From 1badc42a60823c67e8c021c718c518a8ca442185 Mon Sep 17 00:00:00 2001
From: Fabian Hauser
Date: Wed, 26 Mar 2025 15:53:34 +0200
Subject: [PATCH] Clean up subsitutors for builds

---
 nixos-modules/git-ci-runner/default.nix | 35 +++++++++++++++++++++++++
 nixos-modules/system/default.nix | 6 ++---
 2 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/nixos-modules/git-ci-runner/default.nix b/nixos-modules/git-ci-runner/default.nix
index a4efc69..7f6e9b6 100644
--- a/nixos-modules/git-ci-runner/default.nix
+++ b/nixos-modules/git-ci-runner/default.nix
@@ -25,6 +25,35 @@ with lib;
 default = 10;
 description = "How many nix runner instances to start";
 };
+
+ trustedSubstituters = mkOption {
+ type = types.listOf types.str;
+ default = [
+ # General substitutors (also elsewhere defined defaults, but without priority params)
+ "https://cache.nixos.org"
+ "https://${config.qois.nixpkgs-cache.hostname}"
+ "https://cache.garnix.io"
+
+ # Project builds
+ "https://attic.qo.is/qois-infrastructure" # https://git.qo.is/qo.is/infrastructure
+ "https://attic.qo.is/dotfiles" # https://git.qo.is/fabianhauser/dotfiles
+ ];
+ description = "Substitutors that are trusted by the host.";
+ };
+
+ trustedPublicKeys = mkOption {
+ type = types.listOf types.str;
+ default = [
+ # General subsitutors
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+
+ # Project builds
+ "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE=" # https://git.qo.is/qo.is/infrastructure
+ "dotfiles:KpLi0qe5O5rb8E8N8vntZWBDqFwG3Ksx4AFGizYCLoU=" # https://git.qo.is/fabianhauser/dotfiles
+ ];
+ description = "Substitutor public keys that are trusted by the host.";
+ };
 };
 
 config = mkIf cfg.enable (mkMerge [
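Review bot: The keys added as trustedPublicKeys defaults are trusted host-wide, not per substituter: Nix accepts a signed store path when its signature matches any key in trusted-public-keys, regardless of which cache served it, so listing the garnix and dotfiles keys lets those signers vouch for any path on the runner host, and the option description does not say so. Suggest `description = "Public keys whose signatures the host accepts for any substituted store path (trust is host-wide, not scoped to one substituter).";`. Relatedly, `https://${config.qois.nixpkgs-cache.hostname}` appears in trustedSubstituters with no matching key; presumably it re-serves cache.nixos.org-signed paths, but a comment stating that would spare the next reader the guess. The comment `# General subsitutors` also has a typo (substituters). The enclosing options attrset starts outside the hunk.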
@@ -34,6 +63,12 @@ with lib;
 "gitea-runner-${defaultInstanceName}.service"
 ]
 ++ (genList (n: "gitea-runner-nix${builtins.toString n}.service") cfg.nixInstances);
+ nix.settings = {
+ trusted-substituters = cfg.trustedSubstituters;
+ trusted-public-keys = cfg.trustedPublicKeys;
+
+ };
+
 virtualisation.podman = {
 enable = true;
 dockerCompat = true;
diff --git a/nixos-modules/system/default.nix b/nixos-modules/system/default.nix
index 8c04f1b..53fe41e 100644
--- a/nixos-modules/system/default.nix
+++ b/nixos-modules/system/default.nix
@@ -55,9 +55,9 @@
 settings =
 let
 substituters = [
- "https://${config.qois.nixpkgs-cache.hostname}?priority=39"
+ "https://${config.qois.nixpkgs-cache.hostname}?priority=30"
+ "https://attic.qo.is/qois-infrastructure?priority=32"
 "https://cache.nixos.org?priority=40"
- "https://attic.qo.is/qois-infrastructure"
 ];
 in
 {
@@ -69,7 +69,7 @@
 "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
 "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE="
 ];
- trusted-substituters = substituters; # For hosts that limit the subst list
+ trusted-substituters = substituters;
 inherit substituters;
 };
 gc = {
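Review bot: The new nix.settings block carries a stray blank line before its closing `};`, and nothing records that these two assignments merge with whatever the system module already sets rather than replacing it (trusted-substituters and trusted-public-keys are list options, so the host ends up with the union). Suggest dropping the blank line and adding `# Merged (list options) with the host-wide nix.settings; lets the unprivileged runner user opt into these caches via --substituters.` above `nix.settings = {`. The mkMerge list this sits in starts and ends outside the hunk.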
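Review bot: The `?priority=` values (30/32/40) are now the only thing fixing the lookup order, and the hunk does not say that a lower value is tried first, so a reader cannot tell the local nixpkgs cache is preferred over attic and cache.nixos.org without knowing Nix's convention; a comment such as `# lower priority value = queried first` on `substituters = [` would help. The same list is also assigned to trusted-substituters in the @@ -69 hunk below, where, as far as I know, Nix matches the allowed URLs textually, so the `?priority=` suffix becomes part of what an unprivileged user must pass verbatim to be permitted; the git-ci-runner module works around this by listing the URLs without parameters, and the comment this commit removes there (`# For hosts that limit the subst list`) was the only hint at that interplay, so replacing it with `# URLs are matched textually, query string included` would be worthwhile. The enclosing `settings = let … in { … }` continues outside the hunk.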