nix: add access-token for github

2026-02-18 23:58:24 +01:00 · 2026-02-18 23:58:24 +01:00 · 1aab156439
commit 1aab156439
parent c9486641cc
5 changed files with 54 additions and 49 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1406,8 +1406,12 @@
    },
    "nixos-images": {
      "inputs": {
-        "nixos-stable": "nixos-stable",
-        "nixos-unstable": "nixos-unstable"
+        "nixos-stable": [
+          "nixpkgs-rpi"
+        ],
+        "nixos-unstable": [
+          "nixpkgs-rpi"
+        ]
      },
      "locked": {
        "lastModified": 1747747741,
@ -1474,40 +1478,6 @@
        "type": "github"
      }
    },
-    "nixos-stable": {
-      "locked": {
-        "lastModified": 1746957726,
-        "narHash": "sha256-k9ut1LSfHCr0AW82ttEQzXVCqmyWVA5+SHJkS5ID/Jo=",
-        "ref": "nixos-24.11",
-        "rev": "a39ed32a651fdee6842ec930761e31d1f242cb94",
-        "shallow": true,
-        "type": "git",
-        "url": "https://github.com/NixOS/nixpkgs"
-      },
-      "original": {
-        "ref": "nixos-24.11",
-        "shallow": true,
-        "type": "git",
-        "url": "https://github.com/NixOS/nixpkgs"
-      }
-    },
-    "nixos-unstable": {
-      "locked": {
-        "lastModified": 1747060738,
-        "narHash": "sha256-ByfPRQuqj+nhtVV0koinEpmJw0KLzNbgcgi9EF+NVow=",
-        "ref": "nixpkgs-unstable",
-        "rev": "eaeed9530c76ce5f1d2d8232e08bec5e26f18ec1",
-        "shallow": true,
-        "type": "git",
-        "url": "https://github.com/NixOS/nixpkgs"
-      },
-      "original": {
-        "ref": "nixpkgs-unstable",
-        "shallow": true,
-        "type": "git",
-        "url": "https://github.com/NixOS/nixpkgs"
-      }
-    },
    "nixos-wsl": {
      "inputs": {
        "flake-compat": "flake-compat_5",
@ -1547,11 +1517,11 @@
    },
    "nixpkgs-latest-factorio": {
      "locked": {
-        "lastModified": 1771449080,
-        "narHash": "sha256-gMHK6Mt1TgU1WoRSbEH8I6xQYi5GcYf6Dx4Ft91sohw=",
+        "lastModified": 1771455027,
+        "narHash": "sha256-cTx+FXH4iq6nil753azcwgs7H6F16CLz26RPIRKuGCM=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "ff37ee0d7279ca4ce555ee5bc94fcb0f58b60b1d",
+        "rev": "1720090b48306293c69ec01af7ee7f416a81d534",
        "type": "github"
      },
      "original": {
@ -1563,11 +1533,11 @@
    },
    "nixpkgs-latest-minecraft": {
      "locked": {
-        "lastModified": 1771449080,
-        "narHash": "sha256-gMHK6Mt1TgU1WoRSbEH8I6xQYi5GcYf6Dx4Ft91sohw=",
+        "lastModified": 1771455027,
+        "narHash": "sha256-cTx+FXH4iq6nil753azcwgs7H6F16CLz26RPIRKuGCM=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "ff37ee0d7279ca4ce555ee5bc94fcb0f58b60b1d",
+        "rev": "1720090b48306293c69ec01af7ee7f416a81d534",
        "type": "github"
      },
      "original": {
@ -1609,11 +1579,11 @@
    },
    "nixpkgs-master": {
      "locked": {
-        "lastModified": 1771449080,
-        "narHash": "sha256-gMHK6Mt1TgU1WoRSbEH8I6xQYi5GcYf6Dx4Ft91sohw=",
+        "lastModified": 1771455027,
+        "narHash": "sha256-cTx+FXH4iq6nil753azcwgs7H6F16CLz26RPIRKuGCM=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "ff37ee0d7279ca4ce555ee5bc94fcb0f58b60b1d",
+        "rev": "1720090b48306293c69ec01af7ee7f416a81d534",
        "type": "github"
      },
      "original": {
@ -1623,6 +1593,22 @@
        "type": "github"
      }
    },
+    "nixpkgs-rpi": {
+      "locked": {
+        "lastModified": 1770234462,
+        "narHash": "sha256-Ab6VqbckLApCrZlj8+HXJkPhMiquUP84osaSOZzA3HI=",
+        "owner": "nvmd",
+        "repo": "nixpkgs",
+        "rev": "071e76e7df3520f30f8a213b37f2f3f4cd96e937",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nvmd",
+        "ref": "modules-with-keys-25.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1771208521,
@ -1875,6 +1861,7 @@
        "nixpkgs-latest-factorio": "nixpkgs-latest-factorio",
        "nixpkgs-latest-minecraft": "nixpkgs-latest-minecraft",
        "nixpkgs-master": "nixpkgs-master",
+        "nixpkgs-rpi": "nixpkgs-rpi",
        "nixpkgs-stable": "nixpkgs-stable_2",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "simple-nixos-mailserver": "simple-nixos-mailserver",
--- a/modules/base/default.nix
+++ b/modules/base/default.nix
@ -59,7 +59,6 @@
          ];

          sops = {
-            defaultSopsFile = ../../../secrets/secrets.yaml;
            defaultSopsFormat = "yaml";

            age = {
--- a/modules/base/system/nixdaemon.nix
+++ b/modules/base/system/nixdaemon.nix
@ -34,9 +34,25 @@
        clean.extraArgs = "--keep-since 7d --keep 5";
      };

