system.nix: add github token support

2024-10-23 06:18:52 +08:00 · 2024-05-24 11:41:09 +08:00 · 2024-05-24 11:41:09 +08:00 · d00729a7bf
commit d00729a7bf
parent 0743dc3255
5 changed files with 24 additions and 5 deletions
--- a/devices/pc/default.nix
+++ b/devices/pc/default.nix
@ -51,6 +51,7 @@ inputs:
            "alderlake"
          ];
          remote.master = { enable = true; hosts = [ "xmupc1" "xmupc2" ]; };
+          githubToken.enable = true;
        };
        nixpkgs =
          { march = "znver4"; cuda = { enable = true; capabilities = [ "8.9" ]; forwardCompat = false; }; };
--- a/devices/pc/secrets/default.yaml
+++ b/devices/pc/secrets/default.yaml
@ -20,6 +20,8 @@ mariadb:
    slurm: ENC[AES256_GCM,data:fGvNMmqk7Cee28VJ1QoBVrBbgIUbj/F1W0SRjdP8N4K/M8Wx4AVm1kAr0IAhPWyDLXlIjM1NUvuEV5BpYDBdjg==,iv:rFTMJ4x2kgENQUA8ftSaLjdOc25i5mWR3UYbdq54vjs=,tag:6feD0eCSv7bcHWBveLNJwg==,type:str]
 nix:
    remote: ENC[AES256_GCM,data:uosYkxTCB0wiY+Uufk//OcBZFN3EzbZoQGZ95M9eZMjQ5AobAZqosi4laE+EMcZL1CqYqlWXaSoEUOB8biUaZPseo+1AX1TlmUgZ7QpkfOX0VKZu01C6C+lVyqVqMFq6z1BFyX/oeITMIfnd4a/2KwJCHLAZ4hMkJ5p+aJwByKGa3N/2m41HH/1S3z7pYQWj7YJxunTPPG6WNSiRncQki11rvmddwnXmsBF89+jW1Phge8U295haC57T5oIGPxR645IeTK4ZUlL8eVuZ+BhsnwbkYcaxvjSwe+DOIVPupR8GW+gis7KxwE89kqvnQhinamexcPUz4lGHlqO/Xn6jrJx6T/wXF+19epAzeHapYte3dTWNsdPwPLPJihT16YT5fwrLnH3zq8kexWz1crmnCGUoaBs4S2tHWHLgv2lTv0IHLx5F6ijpDBj/Avg9YILIURzdeea+rBxdycHasUDTVlJtYKRH5J+WbAKWI+oJ5qmXjIRUYL+O9xIUfOGO+1b3xs8MYxRWuvDV2P88N8vN,iv:yQQp5wjbSVn1oia5yL7d6GF9Vo704G0iOQRGMbzQHzg=,tag:bpBag5y5n+7ojOa8QOcDvA==,type:str]
+github:
+    token: ENC[AES256_GCM,data:59z1zSofzUyv2Qfn8oS7dZplzJDtOD/zxhPm07MLbVLHt8mE57IGcw==,iv:nZ4JmIE1h496RN6BChvqo7XWHjur76jP4HMgqGBbMJQ=,tag:pUSGsofG7hvkvJxCRwkg1Q==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -44,8 +46,8 @@ sops:
            OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
            +K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-10T08:52:21Z"
-    mac: ENC[AES256_GCM,data:TMh3ec147fws+lwh2Q7YpZOvvLjQFuUZYcNZO1/1eVuYx7ST+E+pqxVq3IotMfPw8UW7nSGJCDWkpb/ApK1XNV4gguDaYzHPCr+IQlm6oNEsTqbdiPo+wESfWHOc749xqrXugBuROrk7paDenj4WtsePPfT0jDjNbvvKNmgV4Dg=,iv:2HKZ7Kf3XHiIPf9Z2vtHQjFmqFYno4K0L4H6y8tbQSY=,tag:WrOE+aiQiDDjjFH4oyhwow==,type:str]
+    lastmodified: "2024-05-24T03:34:07Z"
+    mac: ENC[AES256_GCM,data:+nJ/wuO5G6pEsCiBNEHOYrbiYyGXXIHu3ZUgEVwqLQ10W94EOGLUto61IGtkapk4xmaHYAVmUlq76g2hRGrndLVlUthGnEc5QoQKZoUmrxK7ux1R2ubv0s1k+l2HpRerr/I8X+hHyV0fdxT6ivkpq6OsEzHDnxgewDvYNZGQS4k=,iv:TuzO1Yo0MPms5RrG8+GbwSCOILp9BF7Jsv5JvcAPwFw=,tag:fUNc+ccQDE/jcMLuQ4thCQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/devices/surface/default.nix
+++ b/devices/surface/default.nix
@ -30,7 +30,7 @@ inputs:
        };
        nixpkgs.march = "skylake";
        grub.installDevice = "efi";
-        nix.substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
