hosts: *: sign remote builds and serve cache

2023-10-02 16:56:03 +02:00
parent 9d3d9d9a16
commit 501f70f730
19 changed files with 90 additions and 44 deletions
--- a/modules/hardware/remoteBuilder.nix
+++ b/modules/hardware/remoteBuilder.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:

 {
  users.users.nixremote = {                   # System User
@@ -11,7 +11,15 @@
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILczsj4W1kFQaalFwaY+RJ4LEzNeFKD+itXB40Q2O59M nixremote@hades"
    ];
  };
+
  nix.settings.trusted-users = [
    "nixremote"
  ];
+
+  services.nix-serve.secretKeyFile = config.age.secrets."keys/nixservepriv".path;
+
+  age.secrets."keys/nixservepriv" = {
+    file = ../../secrets/keys/nixservepriv.age;
+    owner = "nixremote";
+  };
 }
--- a/modules/hardware/remoteClient.nix
+++ b/modules/hardware/remoteClient.nix
@@ -15,6 +15,14 @@
      publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUVnbld5UVVVYSt2Y0hBS3g2ZWRiVGdxVzhwaCtNQ2lTNmZVd1lqWWNTK28gcm9vdEBoYWRlcwo=%";
      protocol = "ssh-ng";
    } ];
+    settings = {
+      trusted-public-keys = [
+        "hades-builder:AFdPgi6Qq/yKqc2V2imgzMikEkVEFCrDaHyAmOJ3MII="
+      ];
+      substituters = [
+        "ssh-ng://hades"
+      ];
+    };
  };
  
  age.secrets."keys/nixremote" = {