Hi all,
I would like to use NixOS’s system.autoUpgrade
feature to regularly pull updates from my personal flake via Git.
However, there is one obstacle: how can I trust that nixos-rebuild
is in fact applying my flake and not some backdoored / untrusted configuration?
I’ve done a similar thing in the past without NixOS by signing my system configuration (Ansible playbooks) using Git’s --sign-gpg
option.
Now I am wondering how I could achieve the same in Nix.
I also think that it’s a more general question, not only concerning system.autoUpgrade.flake
or nixos-rebuild.
I thought about maybe extending the Git flake URI to include a set of PGP keys against which the commits must be signed in order for the flake URI to be valid?
Example: git+https://example.org/my/repo?signed-by=09BE3BAE8D55D4CD8579285A9675EAC34897E6E2
I am curious how you trust your own or other people’s flakes.
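As an added example (not from the post author, and not a feature of Nix or NixOS, which has no built-in equivalent of the proposed signed-by parameter), here is one way to get the effect described above today: a wrapper that fetches the flake repository, verifies that the commit to be applied is signed by one pinned OpenPGP key, and only then hands that exact commit hash to nixos-rebuild. The repository URL, checkout directory and branch name are hypothetical, the fingerprint is the one from the example URI in the post, and the trusted public key is assumed to already be in the gpg keyring of the user running the script.

```shell
#!/bin/sh
# Added example, not from the post or from NixOS: gate nixos-rebuild on the
# flake commit carrying a valid OpenPGP signature from one pinned key.
# Assumed values: FLAKE_URL, CHECKOUT, BRANCH, and that the trusted public key
# has already been imported into the gpg keyring of the user running this.
set -eu

FLAKE_URL="https://example.org/my/repo"                  # assumed
CHECKOUT="/var/lib/flake-checkout"                       # assumed
BRANCH="main"                                            # assumed
TRUSTED_FPR="09BE3BAE8D55D4CD8579285A9675EAC34897E6E2"   # full 40-hex fingerprint, never a short key ID

# Read gpg status lines (what `git verify-commit --raw` prints) from stdin and
# succeed only if a VALIDSIG line names the pinned fingerprint, either as the
# signing (sub)key or as its primary key. The VALIDSIG line has the form:
#   [GNUPG:] VALIDSIG <fpr> <date> <ts> <expire> <ver> <res> <pkalgo> <hashalgo> <class> <primary-fpr>
# Any BADSIG/ERRSIG/EXPSIG/EXPKEYSIG/REVKEYSIG line is fatal, even when a
# VALIDSIG line is also present (gpg emits VALIDSIG for expired keys too).
check_signature_status() {
    expected="$1"
    ok=1
    while read -r tag kw fpr rest; do
        case "$tag $kw" in
            "[GNUPG:] VALIDSIG")
                primary="${rest##* }"   # last field: primary key fingerprint
                if [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    ok=0
                fi
                ;;
            "[GNUPG:] BADSIG"|"[GNUPG:] ERRSIG"|"[GNUPG:] EXPSIG"|"[GNUPG:] EXPKEYSIG"|"[GNUPG:] REVKEYSIG")
                return 1
                ;;
        esac
    done
    return "$ok"
}

# Fetch the branch tip, verify that exact commit, then build that exact commit.
# Verifying a branch name and later building "whatever the branch points to"
# would be a time-of-check/time-of-use hole; the hash verified is the hash built.
update_system() {
    if [ ! -d "$CHECKOUT/.git" ]; then
        git clone --quiet "$FLAKE_URL" "$CHECKOUT"
    fi
    git -C "$CHECKOUT" fetch --quiet origin "$BRANCH"
    rev="$(git -C "$CHECKOUT" rev-parse FETCH_HEAD)"

    # --raw sends the gpg status lines to stderr. The parser is the gate, not
    # git's own exit status: git accepts any key in the keyring, we accept one.
    if ! git -C "$CHECKOUT" verify-commit --raw "$rev" 2>&1 | check_signature_status "$TRUSTED_FPR"; then
        echo "refusing to apply $rev: not signed by $TRUSTED_FPR" >&2
        return 1
    fi

    git -C "$CHECKOUT" checkout --quiet --detach "$rev"
    # Pin the verified hash in the flake ref so Nix evaluates exactly that commit;
    # nixos-rebuild picks the nixosConfiguration named after the hostname.
    nixos-rebuild switch --flake "git+file://$CHECKOUT?rev=$rev"
}

# Only act when invoked with --run (e.g. from a systemd timer); sourcing the
# file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    update_system
fi
```

Two points a practitioner would want spelled out. First, the wrapper deliberately compares the full fingerprint rather than relying on gpg's trust model or on short key IDs, so a stray key that happens to be in the keyring (or a key with a colliding short ID) cannot satisfy the check. Second, a valid signature on the commit only proves that the holder of that key made that commit object; because the commit hash binds the tree, pinning `rev` to the verified hash is what carries that proof through to what nixos-rebuild actually evaluates. How this replaces the direct nixos-rebuild call that system.autoUpgrade makes (for example via a separate timer) is an assumption about deployment, not something the post describes.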