Clean up subsitutors for builds

2025-03-26 15:53:34 +02:00 · 2025-03-26 15:53:34 +02:00 · 1badc42a60
commit 1badc42a60
parent afd284a008
2 changed files with 38 additions and 3 deletions
--- a/nixos-modules/git-ci-runner/default.nix
+++ b/nixos-modules/git-ci-runner/default.nix
@ -25,6 +25,35 @@ with lib;
      default = 10;
      description = "How many nix runner instances to start";
    };
+
+    trustedSubstituters = mkOption {
+      type = types.listOf types.str;
+      default = [
+        # General substitutors (also elsewhere defined defaults, but without priority params)
+        "https://cache.nixos.org"
+        "https://${config.qois.nixpkgs-cache.hostname}"
+        "https://cache.garnix.io"
+
+        # Project builds
+        "https://attic.qo.is/qois-infrastructure" # https://git.qo.is/qo.is/infrastructure
+        "https://attic.qo.is/dotfiles" # https://git.qo.is/fabianhauser/dotfiles
+      ];
+      description = "Substitutors that are trusted by the host.";
+    };
+
+    trustedPublicKeys = mkOption {
+      type = types.listOf types.str;
+      default = [
+        # General subsitutors
+        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+        "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+
+        # Project builds
+        "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE=" # https://git.qo.is/qo.is/infrastructure
+        "dotfiles:KpLi0qe5O5rb8E8N8vntZWBDqFwG3Ksx4AFGizYCLoU=" # https://git.qo.is/fabianhauser/dotfiles
+      ];
+      description = "Substitutor public keys that are trusted by the host.";
+    };
  };

  config = mkIf cfg.enable (mkMerge [
@ -34,6 +63,12 @@ with lib;
        "gitea-runner-${defaultInstanceName}.service"
      ] ++ (genList (n: "gitea-runner-nix${builtins.toString n}.service") cfg.nixInstances);

+      nix.settings = {
+        trusted-substituters = cfg.trustedSubstituters;
+        trusted-public-keys = cfg.trustedPublicKeys;
+
+      };
+
      virtualisation.podman = {
        enable = true;
        dockerCompat = true;
--- a/nixos-modules/system/default.nix
+++ b/nixos-modules/system/default.nix
@ -55,9 +55,9 @@
    settings =
      let
        substituters = [
-          "https://${config.qois.nixpkgs-cache.hostname}?priority=39"
+          "https://${config.qois.nixpkgs-cache.hostname}?priority=30"
+          "https://attic.qo.is/qois-infrastructure?priority=32"
          "https://cache.nixos.org?priority=40"
-          "https://attic.qo.is/qois-infrastructure"
        ];
      in
      {
@ -69,7 +69,7 @@
          "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
          "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE="
        ];
-        trusted-substituters = substituters; # For hosts that limit the subst list
+        trusted-substituters = substituters;
        inherit substituters;
      };
    gc = {