modules/system/builder: init remote-builder module

hosts/youko/default.nix

@@ -1,3 +1,17 @@
+{ config, lib, ... }:
+let
+  builderUsers = lib.fp.pipe [
+    (lib.attrs.filter (
+      name: _:
+      !builtins.elem name [
+        "youko"
+        "kazuki"
+        "ude"
+      ]
+    ))
+    builtins.attrValues
+  ] config.assets.sshKeys.system;
+in
 {
   config.systems.nixos.youko.module =
     {
@@ -31,6 +45,11 @@
         settei.desktop.enable = true;
       };
 
+      settei.remote-builder = {
+        enable = true;
+        sshKeys = builderUsers;
+      };
+
       services.udisks2.enable = true;
       settei.incus.enable = true;
       virtualisation.podman.enable = true;

modules/system/builder.nix

@@ -0,0 +1,49 @@
+{ isLinux }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.settei.remote-builder;
+
+  sharedConfig = {
+    users.users.${cfg.user} = {
+      shell = pkgs.bash;
+      openssh.authorizedKeys.keys = cfg.sshKeys;
+    };
+
+    nix.settings.trusted-users = [ cfg.user ];
+  };
+
+  linuxConfig = lib.optionalAttrs isLinux {
+    users.users.${cfg.user} = {
+      isSystemUser = true;
+      group = cfg.user;
+    };
+    users.groups.${cfg.user} = { };
+  };
+
+  mergedConfig = lib.mkMerge [
+    sharedConfig
+    linuxConfig
+  ];
+in
+{
+  _file = ./builder.nix;
+
+  options.settei.remote-builder = {
+    enable = lib.mkEnableOption "configuring this machine as a remote builder";
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = "nixremote";
+    };
+    sshKeys = lib.mkOption {
+      type = lib.types.listOf lib.types.singleLineStr;
+      default = [ ];
+    };
+  };
+
+  config = lib.mkIf cfg.enable mergedConfig;
+}

modules/system/default.nix

@@ -25,6 +25,7 @@
     (import ./github-runner.nix { inherit isLinux; })
     (import ./incus.nix { inherit isLinux; })
     (import ./monitoring.nix { inherit isLinux; })
+    (import ./builder.nix { inherit isLinux; })
   ];
 
   options.settei = with lib; {