hosts/hydra-1: Sign nix cache entries with multiple keys

2024-05-22 17:17:14 +02:00
parent d55dc35882
commit 37685080b9
5 changed files with 90 additions and 5 deletions
--- a/hosts/hydra-1/nix-cache.nix
+++ b/hosts/hydra-1/nix-cache.nix
@@ -5,7 +5,18 @@
  services.harmonia = {
    enable = true;
    settings.bind = "[::1]:5005";
-    signKeyPath = config.sops.secrets.nix-cache-key.path;
+  };
+
+  systemd.services.harmonia = {
+    environment = {
+      SIGN_KEY_PATHS = "%d/key1 %d/key2";
+    };
+    serviceConfig = {
+      LoadCredential = [
+        "key1:${config.sops.secrets."sign-key-nix-cache.clerie.de".path}"
+        "key2:${config.sops.secrets."sign-key-cache.nix.clerie.de".path}"
+      ];
+    };
  };

  services.nginx.virtualHosts = {