restrict nix remote builder ssh to nix daemon

Snippet taken from SrvOS
2025-10-01 19:36:53 +02:00
parent f2cf7d36de
commit 1cc8b6b70a
1 changed files with 3 additions and 1 deletions
--- a/modules/remote-builder.nix
+++ b/modules/remote-builder.nix
@@ -39,7 +39,9 @@ in
      isSystemUser = true;
      group = cfg.group;
      useDefaultShell = true;
-      openssh.authorizedKeys.keys = cfg.authorizedKeys;
+      openssh.authorizedKeys.keys = map (
+        key: ''restrict,command="nix-daemon --stdio" ${key}''
+      ) cfg.authorizedKeys;
    };

    users.groups.${cfg.user} = { };