feat(calcite): sign locally build paths in nix store

2024-07-18 11:44:09 +08:00 · 2024-07-18 11:44:09 +08:00 · 6c39724060
commit 6c39724060
parent e36875131b
3 changed files with 17 additions and 4 deletions
--- a/flake.nix
+++ b/flake.nix
@ -120,7 +120,6 @@
            nixpkgs = import nixpkgs {
              system = "x86_64-linux";
            };
            machinesFile = ./nixbuild.net;
            specialArgs = {
              inherit inputs;
            };
@ -194,7 +193,7 @@
      {
        devShells = {
          default = pkgs.mkShell {
-            packages = with pkgs; [ git colmena sops nix-output-monitor nil nvd ];
+            packages = with pkgs; [ nix git colmena sops nix-output-monitor nil nvd ];
          };
        };
      }
--- a/machines/calcite/configuration.nix
+++ b/machines/calcite/configuration.nix
@ -10,7 +10,10 @@
    ];
  commonSettings = {
-    nix.enableMirrors = true;
+    nix = {
      enableMirrors = true;
      signing.enable = true;
    };
  };
  # Bootloader.
--- a/modules/nixos/common-nix-conf.nix
+++ b/modules/nixos/common-nix-conf.nix
@ -12,6 +12,13 @@ in
      type = types.bool;
    };
    enableMirrors = mkEnableOption "cache.nixos.org mirrors in Mainland China";
    signing = {
      enable = mkEnableOption "Sign locally-built paths";
      keyFile = mkOption {
        default = "/etc/nix/key.private";
        type = types.str;
      };
    };
  };
  config = mkIf cfg.enable {
@ -41,9 +48,13 @@ in
      ];
      trusted-public-keys = [
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
        "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
        "xin-1:8/ul1IhdWLswERF/8RfeAw8VZqjwHrJ1x55y1yjxQ+Y="
      ];
      secret-key-files = mkIf cfg.signing.enable [
        cfg.signing.keyFile
      ];
    };
  };