Add option to mark host as untrusted
This can be used to deploy a host that does not have access to the main sops secrets file, e.g. because it does not have an encrypted root partition.
parent
65aff69a90
commit
b1f4b8b4b5
|
@ -11,6 +11,7 @@
|
|||
'';
|
||||
default = true;
|
||||
};
|
||||
trusted = (lib.mkEnableOption "the trusted status of this machine (i.e. encrypted root)") // { default = true; };
|
||||
gui.enable = lib.mkEnableOption "gui";
|
||||
};
|
||||
|
||||
|
|
|
@ -20,11 +20,13 @@ let
|
|||
};
|
||||
in
|
||||
{
|
||||
sops.secrets.binary-cache-secret-key = { };
|
||||
sops.secrets.nix-netrc = {
|
||||
sops.secrets = lib.mkIf config.sbruder.trusted {
|
||||
binary-cache-secret-key = { };
|
||||
nix-netrc = {
|
||||
group = "wheel";
|
||||
mode = "0440";
|
||||
};
|
||||
};
|
||||
|
||||
nix = {
|
||||
# nix with flake support
|
||||
|
@ -52,11 +54,11 @@ in
|
|||
# On-the-fly optimisation of nix store
|
||||
autoOptimiseStore = true;
|
||||
extraOptions = ''
|
||||
experimental-features = nix-command flakes
|
||||
'' + lib.optionalString config.sbruder.trusted ''
|
||||
# Binary cache upload
|
||||
secret-key-files = ${config.sops.secrets.binary-cache-secret-key.path}
|
||||
netrc-file = ${config.sops.secrets.nix-netrc.path}
|
||||
|
||||
experimental-features = nix-command flakes
|
||||
'' + lib.optionalString config.sbruder.full ''
|
||||
# Keep output of derivations with gc root
|
||||
keep-outputs = true
|
||||
|
|
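Review bot: The new `sbruder.trusted` option in the first hunk defaults to `true`, so every host is treated as trusted (secrets declared, `secret-key-files`/`netrc-file` written into the nix config) unless its configuration explicitly opts out with `sbruder.trusted = false;`; a host without access to the sops file therefore fails open rather than closed if the flag is forgotten, which is the opposite of the usual default for a trust decision. If flipping the default to `false` is too disruptive for existing hosts, the option description should at least say what trusting implies, e.g. `trusted = (lib.mkEnableOption "the trusted status of this machine (i.e. encrypted root); enables sops secrets and binary-cache upload credentials in nix.extraOptions") // { default = true; };`. The second and third hunks both consume this option, so the same fail-open behaviour applies there. The enclosing option set and the file path lie outside the visible hunks.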