builders: direct buildbot to /mnt store via ForceCommand

services/baremetal-builder/default.nix

@@ -44,10 +44,20 @@ in
       ];
     };
     nix.settings = {
-      trusted-users = [ "builder" "buildbot" ];
       inherit ((import ./assignments.nix).${config.networking.hostName}) max-jobs cores;
     };
 
+    services.openssh.extraConfig = ''
+      Match User buildbot
+        AllowAgentForwarding no
+        AllowTcpForwarding no
+        PermitTTY no
+        PermitTunnel no
+        X11Forwarding no
+        ForceCommand ${config.nix.package.out}/bin/nix-daemon --store /mnt --stdio
+      Match All
+    '';
+
     nixpkgs.hostPlatform = "x86_64-linux";
     hardware.cpu.intel.updateMicrocode = true;