50 lines
1.2 KiB
Nix
50 lines
1.2 KiB
Nix
{ config, lib, ... }:
|
|
let
|
|
cfg = config.roles.remote-builder;
|
|
in
|
|
{
|
|
options = {
|
|
roles.remote-builder = {
|
|
enable = lib.mkEnableOption {
|
|
description = "Whether to allow remote building on this machine";
|
|
};
|
|
|
|
user = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "nixremote";
|
|
example = "remote-builder";
|
|
description = "The name of the user used to run the builds";
|
|
};
|
|
|
|
group = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "${cfg.user}";
|
|
example = "remote-builder";
|
|
description = "The group of the user used to run the builds";
|
|
};
|
|
|
|
authorizedKeys = lib.mkOption {
|
|
type = lib.types.listOf lib.types.str;
|
|
default = [ ];
|
|
example = [ "ssh-ed25519 AAAA... user@host" ];
|
|
description = "List of SSH keys authorized to run builds on this machine";
|
|
};
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
users.users."${cfg.user}" = {
|
|
createHome = true;
|
|
home = "/home/${cfg.user}";
|
|
isSystemUser = true;
|
|
group = cfg.group;
|
|
useDefaultShell = true;
|
|
openssh.authorizedKeys.keys = cfg.authorizedKeys;
|
|
};
|
|
|
|
users.groups.${cfg.user} = { };
|
|
|
|
nix.settings.trusted-users = [ cfg.user ];
|
|
};
|
|
}
|