Added domain option. Maybe fixed binary cache signing.

config/nix.nix

@@ -11,7 +11,7 @@
     '';
     sshServe.enable = if config.services.hydra.enable then true else false;
     sshServe.keys = if config.services.hydra.enable then [ (builtins.readFile /secret/nix-ssh.pub) ] else [];
-    binaryCachePublicKeys = if config.services.hydra.enable then [ (builtins.readFile /secret/hydra_cache.pub) ] else [];
+    binaryCachePublicKeys = [ (builtins.readFile /secret/hydra_cache.pub) ];
     trustedBinaryCaches = [
       "https://cache.nixos.org"
       "https://cache.ophanim.de"

config/users.nix

@@ -1,5 +1,7 @@
 { config, lib, pkgs, ... }:
 
+with lib;
+
 {
   users = {
     mutableUsers = false;
@@ -9,13 +11,16 @@
       createHome = true;
       description = "";
       group = "derped";
-      extraGroups = [ "audio" "wheel" "network" ] ++ (if config.machine.hostName != "Ophanim" then ["input" "cups" "lp" "docker"] else []);
+      extraGroups = [ "audio" "wheel" "network" ]
+        ++ (if config.services.xserver.enable then [ "input" ] else [])
+        ++ (if config.services.printing.enable then [ "cups" "lp" ] else [])
+        ++ (if config.virtualisation.docker.enable then [ "docker"] else []);
       uid = 1337;
       shell = "/run/current-system/sw/bin/zsh";
       passwordFile = "/secret/derped";
-      openssh.authorizedKeys.keyFiles = (if config.machine.hostName != "Ophanim" then [] else [ "/secret/derped.pub" ]);
+      openssh.authorizedKeys.keyFiles = if config.services.openssh.enable then [ "/secret/derped.pub" ] else [];
     };
-    
+
     groups.derped = {
       name = "derped";
       gid = 1337;