
Specify access token via file

Open Sohalt opened this issue 3 years ago • 9 comments

Is your feature request related to a problem? Please describe. I need to specify a GitHub access token if I want to include private repositories as flake inputs. I manage my /etc/nix/nix.conf declaratively on NixOS.

Describe the solution you'd like I would like to keep the access token in a separate file using something like agenix or sops, so that it does not end up in the nix store and in version control. An option like access-tokens-file = /run/secrets/access-tokens would be nice. Ideally I'd be able to specify different access tokens in different files, e.g. access-tokens-files = github.com=/run/secrets/github-access-token gitlab.com=/run/secrets/gitlab-access-token

Describe alternatives you've considered

  • Add access-token to `nix.extraOptions`
    • the token ends up in the nix store (and version control)
  • Add access-token to ~/.config/nix/nix.conf
    • This works if I don't manage user config using home-manager, but it has the downside that I have a separate secret to keep track of. It would be more convenient to keep the secrets with all other secrets in agenix and use an access-tokens-files option in /etc/nix/nix.conf.

Sohalt avatar May 16 '22 13:05 Sohalt

Rather than a separate option, we could adopt the same syntax as builders (builders = @/some/file). Maybe even make this a more generic thing

thufschmitt avatar May 16 '22 15:05 thufschmitt

That works if the token never starts with an `@`. But if that's the case, I'd like the more generic solution.

I guess another option would be to use include /run/secrets/secret-config, although that way the file has to contain more than just the access token.

Sohalt avatar May 16 '22 15:05 Sohalt

I'd also very much like to be able to specify these as separate file references, I guess maybe something like this?

access-tokens = github.com=@/run/secrets/github-access-token gitlab.com=@/run/secrets/gitlab-access-token

Any idea how hard this would be to implement? I'd like to be able to throw sops-nix at this since I'm hitting GH rate limits frequently lately.

colemickens avatar Aug 10 '22 19:08 colemickens

maybe something like this?

access-tokens = github.com=@/run/secrets/github-access-token gitlab.com=@/run/secrets/gitlab-access-token

I guess that'd only work if the tokens can't start with an @, no idea whether that's possible or not. I'd rather go with access-token = @/run/secrets/github-access-token @/run/secrets/gitlab-access-token where each file contains the full key-value pair.

thufschmitt avatar Aug 11 '22 12:08 thufschmitt

I'd also very much like to be able to specify these as separate file references, I guess maybe something like this?

access-tokens = github.com=@/run/secrets/github-access-token gitlab.com=@/run/secrets/gitlab-access-token

Any idea how hard this would be to implement? I'd like to be able to throw sops-nix at this since I'm hitting GH rate limits frequently lately.

After thinking about this today, I think it would be a bad idea to add a semantic that includes file content directly into a configuration value.

However, a clearer syntax, which would require more work but I think would play a lot nicer with automation, would be to use attribute sets, in which .file would expect a path whose content is read and assigned to the value. But I have no idea if this is easily doable; the nix.conf syntax doesn't seem to allow this easily at first glance.

access-tokens.github.com.file = /run/secrets/github-access-token

rapenne-s avatar Sep 22 '22 09:09 rapenne-s

It's possible to include other files in nix.conf with include, an example using sops-nix (extracted from my dotfiles):

{
  nix = {
    extraOptions = ''
      experimental-features = nix-command flakes
      # the leading '!' makes a missing file a no-op instead of an error
      !include ${config.sops.secrets.nixAccessTokens.path}
    '';
  };

  sops.secrets.nixAccessTokens = {
    mode = "0440";                          # owner and group may read, nobody else
    group = config.users.groups.keys.name;  # the group that nix users must belong to
  };
}

Notice the ! before the include. Without it, a missing file is an error, and when you run nixos-rebuild switch, nix.conf is validated before sops-nix creates the secret file.

Also, notice that the user running the nix command needs read access to the secret file.

What is not possible with include is to have different tokens in different files, the last access-token declaration overwrites the previous ones.

jlesquembre avatar Sep 22 '22 10:09 jlesquembre

What is not possible with include is to have different tokens in different files, the last access-token declaration overwrites the previous ones.

That's what extra-access-tokens is for, right?

Kha avatar Sep 22 '22 11:09 Kha

That's what extra-access-tokens is for, right?

:+1: Right, I missed the extra- part in nix.conf docs. Problem solved, thanks!

jlesquembre avatar Sep 22 '22 11:09 jlesquembre

That works if the token never starts with an `@`. But if that's the case, I'd like the more generic solution.

New GitHub tokens always start with ghp_ and gh*_ for enterprise, and old ones were alphadecimal IIRC.

It's possible to include other files in nix.conf with include, an example using sops-nix (extracted from my dotfiles):

Nice, trying that out right now.

SuperSandro2000 avatar Sep 22 '22 12:09 SuperSandro2000

Somewhat related, would anyone be interested in more specific URL matching for the tokens?

tomberek avatar Dec 14 '22 02:12 tomberek

Why not get access-token from other files like ~/.git-credentials or ~/.netrc?

~/.git-credentials

https://user_name:[email protected]

~/.netrc

machine api.github.com
    login user_name
    password gho_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Freed-Wu avatar Jul 08 '23 14:07 Freed-Wu

It would also be nice to be able to set access-tokens via an environment variable.

doronbehar avatar Aug 05 '23 08:08 doronbehar

Technically you can already do that via NIX_CONFIG:

NIX_CONFIG="extra-access-tokens = github.com=github_pat_XYZ" nix ...

terlar avatar Oct 26 '23 08:10 terlar
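The thread settles on three facts about nix.conf: `!include` tolerates a missing secret file where `include` does not (jlesquembre), a plain `access-tokens =` line in a later include overwrites an earlier one while `extra-access-tokens =` appends (Kha), and `NIX_CONFIG` is applied on top of the files (terlar). The following Python block is an added illustration written for this page, not Nix's own parser or any project code; it models those documented rules over a throwaway directory tree and returns what a practitioner would want to verify before trusting a deployment. The paths, file layout, token strings and the `demo`/`load_settings` helper names are constructed for the example; the assumption that a later entry for the same host replaces an earlier one is marked in the code.

```python
"""Model of the nix.conf semantics relied on in this thread: `include` vs
`!include`, `name = ...` replacing a value, `extra-name = ...` appending,
and NIX_CONFIG being applied after the files. Added illustration, not
Nix's own parser; every path and token below is constructed sample data."""
import stat
import tempfile
from pathlib import Path


class ConfigError(Exception):
    """Raised where Nix would refuse the configuration (illegal line, missing include)."""


def apply_config(text, settings, source, base_dir):
    """Apply one nix.conf-style document on top of `settings` (name -> list of words)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # '#' starts a comment
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in ("include", "!include"):
            if len(tokens) != 2:
                raise ConfigError(f"illegal include line in {source}: {line!r}")
            target = Path(tokens[1])
            if not target.is_absolute():           # relative includes resolve against the including file
                target = base_dir / target
            if target.exists():
                apply_config(target.read_text(), settings, str(target), target.parent)
            elif tokens[0] == "include":           # only the '!' form tolerates a missing file
                raise ConfigError(f"file {target} included from {source} not found")
            continue
        if len(tokens) < 2 or tokens[1] != "=":
            raise ConfigError(f"illegal configuration line in {source}: {line!r}")
        name, values = tokens[0], tokens[2:]
        if name.startswith("extra-"):              # extra-<name> appends to a list-valued setting
            settings.setdefault(name[len("extra-"):], []).extend(values)
        else:                                      # a plain assignment replaces the whole value
            settings[name] = list(values)
    return settings


def load_settings(conf_path, nix_config_env=None):
    """Files first, then the NIX_CONFIG environment variable on top of them."""
    settings = apply_config(conf_path.read_text(), {}, str(conf_path), conf_path.parent)
    if nix_config_env:
        apply_config(nix_config_env, settings, "NIX_CONFIG", Path.cwd())
    return settings


def access_tokens(settings):
    """Turn the 'host=token' words of access-tokens into a host -> token map."""
    tokens = {}
    for word in settings.get("access-tokens", []):
        host, sep, token = word.partition("=")
        if not sep or not host or not token:
            raise ConfigError(f"malformed access-tokens entry: {word!r}")
        tokens[host] = token                       # assumption: a later entry for the same host wins
    return tokens


def secret_not_world_readable(path):
    """Deployment check: the token file must carry no permission bits for 'other'."""
    return stat.S_IMODE(path.stat().st_mode) & 0o007 == 0


def demo():
    """Recreate the thread's layout in a temp dir and report each behaviour discussed."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        secrets = root / "run" / "secrets"
        secrets.mkdir(parents=True)
        gh, gl = secrets / "github-access-token", secrets / "gitlab-access-token"
        conf = root / "etc" / "nix" / "nix.conf"
        conf.parent.mkdir(parents=True)
        # 1. One extra-access-tokens line per secret file: both tokens survive.
        gh.write_text("extra-access-tokens = github.com=ghp_CONSTRUCTED\n")
        gl.write_text("extra-access-tokens = gitlab.com=glpat-CONSTRUCTED\n")
        gh.chmod(0o440)
        gl.chmod(0o440)
        conf.write_text(f"experimental-features = nix-command flakes\n!include {gh}\n!include {gl}\n")
        results["appended"] = access_tokens(load_settings(conf))
        results["secret_mode_ok"] = secret_not_world_readable(gh)
        # 2. Plain access-tokens in each file: the last include wins.
        gh.write_text("access-tokens = github.com=ghp_CONSTRUCTED\n")
        gl.write_text("access-tokens = gitlab.com=glpat-CONSTRUCTED\n")
        results["overwritten"] = access_tokens(load_settings(conf))
        # 3. NIX_CONFIG is applied after the files, so it can add a token without editing them.
        env = "extra-access-tokens = github.com=github_pat_CONSTRUCTED"
        results["with_env"] = access_tokens(load_settings(conf, env))
        # 4. A secret that does not exist yet (e.g. before sops-nix has written it).
        gl.unlink()
        results["bang_include_tolerates_missing"] = "gitlab.com" not in access_tokens(load_settings(conf))
        conf.write_text(f"include {gl}\n")
        try:
            load_settings(conf)
            results["include_rejects_missing"] = False
        except ConfigError:
            results["include_rejects_missing"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the five results; the point of `secret_not_world_readable` is that the `mode = "0440"` in the sops-nix snippet above is only half of the requirement, since the user invoking nix must also be in the group that owns the file, which a permission check on the file alone cannot prove.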