Added remote build user

modules/nixos/nix/default.nix

@@ -25,51 +25,77 @@ in
     };
 
     useSelfhostedCache = mkEnableOption "use self-hosted nix cache (currently hosted on gospel)";
+    remoteBuilder.enable = mkEnableOption "set up as a remote builder";
   };
 
-  config = mkIf cfg.enable {
+  config = mkIf cfg.enable (
-    environment.systemPackages = with pkgs; [
+    lib.mkMerge [
-      nix-prefetch
-      nixfmt-rfc-style
-    ];
-
-    nix =
-      let
-        users = [
-          "root"
-          config.aa.user.name
-        ];
-      in
       {
-        package = cfg.package;
+        environment.systemPackages = with pkgs; [
+          nix-prefetch
+          nixfmt-rfc-style
+        ];
 
-        settings = {
+        nix =
-          experimental-features = "nix-command flakes";
+          let
-          trusted-users = users;
+            users = [
-          allowed-users = users;
+              "root"
+              config.aa.user.name
+            ];
+          in
+          {
+            package = cfg.package;
 
-          builders-use-substitutes = cfg.useSelfhostedCache;
+            settings = {
-          substituters =
+              experimental-features = "nix-command flakes";
-            if cfg.useSelfhostedCache then
+              trusted-users = users;
-              [
+              allowed-users = users;
-                # TESTING
+
-                "https://minio.kilonull.com/nix-store"
+              builders-use-substitutes = cfg.useSelfhostedCache;
-                selfHostedCacheHost
+              substituters =
-              ]
+                if cfg.useSelfhostedCache then
-            else
+                  [
-              [ ];
+                    # TESTING
-          trusted-public-keys = mkIf cfg.useSelfhostedCache [
+                    "https://minio.kilonull.com/nix-store"
-            "gospelCache:9cbn8Wm54BbwpPS0TXw+15wrYZBpfOJt4Fzfbfcq/pc="
+                    selfHostedCacheHost
-          ];
+                  ]
+                else
+                  [ ];
+              trusted-public-keys = mkIf cfg.useSelfhostedCache [
+                "gospelCache:9cbn8Wm54BbwpPS0TXw+15wrYZBpfOJt4Fzfbfcq/pc="
+              ];
+            };
+
+            # TODO: Configure distributedBuilds and buildMachines?
+
+            gc = {
+              automatic = lib.mkDefault true;
+              dates = lib.mkDefault "weekly";
+              options = lib.mkDefault "--delete-older-than 30d";
+            };
+          };
+      }
+      (lib.mkIf cfg.remoteBuilder.enable {
+        users.users.remotebuild = {
+          isNormalUser = true;
+          createHome = false;
+          group = "remotebuild";
+
+          # All the keys from ./remote_client_keys should be trusted
+          openssh.authorizedKeys.keyFiles = (
+            let
+              publicKeys = builtins.readDir ./remote_client_keys;
+              fileNames = builtins.attrNames publicKeys;
+              filePaths = builtins.map (fileName: ./remote_client_keys + "/${fileName}") fileNames;
+            in
+            filePaths
+          );
         };
 
-        # TODO: Configure distributedBuilds and buildMachines?
+        users.groups.remotebuild = { };
 
-        gc = {
+        nix.settings.trusted-users = [ "remotebuild" ];
-          automatic = lib.mkDefault true;
+      })
-          dates = lib.mkDefault "weekly";
+    ]
-          options = lib.mkDefault "--delete-older-than 30d";
+  );
-        };
-      };
-  };
 }

modules/nixos/nix/remote_client_keys/carbon.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKy1MP/CjBPhcXac3XgTEnhATN6xpXRO6YDkHNhLQrkx root@carbon

systems/x86_64-linux/gospel/default.nix

@@ -14,6 +14,7 @@
 
   aa = {
     nix.enable = true;
+    nix.remoteBuilder.enable = true;
 
     archetypes = {
       workstation.enable = true;