From 1aab156439c171ee5895990e073e620f01e330a1 Mon Sep 17 00:00:00 2001 From: Christoph Hollizeck Date: Wed, 18 Feb 2026 23:58:24 +0100 Subject: [PATCH] nix: add access-token for github --- flake.lock | 77 +++++++++++++------------------ modules/base/default.nix | 1 - modules/base/system/nixdaemon.nix | 17 +++++++ modules/users/cholli/default.nix | 2 +- secrets/secrets.yaml | 6 ++- 5 files changed, 54 insertions(+), 49 deletions(-) diff --git a/flake.lock b/flake.lock index d2b1d21..2d63d44 100644 --- a/flake.lock +++ b/flake.lock @@ -1406,8 +1406,12 @@ }, "nixos-images": { "inputs": { - "nixos-stable": "nixos-stable", - "nixos-unstable": "nixos-unstable" + "nixos-stable": [ + "nixpkgs-rpi" + ], + "nixos-unstable": [ + "nixpkgs-rpi" + ] }, "locked": { "lastModified": 1747747741, @@ -1474,40 +1478,6 @@ "type": "github" } }, - "nixos-stable": { - "locked": { - "lastModified": 1746957726, - "narHash": "sha256-k9ut1LSfHCr0AW82ttEQzXVCqmyWVA5+SHJkS5ID/Jo=", - "ref": "nixos-24.11", - "rev": "a39ed32a651fdee6842ec930761e31d1f242cb94", - "shallow": true, - "type": "git", - "url": "https://github.com/NixOS/nixpkgs" - }, - "original": { - "ref": "nixos-24.11", - "shallow": true, - "type": "git", - "url": "https://github.com/NixOS/nixpkgs" - } - }, - "nixos-unstable": { - "locked": { - "lastModified": 1747060738, - "narHash": "sha256-ByfPRQuqj+nhtVV0koinEpmJw0KLzNbgcgi9EF+NVow=", - "ref": "nixpkgs-unstable", - "rev": "eaeed9530c76ce5f1d2d8232e08bec5e26f18ec1", - "shallow": true, - "type": "git", - "url": "https://github.com/NixOS/nixpkgs" - }, - "original": { - "ref": "nixpkgs-unstable", - "shallow": true, - "type": "git", - "url": "https://github.com/NixOS/nixpkgs" - } - }, "nixos-wsl": { "inputs": { "flake-compat": "flake-compat_5", 
@@ -1547,11 +1517,11 @@ }, "nixpkgs-latest-factorio": { "locked": { - "lastModified": 1771449080, - "narHash": "sha256-gMHK6Mt1TgU1WoRSbEH8I6xQYi5GcYf6Dx4Ft91sohw=", + "lastModified": 1771455027, + "narHash": "sha256-cTx+FXH4iq6nil753azcwgs7H6F16CLz26RPIRKuGCM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ff37ee0d7279ca4ce555ee5bc94fcb0f58b60b1d", + "rev": "1720090b48306293c69ec01af7ee7f416a81d534", "type": "github" }, "original": { @@ -1563,11 +1533,11 @@ }, "nixpkgs-latest-minecraft": { "locked": { - "lastModified": 1771449080, - "narHash": "sha256-gMHK6Mt1TgU1WoRSbEH8I6xQYi5GcYf6Dx4Ft91sohw=", + "lastModified": 1771455027, + "narHash": "sha256-cTx+FXH4iq6nil753azcwgs7H6F16CLz26RPIRKuGCM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ff37ee0d7279ca4ce555ee5bc94fcb0f58b60b1d", + "rev": "1720090b48306293c69ec01af7ee7f416a81d534", "type": "github" }, "original": { @@ -1609,11 +1579,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1771449080, - "narHash": "sha256-gMHK6Mt1TgU1WoRSbEH8I6xQYi5GcYf6Dx4Ft91sohw=", + "lastModified": 1771455027, + "narHash": "sha256-cTx+FXH4iq6nil753azcwgs7H6F16CLz26RPIRKuGCM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ff37ee0d7279ca4ce555ee5bc94fcb0f58b60b1d", + "rev": "1720090b48306293c69ec01af7ee7f416a81d534", "type": "github" }, "original": { @@ -1623,6 +1593,22 @@ "type": "github" } }, + "nixpkgs-rpi": { + "locked": { + "lastModified": 1770234462, + "narHash": "sha256-Ab6VqbckLApCrZlj8+HXJkPhMiquUP84osaSOZzA3HI=", + "owner": "nvmd", + "repo": "nixpkgs", + "rev": "071e76e7df3520f30f8a213b37f2f3f4cd96e937", + "type": "github" + }, + "original": { + "owner": "nvmd", + "ref": "modules-with-keys-25.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-stable": { "locked": { "lastModified": 1771208521, 
@@ -1875,6 +1861,7 @@ "nixpkgs-latest-factorio": "nixpkgs-latest-factorio", "nixpkgs-latest-minecraft": "nixpkgs-latest-minecraft", "nixpkgs-master": "nixpkgs-master", + "nixpkgs-rpi": "nixpkgs-rpi", "nixpkgs-stable": "nixpkgs-stable_2", "nixpkgs-unstable": "nixpkgs-unstable", "simple-nixos-mailserver": "simple-nixos-mailserver", diff --git a/modules/base/default.nix b/modules/base/default.nix index 3e8ea4e..d441081 100644 --- a/modules/base/default.nix +++ b/modules/base/default.nix @@ -59,7 +59,6 @@ ]; sops = { - defaultSopsFile = ../../../secrets/secrets.yaml; defaultSopsFormat = "yaml"; age = { diff --git a/modules/base/system/nixdaemon.nix b/modules/base/system/nixdaemon.nix index cec3d55..04d3847 100644 --- a/modules/base/system/nixdaemon.nix +++ b/modules/base/system/nixdaemon.nix @@ -34,9 +34,25 @@ clean.extraArgs = "--keep-since 7d --keep 5"; }; + sops = { + secrets."github/pat" = { + sopsFile = ../../../secrets/secrets.yaml; + }; + templates."access_tokens.conf" = { + content = '' + access-tokens = github.com=${config.sops.placeholder."github/pat"} + ''; + owner = "root"; + group = "secrets-access"; + mode = "0440"; + }; + }; + nix = { package = pkgs.lix; + extraOptions = "!include ${config.sops.templates."access_tokens.conf".path}"; + settings = let users = [ @@ -47,6 +63,7 @@ ++ lib.optional config.services.hydra.enable "hydra hydra-www hydra-evaluator"; in { + nix-path = "nixpkgs=flake:nixpkgs"; experimental-features = "nix-command flakes"; http-connections = 50; diff --git a/modules/users/cholli/default.nix b/modules/users/cholli/default.nix index 63ad6e9..7d8da18 100644 --- a/modules/users/cholli/default.nix +++ b/modules/users/cholli/default.nix @@ -47,7 +47,7 @@ topLevel: { sopsFile = ./../../../secrets/secrets.yaml; neededForUsers = true; }; - + users.groups.secrets-access.members = [ "cholli" ]; users.users.cholli = { description = topLevel.config.flake.meta.users.cholli.name; isNormalUser = true; 
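Review bot: In modules/base/system/nixdaemon.nix, the new `templates."access_tokens.conf"` block sets `group = "secrets-access"`, but the only place this patch defines that group is the `members` line in modules/users/cholli/default.nix. A host that imports the base module without that user module would presumably fail at activation, when sops-nix tries to set ownership of the rendered file. Declaring `users.groups.secrets-access = { };` next to the template keeps the module self-contained, and the user module's `members` definition still merges into it. With `mode = "0440"`, every member of that group, and any process running as one, can read the GitHub token in plaintext, so I would add a comment above `secrets."github/pat"` such as `# fine-grained, read-only PAT; rendered file is readable by group secrets-access`. The enclosing attribute set starts and ends outside the hunk.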
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index b84d855..0946d5f 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml @@ -1,6 +1,8 @@ passwordHash: ENC[AES256_GCM,data:T1rPJ5PhicrB54KxuTF2VT9i54uOngZnp1dS1xE/2qiuVUNUmYDrtryCk3nupJx9IVf0XqymQ3ut9A6YD1NjGvCBN+Klk2aevA==,iv:u9tpn9VAwn4yrChxICV6KgHFnvV5rpwKq6WWBjwntEk=,tag:sU9GebazI7gNuLSNO4Sjww==,type:str] samba: cholli: ENC[AES256_GCM,data:x2fZ8VcSAcelCj9/Tjp2I1KNeLo=,iv:66Je1+TL6jtnC+LZS3747yq/c6zI4FwlBXH1BjIFeDk=,tag:+vujtFcdKTcsyBisC/UyNA==,type:str] +github: + pat: ENC[AES256_GCM,data:HXps9ZUjTDjQDSQMdLXzXEvXsG55VgJaFD0zL87QnS3bDj4Ok8PeqA==,iv:OoY4AP3caKeES4P6qyQeGzX7fvp/Xz/Q65eYa1ZmOIU=,tag:71y7zxIlO8EmFAN8Eb/x5Q==,type:str] remotebuild: private-key: ENC[AES256_GCM,data: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,iv:mlYWlmFT0Ybmn26Spqri5E9zRkrBweV6bWvvByLnIvs=,tag:tdB7dw+GMnr5/8fXoem10w==,type:str] cholli: @@ -52,7 +54,7 @@ sops: SkVjdXVSR0h3bWtwazBpaTRUM0ZMS1kKG/zf54NMDxEkmzPtkOUN4wir5LKEE8Oh sV5/1sVu2+xaRDx4l0bIKrFWdLouY3ZsPZihreAIEB5qtzlfBx6CoA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-05T08:30:43Z" - mac: ENC[AES256_GCM,data:LTyEkbTw+SVqAqpB2Zl8slxMM18OOIY3R76iPySkhhtUfwnki7fMExjuniq7tsMJfT4Ssp2jvSsNERsxbhxs/96OnH/CQtDva7N64yW3AM7nn5Ha6vb82YeNWcq2+aEqt1l2AF1Kva6lFzBz4tWT6lfHpfEQonpAOdLxT55dspo=,iv:dTnvZOKZUPYYGKqWS6TbrQMOJnzSCrBcZ0Tul56Da2c=,tag:32HcHZhjLHvov+Rb+cNkcw==,type:str] + lastmodified: "2026-02-18T21:46:42Z" + mac: ENC[AES256_GCM,data:1F3VW7Fok4sr2JtrQYmBADzPZvmQ52zb2cV6ByZg2xwpjolzh2P87YVYOogpEDqbL1sRCEVh3caABNDEgXNRr7td+x4Ji8EPc5q6m9vGNG0KcY4bQJofnCj1XxRZ9EuaheoZ4MRlhA6h6Eah4Mkq5pE6kVn7FbiX4rAzxg7RMIQ=,iv:l4jRsio+2mdaNK9bgIw4r+qneLu+Vl1cxnb7AbWQvm0=,tag:qRuFRsI/Walnf7IgBwsUSQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0