feat: add locking script

nix/devshell.nix

@@ -36,7 +36,13 @@
             help = "deploy nix configurations";
           }
           {
-            package = pkgs.scripts.unlock;
+            package = pkgs.symlinkJoin {
+              name = "locker";
+              paths = [
+                pkgs.scripts.unlock
+                pkgs.scripts.lock
+              ];
+            };
             help = "build nix configurations";
           }
           {

pkgs/scripts/default.nix

@@ -13,9 +13,14 @@ _final: prev: {
     };
     unlock = prev.writeShellApplication {
       name = "unlock-builders";
-      runtimeInputs = [ prev.nix-output-monitor ];
+      runtimeInputs = [ ];
       text = builtins.readFile ./unlock.sh;
     };
+    lock = prev.writeShellApplication {
+      name = "lock-builders";
+      runtimeInputs = [ ];
+      text = builtins.readFile ./lock.sh;
+    };
     update = prev.writeShellApplication {
       name = "update";
       runtimeInputs = [ ];

pkgs/scripts/lock.sh

@@ -0,0 +1,17 @@
+function die {
+	echo "error: $*" >&2
+	exit 1
+}
+
+while read -r -a i; do
+	path=${i[2]}
+	if [[ ! $path == /run/builder-unlock/* ]]; then
+		continue
+	fi
+	host=${i[0]#*'://'}
+	user=${host%'@'*}
+	host=${host#*'@'}
+	echo "Deleting public key from: $host"
+	a=(bash -c "rm /etc/ssh/authorized_keys.d/${user@Q}")
+	ssh -n root"@$host" -- "${a[*]@Q}"
+done </etc/nix/machines

pkgs/scripts/unlock.sh

@@ -11,8 +11,8 @@ while read -r -a i; do
 	host=${i[0]#*'://'}
 	user=${host%'@'*}
 	host=${host#*'@'}
-	echo "Generating secret key for $user at $host"
 	dirname=$(dirname "$path")
+	echo "Generating secret key for $user at $host"
 	pubkey=$(ssh -n root@localhost -- bash -c "umask 077 &>/dev/null ; mkdir -p ${dirname@Q} ;
 		ssh-keygen -q -t ed25519 -N '' -C 'Automatically generated key for nix remote builders.' -f ${path@Q} <<<y &>/dev/null ;
 		cat ${path@Q}.pub")