From 1cc8b6b70ae13c0916c4df06d732589f6cd179ec Mon Sep 17 00:00:00 2001
From: Romain Paquet
Date: Wed, 1 Oct 2025 19:36:53 +0200
Subject: [PATCH] restrict nix remote builder ssh to nix daemon Snippet taken from SrvOS
---
 modules/remote-builder.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/modules/remote-builder.nix b/modules/remote-builder.nix
index 04b32a6..6c74f92 100644
--- a/modules/remote-builder.nix
+++ b/modules/remote-builder.nix
@@ -39,7 +39,9 @@ in
 isSystemUser = true;
 group = cfg.group;
 useDefaultShell = true;
- openssh.authorizedKeys.keys = cfg.authorizedKeys;
+ openssh.authorizedKeys.keys = map (
+ key: ''restrict,command="nix-daemon --stdio" ${key}''
+ ) cfg.authorizedKeys;
 };
 users.groups.${cfg.user} = { };
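Review bot: The new `map` over `cfg.authorizedKeys` prepends `restrict,command="nix-daemon --stdio" ` to each entry verbatim, so it silently assumes every entry is a bare single-line `type base64 [comment]` public key. An entry that already carries its own options (a `from=` prefix, for instance) would end up with a second option field after the space, which sshd should treat as an unparsable line, so that key stops working with no evaluation-time hint. An entry with an embedded newline would leave its later lines without the `restrict` prefix unless the option's type rejects it; that declaration is outside this hunk and worth checking. I would document the contract above the assignment, `# entries must be bare single-line public keys; the forced command means clients have to connect via ssh-ng://`, and consider an assertion on `cfg.authorizedKeys` that enforces it. The ssh-ng remark follows from the forced command replacing whatever the client asks to run, so a legacy `ssh://` builder entry would presumably fail its handshake.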