From 3b57b4821e6cf6468649413d776c675751db3cb9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Sun, 23 Apr 2023 01:17:16 +0200
Subject: [PATCH] hydra: add restricted remote builder

---
 hosts/hydra/default.nix | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/hosts/hydra/default.nix b/hosts/hydra/default.nix
index 7a4466b4..c781ed29 100644
--- a/hosts/hydra/default.nix
+++ b/hosts/hydra/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, libS, pkgs, ... }:
+{ config, lib, libS, pkgs, ssh-public-keys, ... }:
 let
 cachePort = 5000;
@@ -39,6 +39,12 @@ in
 daemonCPUSchedPolicy = "idle";
 daemonIOSchedClass = "idle";
 daemonIOSchedPriority = 7;
+ remoteBuilder = {
+ enable = true;
+ sshPublicKeys = config.users.users.root.openssh.authorizedKeys.keys ++ [
+ /* "..." */
+ ];
+ };
 settings = {
 allowed-uris = "http:// https:// ssh://";
 auto-optimise-store = true;
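Review bot: In the second hunk `sshPublicKeys` starts from `config.users.users.root.openssh.authorizedKeys.keys`, so every key that can log in as root is also enrolled for the builder, and the builder's access list changes silently whenever root's key list does, which is hard to audit for something the subject calls restricted. The `ssh-public-keys` argument added in the first hunk is not referenced in the visible new lines, and the appended list holds only a `/* "..." */` placeholder. If the client keys are meant to come from that argument, list them explicitly and drop the root keys unless they are really needed, e.g. `sshPublicKeys = [ ssh-public-keys.<client> ];`, where `<client>` is a placeholder for the real attribute name. A short comment above the option, such as `# build-only client keys; login restrictions come from the remoteBuilder module`, would also help, once it is confirmed that the module (not visible in this patch) actually forces a command and disables forwarding for these keys.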