feat: sign store paths

2024-12-07 15:05:58 +01:00 · 2024-12-07 15:05:58 +01:00 · 1d499c5fc3
parent 048aa1cfc4
commit 1d499c5fc3
4 changed files with 43 additions and 1 deletions
--- a/config/basic/nix.nix
+++ b/config/basic/nix.nix
@ -1,4 +1,8 @@
-{ inputs, stateVersion, ... }:
+{
+  inputs,
+  stateVersion,
+  ...
+}:
 {
  nix = {
    channel.enable = false;
@ -25,6 +29,7 @@
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
        "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
        "ai.cachix.org-1:N9dzRK+alWwoKXQlnn0H6aUx0lU/mspIoz8hMvGvbbc="
+        (builtins.readFile ../../secrets/nix-key.pub)
      ];
      cores = 0;
      max-jobs = "auto";
--- a/secrets/nix-key.age
+++ b/secrets/nix-key.age
@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> X25519 ZSqhSMLNYE+Zuy7fviIS8WrGJ9s1v697QI09MBephxk
+ghtdboWmw743Q2/ZxO/wNb2nfWA/4SD5YIe/QJ/OLcU
+-> piv-p256 ZFgiIw A6hz4+nNIewj/lOuAFkq90pQGlRmLXjYC7/kzuqrDWfn
+5TegHKLn0xp6ZHOw2xPVgbILuWz66ommzGgvgegx8/4
+-> piv-p256 XTQkUA A3JpjyVeyfR9rTpda7PjN1KqLLUlHfjVFX4nEZi9RIk6
+gPK+N+tFlCQrdWuMk6Sch+ZO1Rm9y8C1HXpx4CelSIs
+-> piv-p256 ZFgiIw A1tUke9w5HVAzPNqbRWPff3jNamve/5Vx55wnSAATSXu
+x97X+GIa68umqbmTibcK29AfIvwkTrDpXHbYhLpexP4
+-> piv-p256 5vmPtQ AvdJ4kYYAONx3vrYR4tYY0HrR/EAjsTo7Guk32BhpsJN
+UWY49vwtTDrX/wgn4hbinadCp+7v7Qu8vJg+4yA2dGo
+-> `nceeU-grease nKj9l >n>
+dcVffNSdSw
+--- leA1O4oK5yJtoHRZLzFBTY8Hvvl96f/CdbAO6zL92Js
+0Ïû™çüÝ{rgØDÂ¨×Z€ qÖ<71>u"Y”á_œc©`65ÜE”fŸž|†×Ì<kCÔµ†ü›žôŠ!àk{ž€àá¿Æuú<75>,æ»ôî7ë¡Ù¯ãNþœ$þ²<hE£U®=Ñ.
¦ÀiOœ“uäep31ímeöîœ¸0¨B->qÈµ?÷ÀEÄ'
--- a/secrets/nix-key.pub
+++ b/secrets/nix-key.pub
@ -0,0 +1 @@
+patrickdag.lel.lol-1:MrJBnSnIfvBm/fUdrtXnKstu3yo0NfZa6hKgfDvnsFg=
--- a/users/patrick/dev.nix
+++ b/users/patrick/dev.nix
@ -7,6 +7,27 @@
  ...
 }:
 lib.optionalAttrs (!minimal) {
+  age.secrets.nix-key = {
+    rekeyFile = ../../secrets/nix-key.age;
+    generator.script =
+      {
+        pkgs,
+        file,
+        ...
+      }:
+      ''
+        priv=$(${lib.getExe pkgs.nix} key generate-secret --key-name patrickdag.lel.lol-1)
+        ${lib.getExe pkgs.nix} key convert-secret-to-public <<< "$priv" > ${
+          lib.escapeShellArg (lib.removeSuffix ".age" file + ".pub")
+        }
+        echo "$priv"
+      '';
+  };
+  nix.settings = {
+    secret-key-files = [
+      config.age.secrets.nix-key.path
+    ];
+  };
  environment.systemPackages = with pkgs; [
    python3
    jq
				`@ -0,0 +1 @@`
				`patrickdag.lel.lol-1:MrJBnSnIfvBm/fUdrtXnKstu3yo0NfZa6hKgfDvnsFg=`