From db0b1c388340fb13d630e473f346fcf7b0c808ba Mon Sep 17 00:00:00 2001
From: Emile Clark-Boman
Date: Thu, 24 Jul 2025 13:41:54 +1000
Subject: [PATCH] Permit sudo via pam_ssh_agent_auth module
---
 hosts/hyrule/default.nix | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/hosts/hyrule/default.nix b/hosts/hyrule/default.nix
index 3cc73c2..85dad4f 100755
--- a/hosts/hyrule/default.nix
+++ b/hosts/hyrule/default.nix
@@ -83,8 +83,8 @@ in {
 isNormalUser = true;
 extraGroups = ["wheel"];
 shell = pkgs.bash;
- home = "/home/ae"; # TEMP: remove and replace with home-manager
- packages = with pkgs; [
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCsUZY45rgezi+8iROdcR5vPeacJ2fbMjlDijfUrH9hRX2FzCsg/4e3aFKhi2seZMmyTfbstxmDrrH8paUS5TibFgLFBGNngaF3CTjg85i5pm25Hr4IVo31oziBnTWaG6j3buYKtz5e1qSPzXywinJR+5+FCUJU7Fxa+EWTZcOX4wYgArSj4q73rZmvk5N0X44Mudt4nvpD2chvxygsdTzD6ph92qCuaJ/AbfmOoC7b/xvOaOVydUfgDLpHi9VZbd3akvvKxRfW6ZklldgXEzPXKMuastN0mwcBxvIb5G1Vkj8jtSVtKPc5psZ9/NWA5l38xH4qZ6z7eib6thtEMdtcKmTZEEWDADjqTea5Gj61c1n18cr6f3Tff+0bn/cxsl4Y0esi+aDeuCXYiIYNmeKBx0ttDNIxpk4J5Fdh6Xs+AZif5lnJErtu8TPy2aC0bc9wehTjMyvilTHfyerOD1ZJXhN2XwRVDGN7t7leAJZISJlPjqTDcw3Vfvzte/5JqS+FR+hbpG4uz2ix8kUa20u5YF2oSdGl8+zsdozVsdQm10Iv9WSXBV7t4m+oyodgtfzydBpmXq7aBXudCiEKw+7TC7F+1a4YFrVrCNXKFgKUpd1MiVLl7DIbzm5U9MD2BB3Fy7BPCzr3tW6/ExOhhpBWY+HnzVGQfkNr7dRcqfipKw== ae@imbored.dev"
 ];
 };
@@ -107,7 +107,6 @@ in {
 ae = import ../../homes/ae;
 subspace = import ../../homes/subspace;
 };
- sharedModules = [];
 };
 services = {
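Review bot: The entry added to `openssh.authorizedKeys.keys` carries no comment about what it authorises, and with the sudo change in the last hunk of this patch it presumably becomes a root credential as well as a login key. As far as I know, NixOS points pam_ssh_agent_auth at `/etc/ssh/authorized_keys.d/%u` by default, which is where this list is written; confirm that against the nixpkgs revision in use. I would put a comment above the entry, for example `# login key for this user; also accepted for sudo via pam_ssh_agent_auth, so any key added here is root-equivalent`, so that a later edit to the list is reviewed as a privilege change. The user attribute set this belongs to opens above the hunk, so the account name is not visible here.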
@@ -412,11 +411,17 @@ in {
 };
 };
 };
- # accept Lets Encrypt's security policy (for nginx)
- security.acme = {
- acceptTerms = true;
- # TODO: change this to me@imbored.dev
- defaults.email = "eclarkboman@gmail.com";
+ security = {
+ # accept Lets Encrypt's security policy (for nginx)
+ acme = {
+ acceptTerms = true;
+ # TODO: change this to me@imbored.dev
+ defaults.email = "eclarkboman@gmail.com";
+ };
+
+ # allow SSH keys for passwordless auth
+ # TODO: DO NOT USE THIS (create my own alternative to colmena)
+ pam.services.sudo.sshAgentAuth = true;
 };
 environment.systemPackages = with pkgs; [
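Review bot: `pam.services.sudo.sshAgentAuth = true` ships under a comment that says not to use it, and nothing in the hunk records what the setting exposes: sudo on this host is then satisfied by any process that can reach the invoking user's SSH agent, including an agent forwarded through an intermediate machine. I would replace the TODO with a comment that states this, for example `# sudo trusts the caller's SSH agent: forward the agent only from trusted clients and prefer a confirm-on-use or hardware-backed key`. It is also worth checking that the line does anything: as far as I recall, the nixpkgs PAM module emits the pam_ssh_agent_auth rule only when the global `security.pam.sshAgentAuth.enable` is set as well, and that option is not visible in this patch. The `security` attribute set is complete in the hunk, but the enclosing `in { … }` body is not.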