feat: remote builder

config/basic/nix.nix

@@ -6,6 +6,7 @@
       allowed-users = [ "@wheel" ];
       trusted-users = [
         "root"
+        "@nix-build"
       ];
       system-features = [
         "recursive-nix"
@@ -59,7 +60,4 @@
   };
   programs.nix-ld.enable = true;
   system.stateVersion = stateVersion;
-  hm-all.nixpkgs.config = {
-    allowUnfree = true;
-  };
 }

config/basic/users.nix

@@ -42,6 +42,9 @@
       paperless = uidGid 315;
       stalwart-mail = uidGid 316;
       build = uidGid 317;
+      nix-build = {
+        gid = 230;
+      };
       systemd-oom = uidGid 300;
       systemd-coredump = uidGid 301;
       patrick = uidGid 1000;

hosts/mailnix/default.nix

@@ -1,3 +1,4 @@
+{ config, pkgs, ... }:
 {
   imports = [
     ../../config/basic
@@ -24,4 +25,35 @@
     };
   };
   nixpkgs.hostPlatform = "aarch64-linux";
+  users.users.build = {
+    isSystemUser = true;
+    shell = pkgs.bash;
+    group = "build";
+    extraGroups = [ "nix-build" ];
+    createHome = false;
+    openssh.authorizedKeys.keyFiles = [
+      ./secrets/generated/buildSSHKey.pub
+    ];
+  };
+
+  age.secrets.buildSSHKey = {
+    generator.script =
+      {
+        lib,
+        name,
+        pkgs,
+        file,
+        ...
+      }:
+      ''
+        key=$(exec 3>&1; ${pkgs.openssh}/bin/ssh-keygen -q -t ed25519 -N "" -C ${lib.escapeShellArg "${config.networking.hostName}:${name}"} -f /proc/self/fd/3 <<<y >/dev/null 2>&1; true)
+        (exec 3<&0; ${pkgs.openssh}/bin/ssh-keygen -f /proc/self/fd/3 -y) <<< "$key" > ${
+          lib.escapeShellArg (lib.removeSuffix ".age" file + ".pub")
+        }
+        echo "$key"
+      '';
+    intermediary = true;
+  };
+  users.groups.build = { };
+  users.groups.nix-build = { };
 }

hosts/mailnix/secrets/generated/buildSSHKey.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG5PpLxcHVOES86RNuukcbIoRIlSDoBFEp3KPvPzwSZ7 mailnix:buildSSHKey

