Accept multiple signing keys

[auto-upgrade-with-pinch] / modules / auto-upgrade.nix

diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix
index 8bf21aaaf988c5d3b0b5d6648ca403785276d05f..66d857f74a1d1f9ce7e21750a7ba3f84abceafe2 100644 (file)
--- a/modules/auto-upgrade.nix
+++ b/modules/auto-upgrade.nix
@@ -28,7 +28,7 @@ let
         # Update channels
         (
           cd /etc/nixos
-          ${pkgs.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures
+          ${pkgs.keyedgit cfg.keys}/bin/git pull --ff-only --verify-signatures
           ${pkgs.pinch}/bin/pinch update channels
         )
 
@@ -71,11 +71,12 @@ in {
         '';
       };
 
-      key = mkOption {
+      keys = mkOption {
         type = types.path;
         description = ''
-          GPG key that signs updates.  Updates are only merged if the commit
-          at the tip of the remote branch is signed with this key.
+          File containing GPG keys that sign updates.  Updates are only merged
+          if the commit at the tip of the remote branch is signed with one of
+          these keys.
         '';
       };