From 48e6611f92e679aafb8fc88b5d36b2b0ac162732 Mon Sep 17 00:00:00 2001
From: Romain Paquet
Date: Wed, 19 Mar 2025 19:55:27 +0100
Subject: [PATCH] move nix remote builder to a module
---
 flake.nix | 1 +
 hosts/genepi/builder.nix | 17 +++----------
 modules/default.nix | 5 ++++
 modules/remote-builder.nix | 49 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 58 insertions(+), 14 deletions(-)
 create mode 100644 modules/default.nix
 create mode 100644 modules/remote-builder.nix
diff --git a/flake.nix b/flake.nix
index fb23aa1..b6ad59c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -43,6 +43,7 @@
 };
 modules = [
 ./hosts/${hostname}
+ ./modules
 ./system
 ];
 };
diff --git a/hosts/genepi/builder.nix b/hosts/genepi/builder.nix
index 2691486..cfd8db9 100644
--- a/hosts/genepi/builder.nix
+++ b/hosts/genepi/builder.nix
@@ -1,18 +1,7 @@
 { keys, ... }:
-let
- username = "nixremote";
-in
 {
- users.users."${username}" = {
- createHome = true;
- home = "/home/${username}";
- isSystemUser = true;
- group = username;
- useDefaultShell = true;
- openssh.authorizedKeys.keys = [ keys.hosts.haze ];
+ roles.remote-builder = {
+ enable = true;
+ authorizedKeys = [ keys.hosts.haze ];
 };
-
- users.groups."${username}" = { };
-
- nix.settings.trusted-users = [ username ];
 }
diff --git a/modules/default.nix b/modules/default.nix
new file mode 100644
index 0000000..1458053
--- /dev/null
+++ b/modules/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./remote-builder.nix
+ ];
+}
diff --git a/modules/remote-builder.nix b/modules/remote-builder.nix
new file mode 100644
index 0000000..04b32a6
--- /dev/null
+++ b/modules/remote-builder.nix
@@ -0,0 +1,49 @@
+{ config, lib, ... }:
+let
+ cfg = config.roles.remote-builder;
+in
+{
+ options = {
+ roles.remote-builder = {
+ enable = lib.mkEnableOption {
+ description = "Whether to allow remote building on this machine";
+ };
+
+ user = lib.mkOption {
+ type = lib.types.str;
+ default = "nixremote";
+ example = "remote-builder";
+ description = "The name of the user used to run the builds";
+ };
+
+ group = lib.mkOption {
+ type = lib.types.str;
+ default = "${cfg.user}";
+ example = "remote-builder";
+ description = "The group of the user used to run the builds";
+ };
+
+ authorizedKeys = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ example = [ "ssh-ed25519 AAAA... user@host" ];
+ description = "List of SSH keys authorized to run builds on this machine";
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ users.users."${cfg.user}" = {
+ createHome = true;
+ home = "/home/${cfg.user}";
+ isSystemUser = true;
+ group = cfg.group;
+ useDefaultShell = true;
+ openssh.authorizedKeys.keys = cfg.authorizedKeys;
+ };
+
+ users.groups.${cfg.user} = { };
+
+ nix.settings.trusted-users = [ cfg.user ];
+ };
+}
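Review bot: `lib.mkEnableOption` takes the option's name as a string and builds the description itself, so the attrset passed at the `enable =` line is a misuse — the supplied description is never used, and the generated one (`"Whether to enable ${name}."` over a set) would likely fail with a coercion error wherever the description is evaluated, e.g. when option docs are generated; `enable = lib.mkEnableOption "remote building on this machine";` is the correct form. The `group` option is only half-wired: `users.users.${cfg.user}.group = cfg.group` honours it, but the group declared further down is `users.groups.${cfg.user}`, so any non-default `group` value refers to a group this module never creates; it should be `users.groups.${cfg.group} = { };`, and the option's default can be the plain `default = cfg.user;`. Because the build user is placed in `nix.settings.trusted-users`, every key in `authorizedKeys` obtains a trusted Nix daemon connection to this host, which the Nix manual describes as essentially equivalent to root access; the option description should state that, e.g. `description = "SSH keys allowed to run builds here; each key acts as a trusted Nix user, which is effectively root on this machine";`, so callers of the role understand what they are granting.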