added keys so nodens can sign builds

2025-06-20 19:54:43 +02:00 · 2025-06-20 19:54:43 +02:00 · 5a64d39621
commit 5a64d39621
parent 6bf5b1db73
4 changed files with 78 additions and 0 deletions
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@ -30,6 +30,16 @@

  sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];

+  # additional trusted keys for substituters for every machine
+  # right now it is only nodens so nodens can build system configs
+  # and we can deploy them from nodens.
+  # For security reasons we might want to move this to the vm part, as
+  # someone who can get controll of nodens and get hold of the build process
+  # can gain control of the other machines. While this is very handy
+  # and a step towards CI, we might not want this for backups.
+  # (This is a tradeof between security and convinience)
+  nix.settings.trusted-public-keys = ["nodens-deploy.key:VHJmEr17pdoEEnWlSfC03TIf4GBbClxGRiInHuWaUvU="];
+
  environment = {
    systemPackages = builtins.attrValues {
      inherit