BUILD: Add sudo password to catcolab account

jmoggr · jmoggr · commit e2bc95f8965b · 2026-02-04T21:06:45.000-05:00
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -503,7 +503,7 @@ jobs:
 
     - name: Deploy to catcolab-next
       run: |
-       nix run github:serokell/deploy-rs -- --skip-checks .#catcolab-next
+       nix run github:serokell/deploy-rs -- --skip-checks .#catcolab-next-ci
 
     - name: Verify deployment
       run: |
diff --git a/flake.nix b/flake.nix
@@ -330,6 +330,7 @@
           profiles.system = {
             sshUser = "catcolab";
             user = "root";
+            interactiveSudo = true;
             path = deploy-rs.lib.${linuxSystem}.activate.nixos self.nixosConfigurations.catcolab;
           };
         };
@@ -338,6 +339,14 @@
           profiles.system = {
             sshUser = "catcolab";
             user = "root";
+            interactiveSudo = true;
+            path = deploy-rs.lib.${linuxSystem}.activate.nixos self.nixosConfigurations.catcolab-next;
+          };
+        };
+        catcolab-next-ci = {
+          hostname = "backend-next.catcolab.org";
+          profiles.system = {
+            sshUser = "root";
             path = deploy-rs.lib.${linuxSystem}.activate.nixos self.nixosConfigurations.catcolab-next;
           };
         };
@@ -349,9 +358,8 @@
               "-p"
               "2221"
             ];
-            sshUser = "catcolab";
+            sshUser = "root";
             path = deploy-rs.lib.${linuxSystem}.activate.nixos self.nixosConfigurations.catcolab-vm;
-            user = "root";
           };
         };
       };
diff --git a/infrastructure/hosts/catcolab-next/default.nix b/infrastructure/hosts/catcolab-next/default.nix
@@ -48,6 +48,7 @@ in
         catcolab-next-deployuser
         kasbah
       ];
+      sudoPasswordHash = "$y$j9T$Gvhb3z8dNG2Gzk5STLY2q0$w8hilnb9bC2aNuH8Vx4FpgRzotKpFJeF2oFQ24MGMK8";
       backup = {
         enable = true;
         rcloneConfigFile = config.age.secrets.rcloneConf.path;
diff --git a/infrastructure/hosts/catcolab-vm/default.nix b/infrastructure/hosts/catcolab-vm/default.nix
@@ -30,6 +30,7 @@
     environmentFile = /etc/catcolab/catcolab-secrets.env;
     host = {
       enable = true;
+      sudoPasswordHash = "$y$j9T$Gvhb3z8dNG2Gzk5STLY2q0$w8hilnb9bC2aNuH8Vx4FpgRzotKpFJeF2oFQ24MGMK8";
       userKeys = [
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMiaHaeJ5PQL0mka/lY1yGXIs/bDK85uY1O3mLySnwHd j@jmoggr.com"
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1K/FB6dCjo1/xfddi9VoHEGchFo/bcz6v7SC7wAuFQ kaspar@topos"
diff --git a/infrastructure/hosts/catcolab/default.nix b/infrastructure/hosts/catcolab/default.nix
@@ -43,6 +43,7 @@ in
         jmoggr
         kasbah
       ];
+      sudoPasswordHash = "$y$j9T$Gvhb3z8dNG2Gzk5STLY2q0$w8hilnb9bC2aNuH8Vx4FpgRzotKpFJeF2oFQ24MGMK8";
       backup = {
         enable = true;
         rcloneConfigFile = config.age.secrets.rcloneConf.path;
diff --git a/infrastructure/modules/catcolab/host.nix b/infrastructure/modules/catcolab/host.nix
@@ -17,6 +17,15 @@ with lib;
       description = "SSH public keys to access the catcolab user.";
       default = [ ];
     };
+    sudoPasswordHash = mkOption {
+      type = types.str;
+      description = "Hashed password for sudo authentication. Generate with: mkpasswd";
+    };
+    rootKeys = mkOption {
+      type = types.listOf types.str;
+      description = "SSH public keys for root access only (e.g., for CI deployment).";
+      default = [ ];
+    };
   };
 
   config = lib.mkIf config.catcolab.host.enable {
@@ -26,20 +35,23 @@ with lib;
           isNormalUser = true;
           extraGroups = [ "wheel" ];
           openssh.authorizedKeys.keys = config.catcolab.host.userKeys;
+          hashedPassword = config.catcolab.host.sudoPasswordHash;
         };
-        # TODO: root access can be dropped after the next prod deploy
-        root.openssh.authorizedKeys.keys = config.catcolab.host.userKeys;
+
+        # Need to access root for deploying to bypass sudo password. The root user should not generally
+        # not be used directly.
+        root.openssh.authorizedKeys.keys = config.catcolab.host.userKeys ++ config.catcolab.host.rootKeys;
       };
 
       groups.catcolab = { };
       mutableUsers = false;
     };
 
-    security.sudo = {
-      wheelNeedsPassword = false;
+    services.openssh = {
+      enable = true;
+      settings.PasswordAuthentication = false;
     };
 
-    services.openssh.enable = true;
     nix = {
       settings.trusted-users = [
         "catcolab"