hosts/mailnix/secrets/generated/idmail-mailbox-hash_catch-all.age

@@ -1,17 +1,17 @@
 age-encryption.org/v1
--> X25519 7NpA9hDsF1TwTVRvAKHpovHSUCr0Gg11mzsubZemyDs
+-> X25519 h8OLMwPUFKNXzJ1edlaA04bW2e01AKT5kHgOZ6cABWo
-3eE/PWJizZWIDMr3Dt6012F6db/nlmhpM8y06eLO48s
+nY7s2G16b9ekcsrTFttHtBs+jikOIUUkbzNz+8o4Rto
--> piv-p256 ZFgiIw Alb1ynSHX7YiSZkhDbId9MGoQeRacJJ9Mv4a64WVxXdE
+-> piv-p256 ZFgiIw A7eQWNtKe0sOTfroM+2M8FBHyKmdqMgCe9Gqi7ocqc5h
-gTRZ2XC+K6bZ9my7B28oXJGfQ2fvHFZHDTGWfjzQMdA
+fraNvIFfPFUUqam22DljaFuQkbH3BEdkhu4c1sqiI+8
--> piv-p256 XTQkUA AhrEyyEHX3BxETBIWDmbK5pfzmfcFCmTWX2psLAzGhYS
+-> piv-p256 XTQkUA A6n62U0qaztqqO8W7gf/qvM/rIyic4SSVrvaOxiIIThf
-XFR2JtZJikRDATiZ8eflzShfvrrUMLp00s2+0N54tiI
+5FFoMCzUCclVsZwTrrSZnZA117iI9/O1HDPSPfZ0dwQ
--> piv-p256 ZFgiIw A/MHWK7H85OTk0JLH8y0t7QHcG4xRNwYwEuWPuVBLojT
+-> piv-p256 ZFgiIw A51hnMPc7+zsnI7SI2YNaQY4ZT79BOdRrrL8eE+4Cj5G
-Vbwyekt8SwUfJzfyualAekCf/MGW+Igs/ZALTydd9Qc
+KmdNeq7ucj1LBVwMMsDw2hdMTjflgJ3MDptP5doA3Lk
--> piv-p256 5vmPtQ Av/BlH1sZh++RL4fh2NS2HN7yipM9nLfT90OiRh9Flbj
+-> piv-p256 5vmPtQ AvQFCl4sVuiTEHLdy0v+DzK6Czah1JJd2yUYHhW5+kDW
-kzi2VBRvIxbBbze4iBahMGROtnSOKznXzCNS0PR9TG0
+94MRzY0CXgS8R23xPlKT3MkZE/G/pYaCd7XPe5B5BIY
--> N"-grease p, Pb+NMCL ^
+-> 4:bi^-grease
-BeBdV3XQgNJVO309KZx1hphkECZLRrCqPmEoR3pEzB4I3L8Q6ur+4ALEy2mLjmSp
+nMsgcFv+J2d+auxMxq1ZrEp2YH8FnX2UAF9wLE8bf/n+Szkcb+ZZCM1r3yV2ooif
-Mir7Hdy3Pg
+KtY
---- Klvxozur3RYybVYWbakGVXiTymaTfOoFXcwnj7hsEAY
+--- mgyHpsqrpplGUIeksuwaT+ManchIcH65t2ZswkvWu8Y
-믰zéR¼õÍÅx-›rŽ@ß`Ö«? ka´L53<35>öܘ°}B<>Ê¡ü7 -6B»t¤h릂öá$<24>h·‡ò&ÐBƒ.™7O„ä„Þ.ßëk±g·m5Û
+Z<1F>‰0U>ÚÎĚ6‘v…zä๪h„Śé8Ť-`ďăÍ8Żt~1›_Şś•c粼Tá&ť ˛
GEŃ´Y
-¸PÚ<EFBFBD>kѱW<EFBFBD>‰4Ûâ1GyÔâ1%È<ù°ê›?z<>7êÿéfûXcgMaÝnn!
+¤’ĐđňĘÚíSrx÷n69˘q>\ĹŁCůŇGüÖEíĐÔś9ZŇŇńˇŐR˨/ľ–sLžRěJ‚‹EĆ1_±p¶<70>|mC’<43>1ĎŢÉą

