common/nix: use bagel-cache by default

common/nix.nix

@@ -11,4 +11,11 @@
     setNixPath = true;
     setFlakeRegistry = true;
   };
+
+  # Use our cache and trust its signing key. Still use cache.nixos.org as
+  # fallback.
+  nix.settings.substituters = [ "https://bagel-cache.s3-web.delroth.net/" ];
+  nix.settings.trusted-public-keys = [
+    "cache.forkos.org:xfXIUJO1yiEITJmYsVmNDa9BFSlgTh/YqZ+4ei1EhQg="
+  ];
 }

secrets.nix

@@ -5,6 +5,7 @@ let
 
   secrets = with keys; {
     hydra-s3-credentials = [ machines.bagel-box ];
+    hydra-signing-priv = [ machines.bagel-box ];
     hydra-ssh-key-priv = [ machines.bagel-box ];
     netbox-environment = [ machines.meta01 ];
     mimir-environment = [ machines.meta01 ];

services/hydra/default.nix

@@ -48,6 +48,9 @@ in {
 
     age.secrets.hydra-s3-credentials.file = ../../secrets/hydra-s3-credentials.age;
 
+    age.secrets.hydra-signing-priv.owner = "hydra-queue-runner";
+    age.secrets.hydra-signing-priv.file = ../../secrets/hydra-signing-priv.age;
+
     age.secrets.hydra-ssh-key-priv.owner = "hydra-queue-runner";
     age.secrets.hydra-ssh-key-priv.file = ../../secrets/hydra-ssh-key-priv.age;
 
@@ -59,7 +62,7 @@ in {
     # XXX: Otherwise services.hydra-dev overwrites it to only hydra-queue-runner...
     #
     # Can be removed once this is added to some common config template.
-    nix.settings.trusted-users = [ "root" "hydra" "@wheel" ];
+    nix.settings.trusted-users = [ "root" "hydra" "hydra-www" "@wheel" ];
 
     services.hydra-dev = {
       enable = true;
@@ -90,7 +93,7 @@ in {
           endpoint = "s3.delroth.net";
           region = "garage";
 
-          #secret-key = "TODO";
+          secret-key = config.age.secrets.hydra-signing-priv.path;
 
           compression = "zstd";
           log-compression = "br";