feat(calcite): sign locally build paths in nix store

2024-07-18 11:44:09 +08:00 · 2024-07-18 11:44:09 +08:00 · 6c39724060
commit 6c39724060
parent e36875131b
3 changed files with 17 additions and 4 deletions
--- a/modules/nixos/common-nix-conf.nix
+++ b/modules/nixos/common-nix-conf.nix
@ -12,6 +12,13 @@ in
      type = types.bool;
    };
    enableMirrors = mkEnableOption "cache.nixos.org mirrors in Mainland China";
+    signing = {
+      enable = mkEnableOption "Sign locally-built paths";
+      keyFile = mkOption {
+        default = "/etc/nix/key.private";
+        type = types.str;
+      };
+    };
  };

  config = mkIf cfg.enable {
@ -41,9 +48,13 @@ in
      ];

      trusted-public-keys = [
-        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
        "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+        "xin-1:8/ul1IhdWLswERF/8RfeAw8VZqjwHrJ1x55y1yjxQ+Y="
+      ];
+
+      secret-key-files = mkIf cfg.signing.enable [
+        cfg.signing.keyFile
      ];
    };
  };