modules/shared/community-builder: add github token to nix.conf

2024-10-29 10:05:51 +10:00 · 2024-10-29 10:05:51 +10:00 · 0682c61186
commit 0682c61186
parent d56f267bdf
3 changed files with 24 additions and 1 deletions
--- a/modules/shared/community-builder.nix
+++ b/modules/shared/community-builder.nix
@ -1,4 +1,10 @@
-{ lib, pkgs, ... }:
+{
+  config,
+  inputs,
+  lib,
+  pkgs,
+  ...
+}:
 {
  options.nixCommunity.motd = lib.mkOption {
    type = lib.types.str;
@ -20,6 +26,15 @@

    '';

+    age.secrets.community-builder-nix-access-tokens = {
+      file = "${inputs.self}/secrets/community-builder-nix-access-tokens.age";
+      mode = "444";
+    };
+
+    nix.extraOptions = ''
+      !include ${config.age.secrets.community-builder-nix-access-tokens.path}
+    '';
+
    # useful for people that want to test stuff
    environment.systemPackages =
      [
--- a/secrets/community-builder-nix-access-tokens.age
+++ b/secrets/community-builder-nix-access-tokens.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -11,13 +11,21 @@ let

  inherit ((import ../modules/shared/known-hosts.nix).programs.ssh) knownHosts;

+  build01 = knownHosts.build01.publicKey;
  build02 = knownHosts.build02.publicKey;
  build03 = knownHosts.build03.publicKey;
  build04 = knownHosts.build04.publicKey;
+  darwin01 = knownHosts.darwin01.publicKey;
  darwin02 = knownHosts.darwin02.publicKey;
  web02 = knownHosts.web02.publicKey;

  secrets = {
+    # fine-grained, no permissions github token, expires 2025-10-29
+    # from `nix-community-buildbot` (user account, not the github app)
+    community-builder-nix-access-tokens = [
+      build01
+      darwin01
+    ];
    grafana-client-secret = [ web02 ];
    hercules-binary-caches = [
      build03