feat(calcite): sign locally build paths in nix store

flake.lock

@@ -174,16 +174,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1720768451,
-        "narHash": "sha256-EYekUHJE2gxeo2pM/zM9Wlqw1Uw2XTJXOSAO79ksc4Y=",
-        "owner": "nixos",
+        "lastModified": 1721187324,
+        "narHash": "sha256-QA/hwTo9TsEbtTxFjHdyIopyRqVbC3psML9D1CuSGcg=",
+        "owner": "xinyangli",
         "repo": "nixpkgs",
-        "rev": "7e7c39ea35c5cdd002cd4588b03a3fb9ece6fad9",
+        "rev": "5a00e83edebdcf87790dfa0a304b092f4e3ed694",
         "type": "github"
       },
       "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
+        "owner": "xinyangli",
+        "ref": "deploy",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -120,7 +120,6 @@
             nixpkgs = import nixpkgs {
               system = "x86_64-linux";
             };
-            machinesFile = ./nixbuild.net;
             specialArgs = {
               inherit inputs;
             };
@@ -194,7 +193,7 @@
       {
         devShells = {
           default = pkgs.mkShell {
-            packages = with pkgs; [ git colmena sops nix-output-monitor nil nvd ];
+            packages = with pkgs; [ nix git colmena sops nix-output-monitor nil nvd ];
           };
         };
       }

home/xin/common/default.nix

@@ -20,9 +20,6 @@
     inetutils
   ];
 
+  # Required for standalone home configuration
   nix.package = lib.mkForce pkgs.nixVersions.latest;
-  nix.extraOptions = ''
-    extra-substituters = https://nix-community.cachix.org
-    extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=
-  '';
 }

machines/calcite/configuration.nix

@@ -9,6 +9,13 @@
       ../sops.nix
     ];
 
+  commonSettings = {
+    nix = {
+      enableMirrors = true;
+      signing.enable = true;
+    };
+  };
+
   # Bootloader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
@@ -229,23 +236,6 @@
 
   system.stateVersion = "22.05";
 
-  # Use mirror for binary cache
-  nix.settings.substituters = [
-    "https://mirrors.bfsu.edu.cn/nix-channels/store"
-    "https://mirrors.ustc.edu.cn/nix-channels/store"
-  ];
-  nix.gc = {
-    automatic = true;
-    dates = "weekly";
-    options = "--delete-older-than 30d";
-  };
-  nix.optimise.automatic = true;
-
-  nix.settings = {
-    experimental-features = [ "nix-command" "flakes" ];
-    auto-optimise-store = true;
-    trusted-users = [ "xin" "root" ];
-  };
   nix.extraOptions = ''
     !include "${config.sops.secrets.github_public_token.path}"
   '';

machines/dolomite/default.nix

@@ -79,10 +79,6 @@ in
       wheelNeedsPassword = false;
     };
 
-    nix.settings = {
-      trusted-users = [ "root" ];
-    };
-
     services.sing-box = let
       singTls = {
         enabled = true;

machines/massicot/default.nix

@@ -46,21 +46,6 @@
     git
   ];
 
-  nix.settings = {
-    experimental-features = [ "nix-command" "flakes" ];
-    substituters = "https://cache.garnix.io";
-    trusted-public-keys = "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=";
-  };
-
-  nix.gc = {
-    automatic = true;
-    dates = "weekly";
-    options = "--delete-older-than 7d";
-  };
-  nix.optimise.automatic = true;
-  nix.settings.auto-optimise-store = true;
-
-
   system.stateVersion = "22.11";
   
   networking = {

machines/raspite/configuration.nix

@@ -4,6 +4,9 @@
   imports = [
     ./hass.nix
   ];
+
+  commonSettings.nix.enableMirrors = true;
+
   nixpkgs.overlays = [
     # Workaround https://github.com/NixOS/nixpkgs/issues/126755#issuecomment-869149243
     (final: super: {
@@ -18,13 +21,6 @@
     raspberrypi-eeprom
   ];
 
-  # Use mirror for binary cache
-  nix.settings.substituters = [
-    "https://mirrors.bfsu.edu.cn/nix-channels/store"
-    "https://mirrors.ustc.edu.cn/nix-channels/store"
-  ];
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
   system.stateVersion = "24.05";
   
   networking = {
@@ -51,10 +47,6 @@
     wheelNeedsPassword = false;
   };
 
-  nix.settings = {
-    trusted-users = [ "@wheel" ];
-  };
-
   # fileSystems."/".fsType = lib.mkForce "btrfs";
   boot.supportedFilesystems.zfs = lib.mkForce false;
 

modules/nixos/common-nix-conf.nix

@@ -0,0 +1,62 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib) mkIf mkEnableOption mkOption types;
+
+  cfg = config.commonSettings.nix;
+in
+{
+  options.commonSettings.nix = {
+    enable = mkOption {
+      default = true;
+      type = types.bool;
+    };
+    enableMirrors = mkEnableOption "cache.nixos.org mirrors in Mainland China";
+    signing = {
+      enable = mkEnableOption "Sign locally-built paths";
+      keyFile = mkOption {
+        default = "/etc/nix/key.private";
+        type = types.str;
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    nix.package = pkgs.nixVersions.latest;
+
+    nix.gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 30d";
+    };
+
+    nix.optimise.automatic = true;
+
+    nix.settings = {
+      experimental-features = [ "nix-command" "flakes" ];
+      auto-optimise-store = true;
+      trusted-users = [ "root" ];
+
+      substituters = [
+        "https://nix-community.cachix.org"
+        "https://cache.garnix.io"
+      ];
+
+      extra-substituters = mkIf cfg.enableMirrors [
+        "https://mirrors.bfsu.edu.cn/nix-channels/store"
+        "https://mirrors.ustc.edu.cn/nix-channels/store"
+      ];
+
+      trusted-public-keys = [
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+        "xin-1:8/ul1IhdWLswERF/8RfeAw8VZqjwHrJ1x55y1yjxQ+Y="
+      ];
+
+      secret-key-files = mkIf cfg.signing.enable [
+        cfg.signing.keyFile
+      ];
+    };
+  };
+}
+

modules/nixos/default.nix

@@ -1,6 +1,7 @@
 { config, pkgs, ... }:
 {
   imports = [
+    ./common-nix-conf.nix
     ./restic.nix
     ./vaultwarden.nix
     ./prometheus.nix