feat(nix): sign nix store packages

2022-05-16 09:19:06 -04:00 · 2022-05-16 09:19:06 -04:00 · b8b0ae34c6
commit b8b0ae34c6
parent cc6c5c50b5
5 changed files with 14 additions and 5 deletions
--- a/modules/devos/cachix/ssh.nix
+++ b/modules/devos/cachix/ssh.nix
@ -1,7 +1,12 @@
 { config, lib, ... }:
 {
-  nix.settings.substituters = lib.mkIf (config.networking.hostName != "Infini-DESKTOP" && config.info.loc.home)
-    ((if config.info.loc.home then (lib.mkOrder 300) else lib.mkAfter) [
-      "ssh://infini-desktop"
-    ]);
+  nix.settings = {
+    substituters = lib.mkIf (config.networking.hostName != "Infini-DESKTOP" && config.info.loc.home)
+      ((if config.info.loc.home then (lib.mkOrder 300) else lib.mkAfter) [
+        "ssh://infini-desktop"
+      ]);
+    trusted-public-keys = [
+      "infinidoge-1:uw2A6JHHdGJ9GPk0NEDnrdfVkPp0CUY3zIvwVgNlrSk="
+    ];
+  };
 }
--- a/modules/devos/nix.nix
+++ b/modules/devos/nix.nix
@ -29,7 +29,9 @@ with lib;
      keep-outputs = true
      keep-derivations = true
      fallback = true
-    '';
+    '' + (if config.modules.secrets.enable then ''
+      secret-key-files = ${config.secrets.binary-cache-private-key}
+    '' else "");

    # nixPath = [
    #   "nixpkgs=${channel.input}"
--- a/secrets/binary-cache-private-key.age
+++ b/secrets/binary-cache-private-key.age
--- a/secrets/binary-cache-public-key
+++ b/secrets/binary-cache-public-key
@ -0,0 +1 @@
+infinidoge-1:uw2A6JHHdGJ9GPk0NEDnrdfVkPp0CUY3zIvwVgNlrSk=
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -20,4 +20,5 @@ in
  "wireless.age".publicKeys = allKeys;
  "infinidoge-password.age".publicKeys = allKeys;
  "root-password.age".publicKeys = allKeys;
+  "binary-cache-private-key.age".publicKeys = allKeys;
 }
				`@ -0,0 +1 @@`
				`infinidoge-1:uw2A6JHHdGJ9GPk0NEDnrdfVkPp0CUY3zIvwVgNlrSk=`