diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix
index 81fabd1923f..f231998d8f4 100644
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@@ -41,6 +41,10 @@ let
build-chroot-dirs = ${toString cfg.chrootDirs} /bin/sh=${sh} $(echo $extraPaths)
binary-caches = ${toString cfg.binaryCaches}
trusted-binary-caches = ${toString cfg.trustedBinaryCaches}
+ binary-cache-public-keys = ${toString cfg.binaryCachePublicKeys}
+ ${optionalString cfg.requireSignedBinaryCaches ''
+ signed-binary-caches = *
+ ''}
$extraOptions
END
'';
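Review bot: The `signed-binary-caches = *` line emitted when `requireSignedBinaryCaches` is set applies to every cache Nix substitutes from, including the ones listed in `trusted-binary-caches` on the line above, so any unsigned cache a user has added silently stops being used once the option is enabled; nothing in the hunk documents that. The `binary-cache-public-keys` line, by contrast, is written unconditionally, so a reader of the generated nix.conf may assume signatures are being checked when, with the option at its default of false, they are not (per the option description elsewhere in this commit). I would add a comment above the `optionalString`: `# '*' requires a valid signature from binary-cache-public-keys for every cache, trusted ones included; without it the key list is written but never enforced.` The surrounding `nixConf` definition starts before this hunk.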
@@ -244,6 +248,33 @@ in
'';
};
+ requireSignedBinaryCaches = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ If enabled, Nix will only download binaries from binary
+ caches if they are cryptographically signed with any of the
+ keys listed in
+ . If disabled (the
+ default), signatures are neither required nor checked, so
+ it's strongly recommended that you use only trustworthy
+ caches and https to prevent man-in-the-middle attacks.
+ '';
+ };
+
+ binaryCachePublicKeys = mkOption {
+ type = types.listOf types.str;
+ example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
+ description = ''
+ List of public keys used to sign binary caches. If
+ is enabled,
+ then Nix will use a binary from a binary cache if and only
+ if it is signed by any of the keys
+ listed here. By default, only the key for
+ cache.nixos.org is included.
+ '';
+ };
+
};
};
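Review bot: `binaryCachePublicKeys` declares no `default`, so enabling `requireSignedBinaryCaches` while the key list is empty (e.g. a user applying `mkForce []` to drop the cache.nixos.org key) would make every substitution fail with no explanation at evaluation time; an assertion would catch that: `assertions = [ { assertion = cfg.requireSignedBinaryCaches -> cfg.binaryCachePublicKeys != []; message = "nix.requireSignedBinaryCaches needs at least one key in nix.binaryCachePublicKeys"; } ];`. The description should also state that keys set here are merged with the module-supplied cache.nixos.org key rather than replacing it, since the default is supplied via `config` and list options merge, so removing it requires `mkForce`. The option descriptions should spell out that the `example` key format is `name:base64-public-key`, because `types.str` will accept any string and a malformed entry only surfaces as rejected downloads. The option set these belong to is declared outside the hunk.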
@@ -253,6 +284,8 @@ in
config = {
+ nix.binaryCachePublicKeys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
+
environment.etc."nix/nix.conf".source = nixConf;
# List of machines for distributed Nix builds in the format