Add zima authorized key

hosts/zima/configuration.nix

@@ -86,6 +86,10 @@
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
   sops.secrets.hashedPassword.neededForUsers = true;
 
+  users.users."root".openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtgW+cxPjo70k6dkYPqzP0FR5G9zvbArp/85ZHRrMRL syncoid@cryochamber"
+  ];
+
   # Define a user account. Don't forget to set a password with ‘passwd’.
   users.users.hunner = {
     uid = 1000;
@@ -169,60 +173,12 @@
     };
   };
 
-  users.users.backup = {
-    uid = 1001;
-    isNormalUser = true;
-    description = "Backup replication user";
-    shell = pkgs.bash;
-    packages = with pkgs; [
-      sanoid
-    ];
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtgW+cxPjo70k6dkYPqzP0FR5G9zvbArp/85ZHRrMRL backup@cryochamber"
-    ];
-  };
-  #services.syncoid = {
-  #  enable = true;
-  #  user = "backup";
-  #  sshKey = "/var/lib/syncoid/.ssh/id_ed25519";
-  #  commonArgs = [
-  #    #"--sshoption=StrictHostKeyChecking=off"
-  #    "--sshoption=UserKnownHostsFile=/var/lib/syncoid/.ssh/known_hosts"
-  #    "--sshoption=IdentitiesOnly=yes"
-  #    "--no-sync-snap"
-  #  ];
-  #  commands."backup-zima-bitrot" = {
-  #    source = "bitrot";
-  #    target = "root@cryochamber:tank/backups/zima/bitrot";
-  #    recursive = true;
-  #  };
-  #  commands."backup-zima-rpool-safe" = {
-  #    source = "rpool/safe";
-  #    target = "root@cryochamber:tank/backups/zima/rpool-safe";
-  #    recursive = true;
-  #  };
-  #};
-  # This was needed when trying to get the backup user to work instead of using
-  # root; probably not needed now
-  #systemd.services.syncoid-backup-zima-bitrot.serviceConfig = {
-  #  Environment = [
-  #    "HOME=/var/lib/syncoid"
-  #    "SSH_AUTH_SOCK="
-  #  ];
-  #  ExecStartPre = [
-  #    "+${pkgs.coreutils}/bin/mkdir -p /var/lib/syncoid/.ssh"
-  #    "+${pkgs.coreutils}/bin/cp /home/backup/.ssh/id_ed25519 /var/lib/syncoid/.ssh/"
-  #    "+${pkgs.coreutils}/bin/cp /home/backup/.ssh/known_hosts /var/lib/syncoid/.ssh/"
-  #    "+${pkgs.coreutils}/bin/chown -R backup:syncoid /var/lib/syncoid/.ssh"
-  #    "+${pkgs.coreutils}/bin/chmod 700 /var/lib/syncoid/.ssh"
-  #    "+${pkgs.coreutils}/bin/chmod 600 /var/lib/syncoid/.ssh/id_ed25519"
-  #  ];
-  #};
 
   services.tailscale.enable = true;
 
   # Enable the OpenSSH daemon.
   services.openssh.enable = true;
+  services.openssh.settings.PermitRootLogin = "prohibit-password";
   services.openssh.settings.Macs = [
     "hmac-sha2-256"
     "hmac-sha2-512-etm@openssh.com"

hosts/zima/secrets/config.yaml

@@ -19,7 +19,7 @@ sops:
             L0hXK1ZSY292dTRDU0Z2NGlJNHhpb2cK76bGG3yJD8ORZFPvW/WAlHLi9mt2A8+Q
             /uOs6FBcubW6MGiC50OlSAI19yvg7BYqqWRFI+XEkXjxbLlwhWy1RA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-21T01:32:03Z"
-    mac: ENC[AES256_GCM,data:PezvH3WCehALUH3QEvIu21hJX5xyjnuGIvZAtVbEhDeD1JdO+lXSFVyH2gWjNWSgrDiDEKXMKtdl0Q+5eXJPpqHjNHIh0lDLePG0JSMZWdOz/F7uuiXqqeA7b4Plrf28PniqA4+c2PURhp5UggW6Tb2mBmVgwtsSuVH7kPnted8=,iv:59HIfn640uI6YvRwJ5WCY9QiJLvMnrdVnjpsCTG000k=,tag:3rZ4sm9cwc/n9cK/SOnMLw==,type:str]
+    lastmodified: "2025-12-30T06:33:44Z"
+    mac: ENC[AES256_GCM,data:pmop5GVM3saheiCWbXD58hpW9uy3cbwJPTjESqw0w6L54+OjGdOKZF/k86nPIP+DGGRnMjG3DF2GiMkZz4C8/Tx6mM9Fo9eSPOKgV2ZFkf5ws08fJH2Vubvh7wvJ1ReFthz5/RIhvpgAwMYNB594KwlbTriPLJSuq1litUAfDZw=,iv:GQ/rHlk3qrUVK/CumLnkY6EB3AkC7wTgQnB42GeGiZU=,tag:mBtBndRXUTED8Gk4X2324Q==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0