From af8ff6a6a1cff56fe63de663745a48ce2c65a7ec Mon Sep 17 00:00:00 2001
From: emily
Date: Thu, 5 Sep 2024 14:46:07 +0200
Subject: [PATCH 1/2] build-worker: Use sshServe
---
 config/profiles/builder.nix | 11 +++++------
 config/services/hydra/nix-config.nix | 5 +----
 2 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/config/profiles/builder.nix b/config/profiles/builder.nix
index b4da590..4f6e989 100644
--- a/config/profiles/builder.nix
+++ b/config/profiles/builder.nix
@@ -2,7 +2,7 @@
 kyouma.deployment.auto-upgrade.cache = "daemon";
 nix.gc.options = lib.mkForce "--delete-older-than 60d";
 nix.settings = {
- trusted-users = [ "build" ];
+ trusted-users = [ "nix-ssh" ];
 #system-features = [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++ lib.optionals pkgs.hostPlatform.isx86_64 [ "gccarch-x86-64-v3" ];
 };
 nix.extraOptions = ''
@@ -11,11 +11,10 @@
 max-substitution-jobs = 20
 max-silent-time = 14400
 '';
- users.users.build = {
- isNormalUser = true;
- shell = pkgs.bash;
- ignoreShellProgramCheck = true;
- openssh.authorizedKeys.keys = [
+ nix.sshServe = {
+ enable = true;
+ write = true;
+ keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/+iN407+HsfHbbC3tfdA8Yf4TZ08qXQMb4tb/SDAs+ emily@card"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/vCXM3IaxJP9v2Y+xcQrQD2IcffgdzqtWhpMjj9Xl5 hydra@seras"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICT0dGyLUjxFnvqUmex+5xUGQ7D4yGHKo267JgApcq0k root@ryuuko"
diff --git a/config/services/hydra/nix-config.nix b/config/services/hydra/nix-config.nix
index 32a8333..73e47de 100644
--- a/config/services/hydra/nix-config.nix
+++ b/config/services/hydra/nix-config.nix
@@ -10,7 +10,7 @@
 }
 {
 hostName = "integra.kyouma.net";
- sshUser = "build";
+ sshUser = "nix-ssh";
 maxJobs = 2;
 speedFactor = 4;
 systems = [ "aarch64-linux" ];
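Review bot: `trusted-users = [ "nix-ssh" ]` in the first builder.nix hunk gives every key accepted by `nix.sshServe.keys` trusted-user status on this builder's Nix daemon, which the Nix manual describes as essentially root-equivalent (a trusted user can, for instance, import store paths without a signature check). The old `build` account was trusted as well, so this is not a regression, but dropping the login shell reads like a hardening step and the trust grant undoes much of it. If trust is only needed so Hydra can copy unsigned inputs, it may be possible to sign paths on the Hydra host and list its public key under `trusted-public-keys`, leaving `nix-ssh` untrusted. If the grant stays, I would document it with a comment such as `# nix-ssh is trusted: every sshServe key is root-equivalent on this host`, or express it as `nix.sshServe.trusted = true;` next to the keys where the nixpkgs revision in use provides that option. The `nix.settings` block opens inside the hunk but the file header is outside it.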
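Review bot: The `keys` list under `nix.sshServe` is carried over unchanged from the old `build` user, so with `write = true` it lets what look like a personal key (`emily@card`) and a root key (`root@ryuuko`) write to the store alongside the Hydra dispatcher key (`hydra@seras`). Only the hosts that actually dispatch builds need write access here, so I would trim the list to those and keep interactive access on a separate account. A comment above the list would also help the next editor, for example `# build dispatchers only: each key may write to the store of this builder`. The list continues past the end of the hunk, so the remaining entries were not reviewed.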
@@ -43,9 +43,6 @@
 "https://"
 ];
 };
- users.users.hydra-queue-runner.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/vCXM3IaxJP9v2Y+xcQrQD2IcffgdzqtWhpMjj9Xl5 hydra@seras"
- ];
 programs.ssh = {
 knownHosts = {
 "build-worker-03.nyantec.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEGqTY74c5g15DSNPNM2Wdr5jAwS7BFgX1XRnhtGOnJc";
From 6b0d6676635104a570e2c4173be056f058da83c7 Mon Sep 17 00:00:00 2001
From: Update Bot Date: Fri, 6 Sep 2024 04:21:21 +0200 Subject: [PATCH 2/2] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'attic': 'github:zhaofengli/attic/f74cee00364a36e4db8d05dc9c98391e18d9b4f8' (2024-08-30) → 'github:zhaofengli/attic/bea72d75b6165dfb529ba0c39cc6c7e9c7f0d234' (2024-09-02) • Updated input 'disko': 'github:nix-community/disko/96073e6423623d4a8027e9739d2af86d6422ea7a' (2024-09-02) → 'github:nix-community/disko/e55f9a8678adc02024a4877c2a403e3f6daf24fe' (2024-09-03) • Updated input 'fernglas': 'github:wobcom/fernglas/25020466957dbe0e193f7857d827020f5c1aa996' (2024-02-07) → 'github:wobcom/fernglas/25e55f0275c369d66ccd847e7fc0f4cbd4ca4d26' (2024-09-03) • Updated input 'fernglas/communities': 'github:NLNOG/lg.ring.nlnog.net/20f9a9f3da8b1bc9d7046e88c62df4b41b4efb99' (2024-01-31) → 'github:NLNOG/lg.ring.nlnog.net/41cf616bae6fba597d074a484aabf1bee9002fb5' (2024-06-26) • Updated input 'fernglas/nixpkgs': 'github:NixOS/nixpkgs/faf912b086576fd1a15fca610166c98d47bc667e' (2024-02-05) → 'github:NixOS/nixpkgs/655a58a72a6601292512670343087c2d75d859c1' (2024-07-08) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/95c3dfe6ef2e96ddc1ccdd7194e3cda02ca9a8ef' (2024-08-28) → 'github:nixos/nixos-hardware/880be1ab837e1e9fe0449dae41ac4d034694d4ce' (2024-09-04) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/12228ff1752d7b7624a54e9c1af4b222b3c1073b' (2024-08-31) → 'github:nixos/nixpkgs/ad416d066ca1222956472ab7d0555a6946746a80' (2024-09-04) • Updated input 'nixvim': 'github:nix-community/nixvim/2b30ee87031fb40f0f894de00c23ea41714d940e' (2024-09-01) → 'github:nix-community/nixvim/84249a9dabdf930d968d248024c4d6240ee14548' (2024-09-05) • Updated input 'sops-nix': 'github:Mic92/sops-nix/5db5921e40ae382d6716dce591ea23b0a39d96f7' (2024-09-01) → 'github:Mic92/sops-nix/d9d781523a1463965cd1e1333a306e70d9feff07' (2024-09-05) • Updated input 'stylix': 
'github:danth/stylix/3a4101c4f4abee41859c0cb98f6250f04c80d0f6' (2024-08-31) → 'github:danth/stylix/ef81ad9e85e60420cc83d4642619c14b57139d33' (2024-09-02) --- flake.lock | 60 +++++++++++++++++++++++++++--------------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/flake.lock b/flake.lock index dad0d75..2692e35 100644 --- a/flake.lock +++ b/flake.lock @@ -14,11 +14,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1725048495, - "narHash": "sha256-vzmyW8Q6fG+QqlsYus+Xbo5s61ciXM4UpStZ2j5Pn54=", + "lastModified": 1725300620, + "narHash": "sha256-IdM+pZ6BnmD3o1fTJZ2BD43k7dwi1BbVfLDLpM1nE5s=", "owner": "zhaofengli", "repo": "attic", - "rev": "f74cee00364a36e4db8d05dc9c98391e18d9b4f8", + "rev": "bea72d75b6165dfb529ba0c39cc6c7e9c7f0d234", "type": "github" }, "original": { @@ -144,11 +144,11 @@ "communities": { "flake": false, "locked": { - "lastModified": 1706695952, - "narHash": "sha256-FlbOBX/+/LLmoqMJLvu59XuHYmiohIhDc1VjkZu4Wzo=", + "lastModified": 1719412992, + "narHash": "sha256-WYcu4m9qytW5chFC8ZocDhvMflLIwsLkjz/z5ybjYlI=", "owner": "NLNOG", "repo": "lg.ring.nlnog.net", - "rev": "20f9a9f3da8b1bc9d7046e88c62df4b41b4efb99", + "rev": "41cf616bae6fba597d074a484aabf1bee9002fb5", "type": "github" }, "original": { @@ -206,11 +206,11 @@ ] }, "locked": { - "lastModified": 1725242307, - "narHash": "sha256-a2iTMBngegEZvaNAzzxq5Gc5Vp3UWoGUqWtK11Txbic=", + "lastModified": 1725377834, + "narHash": "sha256-tqoAO8oT6zEUDXte98cvA1saU9+1dLJQe3pMKLXv8ps=", "owner": "nix-community", "repo": "disko", - "rev": "96073e6423623d4a8027e9739d2af86d6422ea7a", + "rev": "e55f9a8678adc02024a4877c2a403e3f6daf24fe", "type": "github" }, "original": { 
@@ -251,11 +251,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1707317562, - "narHash": "sha256-0wj5AS8RLVr+S/QWWxCsMvmVjmXUWGfR9kPaZimJEss=", + "lastModified": 1725373953, + "narHash": "sha256-hkWPZTAQSDOaoTsdC3t4L8Rm65M3VYw6t4+8aghBPzA=", "owner": "wobcom", "repo": "fernglas", - "rev": "25020466957dbe0e193f7857d827020f5c1aa996", + "rev": "25e55f0275c369d66ccd847e7fc0f4cbd4ca4d26", "type": "github" }, "original": { @@ -794,11 +794,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1724878143, - "narHash": "sha256-UjpKo92iZ25M05kgSOw/Ti6VZwpgdlOa73zHj8OcaDk=", + "lastModified": 1725477728, + "narHash": "sha256-ahej1VRqKmWbG7gewty+GlrSBEeGY/J2Zy8Nt8+3fdg=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "95c3dfe6ef2e96ddc1ccdd7194e3cda02ca9a8ef", + "rev": "880be1ab837e1e9fe0449dae41ac4d034694d4ce", "type": "github" }, "original": { @@ -829,11 +829,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1707092692, - "narHash": "sha256-ZbHsm+mGk/izkWtT4xwwqz38fdlwu7nUUKXTOmm4SyE=", + "lastModified": 1720418205, + "narHash": "sha256-cPJoFPXU44GlhWg4pUk9oUPqurPlCFZ11ZQPk21GTPU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "faf912b086576fd1a15fca610166c98d47bc667e", + "rev": "655a58a72a6601292512670343087c2d75d859c1", "type": "github" }, "original": { @@ -925,11 +925,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1725103162, - "narHash": "sha256-Ym04C5+qovuQDYL/rKWSR+WESseQBbNAe5DsXNx5trY=", + "lastModified": 1725432240, + "narHash": "sha256-+yj+xgsfZaErbfYM3T+QvEE2hU7UuE+Jf0fJCJ8uPS0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "12228ff1752d7b7624a54e9c1af4b222b3c1073b", + "rev": "ad416d066ca1222956472ab7d0555a6946746a80", "type": "github" }, "original": { 
@@ -956,11 +956,11 @@ "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1725223906, - "narHash": "sha256-f6wliEr+oLzKxgJxgkf1bCebmDosq2l8RujIueQK3Qk=", + "lastModified": 1725563454, + "narHash": "sha256-RQ9aKwXmqNHMBFOlHEUVrAFo7YHJSVn4nBgi2rcaCY4=", "owner": "nix-community", "repo": "nixvim", - "rev": "2b30ee87031fb40f0f894de00c23ea41714d940e", + "rev": "84249a9dabdf930d968d248024c4d6240ee14548", "type": "github" }, "original": { @@ -1036,11 +1036,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1725201042, - "narHash": "sha256-lj5pxOwidP0W//E7IvyhbhXrnEUW99I07+QpERnzTS4=", + "lastModified": 1725540166, + "narHash": "sha256-htc9rsTMSAY5ek+DB3tpntdD/es0eam2hJgO92bWSys=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5db5921e40ae382d6716dce591ea23b0a39d96f7", + "rev": "d9d781523a1463965cd1e1333a306e70d9feff07", "type": "github" }, "original": { @@ -1070,11 +1070,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1725126812, - "narHash": "sha256-E0CrYq8A/gdBjb9qC3PGKfH9lwSESyFX6sRZXJxq4JE=", + "lastModified": 1725290973, + "narHash": "sha256-+jwXF9KI0HfvDgpsoJGvOdfOGGSKOrID1wQB79zjUbo=", "owner": "danth", "repo": "stylix", - "rev": "3a4101c4f4abee41859c0cb98f6250f04c80d0f6", + "rev": "ef81ad9e85e60420cc83d4642619c14b57139d33", "type": "github" }, "original": {