author | Linnnus <[email protected]> | 2024-12-06 12:26:50 +0100 |
---|---|---|
committer | Linnnus <[email protected]> | 2024-12-06 12:26:50 +0100 |
commit | 31ee8cdae15e12ed65add3211fd8a2d8cfa12442 (patch) | |
tree | 7722743a9ad525db948f0b8b004b95bf2c00023c | |
parent | 37e0e7010b2fde6adc38e0140828c6653af8c532 (diff) |
ahmed: Become remote x86_64-linux builder
-rw-r--r-- | hosts/ahmed/configuration.nix | 1 | ||||
-rw-r--r-- | hosts/ahmed/remote-builder/default.nix | 23 |
2 files changed, 24 insertions, 0 deletions
diff --git a/hosts/ahmed/configuration.nix b/hosts/ahmed/configuration.nix
index 173d1c7..60ebf74 100644
--- a/hosts/ahmed/configuration.nix
+++ b/hosts/ahmed/configuration.nix
@@ -19,6 +19,7 @@
 ./ssh
 ./torrenting
 ./home
+ ./remote-builder
 ];
 # Create the main user.
diff --git a/hosts/ahmed/remote-builder/default.nix b/hosts/ahmed/remote-builder/default.nix
new file mode 100644
index 0000000..1432b11
--- /dev/null
+++ b/hosts/ahmed/remote-builder/default.nix
@@ -0,0 +1,23 @@
+{
+ pkgs,
+ metadata,
+ ...
+}: {
+ # Create a user for remote builds.
+ users.users.remotebuilder = {
+ isNormalUser = true;
+ createHome = false;
+ group = "remotebuilder";
+
+ # Allow SSH connections by the Nix client.
+ # This is matched with the ssh config IdentityFile on the client-side.
+ openssh.authorizedKeys.keys = [metadata.hosts.muhammed.sshPubKey];
+ };
+ users.groups.remotebuilder = {};
+
+ # This is indirectly equivalent to giving root as it allows this user to
+ # replace store artifacts.
+ #
+ # See: https://nix.dev/manual/nix/2.25/command-ref/conf-file?highlight=system-features#conf-trusted-users
+ nix.settings.trusted-users = ["remotebuilder"];
+} |
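Review bot: The `nix.settings.trusted-users = ["remotebuilder"];` line in the new `remote-builder/default.nix` makes whoever holds the private half of `metadata.hosts.muhammed.sshPubKey` root-equivalent on ahmed, as the comment above it says, and nothing in the file narrows what that key may do. If the trust is only there so the client can upload unsigned inputs, the narrower setup is to drop the `trusted-users` entry and list a signing key from muhammed in `nix.settings.trusted-public-keys`, with the client signing through `secret-key-files`; whether that covers every build dispatched here needs checking. Independently, the authorized key currently permits a pty and all forwarding, and `openssh.authorizedKeys.keys = ["restrict ${metadata.hosts.muhammed.sshPubKey}"];` would keep the non-interactive command the Nix client runs while disabling those. The comment on that line should also state whether `sshPubKey` is a dedicated build key or muhammed's host or login key, since reuse widens what a single leaked key exposes. `pkgs` is bound in the argument set but not used in this module.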