From 861d4e81fc826b229c206bbe2a6f5f321f61b8d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?= <motiejus@jakstys.lt>
Date: Sun, 25 Feb 2024 20:04:21 +0200
Subject: [PATCH] remote-builder

---
 data.nix                                    |  2 ++
 hosts/fra1-a/configuration.nix              | 10 +++++++
 modules/services/default.nix                |  1 +
 modules/services/remote-builder/default.nix | 33 +++++++++++++++++++++
 4 files changed, 46 insertions(+)
 create mode 100644 modules/services/remote-builder/default.nix

diff --git a/data.nix b/data.nix
index 9b48af1..d61e38c 100644
--- a/data.nix
+++ b/data.nix
@@ -16,6 +16,8 @@ rec {
     jakstpub = 505;
 
     photoprism = 507;
+
+    remote-builder = 508;
   };
 
   ports = {
diff --git a/hosts/fra1-a/configuration.nix b/hosts/fra1-a/configuration.nix
index ff3be6e..59dd765 100644
--- a/hosts/fra1-a/configuration.nix
+++ b/hosts/fra1-a/configuration.nix
@@ -70,6 +70,16 @@
       sshguard.enable = true;
       tailscale.enable = true;
 
+      remote-builder = {
+        enable = true;
+        uidgid = myData.uidgid.remote-builder;
+        sshAllowSubnet = myData.subnets.tailscale.sshPattern;
+        publicKeys = map (h: myData.hosts.${h}.publicKey) [
+          "vno1-oh2.servers.jakst"
+          "fwminex.motiejus.jakst"
+        ];
+      };
+
       postfix = {
         enable = true;
         saslPasswdPath = config.age.secrets.sasl-passwd.path;
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 5e949ba..d32988b 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -11,6 +11,7 @@
     ./node_exporter
     ./nsd-acme
     ./postfix
+    ./remote-builder
     ./snmp_exporter
     ./sshguard
     ./syncthing
diff --git a/modules/services/remote-builder/default.nix b/modules/services/remote-builder/default.nix
new file mode 100644
index 0000000..91ecdfd
--- /dev/null
+++ b/modules/services/remote-builder/default.nix
@@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.mj.services.remote-builder;
+in {
+  options.mj.services.remote-builder = with lib.types; {
+    enable = lib.mkEnableOption "Enable remote builder";
+    uidgid = lib.mkOption {type = int;};
+    sshAllowSubnet = lib.mkOption {type = str;};
+    publicKeys = lib.mkOption {type = listOf str;};
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users.remote-builder = {
+      description = "Remote Builder";
+      home = "/var/lib/remote-builder";
+      shell = "/bin/sh";
+      group = "remote-builder";
+      isSystemUser = true;
+      createHome = true;
+      uid = cfg.uidgid;
+      openssh.authorizedKeys.keys =
+        map (
+          k: "from=\"${cfg.sshAllowSubnet}\" ${k}"
+        )
+        cfg.publicKeys;
+    };
+    users.groups.remote-builder.gid = cfg.uidgid;
+    nix.settings.trusted-users = ["remote-builder"];
+  };
+}