From d1a79653fe2e9caa13aa479c1a27dc9e13cd98c8 Mon Sep 17 00:00:00 2001
From: Qubasa
Date: Wed, 26 Mar 2025 18:35:20 +0100
Subject: [PATCH] checks/installation-without-system: modify to install through normal user instead of root
---
 .../flake-module.nix | 13 ++++--
 pkgs/clan-cli/clan_cli/machines/hardware.py | 5 +++
 pkgs/clan-cli/clan_cli/ssh/upload.py | 40 +++++++++++++++++--
 3 files changed, 50 insertions(+), 8 deletions(-)
diff --git a/checks/installation-without-system/flake-module.nix b/checks/installation-without-system/flake-module.nix
index e47e4283a..ac6e8d7e6 100644
--- a/checks/installation-without-system/flake-module.nix
+++ b/checks/installation-without-system/flake-module.nix
@@ -165,7 +165,6 @@
 (modulesPath + "/../tests/common/auto-format-root-device.nix")
 ];
 services.openssh.enable = true;
- users.users.root.openssh.authorizedKeys.keyFiles = [ ../lib/ssh/pubkey ];
 system.nixos.variant_id = "installer";
 environment.systemPackages = [ pkgs.nixos-facter ];
 virtualisation.emptyDiskImages = [ 512 ];
@@ -184,6 +183,12 @@
 "flakes"
 ];
 };
+ users.users.nonrootuser = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keyFiles = [ ../lib/ssh/pubkey ];
+ extraGroups = [ "wheel" ];
+ };
+ security.sudo.wheelNeedsPassword = false;
 system.extraDependencies = dependencies;
 };
 nodes.client = {
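Review bot: `security.sudo.wheelNeedsPassword = false;` in the second hunk is what the rest of this commit depends on, and nothing next to it says so: the hardware.py hunk prefixes the remote command with a bare `sudo`, which presumably only succeeds unattended when the account needs no password. A comment above the line would record that, for example `# test fixture: clan runs sudo non-interactively for non-root target hosts`. As written the check only covers passwordless sudo, so a target whose sudo asks for a password is not exercised by this test.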
@@ -211,14 +216,14 @@
 installer.start()
 client.succeed("${pkgs.coreutils}/bin/install -Dm 600 ${../lib/ssh/privkey} /root/.ssh/id_ed25519")
- client.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new -v root@installer hostname")
+ client.wait_until_succeeds("timeout 2 ssh -o StrictHostKeyChecking=accept-new -v nonrootuser@installer hostname")
 client.succeed("cp -r ${../..} test-flake && chmod -R +w test-flake")
 client.fail("test -f test-flake/machines/test-install-machine-without-system/hardware-configuration.nix")
 client.fail("test -f test-flake/machines/test-install-machine-without-system/facter.json")
- client.succeed("clan machines update-hardware-config --flake test-flake test-install-machine-without-system root@installer >&2")
+ client.succeed("clan machines update-hardware-config --flake test-flake test-install-machine-without-system nonrootuser@installer >&2")
 client.succeed("test -f test-flake/machines/test-install-machine-without-system/facter.json")
 client.succeed("rm test-flake/machines/test-install-machine-without-system/facter.json")
- client.succeed("clan machines install --debug --flake test-flake --yes test-install-machine-without-system --target-host root@installer --update-hardware-config nixos-facter >&2")
+ client.succeed("clan machines install --debug --flake test-flake --yes test-install-machine-without-system --target-host nonrootuser@installer --update-hardware-config nixos-facter >&2")
 try:
 installer.shutdown()
 except BrokenPipeError:
diff --git a/pkgs/clan-cli/clan_cli/machines/hardware.py b/pkgs/clan-cli/clan_cli/machines/hardware.py
index 6074e889e..6835cc725 100644
--- a/pkgs/clan-cli/clan_cli/machines/hardware.py
+++ b/pkgs/clan-cli/clan_cli/machines/hardware.py
@@ -135,6 +135,11 @@ def generate_machine_hardware_info(opts: HardwareGenerateOptions) -> HardwareCon
 ]
 host = machine.target_host
+
+ # HACK: to make non-root user work
+ if host.user != "root":
+ config_command.insert(0, "sudo")
+
 cmd = nix_shell(
 [
 "nixpkgs#openssh",
diff --git a/pkgs/clan-cli/clan_cli/ssh/upload.py b/pkgs/clan-cli/clan_cli/ssh/upload.py
index 370c72bcf..f7ed5e74e 100644
--- a/pkgs/clan-cli/clan_cli/ssh/upload.py
+++ b/pkgs/clan-cli/clan_cli/ssh/upload.py
@@ -64,8 +64,24 @@ def upload(
 *host.ssh_cmd(),
 "--",
 *priviledge_escalation,
- "bash", "-c", "exec \"$@\"", "--",
- f"rm -r {remote_dest!s} ; mkdir -m {dir_mode:o} -p {str(remote_dest)} && tar -C {str(remote_dest)} -xzf -",
+ "bash",
+ "-c",
+ 'exec "$@"',
+ "--",
+ "rm",
+ "-r",
+ str(remote_dest),
+ "mkdir",
+ "-m",
+ f"{dir_mode:o}",
+ "-p",
+ str(remote_dest),
+ "&&",
+ "tar",
+ "-C",
+ str(remote_dest),
+ "-xzf",
+ "-",
 ]
 else:
 # For single file, extract to parent directory and ensure correct name
@@ -73,8 +89,24 @@ def upload(
 *host.ssh_cmd(),
 "--",
 *priviledge_escalation,
- "bash", "-c", "exec \"$@\"", "--",
- f"rm -f {str(remote_dest)} ; mkdir -m {dir_mode:o} -p {str(remote_dest.parent)} && tar -C {str(remote_dest.parent)} -xzf -",
+ "bash",
+ "-c",
+ 'exec "$@"',
+ "--",
+ "rm",
+ "-r",
+ str(remote_dest),
+ "mkdir",
+ "-m",
+ f"{dir_mode:o}",
+ "-p",
+ str(remote_dest.parent),
+ "&&",
+ "tar",
+ "-C",
+ str(remote_dest.parent),
+ "-xzf",
+ "-",
 ]
 # TODO accept `input` to be an IO object instead of bytes so that we don't have to read the tarfile into memory.
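Review bot: The added `config_command.insert(0, "sudo")` in hardware.py hard-codes the escalation command and decides it with a string compare on `host.user`, while upload.py in this same commit spreads a `*priviledge_escalation` list for the same purpose; two separate decisions about when and how to escalate can drift apart. Deriving the prefix from one shared place would keep them in step (where `priviledge_escalation` is built is outside this diff). If the bare `sudo` stays, `config_command[:0] = ["sudo", "-n"]` makes a host that requires a password fail immediately instead of depending on a prompt that presumably has no terminal, and the `# HACK` comment should state that passwordless sudo is assumed. The function body starts and ends outside the hunk.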
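Review bot: In upload.py the new argv drops the `;` that separated `rm` from `mkdir` in the removed line, so `"mkdir", "-m", f"{dir_mode:o}", "-p", ...` are now operands of `rm`, and under `'exec "$@"'` the `"&&"` element is an ordinary word rather than an operator; either way `mkdir` is never run as its own command. The second hunk (single-file branch) has the same flattening and also turns `rm -f` into `rm -r`, which fails when the destination does not exist yet and recurses if it happens to be a directory. Keeping the script as one string and passing the values as positional parameters preserves the separators and keeps the path out of the script text: `'rm -r -- "$1" ; mkdir -m "$2" -p -- "$1" && tar -C "$1" -xzf -', "--", str(remote_dest), f"{dir_mode:o}",` in place of `'exec "$@"'` and the words after it, with `rm -f` and `str(remote_dest.parent)` as a third parameter for the `mkdir`/`tar` target in the single-file branch. Whether the remote side re-parses the joined words depends on `host.ssh_cmd()`, which is outside this diff; if it does, each element additionally needs shell quoting.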