Add option to mark host as untrusted

This can be used to deploy a host that does not have access to the main
sops secrets file, e.g. because it does not have an encrypted root
partition.

modules/default.nix

@@ -11,6 +11,7 @@
       '';
       default = true;
     };
+    trusted = (lib.mkEnableOption "the trusted status of this machine (i.e. encrypted root)") // { default = true; };
     gui.enable = lib.mkEnableOption "gui";
   };
 

modules/nix.nix

@@ -20,10 +20,12 @@ let
   };
 in
 {
-  sops.secrets.binary-cache-secret-key = { };
+  sops.secrets = lib.mkIf config.sbruder.trusted {
-  sops.secrets.nix-netrc = {
+    binary-cache-secret-key = { };
-    group = "wheel";
+    nix-netrc = {
-    mode = "0440";
+      group = "wheel";
+      mode = "0440";
+    };
   };
 
   nix = {
@@ -52,11 +54,11 @@ in
     # On-the-fly optimisation of nix store
     autoOptimiseStore = true;
     extraOptions = ''
+      experimental-features = nix-command flakes
+    '' + lib.optionalString config.sbruder.trusted ''
       # Binary cache upload
       secret-key-files = ${config.sops.secrets.binary-cache-secret-key.path}
       netrc-file = ${config.sops.secrets.nix-netrc.path}
-
-      experimental-features = nix-command flakes
     '' + lib.optionalString config.sbruder.full ''
       # Keep output of derivations with gc root
       keep-outputs = true