# Exports `flake.nixosModules.sops`, a NixOS module that pulls in sops-nix and
# wires up Nix remote builds from whichever sops secrets the host declares:
#
#   * client role:  a secret named `remoteBuildKey` enables distributed builds
#     against esotericbytes.com, using that secret as the SSH private key.
#   * builder role: any secret named `remoteBuildClientKeys/<name>` creates the
#     `remote-builder` account and renders those secrets into its
#     authorized_keys file.
#
# Both roles are keyed purely off the presence of the secret names; nothing is
# configured when neither kind of secret is declared.
{ inputs, ... }:
{
  flake.nixosModules.sops =
    { config, lib, ... }:
    let
      secretNames = builtins.attrNames config.sops.secrets;

      # Client role: this host holds a key for logging in to the builder.
      hasBuildKey = config.sops.secrets ? "remoteBuildKey";

      # Builder role: this host holds at least one client key to authorize.
      isClientKey = name: (builtins.match "^remoteBuildClientKeys/.+" name) != null;
      clientKeyNames = builtins.filter isClientKey secretNames;
      actsAsBuilder = builtins.any isClientKey secretNames;
    in
    {
      imports = [ inputs.sops-nix.nixosModules.sops ];

      config = {
        nix = {
          settings.builders-use-substitutes = hasBuildKey;

          # mkDefault so a host can still override this explicitly.
          distributedBuilds = lib.mkDefault hasBuildKey;

          # NOTE(review): no `publicHostKey` is set on this entry, so the
          # builder's identity is only as trustworthy as the known_hosts data
          # the connecting SSH client already has. Consider pinning the
          # builder's host key here.
          buildMachines = lib.mkIf hasBuildKey [
            {
              hostName = "esotericbytes.com";
              sshUser = "remote-builder";
              # Path of the decrypted secret, not the key material itself.
              sshKey = config.sops.secrets."remoteBuildKey".path;
              supportedFeatures = [
                "nixos-test"
                "benchmark"
                "big-parallel"
                "kvm"
              ];
              systems = [
                "x86_64-linux"
                "aarch64-linux"
              ];
            }
          ];
        };

        # Login account that remote clients connect as. No extra groups are
        # assigned here and no home directory is created.
        users.users."remote-builder" = lib.mkIf actsAsBuilder {
          isNormalUser = true;
          createHome = false;
        };

        # One authorized_keys entry per `remoteBuildClientKeys/*` secret,
        # newline-separated. The placeholders are substituted with the
        # decrypted values when sops-nix renders the template.
        # presumably each secret holds a single SSH public key line - verify.
        #
        # NOTE(review): the rendered file is owned by the account it
        # authorizes, so a process running as `remote-builder` can change the
        # file's mode and contents. Consider root ownership with read access
        # for the account instead, after confirming sshd still accepts the
        # file under StrictModes.
        sops.templates."remote-builder" = lib.mkIf actsAsBuilder {
          content = builtins.concatStringsSep "\n" (
            builtins.map (name: config.sops.placeholder.${name}) clientKeyNames
          );
          path = "/etc/ssh/authorized_keys.d/remote-builder";
          owner = "remote-builder";
        };
      };
    };
}