hosts/mailnix/secrets/generated/idmail-mailbox-pw_catch-all.age

@@ -1,18 +1,16 @@
 age-encryption.org/v1
--> X25519 Ud9UzEUeDmMIb90vOTWVkdDvIcebEwSzI4Ii8M5jAUI
+-> X25519 C9NITC3gtm5VFtiAkXSf7cyTJsQmVBI+4bFr0y3B+zM
-4rloQ7OzT0voyVboOaWLvOxvrlYxtcOY91dt1lq6wtg
+VSWfR2UuQgthDNllrgRvLhGRVScvgt+PX4QJ+3qVRgo
--> piv-p256 ZFgiIw Aro3d4Lv0WTRa1OiE1f0hROViqhes5elbt5a+uKCS0y7
+-> piv-p256 ZFgiIw A+3wjbiWaoMtjAp/27ibZGkSILthx+tW/zECzuoeLOHq
-UZFViBihW5si4+JbzN1OyzWDuWiFwWfoVls+EH+EUmk
+er2Cxn8kSKhtkMMRJCTCS7aniUmIVkzXg5dsDV/opJ0
--> piv-p256 XTQkUA A0mE5ni66UlnsafkVu3MK0N6aTX2UtV+jADROmg4M1aN
+-> piv-p256 XTQkUA A0G+RwWjo5MwYX64BW6beOePDKVjwP5znIBDvv05b++z
-cYqc/9CCT1PC3inzqfQvK59MCHHNEtIhpvOvqL7E2nA
+nQOGoVVgwTofjzVW0MkkpgGg4U+1F63TAsnluJbo4No
--> piv-p256 ZFgiIw AnFFxNY3lsY4fsze7Hm4vAmK7zZKGA4qEfSUH5aIkQ4j
+-> piv-p256 ZFgiIw AnneHrm3kpe8vWMjVB/JlTeFiiKUP+2vecNYEw+JiKu/
-1OwdPteTYQCWrt4IkRhflolMXJ+FUMm91n3p7icqnsc
+hUcdZSXo98byAsadmfWiB7UyudrOQZYVYR7ypRcY3b8
--> piv-p256 5vmPtQ Amg+62BwmCb9ZQmZ74PzT0/FheaK2OzfyGgbHYcyo5Cl
+-> piv-p256 5vmPtQ Aj9rtohDiMAJNy/aJL4+qeTpNjhMS1rrKOugGXNOAhhu
-OnlF+hKq6p91i3Jk+iwYQ2ByRTgmZX57mIAIpMRoCD8
+kVmfMupNBNV21RI4BTspu1xtdtyP73SUolmTZEyDs+k
--> >aAO.fE-grease ' 7nl% c#t R]j<n
+-> \@ma^t-grease ! YP$J4W ;Q d6YZ+f4X
-pC7HsBXeonXLPKBlbzkYZepNa2/RDKAwF9UvfnYPbw6ouLI6wuwmYO1moo2ERk4c
+eChvjZgQhd7isLuN+dOJ0xORqeT6UQmg7LnJgvALwonCax2NC1+rLR1cJKOskW9I
-D7yBUPkIdFKD
+/9H9s8EbAv5oasYmraBMDiOEn2WULSQ6a4VRCg
---- 9oExlogv7s/uU+7/UeLOrs0v26TpK6fW1E7Y4hT4umc
+--- 7CrdQczJS2Wdqjpac3oexXv4rogT8CGXmqVeCtuaL60
-G¥É¶ÒdMç*óùThrm¾÷®ÜPÙW{
+ºž­ÇÓ
Œu*`ðÇ‚/ƒ2ô<32>L‚kºÑÍyqÂ]*
ŸjrÆ’å F7/ù]f¬¡=y¸$;ðš@z˜Hc<48>	¥nlм|”°¦Ì§°:
-‘kŸÌ¦Z<áñ†h¡þ,¬nxnúE‹€
-Uoè¶QßÙï§S&õÇ·ÿ™ÓéÁ>w•

