{common,home}/nix: finegrained tokens

2025-05-06 13:05:11 +02:00
parent 045ca620ea
commit 150089a583
3 changed files with 48 additions and 12 deletions
--- a/home/programs/nix.nix
+++ b/home/programs/nix.nix
@@ -1,15 +1,32 @@
-{ config, ... }:
+{ config, lib, ... }:
 {
  sops = {
    secrets = {
-      "nix/access-tokens/github" = { sopsFile = ../../secrets/common.yaml; };
-      "nix/access-tokens/pvv-git" = { sopsFile = ../../secrets/common.yaml; };
+      "nix/access-tokens/github" = { sopsFile = ./../../secrets/common.yaml; };
+
+      "nix/access-tokens/pvv-git" = { sopsFile = ./../../secrets/common.yaml; };
+
+      "nix/access-tokens/github-nordicsemi" = { sopsFile = ./../../secrets/common.yaml; };
+      "nix/access-tokens/bitbucket-nordicsemi" = { sopsFile = ./../../secrets/common.yaml; };
    };
    templates."nix-access-tokens.conf".content = let
      inherit (config.sops) placeholder;
-    in ''
-      access-tokens = github.com=${placeholder."nix/access-tokens/github"} git.pvv.ntnu.no=${placeholder."nix/access-tokens/pvv-git"}
-    '';
+
+      tokens = {
+        "github.com" = placeholder."nix/access-tokens/github";
+
+        "git.pvv.ntnu.no" = placeholder."nix/access-tokens/pvv-git";
+
+        "bitbucket.nordicsemi.no" = placeholder."nix/access-tokens/bitbucket-nordicsemi";
+        "github.com/NordicPlayground" = placeholder."nix/access-tokens/github-nordicsemi";
+        "github.com/NordicSemiconductor" = placeholder."nix/access-tokens/github-nordicsemi";
+      };
+    in "access-tokens = ${lib.pipe tokens [
+      lib.attrsToList
+      (builtins.sort (p: q: p.name > q.name))
+      (map ({ name, value }: "${name}=${value}"))
+      (builtins.concatStringsSep " ")
+    ]}";
  };

  nix = {
--- a/hosts/common/nix.nix
+++ b/hosts/common/nix.nix
@@ -1,4 +1,4 @@
-{ config, unstable-pkgs, ... }:
+{ config, lib, unstable-pkgs, ... }:
 {
  imports = [
    ./nix-builders/bob.nix
@@ -9,13 +9,30 @@
  sops = {
    secrets = {
      "nix/access-tokens/github" = { sopsFile = ./../../secrets/common.yaml; };
+
      "nix/access-tokens/pvv-git" = { sopsFile = ./../../secrets/common.yaml; };
+
+      "nix/access-tokens/github-nordicsemi" = { sopsFile = ./../../secrets/common.yaml; };
+      "nix/access-tokens/bitbucket-nordicsemi" = { sopsFile = ./../../secrets/common.yaml; };
    };
    templates."nix-access-tokens.conf".content = let
      inherit (config.sops) placeholder;
-    in ''
-      access-tokens = github.com=${placeholder."nix/access-tokens/github"} git.pvv.ntnu.no=${placeholder."nix/access-tokens/pvv-git"}
-    '';
+
+      tokens = {
+        "github.com" = placeholder."nix/access-tokens/github";
+
+        "git.pvv.ntnu.no" = placeholder."nix/access-tokens/pvv-git";
+
+        "bitbucket.nordicsemi.no" = placeholder."nix/access-tokens/bitbucket-nordicsemi";
+        "github.com/NordicPlayground" = placeholder."nix/access-tokens/github-nordicsemi";
+        "github.com/NordicSemiconductor" = placeholder."nix/access-tokens/github-nordicsemi";
+      };
+    in "access-tokens = ${lib.pipe tokens [
+      lib.attrsToList
+      (builtins.sort (p: q: p.name > q.name))
+      (map ({ name, value }: "${name}=${value}"))
+      (builtins.concatStringsSep " ")
+    ]}";
  };

