From b8b0ae34c63d64fb1607b0b25a7c4d3628fadc6b Mon Sep 17 00:00:00 2001 From: Infinidoge Date: Mon, 16 May 2022 09:19:06 -0400 Subject: [PATCH] feat(nix): sign nix store packages --- modules/devos/cachix/ssh.nix | 13 +++++++++---- modules/devos/nix.nix | 4 +++- secrets/binary-cache-private-key.age | Bin 0 -> 1345 bytes secrets/binary-cache-public-key | 1 + secrets/secrets.nix | 1 + 5 files changed, 14 insertions(+), 5 deletions(-) create mode 100644 secrets/binary-cache-private-key.age create mode 100644 secrets/binary-cache-public-key diff --git a/modules/devos/cachix/ssh.nix b/modules/devos/cachix/ssh.nix index b29d79e..50022d5 100644 --- a/modules/devos/cachix/ssh.nix +++ b/modules/devos/cachix/ssh.nix @@ -1,7 +1,12 @@ { config, lib, ... }: { - nix.settings.substituters = lib.mkIf (config.networking.hostName != "Infini-DESKTOP" && config.info.loc.home) - ((if config.info.loc.home then (lib.mkOrder 300) else lib.mkAfter) [ - "ssh://infini-desktop" - ]); + nix.settings = { + substituters = lib.mkIf (config.networking.hostName != "Infini-DESKTOP" && config.info.loc.home) + ((if config.info.loc.home then (lib.mkOrder 300) else lib.mkAfter) [ + "ssh://infini-desktop" + ]); + trusted-public-keys = [ + "infinidoge-1:uw2A6JHHdGJ9GPk0NEDnrdfVkPp0CUY3zIvwVgNlrSk=" + ]; + }; } diff --git a/modules/devos/nix.nix b/modules/devos/nix.nix index 972a511..f6682d3 100644 --- a/modules/devos/nix.nix +++ b/modules/devos/nix.nix @@ -29,7 +29,9 @@ with lib; keep-outputs = true keep-derivations = true fallback = true - ''; + '' + (if config.modules.secrets.enable then '' + secret-key-files = ${config.secrets.binary-cache-private-key} + '' else ""); # nixPath = [ # "nixpkgs=${channel.input}" 
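Review bot: The key literal in `trusted-public-keys` duplicates the contents of `secrets/binary-cache-public-key`, which this same commit adds, so a key rotation has to touch two places and a missed copy would leave hosts trusting the old signing key. Reading it from the file keeps one source of truth: `trusted-public-keys = [ (lib.fileContents ../../../secrets/binary-cache-public-key) ];`. Unlike `substituters`, this entry is not under the `lib.mkIf`, so every host that imports the module accepts paths signed by this key from any substituter it has configured. If that is intended, a one-line comment saying so would make the trust scope explicit.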
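Review bot: `secret-key-files` is switched on for every host where `config.modules.secrets.enable` is true, and the `secrets/secrets.nix` hunk encrypts `binary-cache-private-key.age` to `allKeys`, so the one signing key that the other machines trust appears to be decryptable on each of them; a compromise of any single host would then expose a key whose signatures the rest accept. If only the cache host needs to sign (presumably Infini-DESKTOP, judging by the `ssh://infini-desktop` substituter), gate the option on it, e.g. `'' + optionalString (config.modules.secrets.enable && config.networking.hostName == "Infini-DESKTOP") ''`, and narrow the recipients in `secrets.nix` to that host's key. `config.secrets.binary-cache-private-key` is defined outside this hunk; confirm it evaluates to the decrypted runtime path and not to a store path, since anything copied into `/nix/store` is world-readable. The option string being appended to starts before the hunk and the attribute set continues after it.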
diff --git a/secrets/binary-cache-private-key.age b/secrets/binary-cache-private-key.age new file mode 100644 index 0000000000000000000000000000000000000000..f7e61d239508f35ba475e9b910ba815297fbea9a GIT binary patch literal 1345 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH4%9b@bX4#OO7<}K z4ol3;Hg^fu&&jnkj!ZHRPYSOL$@0lFa51uo%5X0Y)h@RTP3I~!GcE86ba5(h%Jwaf zN=h>=b1_LTN;S+Xa`p5p^eQn3)6TWXa`#EA3`Dmr)3U%o>~!b6vP{FGf}-NUJnf34$f8`MF#WW$ zbWd-?L`QvkG%V zvc0_=ONt_V3O)RDjnla-LcG%5GQ3PpqbmH$0`>h(vJ`F z%-oBz-P6%+%XjpxEK64iNUsPCG;s|LE2=E;G&S(EbPIMbFe#|YFt!NFOLlSbbTP^) z_RFp+4KL^NHL5E0@-!a4Ai&uO!sq+GWPR#@x=(q zFi(%Hh;)UrtX#{);Rt>i;|M!h(Im_ zW3w!CN9U}Zh`b2ng38d!Y~Rc%9}9zmB+F9Ivb?+;lRWcMGw-}oV~kYd?quW}6{t{V z7Mc=i;OXR?nUk0v6rAQ%nIGg_Y#x#o7?~2}=AG;AQ&|>eke2A2;mDO1?(5-ep5vL3 zk?CTYYG#yD>Sk7+9_(k}UhJ0b#X8*%-DJc^3p#1uD1)mZm4VBpX+xS zM?WI5#K_wLYxZU)|wpJA?K9kuDmc<5@*vcYQo3lBpLC-G?sPG z`>Klg70Vd-+3O~o-|UdMy7%4sM6Vr*vnCbyR;-j`NNAg4c%pN+nU`q&y2Ga@IL1Xp hxaWrj1aOx79nooG+kaGk+Z9FS=^w7o_^A3g698=3x^(~m literal 0 HcmV?d00001 diff --git a/secrets/binary-cache-public-key b/secrets/binary-cache-public-key new file mode 100644 index 0000000..e223bde --- /dev/null +++ b/secrets/binary-cache-public-key @@ -0,0 +1 @@ +infinidoge-1:uw2A6JHHdGJ9GPk0NEDnrdfVkPp0CUY3zIvwVgNlrSk= \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 1c98e42..bdb8ad2 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -20,4 +20,5 @@ in "wireless.age".publicKeys = allKeys; "infinidoge-password.age".publicKeys = allKeys; "root-password.age".publicKeys = allKeys; + "binary-cache-private-key.age".publicKeys = allKeys; }