feat: signing key
Signed-off-by: Raito Bezarius <raito@lix.systems>
parent
6118daa0a4
commit
8d36ac1d90
|
@ -541,7 +541,7 @@ def nix_build_config(
|
|||
"nix",
|
||||
"store",
|
||||
"sign",
|
||||
"--keyfile",
|
||||
"--key-file",
|
||||
signing_keyfile,
|
||||
util.Interpolate(
|
||||
"%(prop:drv_path)s^*"
|
||||
|
|
|
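Review bot: The `nix store sign` argument list passes `signing_keyfile` directly after the key-file flag, and nothing visible in this hunk shows the step being skipped when no key is configured. The module option added in this commit defaults to `null`, which the generated configuration renders as `None`. If that value can reach this command, the sign step would be built with a `None` argument, so it should only be added under a guard such as `if signing_keyfile is not None:`. `nix_build_config` starts and ends outside the hunk, so such a guard may already exist out of view.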
@ -58,6 +58,13 @@ in
|
|||
example = "/var/www/buildbot/nix-outputs";
|
||||
};
|
||||
|
||||
signingKeyFile = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.path;
|
||||
description = "A path to a Nix signing key";
|
||||
default = null;
|
||||
example = "/run/agenix.d/signing-key";
|
||||
};
|
||||
|
||||
binaryCache = {
|
||||
enable = lib.mkEnableOption " binary cache upload to a S3 bucket";
|
||||
profileCredentialsFile = lib.mkOption {
|
||||
|
@ -125,6 +132,8 @@ in
|
|||
nix_eval_worker_count=${if cfg.evalWorkerCount == null then "None" else builtins.toString cfg.evalWorkerCount},
|
||||
nix_supported_systems=${builtins.toJSON cfg.buildSystems},
|
||||
outputs_path=${if cfg.outputsPath == null then "None" else builtins.toJSON cfg.outputsPath},
|
||||
# Signing key file must be available on the workers and readable.
|
||||
signing_keyfile=${if cfg.signingKeyFile == null then "None" else builtins.toJSON cfg.signingKeyFile},
|
||||
binary_cache_config=${if (!cfg.binaryCache.enable) then "None" else builtins.toJSON {
|
||||
inherit (cfg.binaryCache) bucket region endpoint;
|
||||
profile = "default";
|
||||
|
|
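Review bot: `signingKeyFile` is typed `lib.types.nullOr lib.types.path`, which also accepts a Nix path literal, and the later `builtins.toJSON cfg.signingKeyFile` would then copy the private key into the world-readable Nix store. Consider `type = lib.types.nullOr lib.types.str;` so that only a runtime path string such as the agenix example is accepted. Alternatively, state the constraint in the option text, e.g. `description = "Path to a Nix signing key, read at runtime on the workers; must not be a store path";`. The comment above `signing_keyfile=` says the file must be readable on the workers; it would help to add that it should be readable only by the worker user.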