From ba912810d18276cae62fe898ed02fc9cf6cc191f Mon Sep 17 00:00:00 2001
From: MichaelFisher1997 <contact@michaelfisher.tech>
Date: Sat, 28 Feb 2026 20:25:50 +0000
Subject: [PATCH] fix: preconfigure remote nix trusted-users before rebuild

---
 nixos/kubeadm/scripts/rebuild-and-bootstrap.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/nixos/kubeadm/scripts/rebuild-and-bootstrap.sh b/nixos/kubeadm/scripts/rebuild-and-bootstrap.sh
index 573df19..95cb6c4 100755
--- a/nixos/kubeadm/scripts/rebuild-and-bootstrap.sh
+++ b/nixos/kubeadm/scripts/rebuild-and-bootstrap.sh
@@ -130,6 +130,15 @@ rebuild_node() {
     --use-remote-sudo
 }
 
+prepare_remote_nix_trust() {
+  local node_ip="$1"
+  echo "==> Ensuring nix trusted-users on $node_ip"
+  remote "$node_ip" "sudo mkdir -p /etc/nix"
+  remote "$node_ip" "if [ -f /etc/nix/nix.conf ]; then sudo sed -i '/^trusted-users[[:space:]]*=/d' /etc/nix/nix.conf; fi"
+  remote "$node_ip" "echo 'trusted-users = root micqdf' | sudo tee -a /etc/nix/nix.conf >/dev/null"
+  remote "$node_ip" "sudo systemctl restart nix-daemon 2>/dev/null || true"
+}
+
 populate_nodes
 prepare_known_hosts
 export NIX_SSHOPTS="$SSH_OPTS"
@@ -143,10 +152,12 @@ ACTIVE_SSH_USER="$SSH_USER"
 detect_ssh_user "$PRIMARY_CP_IP"
 
 for node in "${CP_NAMES[@]}"; do
+  prepare_remote_nix_trust "${NODE_IPS[$node]}"
   rebuild_node "$node" "${NODE_IPS[$node]}"
 done
 
 for node in "${WK_NAMES[@]}"; do
+  prepare_remote_nix_trust "${NODE_IPS[$node]}"
   rebuild_node "$node" "${NODE_IPS[$node]}"
 done