feat: signing key

Signed-off-by: Raito Bezarius <raito@lix.systems>

buildbot_nix/__init__.py

@@ -541,7 +541,7 @@ def nix_build_config(
                     "nix",
                     "store",
                     "sign",
-                    "--keyfile",
+                    "--key-file",
                     signing_keyfile,
                     util.Interpolate(
                         "%(prop:drv_path)s^*"

nix/coordinator.nix

@@ -58,6 +58,13 @@ in
         example = "/var/www/buildbot/nix-outputs";
       };
 
+      signingKeyFile = lib.mkOption {
+        type = lib.types.nullOr lib.types.path;
+        description = "A path to a Nix signing key";
+        default = null;
+        example = "/run/agenix.d/signing-key";
+      };
+
       binaryCache = {
         enable = lib.mkEnableOption " binary cache upload to a S3 bucket";
         profileCredentialsFile = lib.mkOption {
@@ -125,6 +132,8 @@ in
               nix_eval_worker_count=${if cfg.evalWorkerCount == null then "None" else builtins.toString cfg.evalWorkerCount},
               nix_supported_systems=${builtins.toJSON cfg.buildSystems},
               outputs_path=${if cfg.outputsPath == null then "None" else builtins.toJSON cfg.outputsPath},
+              # Signing key file must be available on the workers and readable.
+              signing_keyfile=${if cfg.signingKeyFile == null then "None" else builtins.toJSON cfg.signingKeyFile},
               binary_cache_config=${if (!cfg.binaryCache.enable) then "None" else builtins.toJSON {
                 inherit (cfg.binaryCache) bucket region endpoint;
                 profile = "default";