From 3c33dd66ea59e9b01b05c515c22df11bcaf94194 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 27 Sep 2021 23:06:10 +0200
Subject: vidhar/sif: build-server/build-client
---
 system-profiles/build-server/default.nix | 35 ++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 system-profiles/build-server/default.nix
(limited to 'system-profiles/build-server/default.nix')
diff --git a/system-profiles/build-server/default.nix b/system-profiles/build-server/default.nix
new file mode 100644
index 00000000..9c821f64
--- /dev/null
+++ b/system-profiles/build-server/default.nix
@@ -0,0 +1,35 @@
+{ customUtils, flake, config, lib, ... }:
+
+{
+ imports = with flake.nixosModules.systemProfiles; [ openssh ];
+
+ config = {
+ users.groups.nix-ssh-builder = {};
+ users.users.nix-ssh-builder = {
+ description = "Nix build server user";
+ useDefaultShell = true;
+ isSystemUser = true;
+ group = "nix-ssh-builder";
+ };
+
+ services.openssh = {
+ enable = true;
+ extraConfig = ''
+ Match User nix-ssh-builder
+ AllowAgentForwarding no
+ AllowTcpForwarding no
+ PermitTTY no
+ PermitTunnel no
+ X11Forwarding no
+ ForceCommand ${config.nix.package.out}/bin/nix-store --serve --write
+ Match All
+ '';
+ };
+
+ users.users.nix-ssh-builder.openssh.authorizedKeys.keys =
+ let
+ importKeys = dir: lib.attrValues (customUtils.mapFilterAttrs (_: v: v == "directory") (n: _: lib.nameValuePair n (importKeys' dir n)) (builtins.readDir dir));
+ importKeys' = dir: host: builtins.readFile (dir + "/${host}/public");
+ in importKeys ./clients;
+ };
+}
-- cgit v1.2.3
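Review bot: The `Match User nix-ssh-builder` block disables agent, TCP, tunnel and X11 forwarding but not Unix-domain socket forwarding, which `AllowTcpForwarding no` does not cover; since `ForceCommand` already denies this user a shell, adding `AllowStreamLocalForwarding no` alongside the other directives actually closes that channel. The `ForceCommand` line deserves a why-comment, something like `# --write lets every key under ./clients push store paths into this host's store; whether unsigned paths are accepted depends on require-sigs and trusted-users`, because that flag is the trust boundary this profile establishes and the hunk does not say so. If I read `importKeys` right, every `clients/<host>/public` file becomes an authorized key for that single user, so a short comment above the `let` stating that adding a directory there grants store-write access would make the review of future additions easier. The `Match All` reset is a good touch and worth a one-line comment too, since anything NixOS appends after `extraConfig` would otherwise land inside the Match block.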