From 97894bc4466fae5563d181c0c6c5b20b88e3ff26 Mon Sep 17 00:00:00 2001
From: Pierre Bourdon
Date: Mon, 24 Jun 2024 20:54:42 +0200
Subject: [PATCH] bagel-container: provision a user with Nix store perms for remote builds
---
 modules/bagel-container.nix | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/modules/bagel-container.nix b/modules/bagel-container.nix
index ad2d637..606f0cf 100644
--- a/modules/bagel-container.nix
+++ b/modules/bagel-container.nix
@@ -30,4 +30,17 @@
 networkConfig.Address = [ "172.16.100.1/24" ];
 networkConfig.IPMasquerade = true;
 };
+
+ # Configure a local Nix builder account, since getting sandboxing and KVM
+ # working inside the container will be tricky.
+ users.users.bagel-builder = {
+ isSystemUser = true;
+ group = "nogroup";
+ home = "/var/empty";
+ shell = "/bin/sh";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvUT9YBig9LQPHgypIBHQuC32XqDKxlFZ2CfgDi0ZKx"
+ ];
+ };
+ nix.settings.trusted-users = [ "bagel-builder" ];
 }
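Review bot: `nix.settings.trusted-users = [ "bagel-builder" ];` on the last added line gives the key in `openssh.authorizedKeys.keys` what the Nix manual describes as essentially root-equivalent access to this host's Nix daemon, so whoever holds that private key (presumably the container) is not really separated from the host. If the builder only needs to receive build inputs, consider dropping the trusted-users entry and having the client sign what it uploads against a key in `trusted-public-keys`, or at minimum record the trade-off in the comment, e.g. `# NOTE: trusted-users is root-equivalent on this host; the key below must stay confined to the bagel container.` The account also gets an unrestricted `/bin/sh` login, so prefixing the key with `restrict` (`"restrict ssh-ed25519 …"`) would cut off forwarding and PTY allocation, which remote builds should not need. The enclosing module attrset begins outside this hunk.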