hosts/mailnix/secrets/generated/resticpasswd.age

@@ -1,16 +1,15 @@
 age-encryption.org/v1
--> X25519 PdEHSeb3vou1ceHtkrlTbsu5BGWZ2onVCXPCwmW8znk
+-> X25519 3RgX2VmSDapxJiZK9X6FKJPgY0+KQv1/WTQjdLI3kx8
-q8UKSDCiI+oZp+iODHddauFYFbLdc82tEo+Bsu2bgbo
+LG5Rg/i6MxWETS9GlJEFmAjvFlnGgK6jzNyiK72KK/4
--> piv-p256 ZFgiIw AnZuTRltFip1RHFY1dr+uTJPGbAYFzWpU/HEiZYuMIgz
+-> piv-p256 ZFgiIw A0H0SIYntYF4+2mb2vxv0XwP71ucvywY5XVT+zU9tgqf
-r0nxJt1eZsXsnCnQ0Ls+kYqyz/PJCUjef9uvziqMqls
+auyYU2LhqeAq6kQWMQRZavgpY7+fCbUIl7EeGblHDzM
--> piv-p256 XTQkUA Au50Oa5SpTyUFjF4W6ETiofTruRqQItE94SmHRPzR4Y2
+-> piv-p256 XTQkUA AsmspPZL/5b34zkclSAIX/FIZZU2tE3/M2XswVg5CvmR
-T9m1cYYtJr8TQuZYquoJUM+uDeim8llDiMVk3N+kDqk
+gIV/00PSjr5pdIfLV9NqVBDX9hSAavB38RpW2RSrJ2s
--> piv-p256 ZFgiIw A/6WS2AnElPTKjwYT6K7CWnL8bolB6HNlQnuqjQ8lKt+
+-> piv-p256 ZFgiIw AhuPJgO/tKGP0HreiqFjFWalRgbll1fYGhWb5kK7a4hP
-/0StgIwLSpVT7NyOJLxsPJz9TtfAOZU+qWls8gYkkFE
+e9oJPqmGf58UdTTcd5DM7PtE/08x2HM3oMXYe/rQYRc
--> piv-p256 5vmPtQ A92v/hxaXEVRNqrsNhFuKCn5TllPrJCGk1e726IDBVo+
+-> piv-p256 5vmPtQ Aukw861aPJyok6rFAW/kuH4WI3swri9Vl8J4bD7Rr/gY
-+yCS8ZD3uO4UWwMhk9xqWSWZ3UGgmBkIAqAtBGKF8Nw
+4+/nC0yeI7vJdsFP8uWUcdx92agTs+9bkloIuQKutL8
--> a^_IFyLy-grease
+-> +4]A!-grease L#S
-smwxe0ZqF7Qc1wsp0rYM20J5FjFiTQV2UpYfUUgt3edM0+iMmBzHG9EPxKjGNmt9
+TdoI3ma07LkywQKU
-yogZ0dRKId6mKtaNJeLHUDaCMhIsYAcrhNVGDvG9JOPdhRx9Og0
+--- RmFBAPozJf5KlDygAiPTprVgM0CTL0oL7kV8WRjKn90
---- sG4CDChcMPfQS4gtEDGd+bH/WKNXi5ohWX4NTNkaAi0
+｡ﾂzUｼﾘﾕpｪBaﾐ1UｾXi橘#備sﾜｫ連:荏#Ny<4E>A`ｲｬHﾒｹ･咋I鯖QﾞﾘiPvxe惧ｿ€ｻ	)ｻ濫[俗d<E4BF97>s璃Et
-⹎¹Ö
