From 497bea8462254eee05935d3c4d1c92bbbb7c2023 Mon Sep 17 00:00:00 2001
From: autonomic-bot
Date: Sun, 31 May 2026 02:35:37 +0000
Subject: [PATCH] nix: add root SSH authorized key to cc-ci-orchestrator-hetzner config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
nixos-rebuild removed the infect-provisioned authorized_keys — declare it explicitly so rebuilds don't lock out root access.
Co-Authored-By: Claude Sonnet 4.6
---
 nix/hosts/cc-ci-orchestrator-hetzner/configuration.nix | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/nix/hosts/cc-ci-orchestrator-hetzner/configuration.nix b/nix/hosts/cc-ci-orchestrator-hetzner/configuration.nix
index 0d5ca61..f2c173e 100644
--- a/nix/hosts/cc-ci-orchestrator-hetzner/configuration.nix
+++ b/nix/hosts/cc-ci-orchestrator-hetzner/configuration.nix
@@ -9,7 +9,15 @@
 {
 # hardware.nix is the nixos-infect generated hardware-configuration.nix (see README Stage 2a).
- services.openssh = { enable = true; settings.PermitRootLogin = "yes"; };
+ services.openssh = {
+ enable = true;
+ settings.PermitRootLogin = "yes";
+ };
+
+ # Root SSH access (the cc-ci-root-ed25519 key used by all loops tooling).
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcyTGb/wVgdhg5oBCZZvBaR1RuUQRY/3WHnOQpNDCsp claude-cc-ci-sandbox@20260526"
+ ];
 networking.useDHCP = true;
 networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
 networking.firewall = {
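Review bot: The rewritten `services.openssh` block keeps `settings.PermitRootLogin = "yes"`, which still lets root authenticate by password even though the key declared just below makes that unnecessary; set `settings.PermitRootLogin = "prohibit-password";` and, if no account on this host needs password login, add `settings.PasswordAuthentication = false;`. The comment on the key says it is shared by all loops tooling while the key's own label reads `claude-cc-ci-sandbox@20260526`, so a comment stating where the private key is held and how it is rotated would help whoever audits root access to this host. The module's attribute set starts before the hunk and `networking.firewall` continues past it, so any restriction on the SSH port is not visible here.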