Use signed builds on substituter

build.sh

@@ -2,18 +2,9 @@
 set -euo pipefail
 set -x
 
-if [ -z "${NO_REMOTE:-}" ]
-then
-    remote_args="--builders ssh://charlotte@sunspear.vanpetegem.me --extra-substituters ssh://charlotte@sunspear.vanpetegem.me"
-else
-    remote_args=""
-fi
-
-
 nix-build \
     --no-out-link \
     --pure \
-    $remote_args \
     "${@}"
 
 exit 0

substituterbuild.sh

@@ -2,9 +2,9 @@
 set -euo pipefail
 set -x
 
-export NO_REMOTE=true
+BUILD_ARGS=("--secret-key-files" "/etc/nix/key.private")
 for machine in machines/*
 do
-    output=$(./build.sh $machine)
+    output=$(./build.sh "${BUILD_ARGS[@]}" "$machine")
     nix-env --set -p /nix/var/nix/profiles/per-user/charlotte/${machine#machines/} $output
 done

update.sh

@@ -4,6 +4,14 @@ set -x
 
 ./update-imports.sh
 
-result="$(./build.sh "./machines/$(hostname)")"
+BUILD_ARGS=(
+    "--builders"
+    "ssh://charlotte@sunspear.vanpetegem.me"
+    "--extra-substituters"
+    "ssh://charlotte@sunspear.vanpetegem.me"
+    "--trusted-public-keys"
+    "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= sunspear-nix-cache:4mgL4qS7EweCug1gAFiZKgQK+xuoJMBYThIUE+kPX4s="
+)
+result="$(./build.sh "${BUILD_ARGS[@]}" "./machines/$(hostname)")"
 
 sudo bash -c "nix-env --set --profile /nix/var/nix/profiles/system/ ${result} && ${result}/bin/switch-to-configuration switch"