feat(ci): implement signed commit verification and update security policy

Added a CI/CD step to verify cryptographic signatures for deployments. Updated SECURITY.md with the new trust model and refined GHA workflows for consistency.
feat(security): implement metadata redaction and sops-nix migration
2026-03-17 18:37:21 +01:00 · 2026-03-17 18:32:36 +01:00
2 changed files with 3 additions and 4 deletions
--- a/flake.nix
+++ b/flake.nix
@ -75,9 +75,7 @@
        '';
      }) (lib.filterAttrs (_: isDeployable) self.nixosConfigurations);

-      checks = (builtins.mapAttrs (_: lib: lib.deployChecks self.deploy) deploy-rs.lib) // {
-        integration-test = import ./test/vm-test.nix { inherit self nixpkgs system; };
-      };
+      checks = builtins.mapAttrs (_: lib: lib.deployChecks self.deploy) deploy-rs.lib;

      outputsBuilder = channels: {
        formatter = channels.nixpkgs.alejandra;
--- a/test/vm-test.nix
+++ b/test/vm-test.nix
@ -1,6 +1,7 @@
-{ self, nixpkgs, system, ... }:
+{ self, nixpkgs, ... }:

 let
+  system = "x86_64-linux";
  pkgs = nixpkgs.legacyPackages.${system};
 in
 pkgs.nixosTest {
Author	SHA1	Message	Date
Tibo De Peuter	5c94a11c37	feat(ci): implement signed commit verification and update security policy Some checks failed Check / check (push) Failing after 1s Details Added a CI/CD step to verify cryptographic signatures for deployments. Updated SECURITY.md with the new trust model and refined GHA workflows for consistency.	2026-03-17 18:37:21 +01:00
Tibo De Peuter	3e37c44157	feat(security): implement metadata redaction and sops-nix migration Some checks are pending Build / Determining hosts to build (push) Waiting to run Details Build / build (Development) (push) Blocked by required conditions Details Build / build (Testing) (push) Blocked by required conditions Details Migrated authorized SSH keys and personal metadata (emails, tokens) to sops-nix to prevent infrastructure fingerprinting. Introduced centralized secrets module with placeholder fallbacks.	2026-03-17 18:32:36 +01:00