From 8d36ac1d90ac0288f5aac38c5630ec344843be05 Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Mon, 11 Mar 2024 23:20:58 +0100
Subject: [PATCH] feat: signing key

Signed-off-by: Raito Bezarius
---
 buildbot_nix/__init__.py | 2 +-
 nix/coordinator.nix | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/buildbot_nix/__init__.py b/buildbot_nix/__init__.py
index a3e3b7c..93007be 100644
--- a/buildbot_nix/__init__.py
+++ b/buildbot_nix/__init__.py
@@ -541,7 +541,7 @@ def nix_build_config(
 "nix",
 "store",
 "sign",
- "--keyfile",
+ "--key-file",
 signing_keyfile,
 util.Interpolate(
 "%(prop:drv_path)s^*"
diff --git a/nix/coordinator.nix b/nix/coordinator.nix
index 5e08d07..9863dc6 100644
--- a/nix/coordinator.nix
+++ b/nix/coordinator.nix
@@ -58,6 +58,13 @@ in
 example = "/var/www/buildbot/nix-outputs";
 };
 
+ signingKeyFile = lib.mkOption {
+ type = lib.types.nullOr lib.types.path;
+ description = "A path to a Nix signing key";
+ default = null;
+ example = "/run/agenix.d/signing-key";
+ };
+
 binaryCache = {
 enable = lib.mkEnableOption " binary cache upload to a S3 bucket";
 profileCredentialsFile = lib.mkOption {
@@ -125,6 +132,8 @@ in
 nix_eval_worker_count=${if cfg.evalWorkerCount == null then "None" else builtins.toString cfg.evalWorkerCount},
 nix_supported_systems=${builtins.toJSON cfg.buildSystems},
 outputs_path=${if cfg.outputsPath == null then "None" else builtins.toJSON cfg.outputsPath},
+ # Signing key file must be available on the workers and readable.
+ signing_keyfile=${if cfg.signingKeyFile == null then "None" else builtins.toJSON cfg.signingKeyFile},
 binary_cache_config=${if (!cfg.binaryCache.enable) then "None" else builtins.toJSON {
 inherit (cfg.binaryCache) bucket region endpoint;
 profile = "default";
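Review bot: The new `signingKeyFile` option is typed `lib.types.nullOr lib.types.path` and the second hunk of nix/coordinator.nix renders it with `builtins.toJSON cfg.signingKeyFile`, so a user who sets it to a path literal (`./signing-key`) instead of a string will, as far as I can tell, have the secret signing key copied into the world-readable Nix store at evaluation time, and nothing in the option description warns against that. The `example` (`/run/agenix.d/signing-key`) shows the intended usage is a string naming a runtime-provisioned secret, so the description should state this explicitly, e.g. `description = "Path to the Nix secret signing key. Give it as a string, not a path literal, so the key is not copied into the Nix store; the file must be readable by the user running the worker's `nix store sign` step.";`. The `# Signing key file must be available on the workers and readable.` comment in the second hunk could likewise say by whom it must be readable, since the `nix store sign --key-file` call in buildbot_nix/__init__.py is what opens it.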