From dfd48f21797d9166989f2819e17729c7e829ae8b Mon Sep 17 00:00:00 2001
From: Yureka
Date: Tue, 6 Aug 2024 13:26:35 +0200
Subject: [PATCH] builders: direct buildbot to /mnt store via ForceCommand
---
 services/baremetal-builder/default.nix | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/services/baremetal-builder/default.nix b/services/baremetal-builder/default.nix
index 0b9de91..5d54593 100644
--- a/services/baremetal-builder/default.nix
+++ b/services/baremetal-builder/default.nix
@@ -44,10 +44,20 @@ in
 ];
 };
 nix.settings = {
- trusted-users = [ "builder" "buildbot" ];
 inherit ((import ./assignments.nix).${config.networking.hostName}) max-jobs cores;
 };
+ services.openssh.extraConfig = ''
+ Match User buildbot
+ AllowAgentForwarding no
+ AllowTcpForwarding no
+ PermitTTY no
+ PermitTunnel no
+ X11Forwarding no
+ ForceCommand ${config.nix.package.out}/bin/nix-daemon --store /mnt --stdio
+ Match All
+ '';
+
 nixpkgs.hostPlatform = "x86_64-linux";
 hardware.cpu.intel.updateMicrocode = true;
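Review bot: The `Match User buildbot` block turns off agent, TCP, tunnel and X11 forwarding but leaves Unix-domain socket forwarding at its default, and `AllowTcpForwarding no` does not cover it. Because `ForceCommand` only pins the session command, a buildbot key could probably still be used to reach a local Unix socket on the builder, such as the system Nix daemon's, which would sidestep the `--store /mnt` restriction. I would add `AllowStreamLocalForwarding no` to the block, or replace the individual forwarding lines with `DisableForwarding yes`. Separately, the removed `trusted-users` line also drops `builder`, which the subject does not mention, so it is worth confirming that this is intended. The enclosing module attribute set starts and ends outside this hunk.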