System: Add github access token secret to nix config

2025-07-12 18:03:05 +02:00
parent 41e9e9e946
commit ff6710a349
3 changed files with 27 additions and 6 deletions
--- a/home/christoph/default.nix
+++ b/home/christoph/default.nix
@ -302,7 +302,10 @@
        # Because we can't access the absolute path /run/secrets/... we have to symlink.
        # This will create a chain of links leading to /run/secrets/... without /nix/store
        # containing the secret contents.
-        ".ssh/id_ed25519".source = config.lib.file.mkOutOfStoreSymlink "${nixosConfig.sops.secrets.ssh-private-key.path}";
+        ".ssh/id_ed25519".source =
+          config.lib.file.mkOutOfStoreSymlink
+          nixosConfig.sops.secrets.ssh-private-key.path;
+
        ".ssh/id_ed25519.pub".text = "${publicKeys.${username}.ssh}";

        ".secrets/age/age.pub".text = "${publicKeys.${username}.age}";
@ -317,6 +320,10 @@
                - age:
                  - *${username}
        '';
+
+        ".config/nix/nix.conf".source =
+          config.lib.file.mkOutOfStoreSymlink
+          nixosConfig.sops.templates."nix.conf".path;
      }
      (lib.mkIf nixosConfig.modules.desktopportal.termfilechooser.enable {
        ".config/xdg-desktop-portal-termfilechooser/config".text = ''
--- a/system/default.nix
+++ b/system/default.nix
@ -96,11 +96,21 @@ with mylib.networking; {
    ];

    sops-nix.secrets.${username} = [
-      "docker-password"
      "ssh-private-key"
+      "nix-github-token"
+      "docker-password"
    ];
  };

+  # Write the nix user config file here so we have secrets access
+  sops.templates."nix.conf" = {
+    owner = config.users.users.${username}.name;
+    group = config.users.users.${username}.group;
+    content = ''
+      access-tokens = github.com=${config.sops.placeholder.nix-github-token}
+    '';
+  };
+
  # Enable flakes
  nix = {
    package = pkgs.nixVersions.stable;
@ -111,7 +121,7 @@ with mylib.networking; {
    settings.trusted-users = ["root" "${username}"];

    # Auto garbage-collect and optimize store
-    # gc.automatic = true; # NOTE: Disabled for "nh clean"
+    gc.automatic = true;
    gc.options = "--delete-older-than 5d";
    settings.auto-optimise-store = true;
    optimise.automatic = true;
@ -122,7 +132,10 @@ with mylib.networking; {
    registry = lib.mapAttrs' (n: v: lib.nameValuePair n {flake = v;}) inputs;

    # Set NIX_PATH to find nixpgks
-    nixPath = ["nixpkgs=${inputs.nixpkgs.outPath}" "home-manager=${inputs.home-manager.outPath}"];
+    nixPath = [
+      "nixpkgs=${inputs.nixpkgs.outPath}"
+      "home-manager=${inputs.home-manager.outPath}"
+    ];
  };