+        nix = { substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ]; githubToken.enable = true; };
        kernel = { variant = "xanmod-lts"; patches = [ "cjktty" "lantian" "surface" "hibernate-progress" ]; };
        networking.hostname = "surface";
        gui.enable = true;
--- a/devices/surface/secrets.yaml
+++ b/devices/surface/secrets.yaml
@ -2,6 +2,8 @@ xray-client:
    uuid: ENC[AES256_GCM,data:WEBAH3PQM5ahNpH/kvTtcjcJ2GllmmRlBR2oclG6AimGenSg,iv:TMp0WTOe9fuELSZoVGenl5XSZUFoiYUBEMWMn4NFv1g=,tag:GJTE0EELcZkrnGAKLYer1g==,type:str]
 wireguard:
    privateKey: ENC[AES256_GCM,data:P/tyZHaEAahZUBF22dJEZb6mACm/wmUunPDG0vS7SNW3sWbzxRSut0haR/g=,iv:8VMv5iotmDrYDLiszcOvJHkD8l6uE+SboPSILr6KuzU=,tag:U/FIBhvghwDTvFtUWEqr4g==,type:str]
+github:
+    token: ENC[AES256_GCM,data:SyqrpFfy+y7syReWs0Bi23651ew41Us8aqjImBTzkDanOtWQgIYC6g==,iv:H3Y/TuP3VvZv6MlRAdLOY0CiNUeoqGZRNg0s58ZSkQ8=,tag:rSf4E8Whvue/LZ+VlSqDDQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -26,8 +28,8 @@ sops:
            a2xybTRFUFZZN20zajZJTVNwVEpGcEEKglmFMk7z1q5IlZ+lZf9M0HtknmvcYt/P
            2/z5e8wLN1Hy0Zsbv0yIL/NmqwxAOGJOdzz7ElJszk/Y4kUr9aRasg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-02-16T14:25:17Z"
-    mac: ENC[AES256_GCM,data:lpZ+Jd5LF35ESBOmOoq7pbNHze7rJiQsiq8cOgf8+cWnAqVh1bccG0cFe7R8uBhmuKIqp7TwkORDFuD+KFCZW14cbR4SP3vndSoYzKxIBdKTObR95w2ETst+prUtQ3fvFeEtlJexeljikfprWf2pGo1OzPophAyocgT31z2iMjs=,iv:Bryz+kqRvXYPj6YuxeDhQfLsgYqHXrA+lHFX18m2GGE=,tag:A7mvmguWoOir2JoIprgL4A==,type:str]
+    lastmodified: "2024-05-24T03:36:38Z"
+    mac: ENC[AES256_GCM,data:Dv6WO5K0GFVm4Rt+GjXeE1vwqlPkP+kmRCGU41rbSR3YBcL8mkpBRQQXJiMU99cQQMK/rCGy+k91fhGnG5xFT/FdEZF8qUjRHPZ5MdWCjPOuY/LrXWnSnwwJa2neQLFH/ToUkNaGHCk/FngnZ/e0U43Rnwt3iHRDBG3io8oDY0M=,iv:Jf5EtkTuf/MFDq6UiOo8/31ev5zBiaP9WnlgsUgK5Y4=,tag:r6ql+UbXbG5A1vtbsGXnJQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/modules/system/nix.nix
+++ b/modules/system/nix.nix
@ -24,6 +24,7 @@ inputs:
        hosts = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
      };
    };
+    githubToken.enable = mkOption { type = types.bool; default = false; };
  };
  config = let inherit (inputs.config.nixos.system) nix; in inputs.lib.mkMerge
  [
@ -143,6 +144,19 @@ inputs:
      };
      sops.secrets."nix/remote" = {};
    })
+    (inputs.lib.mkIf nix.githubToken.enable
+    {
+      nix.extraOptions = "!include ${inputs.config.sops.templates."nix-github.conf".path}";
+      sops =
+      {
+        templates."nix-github.conf" =
+        {
+          content = "access-tokens = github.com=${inputs.config.sops.placeholder."github/token"}";
+          mode = "0444";
+        };
+        secrets."github/token" = {};
+      };
+    })
    # c++ include path
    # environment.pathsToLink = [ "/include" ];
    # environment.variables.CPATH = "/run/current-system/sw/include";