od‡6îí?áõK<C3B5>ç¾|¤ë$ýØd(Ó@)Ó·îÑ<1B>ùèø#ëE©™qÈá(¼!jYš`ôhlL<>ñµÃ!›_§õ¥®

hosts/mailnix/secrets/generated/stalwart-admin-pw.age

@@ -1,15 +1,15 @@
 age-encryption.org/v1
--> X25519 GPymk3LLzkZtbBTHtb5BryUrBoDLImS86IoNS78OqlE
+-> X25519 cAZnqaUIag6UnwLKnfF8EHwSzGt8sskaUyS8buWd3mw
-YrRCbTE595ZhRw6VxiBS9lTWB9yP4kijFqSFFdIiUpQ
+hOXAQzWEmpJhk8hA0DxPgVUBwBlCYaSOE+x1MpSZNhY
--> piv-p256 ZFgiIw AsaTyNrw7YuguAOnLv5BFyU2lW61yY++gJmgNq2M+0wq
+-> piv-p256 ZFgiIw A6ahySY+PyEWWW3DZCfaIYszijTLZp+uBn1EpKeTyllt
-VGtlEXVaKpzomsLzjEiBtFE3q0emFLHsiWdahPS/WJU
+u6Qe5KMHEwNQBygQg8pi8By+529Ln0aQBCWWuki2fQA
--> piv-p256 XTQkUA A+Jsj+fWxo26HKlA5TOM2nB5WggS6TVRyfhKzNFQxpI2
+-> piv-p256 XTQkUA AufkVYexxdoH90WE3WDfkMwOXh6qh0C3lXY9Rhb7g6mU
-RwQp5jlvHByeXPPsov5wMEuZ2pED/iFpVBVXVrKshH4
+dLHGSGhUS5FYQkO1MrlYGuljrKaaRDgtfpw+Gi6iQNg
--> piv-p256 ZFgiIw A6HBCYbgWEEBsBQpJfiRwu672I9QOI2JF9eSeCztlBKJ
+-> piv-p256 ZFgiIw ArZckrqQo0XEcSnhBOfbePBjWjcpaSKqnj4GTHCTd2KB
-LOcgLvCIGWvs9Vhc1VuvGlYWKbnkJdngVhBDbdoMSLs
+514eHJ1tOTYhD2mHRXCwDcuqFqFpU1nNsGoH0eEqn/w
--> piv-p256 5vmPtQ A1VVL35NHnMdTROSGAKYG6V32v2D7KVo9eHuRPqejzas
+-> piv-p256 5vmPtQ AggvfcieYkV5CNUGAHGVQYPS6ghcLwoOZA+ACnJk7SLL
-WvdUexTb/Di4mv5owD/3ug2nn8Le/TMgJ+hZYbuED6c
+soTSl5rsCYp1Q8dKryl0d7vQaLRVz1m3FiMvtROzVoc
--> M$iT~z2-grease SDOB\mE" Zxfxg kZ\' LB@$4
+-> N-grease v- 1"Wb wl6i> (\@7
-
+8VnJ
---- 2KhnAceJmwDjVhuEx3saTPzXbDOAjFcpp4DH2lgqsZE
+--- k/wLOK8Bm7WWVTEHFYSwWkYQsTYJX6vm9BPiIWOSc+U
-Q¿ÞIu{¦¶ôþº¿ÎʼEvé†Ý7ês°¸Þ^éeLÁ%A‰kiÆé¹çhµ_ïû$•÷Ôr"z0
AI‚¼ÝqÖ*¾½áS<C3A1>cL
+"śý‹Ňš-ä$×—s¸r\V§aűŘČŤĆ*˙ßćďštąą±­ś“¬ĎüŔ@dß ­ Ň×WëJu%ľ/ą&IšŤoČTąOv‹Ö¸în

