global/nix: allow adding extra users to remotebuild

2025-06-23 17:40:50 -04:00 · 2025-06-23 17:40:50 -04:00 · 725419bf74
commit 725419bf74
parent d481d06e6e
1 changed files with 14 additions and 1 deletions
--- a/modules/global/nix.nix
+++ b/modules/global/nix.nix
@ -12,6 +12,9 @@ let
    filterAttrs
    mapAttrs'
    ;
+
+  authorizedKeysFiles =
+    users: lib.concatStringsSep " " (map (u: "/etc/ssh/authorized_keys.d/${u}") users);
 in
 {
  nix = {
@ -152,11 +155,21 @@ in
    description = "Unprivledged user for Nix remote builds";
    isSystemUser = true;
    shell = pkgs.bashInteractive;
-    openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
    group = "remotebuild";
  };
  users.groups.remotebuild = { };

+  services.openssh.extraConfig = ''
+    Match user remotebuild
+      AuthorizedKeysFile ${
+        authorizedKeysFiles [
+          "infinidoge"
+          "root"
+          "%u"
+        ]
+      }
+  '';
+
  nix.buildMachines = [
    {
      hostName = "infini-dl360";