From 3207f2e66edb1b582cbcc767f0df648a1cd95896 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Sun, 30 Jun 2024 15:42:29 +0200
Subject: [PATCH] darwin/trusted-nix-caches: port over from NixOS

---
 darwin/default.nix                   |  1 +
 darwin/mixins/trusted-nix-caches.nix | 14 ++++++++++++++
 docs/darwin/mixins.md                |  4 ++++
 3 files changed, 19 insertions(+)
 create mode 100644 darwin/mixins/trusted-nix-caches.nix

diff --git a/darwin/default.nix b/darwin/default.nix
index 0fdec3b..a2b371a 100644
--- a/darwin/default.nix
+++ b/darwin/default.nix
@@ -8,4 +8,5 @@ exposeModules ./. [
   ./mixins/nix-experimental.nix
   ./mixins/telegraf.nix
   ./mixins/terminfo.nix
+  ./mixins/trusted-nix-caches.nix
 ]
diff --git a/darwin/mixins/trusted-nix-caches.nix b/darwin/mixins/trusted-nix-caches.nix
new file mode 100644
index 0000000..54fa48d
--- /dev/null
+++ b/darwin/mixins/trusted-nix-caches.nix
@@ -0,0 +1,14 @@
+{
+  # Caches in trusted-substituters can be used by unprivileged users i.e. in
+  # flakes but are not enabled by default.
+  nix.settings.trusted-substituters = [
+    "https://nix-community.cachix.org"
+    "https://cache.garnix.io"
+    "https://numtide.cachix.org"
+  ];
+  nix.settings.trusted-public-keys = [
+    "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+    "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
+  ];
+}
diff --git a/docs/darwin/mixins.md b/docs/darwin/mixins.md
index 8b51ba6..ef0a9a2 100644
--- a/docs/darwin/mixins.md
+++ b/docs/darwin/mixins.md
@@ -15,3 +15,7 @@ This is useful when connecting to a server via SSH.
 ### `darwinModules.mixins-nix-experimental`
 
 Enables all experimental features in nix, that are known safe to use (i.e. are only used when explicitly requested in a build).
+
+### `darwinModules.mixins-trusted-nix-caches`
+
+Add the common list of public nix binary caches that we trust.