feat: add nix store signing for remote deploys
@@ -1,4 +1,5 @@
|
|||||||
{
|
{
|
||||||
|
config,
|
||||||
lib,
|
lib,
|
||||||
inputs,
|
inputs,
|
||||||
userKeys,
|
userKeys,
|
||||||
@@ -10,6 +11,10 @@
|
|||||||
inputs.lanzaboote.nixosModules.lanzaboote
|
inputs.lanzaboote.nixosModules.lanzaboote
|
||||||
];
|
];
|
||||||
|
|
||||||
|
# nix store signing
|
||||||
|
sops.secrets.nix-signing-key.sopsFile = ../../secrets/tower.yaml;
|
||||||
|
nix.settings.secret-key-files = [ config.sops.secrets.nix-signing-key.path ];
|
||||||
|
|
||||||
localisation = {
|
localisation = {
|
||||||
timeZone = "Europe/Ljubljana";
|
timeZone = "Europe/Ljubljana";
|
||||||
defaultLocale = "en_US.UTF-8";
|
defaultLocale = "en_US.UTF-8";
|
||||||
|
|||||||
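Review bot: Any user the Nix daemon accepts can get a build output signed with this key, because `nix.settings.secret-key-files` (the last added line of the second hunk) makes the daemon sign every locally built path, not only the closures meant for remote deploys. Which users may talk to the daemon is not visible in this section; if it is not restricted elsewhere, consider adding `nix.settings.allowed-users = [ "@wheel" ];` next to it. The secret relies on the sops-nix defaults for owner and mode, and spelling them out with `sops.secrets.nix-signing-key.mode = "0400";` would keep a later override from widening read access to the private key. The `# nix store signing` comment could also name the other half of the setup, e.g. `# signs locally built paths; the public key is listed under trusted-public-keys in nix.nix`.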
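--- a/nix.nix
+++ b/nix.nix
@@ -7,6 +7,10 @@
 ];
 download-buffer-size = 2 * 1024 * 1024 * 1024;
 warn-dirty = false;
+trusted-public-keys = [
+"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+"matej.nix-1:TdbemLVYblvAxqJcwb3mVKmmr3cfzXbMcZHE5ILnZDE="
+];
 };
 
 gc = {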
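Review bot: Every host that imports this module will accept store paths signed by `matej.nix-1` as readily as paths from cache.nixos.org, so the new `trusted-public-keys` list makes the holder of that private key a trust root for all of them, and the file should say so. A comment above the entry such as `# matej.nix-1: private half is stored in secrets/tower.yaml; paths signed with it are substitutable on every host using this module` would record the dependency and show whoever rotates the key which line to change. The key name itself does not identify the machine that holds the private half. Whether this file is shared across hosts is inferred from its name rather than visible here, and the enclosing attribute set starts and ends outside the hunk.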
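--- /dev/null
+++ b/secrets/tower.yaml
@@ -0,0 +1,28 @@
+nix-signing-key: ENC[AES256_GCM,data:V/mFaYQazqn3KkbDSt5Fnrl/IFvS9kEe10uhkPHeBluZGjFphKD+2dFCQrPPcXreX0UWklQA9Dokd2cGQBGZIUihJE9o9lH+Q6nrmqk3xsi1fzPS5l8zbn4RITmL3rNkmycXBw==,iv:g/jbUS88IBXnb9e6jGiWYHGfCZtdgI1X167hNmzUQEY=,tag:vO5kiN01FzU7s5jOCGW3Fg==,type:str]
+sops:
+age:
+- recipient: age1frwe9fpt9vh969aqnggvq8pfypp6hl98guwfmgttucp7gr55r42sqy2t65
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjbkdXUW5YSTA4c3MyZzdi
+ZlF0L2FQZmttbFBaVmlaWWppaXUxUVdYZEZZCmJHT25IZVBESHVqUWE2bnBYWXQ5
+UTFLeXg3eUpyWngxc1FXUzhXRCs3R2MKLS0tIGxkbzFMaEUycCtpOC9mTitpVEZh
+c0pROVJpMjJ6bHd1aEQ2QVE5MUUwdnMK/3tXEStP8JF/2c5nAJ19uA+P1cMG1X+v
+H5b49uBJ+0UUGMzUpCLgMKz8bq+L8Se0b92iMW5bGW1Fdg/zwJWXOw==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2026-03-29T21:47:29Z"
+mac: ENC[AES256_GCM,data:573t4NH/764zZKzhhpVbzNzpN4QrBjwesIBMyHe7aB47ptGceLhnm+cHOhty3J89VBgn8jgHv5WCBzXFER0LDuQUMFPg6snJ0DK+IgRwuAwNbZdKdSR6VnjqOSBnaijU/Wx93kd/gcMqerYo6rEOLNjVadKgs+NYPLKC/dY4sVs=,iv:kOTr9CIvp6haV8BxTpQfdndYTjZRcmyg+7yjPjHRNLU=,tag:1odj8DYHSnOatRnqyZAcgg==,type:str]
+pgp:
+- created_at: "2026-03-29T21:46:47Z"
+enc: |-
+-----BEGIN PGP MESSAGE-----
+
+hF4DPaEEpDtHdk8SAQdA4NO+XFIyWa8YNV24yrosJKMQ60rmiEWYLjFdIkPrKz8w
+cj1x62iDXeO6DYvyCZnw2h0WstIrXziX6PySveTVnCri90QdLl3jsolIW+V13b8V
+0lEB5LFvx7OdZJPzrs32qiPv+ofleSMKAokPEhSTKccFI2GbyUiIw7ge2vHSjNpT
+T9E3tA7HOglyopKTjFw/ujEhKDSRGXwdD2VEYH426Dt8JjU=
+=E3fO
+-----END PGP MESSAGE-----
+fp: AF349EECC849D87B790E88FF6318FFB7DB374B7D
+unencrypted_suffix: _unencrypted
+version: 3.12.1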