feat[client,server]: add remote builds, confLib

modules/nixos/server/ssh-builder.nix

@@ -0,0 +1,35 @@
+{ self, pkgs, lib, config, ... }:
+let
+  ssh-restrict = "restrict,pty,command=\"${wrapper-dispatch-ssh-nix}/bin/wrapper-dispatch-ssh-nix\" ";
+
+  wrapper-dispatch-ssh-nix = pkgs.writeShellScriptBin "wrapper-dispatch-ssh-nix" ''
+    case $SSH_ORIGINAL_COMMAND in
+      "nix-daemon --stdio")
+        exec env NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${config.nix.package}/bin/nix-daemon --stdio
+        ;;
+      "nix-store --serve --write")
+        exec env NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${config.nix.package}/bin/nix-store --serve --write
+        ;;
+      *)
+        echo "Access only allowed for using the nix remote builder" 1>&2
+        exit
+    esac
+  '';
+in
+{
+  options.swarselmodules.server.ssh-builder = lib.mkEnableOption "enable ssh-builder config on server";
+  config = lib.mkIf config.swarselmodules.server.ssh-builder {
+    users = {
+      groups.builder = { };
+      users.builder = {
+        useDefaultShell = true;
+        isSystemUser = true;
+        group = "builder";
+        openssh.authorizedKeys.keys = [
+          ''${ssh-restrict} ${builtins.readFile "${self}/secrets/keys/ssh/builder.pub"}''
+        ];
+      };
+    };
+
+  };
+}