NixBuilder : Use restricted user.

module/RemoteBuild.nix

@@ -15,8 +15,8 @@
 	nix.distributedBuilds = true;
 	nix.extraOptions = ''
 		builders-use-substitutes = true
-		extra-substituters = ssh-ng://home
-		extra-trusted-substituters = ssh-ng://home
-		extra-trusted-public-keys = home-1:Skghjixd8lPzNe2ZEgYLM9Pu/wF9wiZtZGsdm3bo9h0=
+		extra-substituters = ssh-ng://nixbuilder
+		extra-trusted-substituters = ssh-ng://nixbuilder
+		extra-trusted-public-keys = nixbuilder-1:Skghjixd8lPzNe2ZEgYLM9Pu/wF9wiZtZGsdm3bo9h0=
 	'';
 }

module/RemoteBuilder.nix

@@ -1,5 +1,5 @@
-{ pkgs, ... }: let
-	keyPath = "/root/.nixcache";
+{ pkgs, secret, lib, ... }: let
+	keyPath = "/root/.nixbuilder";
 in {
 	systemd.services.generate-nix-cache-key = {
 		wantedBy = [ "multi-user.target" ];
@@ -8,12 +8,25 @@ in {
 		script = ''
 			[[ -f "${keyPath}/private-key" ]] && exit
 			mkdir ${keyPath} || true
-			nix-store --generate-binary-cache-key "$HOSTNAME-1" "${keyPath}/private-key" "${keyPath}/public-key"
+			nix-store --generate-binary-cache-key "nixbuilder-1" "${keyPath}/private-key" "${keyPath}/public-key"
 			nix store sign --all -k "${keyPath}/private-key"
 		'';
 	};
+
+	users.groups.nixbuilder = {};
+	users.users.nixbuilder = {
+		openssh.authorizedKeys.keys = secret.ssh.builderKeys;
+		description  = "Nix Remote Builder";
+		isNormalUser = true;
+		createHome   = lib.mkForce false;
+		uid          = 1234;
+		home         = "/";
+		group        = "nixbuilder";
+	};
+
 	# To apply: nix store sign --all -k /path/to/secret-key-file
 	nix.extraOptions = ''
+		trusted-users = nixbuilder
 		secret-key-files = ${keyPath}/private-key
 	'';
 }

module/common/Sshd.nix

@@ -11,7 +11,7 @@
 			}
 		];
 		settings = {
-			AllowUsers      = [ "root" ];
+			AllowUsers      = [ "root" "nixbuilder" ];
 			LoginGraceTime  = "1m";
 			# MaxAuthTries    = 1;
 			MaxSessions     = 10;

module/common/bash/module/Git.nix

@@ -195,9 +195,9 @@
 			open "''${url}"
 		}
 
-		# Resign the old commits. 0 to resign from root.
-		# Usage: git_resign [COMMIT_COUNT]
-		function git_resign() {
+		# Sign the old commits. 0 to resign from root.
+		# Usage: git_sign [COMMIT_COUNT]
+		function git_sign() {
 			local base="''${1}"
 
 			# Resign last commit by default.

module/common/ssh/Init.nix

@@ -25,6 +25,12 @@
 			User root
 			Port 22143
 
+		Host nixbuilder
+			HostName 192.168.1.2
+			User nixbuilder
+			StrictHostKeyChecking=accept-new
+			Port 22143
+
 		Host laptop
 			Hostname 192.168.1.9
 			User root

part/Secret.nix

@@ -1,14 +1,20 @@
 { ... }: {
-	ssh.trustedKeys = [
-		# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuuw5ek5wGB9KdBhCTxjV+CBpPU6RIOynHkFYC4dau3 root@dasha"
-		# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGIf192IxsksM6u8UY+eqpHopebgV+NNq2G03ssdXIgz root@desktop"
-		# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSWdbkYsRiDlKu8iT/k+JN4KY08iX9qh4VyqxlpEZcE root@home"
-		# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgiYKFkMfiGOZCZIk+O7LtaoF6A3cHEFCqaPwXOM4rR root@work"
-		# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDBL5NAm8S97EtfB/7DPf5Xl3Cqi3PlSO1V0m7fknNzz root@laptop"
+	ssh = {
+		trustedKeys = [
 			"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIL2LI1iFDZC223aWqBVz9yusfB/XrRwsBKiL5warIF/ nix-on-droid@phone"
 			(builtins.readFile ./secret/public/Ssh.key)
 		];
 
+		builderKeys = [
+			"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuuw5ek5wGB9KdBhCTxjV+CBpPU6RIOynHkFYC4dau3 root@dasha"
+			"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGIf192IxsksM6u8UY+eqpHopebgV+NNq2G03ssdXIgz root@desktop"
+			"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSWdbkYsRiDlKu8iT/k+JN4KY08iX9qh4VyqxlpEZcE root@home"
+			"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgiYKFkMfiGOZCZIk+O7LtaoF6A3cHEFCqaPwXOM4rR root@work"
+			"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBA+KKCkFOshUznJlXW/LDie0vZLd4b+KWodSm8N8vM+ root@laptop"
+			(builtins.readFile ./secret/public/Ssh.key)
+		];
+	};
+
 	crypto = {
 		sign = {
 			format  = "ssh";