From d00729a7bfa49cbc28d1fbe686ce363833cc3fb1 Mon Sep 17 00:00:00 2001 From: chn Date: Fri, 24 May 2024 11:41:09 +0800 Subject: [PATCH] system.nix: add github token support --- devices/pc/default.nix | 1 + devices/pc/secrets/default.yaml | 6 ++++-- devices/surface/default.nix | 2 +- devices/surface/secrets.yaml | 6 ++++-- modules/system/nix.nix | 14 ++++++++++++++ 5 files changed, 24 insertions(+), 5 deletions(-) diff --git a/devices/pc/default.nix b/devices/pc/default.nix index 48f7ddc2..d689c2cb 100644 --- a/devices/pc/default.nix +++ b/devices/pc/default.nix @@ -51,6 +51,7 @@ inputs: "alderlake" ]; remote.master = { enable = true; hosts = [ "xmupc1" "xmupc2" ]; }; + githubToken.enable = true; }; nixpkgs = { march = "znver4"; cuda = { enable = true; capabilities = [ "8.9" ]; forwardCompat = false; }; }; diff --git a/devices/pc/secrets/default.yaml b/devices/pc/secrets/default.yaml index 0abe141b..3ca68937 100644 --- a/devices/pc/secrets/default.yaml +++ b/devices/pc/secrets/default.yaml @@ -20,6 +20,8 @@ mariadb: slurm: ENC[AES256_GCM,data:fGvNMmqk7Cee28VJ1QoBVrBbgIUbj/F1W0SRjdP8N4K/M8Wx4AVm1kAr0IAhPWyDLXlIjM1NUvuEV5BpYDBdjg==,iv:rFTMJ4x2kgENQUA8ftSaLjdOc25i5mWR3UYbdq54vjs=,tag:6feD0eCSv7bcHWBveLNJwg==,type:str] nix: remote: ENC[AES256_GCM,data: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,iv:yQQp5wjbSVn1oia5yL7d6GF9Vo704G0iOQRGMbzQHzg=,tag:bpBag5y5n+7ojOa8QOcDvA==,type:str] +github: + token: ENC[AES256_GCM,data:59z1zSofzUyv2Qfn8oS7dZplzJDtOD/zxhPm07MLbVLHt8mE57IGcw==,iv:nZ4JmIE1h496RN6BChvqo7XWHjur76jP4HMgqGBbMJQ=,tag:pUSGsofG7hvkvJxCRwkg1Q==,type:str] sops: kms: [] gcp_kms: [] 
@@ -44,8 +46,8 @@ sops: OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu +K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-10T08:52:21Z" - mac: ENC[AES256_GCM,data:TMh3ec147fws+lwh2Q7YpZOvvLjQFuUZYcNZO1/1eVuYx7ST+E+pqxVq3IotMfPw8UW7nSGJCDWkpb/ApK1XNV4gguDaYzHPCr+IQlm6oNEsTqbdiPo+wESfWHOc749xqrXugBuROrk7paDenj4WtsePPfT0jDjNbvvKNmgV4Dg=,iv:2HKZ7Kf3XHiIPf9Z2vtHQjFmqFYno4K0L4H6y8tbQSY=,tag:WrOE+aiQiDDjjFH4oyhwow==,type:str] + lastmodified: "2024-05-24T03:34:07Z" + mac: ENC[AES256_GCM,data:+nJ/wuO5G6pEsCiBNEHOYrbiYyGXXIHu3ZUgEVwqLQ10W94EOGLUto61IGtkapk4xmaHYAVmUlq76g2hRGrndLVlUthGnEc5QoQKZoUmrxK7ux1R2ubv0s1k+l2HpRerr/I8X+hHyV0fdxT6ivkpq6OsEzHDnxgewDvYNZGQS4k=,iv:TuzO1Yo0MPms5RrG8+GbwSCOILp9BF7Jsv5JvcAPwFw=,tag:fUNc+ccQDE/jcMLuQ4thCQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/devices/surface/default.nix b/devices/surface/default.nix index 2850776b..f6288f6e 100644 --- a/devices/surface/default.nix +++ b/devices/surface/default.nix @@ -30,7 +30,7 @@ inputs: }; nixpkgs.march = "skylake"; grub.installDevice = "efi"; - nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ]; + nix = { substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ]; githubToken.enable = true; }; kernel = { variant = "xanmod-lts"; patches = [ "cjktty" "lantian" "surface" "hibernate-progress" ]; }; networking.hostname = "surface"; gui.enable = true; diff --git a/devices/surface/secrets.yaml b/devices/surface/secrets.yaml index 59447b53..edb96457 100644 --- a/devices/surface/secrets.yaml +++ b/devices/surface/secrets.yaml 
@@ -2,6 +2,8 @@ xray-client: uuid: ENC[AES256_GCM,data:WEBAH3PQM5ahNpH/kvTtcjcJ2GllmmRlBR2oclG6AimGenSg,iv:TMp0WTOe9fuELSZoVGenl5XSZUFoiYUBEMWMn4NFv1g=,tag:GJTE0EELcZkrnGAKLYer1g==,type:str] wireguard: privateKey: ENC[AES256_GCM,data:P/tyZHaEAahZUBF22dJEZb6mACm/wmUunPDG0vS7SNW3sWbzxRSut0haR/g=,iv:8VMv5iotmDrYDLiszcOvJHkD8l6uE+SboPSILr6KuzU=,tag:U/FIBhvghwDTvFtUWEqr4g==,type:str] +github: + token: ENC[AES256_GCM,data:SyqrpFfy+y7syReWs0Bi23651ew41Us8aqjImBTzkDanOtWQgIYC6g==,iv:H3Y/TuP3VvZv6MlRAdLOY0CiNUeoqGZRNg0s58ZSkQ8=,tag:rSf4E8Whvue/LZ+VlSqDDQ==,type:str] sops: kms: [] gcp_kms: [] @@ -26,8 +28,8 @@ sops: a2xybTRFUFZZN20zajZJTVNwVEpGcEEKglmFMk7z1q5IlZ+lZf9M0HtknmvcYt/P 2/z5e8wLN1Hy0Zsbv0yIL/NmqwxAOGJOdzz7ElJszk/Y4kUr9aRasg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-02-16T14:25:17Z" - mac: ENC[AES256_GCM,data:lpZ+Jd5LF35ESBOmOoq7pbNHze7rJiQsiq8cOgf8+cWnAqVh1bccG0cFe7R8uBhmuKIqp7TwkORDFuD+KFCZW14cbR4SP3vndSoYzKxIBdKTObR95w2ETst+prUtQ3fvFeEtlJexeljikfprWf2pGo1OzPophAyocgT31z2iMjs=,iv:Bryz+kqRvXYPj6YuxeDhQfLsgYqHXrA+lHFX18m2GGE=,tag:A7mvmguWoOir2JoIprgL4A==,type:str] + lastmodified: "2024-05-24T03:36:38Z" + mac: ENC[AES256_GCM,data:Dv6WO5K0GFVm4Rt+GjXeE1vwqlPkP+kmRCGU41rbSR3YBcL8mkpBRQQXJiMU99cQQMK/rCGy+k91fhGnG5xFT/FdEZF8qUjRHPZ5MdWCjPOuY/LrXWnSnwwJa2neQLFH/ToUkNaGHCk/FngnZ/e0U43Rnwt3iHRDBG3io8oDY0M=,iv:Jf5EtkTuf/MFDq6UiOo8/31ev5zBiaP9WnlgsUgK5Y4=,tag:r6ql+UbXbG5A1vtbsGXnJQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/modules/system/nix.nix b/modules/system/nix.nix index 8d9fd8ea..9495e188 100644 --- a/modules/system/nix.nix +++ b/modules/system/nix.nix @@ -24,6 +24,7 @@ inputs: hosts = mkOption { type = types.listOf types.nonEmptyStr; default = []; }; }; }; + githubToken.enable = mkOption { type = types.bool; default = false; }; }; config = let inherit (inputs.config.nixos.system) nix; in inputs.lib.mkMerge [ 
@@ -143,6 +144,19 @@ inputs:
 };
 sops.secrets."nix/remote" = {};
 })
+ (inputs.lib.mkIf nix.githubToken.enable
+ {
+ nix.extraOptions = "!include ${inputs.config.sops.templates."nix-github.conf".path}";
+ sops =
+ {
+ templates."nix-github.conf" =
+ {
+ content = "access-tokens = github.com=${inputs.config.sops.placeholder."github/token"}";
+ mode = "0444";
+ };
+ secrets."github/token" = {};
+ };
+ })
 # c++ include path
 # environment.pathsToLink = [ "/include" ];
 # environment.variables.CPATH = "/run/current-system/sw/include";
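Review bot: `mode = "0444"` on the `nix-github.conf` template makes the rendered file readable by every local user and service on the host, and after sops substitution that file holds the GitHub token in clear text. If only some accounts need to run Nix against GitHub, restrict it with the template's group option, e.g. `mode = "0440"; group = "<nix-users-group>";` (placeholder group name), and add a comment saying why the file cannot be root-only. World-readability may be deliberate here, since the included file is presumably read by whichever user invokes nix. In that case the token should be fine-grained and read-only with no write or admin scopes, and ideally separate per device so one host's token can be revoked on its own. The enclosing `mkMerge` list starts and ends outside the hunk.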