feat: signing key

Signed-off-by: Raito Bezarius <raito@lix.systems>
2024-03-11 23:20:58 +01:00 · 2024-03-11 23:20:58 +01:00 · 8d36ac1d90
parent 6118daa0a4
commit 8d36ac1d90
2 changed files with 10 additions and 1 deletions
--- a/buildbot_nix/init.py
+++ b/buildbot_nix/init.py
@ -541,7 +541,7 @@ def nix_build_config(
                    "nix",
                    "store",
                    "sign",
-                    "--keyfile",
+                    "--key-file",
                    signing_keyfile,
                    util.Interpolate(
                        "%(prop:drv_path)s^*"
--- a/nix/coordinator.nix
+++ b/nix/coordinator.nix
@ -58,6 +58,13 @@ in
        example = "/var/www/buildbot/nix-outputs";
      };

+      signingKeyFile = lib.mkOption {
+        type = lib.types.nullOr lib.types.path;
+        description = "A path to a Nix signing key";
+        default = null;
+        example = "/run/agenix.d/signing-key";
+      };
+
      binaryCache = {
        enable = lib.mkEnableOption " binary cache upload to a S3 bucket";
        profileCredentialsFile = lib.mkOption {
@ -125,6 +132,8 @@ in
              nix_eval_worker_count=${if cfg.evalWorkerCount == null then "None" else builtins.toString cfg.evalWorkerCount},
              nix_supported_systems=${builtins.toJSON cfg.buildSystems},
              outputs_path=${if cfg.outputsPath == null then "None" else builtins.toJSON cfg.outputsPath},
+              # Signing key file must be available on the workers and readable.
+              signing_keyfile=${if cfg.signingKeyFile == null then "None" else builtins.toJSON cfg.signingKeyFile},
              binary_cache_config=${if (!cfg.binaryCache.enable) then "None" else builtins.toJSON {
                inherit (cfg.binaryCache) bucket region endpoint;
                profile = "default";