From 31ee8cdae15e12ed65add3211fd8a2d8cfa12442 Mon Sep 17 00:00:00 2001
From: Linnnus
Date: Fri, 6 Dec 2024 12:26:50 +0100
Subject: ahmed: Become remote x86_64-linux builder
---
hosts/ahmed/remote-builder/default.nix | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 hosts/ahmed/remote-builder/default.nix
(limited to 'hosts/ahmed/remote-builder/default.nix')
diff --git a/hosts/ahmed/remote-builder/default.nix b/hosts/ahmed/remote-builder/default.nix
new file mode 100644
index 0000000..1432b11
--- /dev/null
+++ b/hosts/ahmed/remote-builder/default.nix
@@ -0,0 +1,23 @@
+{
+ pkgs,
+ metadata,
+ ...
+}: {
+ # Create a user for remote builds.
+ users.users.remotebuilder = {
+ isNormalUser = true;
+ createHome = false;
+ group = "remotebuilder";
+
+ # Allow SSH connections by the Nix client.
+ # This is matched with the ssh config IdentityFile on the client-side.
+ openssh.authorizedKeys.keys = [metadata.hosts.muhammed.sshPubKey];
+ };
+ users.groups.remotebuilder = {};
+
+ # This is indirectly equivalent to giving root as it allows this user to
+ # replace store artifacts.
+ #
+ # See: https://nix.dev/manual/nix/2.25/command-ref/conf-file?highlight=system-features#conf-trusted-users
+ nix.settings.trusted-users = ["remotebuilder"];
+}
-- cgit v1.2.3
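Review bot: The key in `openssh.authorizedKeys.keys` is added without any authorized_keys options, so whoever holds muhammed's private key gets an ordinary SSH login (PTY, port and agent forwarding) on an account that the `trusted-users` line makes root-equivalent, as the comment itself says. The Nix client only needs to run a remote command, so the entry can be narrowed with OpenSSH's `restrict` option, e.g. `openssh.authorizedKeys.keys = ["restrict " + metadata.hosts.muhammed.sshPubKey];`, assuming `sshPubKey` is a bare public-key string with no options of its own. It is also worth confirming that `trusted-users` is needed at all: the Nix documentation describes having the client sign its paths and listing that key in the builder's `trusted-public-keys` as an alternative to trusting the SSH user. As a minor style point, `pkgs` is bound in the argument set but not used in this file.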