# NixOS module: declares the `builder` system account and its dedicated
# `remote-builder` group. The group name and the comments suggest this is
# the SSH login used by other machines for Nix remote builds.
#
# The whole module is a no-op on hosts where
# `config.gensokyo.traits.sensitive` is true, so sensitive hosts never
# expose this account.
{
  inputs,
  config,
  lib,
  pkgs,
  ...
}:
let
  # Dedicated primary group for the account.
  # Deliberately not "nixbld" (the original kept `group = "nixbld";`
  # commented out) -- see:
  # https://github.com/NixOS/nix/blob/946fd29422361e8478425d6aaf9ccae23d7ddffb/src/nix/daemon.cc#L266-L267
  # https://discourse.nixos.org/t/strange-remote-build-issue/24387/4
  # NOTE(review): presumably the daemon rejects clients whose group is the
  # build-users group -- confirm against the linked source.
  builderGroup = "remote-builder";

  # File of authorized SSH keys, taken from this flake's own source tree.
  # NOTE(review): this path is copied into the world-readable Nix store, so
  # it must only ever hold public keys -- confirm nothing private lives
  # under creds/ssh/users/.
  builderKeyFile = inputs.self + "/creds/ssh/users/builder";
in
lib.mkIf (!config.gensokyo.traits.sensitive) {
  users.groups.${builderGroup} = { };

  users.users.builder = {
    # Service-style account, not a human login.
    isSystemUser = true;
    isNormalUser = false;
    group = builderGroup;

    openssh.authorizedKeys.keyFiles = [ builderKeyFile ];

    # A real login shell is needed so that connecting builders can reach nix.
    # TODO(harden): as written, any holder of an authorized key gets a
    # general-purpose shell on this host, not just access to the Nix store.
    # Options to evaluate: per-key `restrict` / `command="..."` options in
    # the key file (keyFiles is used verbatim, so they would go there), or
    # an sshd `Match User builder` block that disables TTY allocation and
    # forwarding. Test any restriction against the actual remote-build flow.
    # Whether `builder` is listed in nix.settings.trusted-users is not
    # visible in this file; if it is, treat key compromise as root-equivalent
    # on this machine's Nix daemon.
    shell = pkgs.zsh;
  };
}