modules/shared/community-builder: add github token to nix.conf

modules/shared/community-builder.nix

@@ -1,4 +1,10 @@
-{ lib, pkgs, ... }:
+{
+  config,
+  inputs,
+  lib,
+  pkgs,
+  ...
+}:
 {
   options.nixCommunity.motd = lib.mkOption {
     type = lib.types.str;
@@ -20,6 +26,15 @@
 
     '';
 
+    age.secrets.community-builder-nix-access-tokens = {
+      file = "${inputs.self}/secrets/community-builder-nix-access-tokens.age";
+      mode = "444";
+    };
+
+    nix.extraOptions = ''
+      !include ${config.age.secrets.community-builder-nix-access-tokens.path}
+    '';
+
     # useful for people that want to test stuff
     environment.systemPackages =
       [

secrets/secrets.nix

@@ -11,13 +11,21 @@ let
 
   inherit ((import ../modules/shared/known-hosts.nix).programs.ssh) knownHosts;
 
+  build01 = knownHosts.build01.publicKey;
   build02 = knownHosts.build02.publicKey;
   build03 = knownHosts.build03.publicKey;
   build04 = knownHosts.build04.publicKey;
+  darwin01 = knownHosts.darwin01.publicKey;
   darwin02 = knownHosts.darwin02.publicKey;
   web02 = knownHosts.web02.publicKey;
 
   secrets = {
+    # fine-grained, no permissions github token, expires 2025-10-29
+    # from `nix-community-buildbot` (user account, not the github app)
+    community-builder-nix-access-tokens = [
+      build01
+      darwin01
+    ];
     grafana-client-secret = [ web02 ];
     hercules-binary-caches = [
       build03