lets test it, remote-builders

profiles/remote-builders.nix

@@ -1,5 +1,3 @@
-{}
-/** /
 { config, lib, ... }:
 
 # TODO: make a remote-build user on nixos boxes, instead of giving access to pbsds
@@ -10,16 +8,17 @@ let
   inherit (builtins) map fromTOML readFile elem attrNames;
   inherit (lib) mkIf;
 
-  hosts' = fromTOML (readFile ../../hosts/known-hosts.toml); # eww
+  hosts' = fromTOML (readFile ../hosts/known-hosts.toml); # TODO: eww
   hosts = lib.pipe hosts' [
-    (lib.filterAttrs (name: host: name != "default"))
+    (lib.filterAttrs (name: host: name != "__default__"))
     (lib.mapAttrs (name: host:
-      lib.recursiveUpdate (hosts'."default" or {}) host
+      lib.recursiveUpdate (hosts'."__default__" or {}) host
     ))
   ];
   hostNames = attrNames hosts;
   thisHost = hosts.${config.networking.fqdn};
   thisHostIsBuilder = thisHost.maxJobs > 0;
+  thisHostIsHopHost = builtins.elem config.networking.fqdn (lib.forEach hosts (host: host.ssh.proxyJump or null));
 
   mkRemoteConfig = fqdn: let
     host = hosts.${fqdn};
@@ -29,37 +28,42 @@ let
       sshUser = host.ssh.listenUser;
     };
     isBuilder = host.maxJobs > 0;
-    isConsumer = host.ssh ? publicKeyUser && thisHostIsBuilder;
+    isConsumer = host.ssh ? userPublicKey && thisHostIsBuilder;
     isThis = fqdn == config.networking.fqdn;
-  in mkIf (!isThis) {
-
+  in mkIf (!isThis) ( lib.mkMerge [
     # out
-    nix.buildMachines = mkIf isBuilder [ buildMachine ];
-    programs.ssh.knownHosts.${fqdn}.publicKey = mkIf isBuilder host.ssh.listenPublicKey;
+    (lib.mkIf isBuilder {
 
-    # timeout is great when remote is unresponsive. nix doesn't care
-    programs.ssh.extraConfig = ''
-      Host ${fqdn}
-        ConnectTimeout 3
-        Port ${builtins.toString (host.ssh.listenPort or 22)}
-        ${lib.optionalString (host.ssh ? proxyJump) ''
-          ProxyJump ${host.ssh.proxyJump}
-        ''}
-    '';
+      nix.buildMachines = [ buildMachine ];
 
+    })
+    # out or jump
+    (lib.mkIf (host.ssh ? listenPublicKey) {
+      programs.ssh.knownHosts.${fqdn}.publicKey = host.ssh.listenPublicKey;
+
+      # timeouts are great when remote is unresponsive. nix doesn't care
+      programs.ssh.extraConfig = ''
+        Host ${fqdn}
+          ConnectTimeout 3
+          Port ${builtins.toString host.ssh.listenPort}
+          ${lib.optionalString (host.ssh ? proxyJump) ''
+            ProxyJump ${host.ssh.proxyJump}
+          ''}
+      '';
+    })
     # in
-    users = mkIf isConsumer {
-      users.${thisHost.ssh.listenUser} = {
+    (mkIf (isConsumer && (thisHostIsBuilder || thisHostIsHopHost) ) {
+
+      nix.settings.allowed-users = [ thisHost.ssh.listenUser ];
+      nix.settings.trusted-users = [ thisHost.ssh.listenUser ];
+      users.users.${thisHost.ssh.listenUser} = {
         isSystemUser = lib.mkDefault (!config.users.users.${thisHost.ssh.listenUser}.isNormalUser);
-        openssh.authorizedKeys.keys = [
-          host.ssh.userPublicKey
-        ];
-        group = lib.mkDefault "nogroup";
+        openssh.authorizedKeys.keys = [ host.ssh.userPublicKey ];
+        group = lib.mkOptionDefault "nogroup";
       };
-    };
-    nix.settings.allowed-users = mkIf isConsumer [ thisHost.ssh.listenUser ];
-    nix.settings.trusted-users = mkIf isConsumer [ thisHost.ssh.listenUser ];
-  };
+
+    })
+  ]);
 
 in {
 
@@ -74,4 +78,3 @@ in {
   imports = lib.forEach hostNames mkRemoteConfig;
 
 }
-/**/