feat(nix): sign nix store packages

modules/devos/cachix/ssh.nix

@@ -1,7 +1,12 @@
 { config, lib, ... }:
 {
-  nix.settings.substituters = lib.mkIf (config.networking.hostName != "Infini-DESKTOP" && config.info.loc.home)
+  nix.settings = {
+    substituters = lib.mkIf (config.networking.hostName != "Infini-DESKTOP" && config.info.loc.home)
       ((if config.info.loc.home then (lib.mkOrder 300) else lib.mkAfter) [
         "ssh://infini-desktop"
       ]);
+    trusted-public-keys = [
+      "infinidoge-1:uw2A6JHHdGJ9GPk0NEDnrdfVkPp0CUY3zIvwVgNlrSk="
+    ];
+  };
 }

modules/devos/nix.nix

@@ -29,7 +29,9 @@ with lib;
       keep-outputs = true
       keep-derivations = true
       fallback = true
-    '';
+    '' + (if config.modules.secrets.enable then ''
+      secret-key-files = ${config.secrets.binary-cache-private-key}
+    '' else "");
 
     # nixPath = [
     #   "nixpkgs=${channel.input}"

secrets/binary-cache-public-key

@@ -0,0 +1 @@
+infinidoge-1:uw2A6JHHdGJ9GPk0NEDnrdfVkPp0CUY3zIvwVgNlrSk=

secrets/secrets.nix

@@ -20,4 +20,5 @@ in
   "wireless.age".publicKeys = allKeys;
   "infinidoge-password.age".publicKeys = allKeys;
   "root-password.age".publicKeys = allKeys;
+  "binary-cache-private-key.age".publicKeys = allKeys;
 }