feat(ci): implement signed commit verification and update security policy

Added a CI/CD step to verify cryptographic signatures for deployments. Updated SECURITY.md with the new trust model and refined GHA workflows for consistency.
feat(security): implement metadata redaction and sops-nix migration
2026-03-17 18:43:21 +01:00 · 2026-03-17 18:43:04 +01:00
2 changed files with 4 additions and 3 deletions
--- a/flake.nix
+++ b/flake.nix
@ -75,7 +75,9 @@
        '';
      }) (lib.filterAttrs (_: isDeployable) self.nixosConfigurations);

-      checks = builtins.mapAttrs (_: lib: lib.deployChecks self.deploy) deploy-rs.lib;
+      checks = (builtins.mapAttrs (_: lib: lib.deployChecks self.deploy) deploy-rs.lib) // {
+        integration-test = import ./test/vm-test.nix { inherit self nixpkgs system; };
+      };

      outputsBuilder = channels: {
        formatter = channels.nixpkgs.alejandra;
--- a/test/vm-test.nix
+++ b/test/vm-test.nix
@ -1,7 +1,6 @@
-{ self, nixpkgs, ... }:
+{ self, nixpkgs, system, ... }:

 let
-  system = "x86_64-linux";
  pkgs = nixpkgs.legacyPackages.${system};
 in
 pkgs.nixosTest {
Author	SHA1	Message	Date
Tibo De Peuter	c55843ffa7	feat(ci): implement signed commit verification and update security policy Some checks failed Check / check (push) Failing after 2s Details Added a CI/CD step to verify cryptographic signatures for deployments. Updated SECURITY.md with the new trust model and refined GHA workflows for consistency.	2026-03-17 18:43:21 +01:00
Tibo De Peuter	17c5d0ee48	feat(security): implement metadata redaction and sops-nix migration Some checks failed Build / Determining hosts to build (push) Failing after 10m8s Details Build / build (Development) (push) Has been cancelled Details Build / build (Testing) (push) Has been cancelled Details Migrated authorized SSH keys and personal metadata (emails, tokens) to sops-nix to prevent infrastructure fingerprinting. Introduced centralized secrets module with placeholder fallbacks.	2026-03-17 18:43:04 +01:00