From 46ab3dbab32a5eba4ffa647477e83aa9dffa5aad Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Wed, 8 Sep 2021 20:01:15 +0200
Subject: [PATCH] Add option to mark host as untrusted

This can be used to deploy a host that does not have access to the main sops secrets file, e.g. because it does not have an encrypted root partition.
---
 modules/default.nix | 1 +
 modules/nix.nix | 14 ++++++++------
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/modules/default.nix b/modules/default.nix
index 8162d85..d350683 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -11,6 +11,7 @@
 '';
 default = true;
 };
+ trusted = (lib.mkEnableOption "the trusted status of this machine (i.e. encrypted root)") // { default = true; };
 gui.enable = lib.mkEnableOption "gui";
 };
 
diff --git a/modules/nix.nix b/modules/nix.nix
index 27a259f..28cf19c 100644
--- a/modules/nix.nix
+++ b/modules/nix.nix
@@ -20,10 +20,12 @@ let
 };
 in
 {
- sops.secrets.binary-cache-secret-key = { };
- sops.secrets.nix-netrc = {
- group = "wheel";
- mode = "0440";
+ sops.secrets = lib.mkIf config.sbruder.trusted {
+ binary-cache-secret-key = { };
+ nix-netrc = {
+ group = "wheel";
+ mode = "0440";
+ };
 };
 
 nix = {
@@ -52,11 +54,11 @@ in
 # On-the-fly optimisation of nix store
 autoOptimiseStore = true;
 extraOptions = ''
+ experimental-features = nix-command flakes
+ '' + lib.optionalString config.sbruder.trusted ''
 # Binary cache upload
 secret-key-files = ${config.sops.secrets.binary-cache-secret-key.path}
 netrc-file = ${config.sops.secrets.nix-netrc.path}
-
- experimental-features = nix-command flakes
 '' + lib.optionalString config.sbruder.full ''
 # Keep output of derivations with gc root
 keep-outputs = true
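Review bot: `trusted` defaults to `true`, so a newly added host without an encrypted root is handed the sops secrets and binary-cache credentials until someone remembers to set `sbruder.trusted = false`; an opt-in default (`false`) would be the fail-safe choice, at the cost of every existing host having to set it explicitly. Whichever default is kept, the option text generated from `mkEnableOption` ("Whether to enable the trusted status of this machine ...") does not say what the flag actually gates, so a reader of default.nix cannot tell that it controls secret deployment. Adding `description = "Whether this machine is trusted (encrypted root); untrusted hosts receive no sops secrets or binary-cache credentials.";` inside the `// { ... }` override would make the consequence explicit. The enclosing options attribute set starts and ends outside the hunk.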
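Review bot: The rationale for gating these two secrets lives only in the commit message; in nix.nix a reader sees `lib.mkIf config.sbruder.trusted` without knowing that an untrusted host cannot decrypt the main sops file at all, which is the invariant that makes the gate necessary rather than optional. A one-line comment above the attribute, `# Untrusted hosts (no encrypted root) cannot decrypt the main sops file, so declare no secrets from it here`, keeps that next to the code. Note that the gate covers only the secrets declared in this module; any other module declaring a `sops.secrets.*` entry from the same file would presumably still break on an untrusted host, which this commit does not address.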
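Review bot: The `netrc-file` line is now omitted on untrusted hosts, but the substituter list that needs those credentials (configured elsewhere in the `nix` attribute set, outside this hunk) is presumably unchanged, so an untrusted host would likely get authentication failures against the private cache rather than simply not using it. If that substituter entry is not already conditional, gate it on `config.sbruder.trusted` in the same way so the two settings cannot drift apart. Moving `experimental-features` into the unconditional first segment is the right call, since it is needed regardless of trust. The `nix` attribute set continues past the end of the hunk.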