/gir.nix b/machines/gir.nix
index a30ecb6..ebb17e2 100644
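Review bot: The new `nix.settings.trusted-users` list in applications/ldap/client.nix grants root-equivalent rights, not just deploy rights — the Nix manual warns that a trusted user can import unsigned NARs and set arbitrary substituters and sandbox options, which is effectively root — so every member of the LDAP group `skynet-admins-linux` becomes root-equivalent on every host that imports this module, and the effective control point is whoever can edit that group in LDAP. That is presumably intended (a non-root deployer needs it to push closures to the daemon), but nothing at the site records the consequence; I would add `# trusted-users is root-equivalent (unsigned NARs, arbitrary substituters): keep this LDAP group limited to people who may already be root on every LDAP client host` above the list. It is also worth confirming that membership of that group is maintained as tightly as root access is, or using a dedicated deployer group rather than the general admins group. The enclosing module attrset continues outside the hunk.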
--- a/machines/gir.nix
+++ b/machines/gir.nix
@@ -27,7 +27,7 @@ in {
 deployment = {
 targetHost = hostname;
 targetPort = 22;
- targetUser = "root";
+ targetUser = null;
 tags = ["active-core"];
 };
diff --git a/machines/glados.nix b/machines/glados.nix
index bf63cd5..d1e7d2c 100644
--- a/machines/glados.nix
+++ b/machines/glados.nix
@@ -27,7 +27,7 @@ in {
 deployment = {
 targetHost = hostname;
 targetPort = 22;
- targetUser = "root";
+ targetUser = null;
 tags = ["active-gitlab"];
 };
diff --git a/machines/kitt.nix b/machines/kitt.nix
index aa7efcd..da699d3 100644
--- a/machines/kitt.nix
+++ b/machines/kitt.nix
@@ -28,7 +28,7 @@ in {
 deployment = {
 targetHost = hostname;
 targetPort = 22;
- targetUser = "root";
+ targetUser = null;
 tags = ["active-core"];
 };
diff --git a/machines/neuromancer.nix b/machines/neuromancer.nix
index 59521bd..abfc3e5 100644
--- a/machines/neuromancer.nix
+++ b/machines/neuromancer.nix
@@ -37,7 +37,7 @@ in {
 deployment = {
 targetHost = hostname;
 targetPort = 22;
- targetUser = "root";
+ targetUser = null;
 tags = ["active-core"];
 };
diff --git a/machines/optimus.nix b/machines/optimus.nix
index 9a3e598..095c55c 100644
--- a/machines/optimus.nix
+++ b/machines/optimus.nix
@@ -27,7 +27,7 @@ in {
 deployment = {
 targetHost = hostname;
 targetPort = 22;
- targetUser = "root";
+ targetUser = null;
 tags = ["active"];
 };
diff --git a/machines/retired/ash.nix b/machines/retired/ash.nix
index bbb04e5..ca2384b 100644
--- a/machines/retired/ash.nix
+++ b/machines/retired/ash.nix
@@ -30,7 +30,7 @@ in {
 deployment = {
 targetHost = hostname;
 targetPort = 22;
- targetUser = "root";
+ targetUser = null;
 };
 # these two are to be able to add the rules for firewall and dns
diff --git a/machines/skynet.nix b/machines/skynet.nix
index db34510..250f069 100644
--- a/machines/skynet.nix
+++ b/machines/skynet.nix
@@ -28,7 +28,7 @@ in {
 deployment = {
 targetHost = ip_pub;
 targetPort = 22;
- targetUser = "root";
+ targetUser = null;
 # this one is manually deployed
 tags = ["active-ext"];
diff --git a/machines/vendetta.nix b/machines/vendetta.nix
index c1ddcb5..eb594ab 100644
--- a/machines/vendetta.nix
+++ b/machines/vendetta.nix
@@ -27,7 +27,7 @@ in {
 deployment = {
 targetHost = ip_pub;
 targetPort = 22;
- targetUser = "root";
+ targetUser = null;
 tags = ["active-dns" "dns"];
 };
diff --git a/machines/vigil.nix b/machines/vigil.nix
index 4d5c9dd..e3c811c 100644
--- a/machines/vigil.nix
+++ b/machines/vigil.nix
@@ -24,7 +24,7 @@ in {
 deployment = {
 targetHost = ip_pub;
 targetPort = 22;
- targetUser = "root";
+ targetUser = null;
 tags = ["active-dns" "dns"];
 };
diff --git a/machines/wheatly.nix b/machines/wheatly.nix
index a787be0..02eabce 100644
--- a/machines/wheatly.nix
+++ b/machines/wheatly.nix
@@ -26,7 +26,7 @@ in {
 deployment = {
 targetHost = hostname;
 targetPort = 22;
- targetUser = "root";
+ targetUser = null;
 tags = ["active-gitlab"];
 };
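Review bot: Every `targetUser = null;` line in the machines/*.nix hunks (wheatly.nix here, and the same line in each other machine file) stops the deploy tool from logging in as root, but nothing in the patch removes root's ability to log in over SSH or grants the non-root deployer a way to escalate on the target, so the hardening is only half done: root SSH login presumably still works on these hosts, and activation as a non-root user will need a sudo/wheel grant for the deploying user (or for the `@skynet-admins-linux` group that the same commit makes a Nix trusted user) — neither appears in the diff. I would make the intent explicit next to the setting, `# null = connect as the invoking user; that user must be able to sudo on the target (root SSH login still to be disabled separately)`, and follow up with a `services.openssh.settings.PermitRootLogin = "no";` (or "prohibit-password") change once the non-root path is confirmed on every host, given the `# this one is manually deployed` and `# somehow ssh from runner to this fails` remarks suggest not all hosts are exercised by the runner. In the skynet.nix hunk the enclosing `deployment = { ... }` attrset closes outside the hunk.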