added keys so nodens can sign builds
This commit is contained in:
parent
6bf5b1db73
commit
5c09cb3cdc
SSH key fingerprint:
SHA256:zvrU0EwwaNK65M+AqL9IOTRawFq0JZ8QXBASxxGpxmg
4 changed files with 78 additions and 0 deletions
|
|
@ -30,6 +30,16 @@
|
|||
|
||||
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
|
||||
|
||||
# additional trusted keys for substituters for every machine
|
||||
# right now it is only nodens so nodens can build system configs
|
||||
# and we can deploy them from nodens.
|
||||
# For security reasons we might want to move this to the vm part, as
|
||||
# someone who can get controll of nodens and get hold of the build process
|
||||
# can gain control of the other machines. While this is very handy
|
||||
# and a step towards CI, we might not want this for backups.
|
||||
# (This is a tradeof between security and convinience)
|
||||
nix.settings.trusted-public-keys = ["nodens-deploy.key:VHJmEr17pdoEEnWlSfC03TIf4GBbClxGRiInHuWaUvU="];
|
||||
|
||||
environment = {
|
||||
systemPackages = builtins.attrValues {
|
||||
inherit
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue