authorIlan Joselevich <personal@ilanjoselevich.com>2023-12-31 15:05:17 +0200
committerGitHub <noreply@github.com>2023-12-31 15:05:17 +0200
commitc144c799b2fcfdad250b9e1fc782daabf4a57600 (patch)
treec61b634cc59e5a6375f0d13b2676a42e45bf9f23 /nixos
parent32f63574c85fbc80e4ba1fbb932cde9619bad25e (diff)
parentdee2757f250745656e2446f52df5a3c860692a7a (diff)
Merge pull request #277803 from NixOS/backport-276294-to-release-23.11
[Backport release-23.11] cachix-watch-store: allow to set a signing key
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/system/cachix-watch-store.nix12
1 files changed, 11 insertions, 1 deletions
diff --git a/nixos/modules/services/system/cachix-watch-store.nix b/nixos/modules/services/system/cachix-watch-store.nix
index 89157b460b9a4..ba1a4115a69a9 100644
--- a/nixos/modules/services/system/cachix-watch-store.nix
+++ b/nixos/modules/services/system/cachix-watch-store.nix
@@ -23,6 +23,14 @@ in
       '';
     };
 
+    signingKeyFile = mkOption {
+      type = types.nullOr types.path;
+      description = lib.mdDoc ''
+        Optional file containing a self-managed signing key to sign uploaded store paths.
+      '';
+      default = null;
+    };
+
     compressionLevel = mkOption {
       type = types.nullOr types.int;
       description = lib.mdDoc "The compression level for ZSTD compression (between 0 and 16)";
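Review bot: The description of the new `signingKeyFile` option does not say where the key file may live, and `types.path` also accepts Nix path literals and store paths. A key that ends up under `/nix/store` (for example when referenced from a flake's source tree) is world-readable, which defeats the purpose of a private signing key. I would extend the description to something like `Path to a file outside the Nix store containing the self-managed signing key; it is handed to the service through systemd LoadCredential, so it can be readable by root only.` An `example` with a runtime path (constructed sample: `"/run/secrets/cachix-signing-key"`) would make the intended usage obvious. The option set continues outside the hunk, so whether `cachixTokenFile` already carries such a note is not visible here.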
@@ -75,7 +83,8 @@ in
         DynamicUser = true;
         LoadCredential = [
           "cachix-token:${toString cfg.cachixTokenFile}"
-        ];
+        ]
+        ++ lib.optional (cfg.signingKeyFile != null) "signing-key:${toString cfg.signingKeyFile}";
       };
       script =
         let
@@ -86,6 +95,7 @@ in
         in
         ''
           export CACHIX_AUTH_TOKEN="$(<"$CREDENTIALS_DIRECTORY/cachix-token")"
+          ${lib.optionalString (cfg.signingKeyFile != null) ''export CACHIX_SIGNING_KEY="$(<"$CREDENTIALS_DIRECTORY/signing-key")"''}
           ${lib.escapeShellArgs command}
         '';
     };
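Review bot: The added `export CACHIX_SIGNING_KEY="$(<…)"` line does not stop the service when the credential file is empty, and `export` hides the exit status of the command substitution, so cachix would be started with an empty key. How cachix treats an empty `CACHIX_SIGNING_KEY` is not visible here, but for a signing key the safer behaviour is to fail closed rather than upload paths that are unsigned or signed with a different key. Inside the same `lib.optionalString`, a guard before the export such as `test -s "$CREDENTIALS_DIRECTORY/signing-key" || { echo "signing-key credential is empty" >&2; exit 1; }` would cover it. The existing `CACHIX_AUTH_TOKEN` line has the same shape, and the `script` definition begins above the hunk.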