feat: unlock script for remot builders

hosts/mailnix/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
   imports = [
     ../../config/basic
@@ -28,32 +28,9 @@
   users.users.build = {
     isSystemUser = true;
     shell = pkgs.bash;
-    group = "build";
+    group = "nogroup";
     extraGroups = [ "nix-build" ];
     createHome = false;
-    openssh.authorizedKeys.keyFiles = [
-      ./secrets/generated/buildSSHKey.pub
-    ];
   };
-
-  age.secrets.buildSSHKey = {
-    generator.script =
-      {
-        lib,
-        name,
-        pkgs,
-        file,
-        ...
-      }:
-      ''
-        key=$(exec 3>&1; ${pkgs.openssh}/bin/ssh-keygen -q -t ed25519 -N "" -C ${lib.escapeShellArg "${config.networking.hostName}:${name}"} -f /proc/self/fd/3 <<<y >/dev/null 2>&1; true)
-        (exec 3<&0; ${pkgs.openssh}/bin/ssh-keygen -f /proc/self/fd/3 -y) <<< "$key" > ${
-          lib.escapeShellArg (lib.removeSuffix ".age" file + ".pub")
-        }
-        echo "$key"
-      '';
-    intermediary = true;
-  };
-  users.groups.build = { };
   users.groups.nix-build = { };
 }

nix/devshell.nix

@@ -35,6 +35,10 @@
             package = pkgs.scripts.deploy;
             help = "deploy nix configurations";
           }
+          {
+            package = pkgs.scripts.unlock;
+            help = "build nix configurations";
+          }
           {
             package = pkgs.scripts.build;
             help = "build nix configurations";

pkgs/scripts/build.sh

@@ -1,5 +1,3 @@
-set -euo pipefail
-
 function die {
   echo "error: $*" >&2
   exit 1

pkgs/scripts/default.nix

@@ -11,6 +11,11 @@ _final: prev: {
       runtimeInputs = [ prev.nix-output-monitor ];
       text = builtins.readFile ./build.sh;
     };
+    unlock = prev.writeShellApplication {
+      name = "unlock-builders";
+      runtimeInputs = [ prev.nix-output-monitor ];
+      text = builtins.readFile ./unlock.sh;
+    };
     update = prev.writeShellApplication {
       name = "update";
       runtimeInputs = [ ];

pkgs/scripts/deploy.sh

@@ -1,5 +1,3 @@
-set -euo pipefail
-
 function die {
   echo "error: $*" >&2
   exit 1

pkgs/scripts/unlock.sh

@@ -0,0 +1,25 @@
+function die {
+	echo "error: $*" >&2
+	exit 1
+}
+
+while read -r -a i; do
+	path=${i[2]}
+	if [[ ! $path == /run/builder-unlock/* ]]; then
+		continue
+	fi
+	host=${i[0]#*'://'}
+	user=${host%'@'*}
+	host=${host#*'@'}
+	echo "Generating secret key for $user at $host"
+	dirname=$(dirname "$path")
+	pubkey=$(ssh -n root@localhost -- bash -c "umask 077 &>/dev/null ; mkdir -p ${dirname@Q} ;
+		ssh-keygen -q -t ed25519 -N '' -C 'Automatically generated key for nix remote builders.' -f ${path@Q} <<<y &>/dev/null ;
+		cat ${path@Q}.pub")
+	echo "Uploading public key: $pubkey"
+	path=$(sha256sum <(echo "$pubkey") | cut -d" " -f1)
+	a=(bash -c "mkdir -p /run/builder-unlock ;
+		echo 'restrict,command=\"nix-daemon --stdio\" '${pubkey@Q} > /run/builder-unlock/${path@Q} ;
+		ln -s -f /run/builder-unlock/${path@Q} /etc/ssh/authorized_keys.d/${user@Q}")
+	ssh -n root"@$host" -- "${a[*]@Q}"
+done </etc/nix/machines

users/patrick/dev.nix

@@ -36,10 +36,6 @@ lib.optionalAttrs (!minimal) {
     export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
     umask 077
   '';
-  age.secrets.mailnixSSHKey = {
-    inherit (nodes.mailnix.config.age.secrets.buildSSHKey) rekeyFile;
-    mode = "400";
-  };
   nix = {
     distributedBuilds = true;
     buildMachines = [
@@ -48,7 +44,7 @@ lib.optionalAttrs (!minimal) {
         protocol = "ssh-ng";
         sshUser = "build";
         system = "aarch64-linux";
-        sshKey = config.age.secrets.mailnixSSHKey.path;
+        sshKey = "/run/builder-unlock/mailnix";
         supportedFeatures = [
           "big-parallel"
           #"kvm"