  nix = {
--- a/secrets/common.yaml
+++ b/secrets/common.yaml
@@ -2,6 +2,8 @@ nix:
    access-tokens:
        github: ENC[AES256_GCM,data:reARhNXlxTugP0dRS+PjMUOIYUDzlD7CW7If4F26uM9PEO+6N+KvT0MyuI/eSMaX+bEKWfi+HaZ/SyLw1Pjvretzot9lVqFWG7OrLE4iT+1WCccmwtvbc5Ppl+i2,iv:9pCveUmjl4nKCaLzo+Ybfi6rpzKCxGNRbyRUWUpTNkg=,tag:LT9zUc5C4hqcsVQE+Bfnjw==,type:str]
        pvv-git: ENC[AES256_GCM,data:fp8utMv7PLrz8LkDvvG7GVY4SiDFOgX8YF1M/hpZyGj9H6pDDvtOTw==,iv:FJmw6Tq81IECxQaJZc9u5gxIWse3OvCF7x7dmJ+m4pg=,tag:hdrsJtFhaj5W5PYTUDRx+g==,type:str]
+        github-nordicsemi: ENC[AES256_GCM,data:tq3XWh2KwLfU3Xwoc3d90cZ34UrM//HyJdbdzJXJstldHE8jIp54Cg==,iv:L4OYYjfWvsQ8LrzE6KAwDmQTXY1gWmtvJrEIa+HEnyE=,tag:jrwtyoA6ORbATXP124OfRg==,type:str]
+        bitbucket-nordicsemi: ENC[AES256_GCM,data:WAJCMJtzuY2Nf2AbutmOu+lz9s337XNiEWjxG3Rdu42asom8hwv0sowA5aI=,iv:0j4DL1ICcl/6vSEh0mKNiYPo0e2PG2tOtWfDktBPZ5U=,tag:jWivhDFFXOic0YGrkMSppg==,type:str]
 wstunnel:
    http-upgrade-path-prefix: ENC[AES256_GCM,data:3WG+fu+XXFDgHuEEosWtZKMj51Ks1QIdgWRRsX6RVre8+0t7/4bICoVYtaMSWwMAjH03tt5i1Af1orlKT72gvQ==,iv:syXhMVHwWf9H+HHBhNDq1Y1df9t6VitqhPEqruTnBRA=,tag:1RNmL50z6v4X/cVxkAAvew==,type:str]
 ssh:
@@ -85,8 +87,8 @@ sops:
            WHNjUGdPc1VKNDVoeGVLOUpRcW9JakEKxUfhyC9vhXMkkJwlrV1u9SuxThhmka0E
            tMbzyqHxFxT4cZScaIDxAl5P8W6mpqmpaN+l/RT+ozeS5FY6+iMVKA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-13T14:05:53Z"
-    mac: ENC[AES256_GCM,data:ftoKk3mBVdRn16HGEq5kklw0/RTWpyjneBT2PJUUaGy4u0fWJy8ZfcIcoG+2WekiSFwWBab4kcFHr5KfXX+XEn1Y2brdcirCXr2PdrmccGxyvSiEy/C6OUrB9KiFqpf4tmx3IbYimlxBSE5uQStQATdGWu7cM+hsrW9j5wzWlUU=,iv:jmJHVMZqyf7xTFry76ywN2Yt++2sG/mWsBvaLONGoM4=,tag:19C+PS8tTRVUaqrlQnoDeQ==,type:str]
+    lastmodified: "2025-05-06T09:19:20Z"
+    mac: ENC[AES256_GCM,data:u4JVYXJtPUNzByhLlKnVDic47G68r6mtd8RvPeuktrAXsid/DdHLU51yDbGCSizcePxstpQi83m4r/9ZvkYEGkyv4DFG4I+gLr2mqlqEUm9AMjYt4rk0nrZVWzvob8D47MAy2zc3N8ojMgJuEy4xRQKbJvsBdXrQjj0BC7TnuuY=,iv:cMoV4lBOcPgG5iE4ht/Y9ZRpH5TGRDvIbGKCrCrBeGc=,tag:TwJpFt0oAEQ+Oc8+mGnVwg==,type:str]
    pgp:
        - created_at: "2025-04-02T10:09:05Z"
          enc: |-