For this, I suggest adding a custom regen conf hook (should me named xx-yunohost_whatever, but the yunohost_ is the important part)
c.f. discussion in Configuration custom - aide pour création de hooks
I think in your case that’d look like:
#!/bin/bash
action=$1
[[ $action == "post" ]] || exit 0
# here, add your ACL commands
Zblerg yeah now you need to be in the ssh.main group. Or you can also add it to the admins group, that would work too.
But ideally it should indeed be converted to a regular yunohost user (if that makes sense).
Then to log using a private key, just add the key in the authorized_keys just like you would usually do. And you can usernmod -a -G sudo <the user> just like you would with any regular users I think ?