From 5082c8699f518955764b50e32836d7ef4a2dda77 Mon Sep 17 00:00:00 2001
From: Iulian Meghea
Date: Tue, 10 Feb 2026 12:03:07 +0000
Subject: [PATCH 1/2] fix: resolve PAM account management error for sudo in nix image
The coder user's shadow entry used '!' (locked account) which caused pam_unix.so account management to return PAM_PERM_DENIED. Additionally, sudo fell back to the catch-all /etc/pam.d/other config which lacked appropriate auth rules for non-root users. - Change shadow entries from '!' to '*' (no password, but not locked) - Add dedicated /etc/pam.d/sudo PAM config with pam_permit.so for auth/account (sudoers handles actual authorisation)
---
 images/nix/flake.nix | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/images/nix/flake.nix b/images/nix/flake.nix
index f164e68..c5429ef 100644
--- a/images/nix/flake.nix
+++ b/images/nix/flake.nix
@@ -18,8 +18,8 @@
 extraGroupLines = [ "coder:x:1000:" ];
 })
 (writeTextDir "etc/shadow" ''
-root:!x:::::::
-coder:!:::::::
+root:*:::::::
+coder:*:::::::
 '')
 (writeTextDir "etc/gshadow" ''
 root:x::
@@ -39,6 +39,15 @@ auth sufficient pam_rootok.so
 password requisite pam_unix.so nullok yescrypt
 session required pam_unix.so
 '')
+ # Dedicated PAM config for sudo – auth and account use pam_permit
+ # because actual authorisation is handled by sudoers, while session
+ # uses pam_unix for proper session setup.
+ (writeTextDir "etc/pam.d/sudo" ''
+auth sufficient pam_rootok.so
+auth required pam_permit.so
+account required pam_permit.so
+session required pam_unix.so
+ '')
 ];
 
 # Nix configuration with flakes enabled
From e07b95aca5fd76f4dbc1322fbc781d159037a3a3 Mon Sep 17 00:00:00 2001
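Review bot: `auth required pam_permit.so` in the new etc/pam.d/sudo stanza makes sudo's PAM authentication unconditional, so any (or no) password is accepted and every sudoers rule behaves as if it carried NOPASSWD, while `account required pam_permit.so` also bypasses the expiry and lock checks pam_unix would otherwise enforce. That may be the intended trade-off for a single-user image whose accounts carry `*` in etc/shadow (first hunk), but the added comment should state it plainly instead of "actual authorisation is handled by sudoers", which conflates authentication with authorisation. Suggested comment: `# auth/account are pam_permit: PAM never verifies a password here (accounts have none in etc/shadow), so every sudoers rule effectively acts as NOPASSWD; only acceptable because this is a single-user dev image.` The `auth sufficient pam_rootok.so` line is harmless but redundant when the following line is pam_permit. The writeTextDir list containing this entry starts outside the hunk.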
From: Iulian Meghea
Date: Tue, 10 Feb 2026 12:07:57 +0000
Subject: [PATCH 2/2] ci: use published base image for devops CI check
The devops Dockerfile expects curl from the base image, but CI was overriding BASE_IMAGE with ubuntu:noble (which lacks curl), causing the build to always fail.
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bad35c0..9bb8b9e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -57,4 +57,4 @@ jobs:
 uses: actions/checkout@v6
 
 - name: Build devops image
-run: docker build ./images/devops --build-arg BASE_IMAGE=ubuntu:noble
+run: docker build ./images/devops
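Review bot: Dropping the `--build-arg BASE_IMAGE=ubuntu:noble` override means the devops check now builds on whatever the Dockerfile's default BASE_IMAGE resolves to, presumably a published tag pulled at build time rather than an image built from this checkout. A mutable tag makes the check non-hermetic: a push to that tag silently changes what CI validates, and the job cannot catch a base-image regression introduced by the same commit. Consider pinning the default to a digest (`image@sha256:<digest-from-registry>`, placeholder) or building the base image earlier in this workflow and passing it back with `--build-arg BASE_IMAGE=<locally-built-tag>`, so the result is reproducible. The job definition this step belongs to starts outside the hunk.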