Merge pull request 'store signing keys for nodens' (#86) from nerf/nixConfig:nodens-deploy into main

Reviewed-on: Fachschaft/nixConfig#86 Reviewed-by: Gonne <gonne@noreply.localhost>
2025-06-22 18:39:10 +00:00 · 2025-06-22 18:39:10 +00:00 · 375c2a2e4d
commit 375c2a2e4d
parent 325d145b77 61d95f1b23
5 changed files with 82 additions and 0 deletions
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@ -30,6 +30,16 @@

  sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];

+  # additional trusted keys for substituters for every machine
+  # right now it is only nodens so nodens can build system configs
+  # and we can deploy them from nodens.
+  # For security reasons we might want to move this to the vm part, as
+  # someone who can get control of nodens and get hold of the build process
+  # can gain control of the other machines. While this is very handy
+  # and a step towards CI, we might not want this for backups.
+  # (This is a tradeof between security and convenience)
+  nix.settings.trusted-public-keys = ["nodens-deploy.key:VHJmEr17pdoEEnWlSfC03TIf4GBbClxGRiInHuWaUvU="];
+
  environment = {
    systemPackages = builtins.attrValues {
      inherit