path: root/hosts/ahmed/remote-builder/default.nix
blob: 63031a6699549154d5b3d5660a1efdc9160b87be (plain)
{
  pkgs,
  metadata,
  ...
}: let
  # One name is shared by the build account, its primary group and the Nix
  # trust entry below, so the three cannot drift apart.
  builder = "remotebuilder";

  # Per-host records supplied by the caller; only sshPubKey is read here.
  inherit (metadata) hosts;
in {
  users = {
    # Dedicated login account used by Nix clients for remote builds.
    # No home directory is created for it.
    users.${builder} = {
      isNormalUser = true;
      createHome = false;
      group = builder;

      # SSH public keys of the client hosts allowed to connect as this account.
      # Each one pairs with the IdentityFile set in the client's ssh config.
      #
      # Because the account is also listed in nix.settings.trusted-users, the
      # private halves of these keys are effectively root credentials for this
      # host: protect and rotate them accordingly.
      #
      # NOTE(review): the keys carry no authorized_keys options. If the builds
      # need neither forwarding nor a PTY, prefixing each entry with OpenSSH's
      # `restrict` option would narrow what a stolen key can do. Confirm the
      # Nix remote-build transport still works before adopting it.
      openssh.authorizedKeys.keys = [
        hosts.muhammed.sshPubKey
        hosts.omar.sshPubKey
      ];
    };

    groups.${builder} = {};
  };

  # Trusting this account is indirectly equivalent to granting it root,
  # because a trusted user may replace store artifacts.
  #
  # See: https://nix.dev/manual/nix/2.25/command-ref/conf-file?highlight=system-features#conf-trusted-users
  #
  # NOTE(review): if the clients can sign the store paths they upload, listing
  # their signing keys under nix.settings.trusted-public-keys may make this
  # entry unnecessary. Verify against the Nix version deployed here.
  nix.settings.trusted-users = [builder];
}