simon/nixos-config
simon/nixos-config
1
1
Fork 0
Code Issues 8 Pull requests Actions Projects Activity

Add option to mark host as untrusted

Browse source 
This can be used to deploy a host that does not have access to the main
sops secrets file, e.g. because it does not have an encrypted root
partition.
This commit is contained in:
Simon Bruder 2021-09-08 20:01:15 +02:00
parent 65aff69a90
commit b1f4b8b4b5
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
2 changed files with 9 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
modules/default.nix
View file

@ -11,6 +11,7 @@
'';
default = true;
};
trusted = (lib.mkEnableOption "the trusted status of this machine (i.e. encrypted root)") // { default = true; };
gui.enable = lib.mkEnableOption "gui";
};

14
modules/nix.nix
View file

@ -20,10 +20,12 @@ let
};
in
{
sops.secrets.binary-cache-secret-key = { };
sops.secrets.nix-netrc = {
group = "wheel";
mode = "0440";
sops.secrets = lib.mkIf config.sbruder.trusted {
binary-cache-secret-key = { };
nix-netrc = {
group = "wheel";
mode = "0440";
};
};
nix = {
@ -52,11 +54,11 @@ in
# On-the-fly optimisation of nix store
autoOptimiseStore = true;
extraOptions = ''
experimental-features = nix-command flakes
'' + lib.optionalString config.sbruder.trusted ''
# Binary cache upload
secret-key-files = ${config.sops.secrets.binary-cache-secret-key.path}
netrc-file = ${config.sops.secrets.nix-netrc.path}
experimental-features = nix-command flakes
'' + lib.optionalString config.sbruder.full ''
# Keep output of derivations with gc root
keep-outputs = true