+      sops = {
+        secrets."github/pat" = {
+          sopsFile = ../../../secrets/secrets.yaml;
+        };
+        templates."access_tokens.conf" = {
+          content = ''
+            access-tokens = github.com=${config.sops.placeholder."github/pat"}
+          '';
+          owner = "root";
+          group = "secrets-access";
+          mode = "0440";
+        };
+      };
+
      nix = {
        package = pkgs.lix;

+        extraOptions = "!include ${config.sops.templates."access_tokens.conf".path}";
+
        settings =
          let
            users = [
@ -47,6 +63,7 @@
            ++ lib.optional config.services.hydra.enable "hydra hydra-www hydra-evaluator";
          in
          {
+
            nix-path = "nixpkgs=flake:nixpkgs";
            experimental-features = "nix-command flakes";
            http-connections = 50;
--- a/modules/users/cholli/default.nix
+++ b/modules/users/cholli/default.nix
@ -47,7 +47,7 @@ topLevel: {
            sopsFile = ./../../../secrets/secrets.yaml;
            neededForUsers = true;
          };
-
+          users.groups.secrets-access.members = [ "cholli" ];
          users.users.cholli = {
            description = topLevel.config.flake.meta.users.cholli.name;
            isNormalUser = true;
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -1,6 +1,8 @@
 passwordHash: ENC[AES256_GCM,data:T1rPJ5PhicrB54KxuTF2VT9i54uOngZnp1dS1xE/2qiuVUNUmYDrtryCk3nupJx9IVf0XqymQ3ut9A6YD1NjGvCBN+Klk2aevA==,iv:u9tpn9VAwn4yrChxICV6KgHFnvV5rpwKq6WWBjwntEk=,tag:sU9GebazI7gNuLSNO4Sjww==,type:str]
 samba:
    cholli: ENC[AES256_GCM,data:x2fZ8VcSAcelCj9/Tjp2I1KNeLo=,iv:66Je1+TL6jtnC+LZS3747yq/c6zI4FwlBXH1BjIFeDk=,tag:+vujtFcdKTcsyBisC/UyNA==,type:str]
+github:
+    pat: ENC[AES256_GCM,data:HXps9ZUjTDjQDSQMdLXzXEvXsG55VgJaFD0zL87QnS3bDj4Ok8PeqA==,iv:OoY4AP3caKeES4P6qyQeGzX7fvp/Xz/Q65eYa1ZmOIU=,tag:71y7zxIlO8EmFAN8Eb/x5Q==,type:str]
 remotebuild:
    private-key: ENC[AES256_GCM,data:kLF+Mo5EIS5mu8be0nDVRTAb7mzt6dtEL56aG4mV2BxLRcyUZXs7eCbj7j7sOpjqz0k8m+1lHAouvNjyzxANeH10/R3Fy3GZqeWtgJSOEQE3biZaD3dqz0e3Gv3ib/Y0yNYTafosCmn6CmPIsVfiE/dfS1oM2Ksrf/AQ3ufPKIdV0h+p5SK6LnhpBqxgIf7s3MFbBzR+iEgxn1jnmCLaoVqNXhO2tmQqgmRHyh2kHruFj9ZwUi6mWDBie7zX7qlOt/m9p5QN/v5KWn4CfMDWzMlSTYdjEd6lUlP8UC35MJafVT59ioF+ueqePhr4DyDR7d+Cg6Z/iNHWiSH1z17p4Rxt3D4IAverqcd1i8c92C8S4NJKvtWRyfMgZMB3/iG2ZqrLcJXlxrZZKZ9X5B+y5a0Ljb+Vg00V68ktFISt7vAsK79Qy/QjHCotXY0uugkeaGnxS1qhig5tmXdxD+OKk/cJt0kqYEyUFKVQf9unr6xaD2IuOkFKyp/fYhU5LfS0uiAt99ENrfNrIRdHAsUvgWW6Sq7qSVmjkLfU,iv:mlYWlmFT0Ybmn26Spqri5E9zRkrBweV6bWvvByLnIvs=,tag:tdB7dw+GMnr5/8fXoem10w==,type:str]
 cholli:
@ -52,7 +54,7 @@ sops:
            SkVjdXVSR0h3bWtwazBpaTRUM0ZMS1kKG/zf54NMDxEkmzPtkOUN4wir5LKEE8Oh
            sV5/1sVu2+xaRDx4l0bIKrFWdLouY3ZsPZihreAIEB5qtzlfBx6CoA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-05T08:30:43Z"
-    mac: ENC[AES256_GCM,data:LTyEkbTw+SVqAqpB2Zl8slxMM18OOIY3R76iPySkhhtUfwnki7fMExjuniq7tsMJfT4Ssp2jvSsNERsxbhxs/96OnH/CQtDva7N64yW3AM7nn5Ha6vb82YeNWcq2+aEqt1l2AF1Kva6lFzBz4tWT6lfHpfEQonpAOdLxT55dspo=,iv:dTnvZOKZUPYYGKqWS6TbrQMOJnzSCrBcZ0Tul56Da2c=,tag:32HcHZhjLHvov+Rb+cNkcw==,type:str]
+    lastmodified: "2026-02-18T21:46:42Z"
+    mac: ENC[AES256_GCM,data:1F3VW7Fok4sr2JtrQYmBADzPZvmQ52zb2cV6ByZg2xwpjolzh2P87YVYOogpEDqbL1sRCEVh3caABNDEgXNRr7td+x4Ji8EPc5q6m9vGNG0KcY4bQJofnCj1XxRZ9EuaheoZ4MRlhA6h6Eah4Mkq5pE6kVn7FbiX4rAzxg7RMIQ=,iv:l4jRsio+2mdaNK9bgIw4r+qneLu+Vl1cxnb7AbWQvm0=,tag:qRuFRsI/Walnf7IgBwsUSQ==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0