From 645ad7d06228a5d7163ae74e7498f42f19d04712 Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Wed, 10 Jul 2024 00:55:25 +0200
Subject: [PATCH] builders: add builder user currently hardcoded to hydra's coordinator public key

Signed-off-by: Raito Bezarius
---
 services/baremetal-builder/default.nix | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/services/baremetal-builder/default.nix b/services/baremetal-builder/default.nix
index b871482..5e4c51b 100644
--- a/services/baremetal-builder/default.nix
+++ b/services/baremetal-builder/default.nix
@@ -14,10 +14,23 @@ in
 };
 config = lib.mkIf cfg.enable {
- boot.initrd.availableKernelModules = [ "ahci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" ];
 boot.initrd.kernelModules = [ "dm-snapshot" ];
+ users.users.builder = {
+ isSystemUser = true;
+ group = "nogroup";
+ home = "/var/empty";
+ shell = "/bin/sh";
+ openssh.authorizedKeys.keys = [
+ # Do not hardcode Hydra's public key, selectively
+ # add the keys of the coordinators that require us.
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvUT9YBig9LQPHgypIBHQuC32XqDKxlFZ2CfgDi0ZKx"
+ ];
+ };
+ nix.settings.trusted-users = [ "builder" ];
+
+ nixpkgs.hostPlatform = "x86_64-linux";
 hardware.cpu.intel.updateMicrocode = true;