fix(signing): add signing to hydra

flake.nix

@@ -3,10 +3,10 @@
 
   nixConfig = {
     extra-substituters = [
-      "https://zackartz.cachix.org"
+      "https://hydra.zoeys.computer"
     ];
     extra-trusted-public-keys = [
-      "zackartz.cachix.org-1:nrEfVZF8MVX0Lnt73KwYzH2kwDzFuAoR5VPjuUd4R30="
+      "hydra.zoeys.computer-1:ssh-ed25519:0000000b7373682d65643235353139000000205f061b28bd7b23ff28347b79ac7719587c471904487cebc19172a682240256cc"
     ];
   };
 

modules/nixos/sites/hydra/default.nix

@@ -7,17 +7,31 @@
 with lib;
 with lib.custom; let
   cfg = config.sites.hydra;
+
+  sec = config.age.secrets;
 in {
   options.sites.hydra = with types; {
     enable = mkBoolOpt false "Enable Hydra";
   };
 
   config = mkIf cfg.enable {
+    age.secrets = {
+      hydra_key = {
+        owner = "hydra";
+        group = "hydra";
+        file = ./sec/hydra_key.age;
+      };
+    };
+
     services.hydra = {
       enable = true;
       hydraURL = "https://hydra.zoeys.computer";
       useSubstitutes = true;
       notificationSender = "hydra@localhost"; # e-mail of hydra service
+
+      extraConfig = ''
+        binary_cache_secret_key_file = ${sec.hydra_key.path}
+      '';
     };
 
     services.nginx.virtualHosts."hydra.zoeys.computer" = {
@@ -28,7 +42,10 @@ in {
       };
     };
 
-    nix.settings.allowed-uris = [
+    users.users.hydra.extraGroups = ["keys"];
+
+    nix = {
+      settings.allowed-uris = [
         "github:"
         "https://github.com"
         "git+https://github.com/"
@@ -36,8 +53,8 @@ in {
         "git+https://git.zoeys.computer/"
         "git+ssh://git.zoeys.computer/"
       ];
-
+      trustedUsers = ["hydra"]; # Ensure hydra user is trusted for nix
-    nix.buildMachines = [
+      buildMachines = [
         {
           hostName = "localhost";
           protocol = null;
@@ -47,4 +64,5 @@ in {
         }
       ];
     };
+  };
 }