Add option to mark host as untrusted

This can be used to deploy a host that does not have access to the main
sops secrets file, e.g. because it does not have an encrypted root
partition.
This commit is contained in:
Simon Bruder 2021-09-08 20:01:15 +02:00
parent 65aff69a90
commit b1f4b8b4b5
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
2 changed files with 9 additions and 6 deletions

View file

@ -11,6 +11,7 @@
'';
default = true;
};
trusted = (lib.mkEnableOption "the trusted status of this machine (i.e. encrypted root)") // { default = true; };
gui.enable = lib.mkEnableOption "gui";
};

View file

@ -20,11 +20,13 @@ let
};
in
{
sops.secrets.binary-cache-secret-key = { };
sops.secrets.nix-netrc = {
sops.secrets = lib.mkIf config.sbruder.trusted {
binary-cache-secret-key = { };
nix-netrc = {
group = "wheel";
mode = "0440";
};
};
nix = {
# nix with flake support
@ -52,11 +54,11 @@ in
# On-the-fly optimisation of nix store
autoOptimiseStore = true;
extraOptions = ''
experimental-features = nix-command flakes
'' + lib.optionalString config.sbruder.trusted ''
# Binary cache upload
secret-key-files = ${config.sops.secrets.binary-cache-secret-key.path}
netrc-file = ${config.sops.secrets.nix-netrc.path}
experimental-features = nix-command flakes
'' + lib.optionalString config.sbruder.full ''
# Keep output of derivations with gc root
keep-outputs = true