bob

flake.lock

@@ -544,8 +544,8 @@
     "mysecrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1740932567,
-        "narHash": "sha256-2PfJuyVEUh/4xGTx8MwPFNq3po/TTkDyWz3RJC3JfJc=",
+        "lastModified": 1740938100,
+        "narHash": "sha256-MjcA5IFJq5B7uBO+Bj676txMlsR3NraI13hJ4B9Fz/E=",
         "path": "/home/user/nix-secrets",
         "type": "path"
       },

hosts/dunamis/builder.nix

@@ -0,0 +1,5 @@
+{
+  nix.settings = {
+    secret-key-files = /var/nix/cache-priv-key.pem;
+  };
+}

hosts/dunamis/users.nix

@@ -7,7 +7,10 @@
   sopSec = config.sops.secrets;
   secrets = inputs.mysecrets;
 in {
-  nix.settings.trusted-users = ["user"];
+  nix.settings.trusted-users = [
+    "user"
+    "remotebuild"
+  ];
   users.mutableUsers = false;
   users.users = {
     user = {
@@ -21,10 +24,14 @@ in {
         "${secrets}/ssh/id_ed25519_eldrid_user.pub"
       ];
     };
-    # work = {
-    #   isNormalUser = true;
-    #   extraGroups = ["video"];
-    #   shell = pkgs.nushell;
-    # };
+    remotebuild = {
+      isNormalUser = true;
+      createHome = false;
+      group = "remotebuild";
+      openssh.authorizedKeys.keyFiles = [
+        "${secrets}/ssh/id_ed25519_eldrid_rmbuild.pub"
+      ];
+    };
   };
+  users.groups.remotebuild = {};
 }