feat(calcite): sign locally build paths in nix store

flake.nix

@@ -120,7 +120,6 @@
             nixpkgs = import nixpkgs {
               system = "x86_64-linux";
             };
-            machinesFile = ./nixbuild.net;
             specialArgs = {
               inherit inputs;
             };
@@ -194,7 +193,7 @@
       {
         devShells = {
           default = pkgs.mkShell {
-            packages = with pkgs; [ git colmena sops nix-output-monitor nil nvd ];
+            packages = with pkgs; [ nix git colmena sops nix-output-monitor nil nvd ];
           };
         };
       }

machines/calcite/configuration.nix

@@ -10,7 +10,10 @@
     ];
 
   commonSettings = {
-    nix.enableMirrors = true;
+    nix = {
+      enableMirrors = true;
+      signing.enable = true;
+    };
   };
 
   # Bootloader.

modules/nixos/common-nix-conf.nix

@@ -12,6 +12,13 @@ in
       type = types.bool;
     };
     enableMirrors = mkEnableOption "cache.nixos.org mirrors in Mainland China";
+    signing = {
+      enable = mkEnableOption "Sign locally-built paths";
+      keyFile = mkOption {
+        default = "/etc/nix/key.private";
+        type = types.str;
+      };
+    };
   };
 
   config = mkIf cfg.enable {
@@ -41,9 +48,13 @@ in
       ];
 
       trusted-public-keys = [
-        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
         "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
         "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+        "xin-1:8/ul1IhdWLswERF/8RfeAw8VZqjwHrJ1x55y1yjxQ+Y="
+      ];
+
+      secret-key-files = mkIf cfg.signing.enable [
+        cfg.signing.keyFile
       ];
     };
   };