Merge remote-tracking branch 'refs/remotes/origin/main'

flake.lock

@@ -544,17 +544,14 @@
     "mysecrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1740942589,
-        "narHash": "sha256-ND33Zox6hj7DrcjtIEMuAZ7zwToy1iC3hmRjiWQclK4=",
-        "ref": "refs/heads/main",
-        "rev": "764a6753bc3e24df936060f7314e9da9a29b06e5",
-        "revCount": 7,
-        "type": "git",
-        "url": "ssh://gitea@gitea.linerds.us/unexplrd/nix-secrets"
+        "lastModified": 1740938100,
+        "narHash": "sha256-MjcA5IFJq5B7uBO+Bj676txMlsR3NraI13hJ4B9Fz/E=",
+        "path": "/home/user/nix-secrets",
+        "type": "path"
       },
       "original": {
-        "type": "git",
-        "url": "ssh://gitea@gitea.linerds.us/unexplrd/nix-secrets"
+        "path": "/home/user/nix-secrets",
+        "type": "path"
       }
     },
     "neve": {

hosts/dunamis/builder.nix

@@ -0,0 +1,5 @@
+{
+  nix.settings = {
+    secret-key-files = /var/nix/cache-priv-key.pem;
+  };
+}

hosts/dunamis/users.nix

@@ -7,7 +7,10 @@
   sopSec = config.sops.secrets;
   secrets = inputs.mysecrets;
 in {
-  nix.settings.trusted-users = ["user"];
+  nix.settings.trusted-users = [
+    "user"
+    "remotebuild"
+  ];
   users.mutableUsers = false;
   users.users = {
     user = {
@@ -21,10 +24,14 @@ in {
         "${secrets}/ssh/id_ed25519_eldrid_user.pub"
       ];
     };
-    # work = {
-    #   isNormalUser = true;
-    #   extraGroups = ["video"];
-    #   shell = pkgs.nushell;
-    # };
+    remotebuild = {
+      isNormalUser = true;
+      createHome = false;
+      group = "remotebuild";
+      openssh.authorizedKeys.keyFiles = [
+        "${secrets}/ssh/id_ed25519_eldrid_rmbuild.pub"
+      ];
+    };
   };
+  users.groups.remotebuild = {};
 }