From 6c39724060c204ae0668c88ba8bf158ce79eda00 Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Thu, 18 Jul 2024 11:44:09 +0800
Subject: [PATCH] feat(calcite): sign locally build paths in nix store
---
 flake.nix | 3 +--
 machines/calcite/configuration.nix | 5 ++++-
 modules/nixos/common-nix-conf.nix | 13 ++++++++++++-
 3 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/flake.nix b/flake.nix
index 879ae3e..422c338 100644
--- a/flake.nix
+++ b/flake.nix
@@ -120,7 +120,6 @@
 nixpkgs = import nixpkgs {
 system = "x86_64-linux";
 };
- machinesFile = ./nixbuild.net;
 specialArgs = {
 inherit inputs;
 };
@@ -194,7 +193,7 @@
 {
 devShells = {
 default = pkgs.mkShell {
- packages = with pkgs; [ git colmena sops nix-output-monitor nil nvd ];
+ packages = with pkgs; [ nix git colmena sops nix-output-monitor nil nvd ];
 };
 };
 }
diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix
index d5a152f..4b35351 100644
--- a/machines/calcite/configuration.nix
+++ b/machines/calcite/configuration.nix
@@ -10,7 +10,10 @@
 ];
 commonSettings = {
- nix.enableMirrors = true;
+ nix = {
+ enableMirrors = true;
+ signing.enable = true;
+ };
 };
 # Bootloader.
diff --git a/modules/nixos/common-nix-conf.nix b/modules/nixos/common-nix-conf.nix
index 00929ce..9d7f31e 100644
--- a/modules/nixos/common-nix-conf.nix
+++ b/modules/nixos/common-nix-conf.nix
@@ -12,6 +12,13 @@ in
 type = types.bool;
 };
 enableMirrors = mkEnableOption "cache.nixos.org mirrors in Mainland China";
+ signing = {
+ enable = mkEnableOption "Sign locally-built paths";
+ keyFile = mkOption {
+ default = "/etc/nix/key.private";
+ type = types.str;
+ };
+ };
 };
 config = mkIf cfg.enable {
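Review bot: The new `signing.keyFile` option in modules/nixos/common-nix-conf.nix has no `description`, and the reason it is `types.str` rather than `types.path` deserves a sentence, because a `types.path` value written as a repo-relative path literal would copy the private key into the world-readable Nix store. Suggest `description = "Absolute path to the secret signing key, kept as a plain string so the key is never copied into the store; must be provisioned out of band, root-owned and not world-readable.";` on the option. The commit turns signing on for calcite in the machines/calcite/configuration.nix hunk, but nothing in it creates `/etc/nix/key.private`; presumably it is delivered by sops or by hand, and saying so in the `enable` option's description would save the next reader a hunt.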
@@ -41,9 +48,13 @@ in
 ];
 trusted-public-keys = [
- "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
 "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
 "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+ "xin-1:8/ul1IhdWLswERF/8RfeAw8VZqjwHrJ1x55y1yjxQ+Y="
+ ];
+
+ secret-key-files = mkIf cfg.signing.enable [
+ cfg.signing.keyFile
 ];
 };
 };
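Review bot: Dropping the `cache.nixos.org-1` entry from `trusted-public-keys` changes trust, not just tidiness: an explicit `trusted-public-keys` value replaces Nix's built-in default list rather than extending it, so unless another module re-adds that key, paths substituted from cache.nixos.org (or the mirrors behind `enableMirrors`) would be rejected as lacking a signature by a trusted key. If the intent is to keep the default and only add keys, Nix accepts the `extra-trusted-public-keys` setting for that; otherwise keep the cache.nixos.org-1 line. The new `secret-key-files` entry would benefit from a short comment such as `# read by nix-daemon as root; keep the file 0600 and outside the store`. The enclosing attrset opens before this hunk.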