  # Bootloader/Kernel stuff
--- a/system/modules/sops-nix/secrets.yaml
+++ b/system/modules/sops-nix/secrets.yaml
@ -3,6 +3,7 @@
 #
 user-password: ENC[AES256_GCM,data:okgvaTTesCDwriI8PxhNdHZF8XgzB4yxapuFl2/CK8x4WNYxGFjuZqGKcu7pqfnBofNcF2ByuM+HLH9FKxpK0dMCoHD/laR1IA==,iv:ltExELuM7g7ydSAMj8ioF9Nb7N4xe5enhDQrVJ+k2jQ=,tag:AV165m5yKnX+uJnMyC3mxA==,type:str]
 ssh-private-key: ENC[AES256_GCM,data:JrRarfeS3y6b9gxg4Za5GIc5Ci3aGR+OyZxQybj4dcv2mzxXmT/bm7KOwM1zkz1PFl1xW5X82T5jte+XQOKx0+6m4ovjUgUmQUMP4E/yosp8XSdi0+YlUKBEHEJx6HqCZy+v6qx5kfp9JC6fZqCbL1J6FIqWqAoKTFXoiou1YnhmBa2fM17Q++i6TflDWiVrUS7X9xjuZFq1hz1aQXS303uvJEUOEpXdqPyJvUKJWzVsFrAwpa9FG+reO70SSc+1hBbqdw1QjrzNWh3eNnztwZURauJtVFBYUZ5ozHmWBr4aVFjYvqz+t6G1SAunmBRbVqbH4bjBv9jXXjHAB4U0wanvkJN2C+EY1zxwjyx2fWckMdhoLr9gtC1FJKMbV49UFHJ3iXWNczKj1t7LrctehEKXJa0Eb3UogYuaRxbVYbC++kD8LvL4AY8ertgc9/pxQQZmogdINJmIxKN4HTlGbX8kSDLbohZLheOfzZ5ycTlrbOjfJ1EBMLo+mJcMUW0qhFySl1aamPqTeII7lvgTOE3xV/d/9VAQTFKsftWPNkfhAJIym51bYrrMPV8AVeFQnLhSid3d3zK4w20zIQKSYnq9A8zcNhM0keddiv4XC+M=,iv:7HP7VCFpMRZXRD6GD/zFzDSBO02V/DyxKLmuDCLXTLU=,tag:Ugx81JwCP8HmhtflYoevLg==,type:str]
+nix-github-token: ENC[AES256_GCM,data:AXV0ODLhfa4M6+7clulfIKm0qCOeo3lQ+66iYgoDeR12RxZOV19UtA==,iv:1XECVKyzH3NumKwRSPKNlUwJMLFwptcG8DQ09U4LrGk=,tag:QdtvJNV8BttWjhH4v0RtRQ==,type:str]
 docker-password: ENC[AES256_GCM,data:mK5YWEQPKWBtVCgRBZvwWTdVAi8MEGbLnLeP7hfDkcc=,iv:Az8+eAK6R6xssmmbhuEsDbLU+ks8lS+qzc4L33WfefA=,tag:NSXvRhbIuRZZqRR28Tu0PQ==,type:str]
 #
 #ENC[AES256_GCM,data:y5dlZFhK38dR+Q==,iv:1JYizUeyWeMR4KUblkj7kVSHPCL5l8mFpaQdo774BcM=,tag:kUTnBZb46KYQyi8bgIYSOQ==,type:comment]
@ -33,7 +34,7 @@ sops:
            SURMTmh1TGIrRmtENzc0Sk4rNFJNUE0KOpjN6jkEHO+lvdWdp4P++r9SNSPWaT0h
            FAbbvZZ/EdIk/njLEcayFN7B4ftTcD/f4XJZiyosilZnIkk76bMOHA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-12T14:59:23Z"
-    mac: ENC[AES256_GCM,data:+qMojkbBDisMKDCZrHCZyWyD+JNGtzUwSdIDwuslcQrmVN0AiWKm93SczVapsFiLbZ+QlALdck/oV53ASjuLfiMSi1bgsRIfWe4+ZdRz8t2Tn/PMjS5utiYgGGxpghXY4/fn1UQhLSf5WeGaCNFLFDX2DVJ4bZv9xEkPQY0eN+k=,iv:7Cw/tTTb4FSMk3SstSD67nJ5hqkLqVyBnFR/udu3feU=,tag:gYjPj+GilOp3MzdptG2QXg==,type:str]
+    lastmodified: "2025-07-12T15:50:53Z"
+    mac: ENC[AES256_GCM,data:hfO7iaF3oYsbgvzJpu0rcQyh7ywJsowbxCgQ+BqUQHF4sz+m6OZu4nHoVJi0LFqzZA1stJtfdRS+SaWOx5hFitXQ+VKmOXWABxUOzEWeDYPzPyoseG6XUna2L6gtdy9dLlOtiXvDCOWfv2+bs5FzsC29x2QcP1KEW0tVEoUCKIg=,iv:PE8674LhIpAAGCjn0UqEAGqI6l4XiG/73iThZWJIIrY=,tag:XmF1AYu9hlIrvwWt/EiLzw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2