From 27b7b2abf269706a2001707a82d1fbf8a88fca14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Jane=C5=BEi=C4=8D?=
Date: Mon, 30 Mar 2026 00:21:37 +0200
Subject: [PATCH] feat: add nix store signing for remote deploys

---
 hosts/tower/configuration.nix | 5 +++++
 nix.nix | 4 ++++
 secrets/tower.yaml | 28 ++++++++++++++++++++++++++++
 3 files changed, 37 insertions(+)
 create mode 100644 secrets/tower.yaml

diff --git a/hosts/tower/configuration.nix b/hosts/tower/configuration.nix
index 411f772..617831c 100644
--- a/hosts/tower/configuration.nix
+++ b/hosts/tower/configuration.nix
@@ -1,4 +1,5 @@
 {
+ config,
 lib,
 inputs,
 userKeys,
@@ -10,6 +11,10 @@
 inputs.lanzaboote.nixosModules.lanzaboote
 ];
 
+ # nix store signing
+ sops.secrets.nix-signing-key.sopsFile = ../../secrets/tower.yaml;
+ nix.settings.secret-key-files = [ config.sops.secrets.nix-signing-key.path ];
+
 localisation = {
 timeZone = "Europe/Ljubljana";
 defaultLocale = "en_US.UTF-8";
diff --git a/nix.nix b/nix.nix
index f7602fe..148835b 100644
--- a/nix.nix
+++ b/nix.nix
@@ -7,6 +7,10 @@
 ];
 download-buffer-size = 2 * 1024 * 1024 * 1024;
 warn-dirty = false;
+ trusted-public-keys = [
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "matej.nix-1:TdbemLVYblvAxqJcwb3mVKmmr3cfzXbMcZHE5ILnZDE="
+ ];
 };
 
 gc = {
diff --git a/secrets/tower.yaml b/secrets/tower.yaml
new file mode 100644
index 0000000..4290c91
--- /dev/null
+++ b/secrets/tower.yaml
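Review bot: The `nix.settings.secret-key-files` line in the second hosts/tower/configuration.nix hunk creates a new trust root but is documented only by `# nix store signing`, and it does not cover paths that are already in tower's store: Nix signs paths as they are registered, so closures built before this deploy stay unsigned and will still be refused by hosts that require signatures until someone runs `nix store sign --all -k <decrypted key path>` as root once (sops-nix puts the file under /run/secrets by default, readable by root only, which is what nix-daemon runs as). Replace the one-word comment with one that names the public half this key corresponds to (`matej.nix-1` in nix.nix), states that sops-nix decrypts it at activation and nix-daemon reads it as root, and describes rotation: generate `matej.nix-2`, add its public key to every host's trusted-public-keys first, then swap this secret. The module attrset this hunk sits in starts and ends outside the hunk.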
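Review bot: The second entry in `trusted-public-keys` in the nix.nix hunk carries no comment, and because this file is shared configuration it makes tower's signing key a fleet-wide trust root: any store path carrying a `matej.nix-1` signature is accepted on every host that imports this file, whatever substituter or `nix copy` source it arrives from, so compromise of the private key in secrets/tower.yaml is compromise of all of them. Add above the list `# Store signing keys. cache.nixos.org plus tower's key (private half in secrets/tower.yaml); a path signed by either is accepted on every host using this file.` As written the list replaces Nix's built-in default rather than extending it, which is only safe here because the cache.nixos.org key is repeated; consider `extra-trusted-public-keys` if the intent is to append. The `settings` attrset this hunk is inside starts before the hunk.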
@@ -0,0 +1,28 @@ +nix-signing-key: ENC[AES256_GCM,data:V/mFaYQazqn3KkbDSt5Fnrl/IFvS9kEe10uhkPHeBluZGjFphKD+2dFCQrPPcXreX0UWklQA9Dokd2cGQBGZIUihJE9o9lH+Q6nrmqk3xsi1fzPS5l8zbn4RITmL3rNkmycXBw==,iv:g/jbUS88IBXnb9e6jGiWYHGfCZtdgI1X167hNmzUQEY=,tag:vO5kiN01FzU7s5jOCGW3Fg==,type:str] +sops: + age: + - recipient: age1frwe9fpt9vh969aqnggvq8pfypp6hl98guwfmgttucp7gr55r42sqy2t65 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjbkdXUW5YSTA4c3MyZzdi + ZlF0L2FQZmttbFBaVmlaWWppaXUxUVdYZEZZCmJHT25IZVBESHVqUWE2bnBYWXQ5 + UTFLeXg3eUpyWngxc1FXUzhXRCs3R2MKLS0tIGxkbzFMaEUycCtpOC9mTitpVEZh + c0pROVJpMjJ6bHd1aEQ2QVE5MUUwdnMK/3tXEStP8JF/2c5nAJ19uA+P1cMG1X+v + H5b49uBJ+0UUGMzUpCLgMKz8bq+L8Se0b92iMW5bGW1Fdg/zwJWXOw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-29T21:47:29Z" + mac: ENC[AES256_GCM,data:573t4NH/764zZKzhhpVbzNzpN4QrBjwesIBMyHe7aB47ptGceLhnm+cHOhty3J89VBgn8jgHv5WCBzXFER0LDuQUMFPg6snJ0DK+IgRwuAwNbZdKdSR6VnjqOSBnaijU/Wx93kd/gcMqerYo6rEOLNjVadKgs+NYPLKC/dY4sVs=,iv:kOTr9CIvp6haV8BxTpQfdndYTjZRcmyg+7yjPjHRNLU=,tag:1odj8DYHSnOatRnqyZAcgg==,type:str] + pgp: + - created_at: "2026-03-29T21:46:47Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DPaEEpDtHdk8SAQdA4NO+XFIyWa8YNV24yrosJKMQ60rmiEWYLjFdIkPrKz8w + cj1x62iDXeO6DYvyCZnw2h0WstIrXziX6PySveTVnCri90QdLl3jsolIW+V13b8V + 0lEB5LFvx7OdZJPzrs32qiPv+ofleSMKAokPEhSTKccFI2GbyUiIw7ge2vHSjNpT + T9E3tA7HOglyopKTjFw/ujEhKDSRGXwdD2VEYH426Dt8JjU= + =E3fO + -----END PGP MESSAGE----- + fp: AF349EECC849D87B790E88FF6318FFB7DB374B7D + unencrypted_suffix: _unencrypted + version: 3.12.1