hosts/mailnix/secrets/generated/stalwartHetznerSshKey.age

@@ -1,16 +1,18 @@
 age-encryption.org/v1
--> X25519 rLdYm0p5eFCwaK8u7dz/Qco//mCdnylMwhLo6nX28R4
+-> X25519 3JaB9SFo35zKLdSE+hZ7lMnkrP2lWmxyFnwVm6t0LlY
-0XcnRiSWtCyxn1YISgdt/zVIFKPBPbKOueh+L1f62Fc
+2xZW1OBjis7vxOMgfgoP9bdP100+3ygPN67Li8w9xS0
--> piv-p256 ZFgiIw A6fWtzhy3ylrbXZG4xjSGRh3Qrk7ZwMS7Fawt0XZvESm
+-> piv-p256 ZFgiIw A2sQisyYFMNlHr/R4qMk2M/u6PeX44Xm7j/zCzeVBc+j
-wAMOQQvRnMCJ5DriuLHRsc9zJe5UazJBVvNNy97jJos
+5m0H3afrYfe+Zb+u3n5cDVKeJi1dT4t2gVmRjRZ36/I
--> piv-p256 XTQkUA ArhoKZeRdRGXbHOcLiPcT1AruJEE7hckq7QiGKLfcm9d
+-> piv-p256 XTQkUA AjNbgb628e7O35YJ9LPCPekshCVX4rtmYoNpEHGf2ZGQ
-YXh4slVMY/U+DfCBW6V/4Uf60Zb8RPyd0PrAHHB8xDE
+EvXeSXWeH8VI1l60f6yeJX5DBNaAslwjXOGKlq2vYTU
--> piv-p256 ZFgiIw AsjeXhDC4x+6TPG902gZSlW9qFC0JVoznTVmnpQgip9f
+-> piv-p256 ZFgiIw AvCA/khyjqHaDqsUwDk+JO8COiO5cWuNAMiZfadcknt6
-ZxDSKVSBiGCGVE1w+8yZwEJx59DkdFy/6Iq1tbHQ41I
+Bmh/Sq49LGaVep6vmbSvIX1OtRClcLezyUYGcnqgzls
--> piv-p256 5vmPtQ AmlUti+62DpPs4k9HN+ZdKry9pwPjS1HAtnTq9xm1zT1
+-> piv-p256 5vmPtQ A6TitgQQUzNKUrjLgsU+6QkHP53f1kmx0ZGVPdN+xIiY
-zTmFw+xHDQSLkDyVXC8MtlxD5cw/tQ1yK5zlYoDKv8Y
+IpCyE/YV7HRYC+FRcVqLZmz0p8ueVErkl6zuAamRCXY
--> w0-grease /mVZ/4hd jq'R
+-> M+.N!SP|-grease sp lhrKY`> k75p`;=t bMkPFBx
-fvJoC6ucvHgsXQysHHQhXQQ3TMUhFIPpSHwOURHSHn/+9qFVd02Ey0DWl9LujA
+CDJYAj2yESkl0JqCjCC1Ud0fRO/wqE8ZdI39F90cKKWk+uu1VP5oNZK33aSu+tUb
---- 5VjQP6nmIwBXtA/0+zL+EQt9eZHtyp6oD6u5IPgW1s8
+kVnxDbFligk6kxPKTvzMWs4xtn0IidtsY10
-0ös¤(Âî(ÍÙ‰ñ·í’XÎÞ5UJ —³p›ÁŽ·‡ùÏ}:ÔyˆAr÷¨_ã6÷
+--- UoX3XKKRjOlgYFNaVwFBhsCl7bHgm0VMEkJxU05pQW0
-XDæ¬Fá9ÖŸ?1¿‡ä]ŒÐ4{½EhÆ<68>±ê”¿ë&~SÝAèÖ­S²	dVJËeÏSüˆ0/öWG½€ºèp^ßfÉŒ÷ú”‰<E2809D>Bê"^ìøÿÀÓ¶ÀÔ‚<C394>¯N×:ÒçEiBÞ·lK4I1<49>ï'ðˆK2à>^îìàݽ÷L)x¶§ë\«qè.Ýè#´¸.Yþ¢rÌ8‹sc‰NRQ66ºŠªxÍZ<C38D>)<29>¡Ø¹Bv)ÒíÊž<C38A>¥³4½¯–"$õK dØÏMp*=¯<>Ρ³åž«OØâsÁÅñ¼úä3CE#;¸!.Á.‘4ITäÄ÷{¢€f<E282AC>Tˆl”Ѻ ¥Ö{¶éÚëàÕ±™bxHn7^×Ë<C397>_%¡5Òfq¾ãPL‡lŒ`×Á0‰?-!ä½íuEJ™[•%bŽENWíÖùC,øE¹1´1a1ü€{EƸPcÇõã<C3B5>XÎTsB¸ ³m]RH"#v§aßóñXA(Œ‚Œóqœ­àcÀ`ÕŸ¹&<26>”OaÓÖù„p%º`‡½
+›úŠ•Ùvñ·!é7β€ÿòÚ´èq]ßP<*zõFb€AA³rÙî‘Îî.p벳С•ðâ¾²òWr<57>n6§ëv×1¾õO
Ñ<>ƒ-oóûxTµŠ]}—“ˆÍ®¶º9E<19>±O?ŽCohòûwL{í¡(¢‹k"´†¸;ñ’<â­!GÝA)vÿ¤<µ¹ÕŠ½Ä¢Ç-Ô^9R{Å/9þøîâ¡=°lbýËîÏÊ^ä"sqôŒ*ÄD
+pL–PwV¬pU<EFBFBD>3sÓ;¸·e\]Y3ka­@ÐÓ⃬ÿ\Ë'ºJ‘A_à“B¸ÜéËâjÜn[˜pô,€ÔöeµùЄRL#+R—ñ™Uƒ«<C692>³6<>*ïèåo–±‰éÏƶ<C386>b¬iÊ(̺Q›)ú±µ]?=ͳí%›‹8UçºìÄ®±WŠD !mÈÎqi‘±æ=Ô9¼5 t0\
ìîvEm8¶Š²ñÂûÀí£2(g`#¼Qîx¼~¸Éµhw)¡ 4'y|Gùˆ%ïVmV+—Ž›ˆ*öX7’¬uµ$ç–
+=ãëÊÑñœÝÚ®ŸÈ¸.xðUµö‘

pkgs/scripts/build.sh

@@ -10,7 +10,7 @@ function show_help() {
 }
 
 USER_FLAKE_DIR=$(git rev-parse --show-toplevel 2>/dev/null || pwd) ||
-	die "Could not determine current directory"
+die "Could not determine current directory"
 
 cd "$USER_FLAKE_DIR"
 
