Add attic

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>

hosts/common/configs/system/nix/default.nix

@@ -1,25 +1,54 @@
-{ config, inputs, ... }:
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
 {
   sops = {
-    secrets."git/credentials/github.com/tokens/public".sopsFile =
-      "${inputs.secrets}/domains/personal/secrets.yaml";
+    secrets = {
+      "git/credentials/github.com/tokens/public".sopsFile =
+        "${inputs.secrets}/domains/personal/secrets.yaml";
 
-    templates.nix-access-tokens = {
-      content = ''
-        access-tokens = github.com=${config.sops.placeholder."git/credentials/github.com/tokens/public"}
-      '';
-      group = "users";
+      "nix/cache/nix.karaolidis.com".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+    };
+
+    templates = {
+      nix-access-tokens = {
+        content = ''
+          access-tokens = github.com=${config.sops.placeholder."git/credentials/github.com/tokens/public"}
+        '';
+        group = "users";
+        mode = "0440";
+      };
+
+      nix-netrc = {
+        content = ''
+          machine nix.karaolidis.com
+          password ${config.sops.placeholder."nix/cache/nix.karaolidis.com"}
+        '';
+        group = "users";
+        mode = "0440";
+      };
     };
   };
 
   nix = {
     settings = {
+      trusted-users = [
+        "root"
+        "@wheel"
+      ];
       use-xdg-base-directories = true;
       experimental-features = [
         "nix-command"
         "flakes"
       ];
       download-buffer-size = 524288000;
+      substituters = lib.mkBefore [ "https://nix.karaolidis.com/main" ];
+      trusted-substituters = lib.mkBefore [ "https://nix.karaolidis.com/main" ];
+      trusted-public-keys = lib.mkBefore [ "main:nJVRBnv73MDkwuV5sgm52m4E2ImOhWHvY12qzjPegAk=" ];
+      netrc-file = config.sops.templates.nix-netrc.path;
     };
 
     channel.enable = false;