modules: add darwin/nixos remote-builder

flake.nix

@@ -144,8 +144,8 @@
         flake.darwinModules = {
           common = ./modules/darwin/common;
 
-          builder = ./modules/darwin/builder.nix;
           hercules-ci = ./modules/darwin/hercules-ci;
+          remote-builder = ./modules/darwin/remote-builder.nix;
         };
 
         flake.nixosModules = {
@@ -158,10 +158,10 @@
           hydra = ./modules/nixos/hydra.nix;
           monitoring = ./modules/nixos/monitoring;
           nur-update = ./modules/nixos/nur-update.nix;
+          remote-builder = ./modules/nixos/remote-builder/default.nix;
           remote-builder-build04 = ./modules/nixos/remote-builder/build04.nix;
           remote-builder-darwin02 = ./modules/nixos/remote-builder/darwin02.nix;
           remote-builder-darwin03 = ./modules/nixos/remote-builder/darwin03.nix;
-          remote-builder-user = ./modules/nixos/remote-builder/user.nix;
           watch-store = ./modules/nixos/cachix/watch-store.nix;
           zfs = ./modules/nixos/zfs.nix;
         };

hosts/build04/configuration.nix

@@ -5,7 +5,7 @@
     ./hardware-configuration.nix
     inputs.self.nixosModules.common
     inputs.self.nixosModules.hercules-ci
-    inputs.self.nixosModules.remote-builder-user
+    inputs.self.nixosModules.remote-builder
   ];
 
   nixpkgs.system = "aarch64-linux";

hosts/darwin02/configuration.nix

@@ -3,8 +3,8 @@
 {
   imports = [
     inputs.self.darwinModules.common
-    inputs.self.darwinModules.builder
     inputs.self.darwinModules.hercules-ci
+    inputs.self.darwinModules.remote-builder
   ];
 
   nix.settings.sandbox = "relaxed";

hosts/darwin03/configuration.nix

@@ -3,8 +3,8 @@
 {
   imports = [
     inputs.self.darwinModules.common
-    inputs.self.darwinModules.builder
     inputs.self.darwinModules.hercules-ci
+    inputs.self.darwinModules.remote-builder
   ];
 
   nix.settings.sandbox = "relaxed";

modules/darwin/remote-builder.nix

@@ -1,4 +1,8 @@
 {
+  imports = [
+    ../shared/remote-builder.nix
+  ];
+
   users.knownUsers = [ "nix" ];
 
   users.users.nix = {
@@ -7,16 +11,10 @@
     home = "/Users/nix";
     createHome = true;
     shell = "/bin/zsh";
-    # if user is removed the keys need to be removed manually from /etc/ssh/authorized_keys.d
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmdo1x1QkRepZf7nSe+OdEWX+wOjkBLF70vX9F+xf68 builder"
-    ];
   };
 
   # add build user to group for ssh access
   system.activationScripts.postActivation.text = ''
     dseditgroup -o edit -a "nix" -t user com.apple.access_ssh
   '';
-
-  nix.settings.trusted-users = [ "nix" ];
 }

modules/nixos/remote-builder/default.nix

@@ -0,0 +1,13 @@
+{
+  imports = [
+    ../../shared/remote-builder.nix
+  ];
+
+  users.users.nix = {
+    isNormalUser = true;
+    group = "nix";
+    home = "/var/lib/nix";
+    createHome = true;
+  };
+  users.groups.nix = { };
+}

modules/nixos/remote-builder/user.nix

@@ -1,13 +0,0 @@
-{
-  users.users.nix = {
-    isNormalUser = true;
-    group = "nix";
-    home = "/var/lib/nix";
-    createHome = true;
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmdo1x1QkRepZf7nSe+OdEWX+wOjkBLF70vX9F+xf68 builder"
-    ];
-  };
-  users.groups.nix = { };
-  nix.settings.trusted-users = [ "nix" ];
-}

modules/shared/remote-builder.nix

@@ -0,0 +1,13 @@
+{ config, ... }:
+let
+  # on nix-darwin if user is removed the keys need to be removed manually from /etc/ssh/authorized_keys.d
+  key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmdo1x1QkRepZf7nSe+OdEWX+wOjkBLF70vX9F+xf68 builder";
+in
+{
+  users.users.nix.openssh.authorizedKeys.keys = [
+    # use nix-store for hydra which doesn't support ssh-ng
+    ''command="${config.nix.package}/bin/nix-store --serve --write",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ${key}''
+  ];
+
+  nix.settings.trusted-users = [ "nix" ];
+}