@@ -38,9 +38,9 @@ while [[ $# -gt 0 ]]; do
 done
 
 [[ ! ${#POSITIONAL_ARGS[@]} -lt 1 ]] ||
-	die "Missing argument: <hosts,...>"
+die "Missing argument: <hosts,...>"
 [[ ! ${#POSITIONAL_ARGS[@]} -gt 1 ]] ||
-	die "Too many arguments"
+die "Too many arguments"
 
 shopt -s lastpipe
 tr , '\n' <<<"${POSITIONAL_ARGS[0]}" | sort -u | readarray -t HOSTS
@@ -52,4 +52,4 @@ done
 
 echo -e "Building toplevels for \033[0;32m${#HOSTS[*]} hosts\033[0m"
 nom build --print-out-paths --no-link "${OPTIONS[@]}" "${NIXOS_CONFIGS[@]}" ||
-	die "Failed building derivations"
+die "Failed building derivations"

pkgs/scripts/deploy.sh

@@ -20,7 +20,7 @@ function show_help() {
 }
 
 USER_FLAKE_DIR=$(git rev-parse --show-toplevel 2>/dev/null || pwd) ||
-	die "Could not determine current directory"
+die "Could not determine current directory"
 
 cd "$USER_FLAKE_DIR"
 
@@ -48,9 +48,9 @@ while [[ $# -gt 0 ]]; do
 done
 
 [[ ! ${#POSITIONAL_ARGS[@]} -lt 1 ]] ||
-	die "Missing argument: <hosts,...>"
+die "Missing argument: <hosts,...>"
 [[ ! ${#POSITIONAL_ARGS[@]} -gt 2 ]] ||
-	die "Too many arguments"
+die "Too many arguments"
 
 shopt -s lastpipe
 tr , '\n' <<<"${POSITIONAL_ARGS[0]}" | sort -u | readarray -t HOSTS

users/patrick/dev.nix

@@ -1,5 +1,7 @@
 {
   lib,
+  config,
+  nodes,
   minimal,
   pkgs,
   ...
@@ -22,6 +24,7 @@ lib.optionalAttrs (!minimal) {
     enableDebugInfo = true;
   };
   documentation = {
+    enable = true;
     dev.enable = true;
     doc.enable = false;
     man.enable = true;
@@ -33,4 +36,27 @@ lib.optionalAttrs (!minimal) {
     export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
     umask 077
   '';
+  age.secrets.mailnixSSHKey = {
+    inherit (nodes.mailnix.config.age.secrets.buildSSHKey) rekeyFile;
+    mode = "400";
+  };
+  nix = {
+    distributedBuilds = true;
+    buildMachines = [
+      {
+        hostName = config.secrets.secrets.global.user.mailnix_ip;
+        protocol = "ssh-ng";
+        sshUser = "build";
+        system = "aarch64-linux";
+        sshKey = config.age.secrets.mailnixSSHKey.path;
+        supportedFeatures = [
+          "big-parallel"
+          #"kvm"
+        ];
+        publicHostKey = builtins.readFile "${pkgs.runCommand "base64HoseKey" { }
+          ''${pkgs.coreutils}/bin/base64 -w0 ${nodes.mailnix.config.node.secretsDir}/host.pub > $out''
+        }";
+      }
+    ];
+  };
 }

users/patrick/programs/gpg/default.nix

@@ -10,7 +10,7 @@
     group = "patrick";
     mode = "640";
   };
-  hm.programs.gpg.publicKeys = [
+  hm-all.programs.gpg.publicKeys = [
     {
       source = ./pubkey.gpg;
       trust = 5;
@@ -30,13 +30,13 @@
           lib.escapeShellArg config.age.secrets."my-gpg-yubikey-keygrip.tar".path
         } -C "$HOME/.gnupg/private-keys-v1.d/"
       '';
-  hm.services.gpg-agent = {
+  hm-all.services.gpg-agent = {
     enable = true;
     enableSshSupport = true;
     pinentryPackage = pkgs.pinentry-gnome3;
   };
 
-  hm.programs.gpg = {
+  hm-all.programs.gpg = {
     enable = true;
     scdaemonSettings.disable-ccid = true;
     settings = {