From a9fd6e10f39878f4a17156d1e77b5188458f1455 Mon Sep 17 00:00:00 2001
From: prescientmoon
Date: Thu, 13 Jun 2024 15:50:52 +0200
Subject: [PATCH] Allow guacamole to ssh into `lapetus`
---
 hosts/nixos/common/global/services/openssh.nix | 9 +++------
 hosts/nixos/lapetus/services/guacamole/default.nix | 3 +++
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/hosts/nixos/common/global/services/openssh.nix b/hosts/nixos/common/global/services/openssh.nix
index b8fe378..150e379 100644
--- a/hosts/nixos/common/global/services/openssh.nix
+++ b/hosts/nixos/common/global/services/openssh.nix
@@ -16,11 +16,8 @@ in
 enable = true;
 settings = {
- # Forbid root login through SSH.
- PermitRootLogin = "no";
-
- # Use keys only. Remove if you want to SSH using password (not recommended)
- PasswordAuthentication = false;
+ PermitRootLogin = "no"; # Forbid root login through SSH.
+ PasswordAuthentication = false; # Use keys only.
 };
 # Automatically remove stale sockets
@@ -38,8 +35,8 @@ in
 ];
 };
- # Passwordless sudo when SSH'ing with keys
 # TODO: is this safe? Can we ssh back and gain root access this way?
+ # Passwordless sudo when SSH'ing with keys
 # security.pam.enableSSHAgentAuth = true;
 # SSH on slow connections
diff --git a/hosts/nixos/lapetus/services/guacamole/default.nix b/hosts/nixos/lapetus/services/guacamole/default.nix
index 7e8e5ca..c51b4f8 100644
--- a/hosts/nixos/lapetus/services/guacamole/default.nix
+++ b/hosts/nixos/lapetus/services/guacamole/default.nix
@@ -11,4 +11,7 @@
 services.guacamole-client = {
 enable = true;
 };
+
+ # Allow ssh-ing using the provided key
+ users.users.pilot.openssh.authorizedKeys.keyFiles = [ ./ed25519.pub ];
 }
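Review bot: The shortened comment on `PasswordAuthentication = false; # Use keys only.` in the first openssh.nix hunk promises more than that option alone delivers, because sshd can still ask for a password through keyboard-interactive (PAM) authentication unless that is turned off too. The `settings` block shown here sets nothing for it, so unless another module does (not visible in this patch), add `KbdInteractiveAuthentication = false; # Also block PAM password prompts.` beside it. The enclosing `services.openssh` attribute set starts and ends outside the hunk.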
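Review bot: The key authorized by `users.users.pilot.openssh.authorizedKeys.keyFiles = [ ./ed25519.pub ];` is accepted from any source address and gives a full shell as `pilot`, while the stated purpose is only to let the Guacamole service on this host connect. If guacd reaches sshd over loopback (an assumption, not visible here), scope the entry with an authorized_keys option, e.g. `users.users.pilot.openssh.authorizedKeys.keys = [ ''from="127.0.0.1,::1" ssh-ed25519 <PUBLIC_KEY_PLACEHOLDER>'' ];`, or put the same `from=` prefix inside `./ed25519.pub`. The comment should also record where the matching private key is stored and which account can read it, since possession of that key is equivalent to a login as `pilot`. If `pilot` has sudo rights, the TODO in openssh.nix about passwordless sudo over SSH needs an answer before `security.pam.enableSSHAgentAuth` is ever uncommented. The enclosing attribute set starts outside the hunk.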