modules/shared/community-builder: add github token to nix.conf

nix-community · Oct 29, 2024 · 2ca7ec1 · 2ca7ec1
1 parent 065e315
commit 2ca7ec1
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 1 deletion.
diff --git a/modules/shared/community-builder.nix b/modules/shared/community-builder.nix
@@ -1,4 +1,10 @@
-{ lib, pkgs, ... }:
+{
+  config,
+  inputs,
+  lib,
+  pkgs,
+  ...
+}:
 {
   options.nixCommunity.motd = lib.mkOption {
     type = lib.types.str;
@@ -20,6 +26,15 @@
 
     '';
 
+    age.secrets.community-builder-nix-access-tokens = {
+      file = "${inputs.self}/secrets/community-builder-nix-access-tokens.age";
+      mode = "444";
+    };
+
+    nix.extraOptions = ''
+      !include ${config.age.secrets.community-builder-nix-access-tokens.path}
+    '';
+
     # useful for people that want to test stuff
     environment.systemPackages = [
       pkgs.btop

diff --git a/secrets/community-builder-nix-access-tokens.age b/secrets/community-builder-nix-access-tokens.age
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -11,13 +11,20 @@ let
 
   inherit ((import ../modules/shared/known-hosts.nix).programs.ssh) knownHosts;
 
+  build01 = knownHosts.build01.publicKey;
   build02 = knownHosts.build02.publicKey;
   build03 = knownHosts.build03.publicKey;
   build04 = knownHosts.build04.publicKey;
+  darwin01 = knownHosts.darwin01.publicKey;
   darwin02 = knownHosts.darwin02.publicKey;
   web02 = knownHosts.web02.publicKey;
 
   secrets = {
+    # fine-grained, no permissions github token from `nix-infra-bot`, expires 2024-10-29
+    community-builder-nix-access-tokens = [
+      build01
+      darwin01
+    ];
     hercules-binary-caches = [
       build03
       build04