From 150089a583823e1d641495d1330fec209c57db5c Mon Sep 17 00:00:00 2001 From: h7x4 Date: Tue, 6 May 2025 13:05:11 +0200 Subject: [PATCH] {common,home}/nix: finegrained tokens --- home/programs/nix.nix | 29 +++++++++++++++++++++++------ hosts/common/nix.nix | 25 +++++++++++++++++++++---- secrets/common.yaml | 6 ++++-- 3 files changed, 48 insertions(+), 12 deletions(-) diff --git a/home/programs/nix.nix b/home/programs/nix.nix index b9775c4..c40f325 100644 --- a/home/programs/nix.nix +++ b/home/programs/nix.nix @@ -1,15 +1,32 @@ -{ config, ... }: +{ config, lib, ... }: { sops = { secrets = { - "nix/access-tokens/github" = { sopsFile = ../../secrets/common.yaml; }; - "nix/access-tokens/pvv-git" = { sopsFile = ../../secrets/common.yaml; }; + "nix/access-tokens/github" = { sopsFile = ./../../secrets/common.yaml; }; + + "nix/access-tokens/pvv-git" = { sopsFile = ./../../secrets/common.yaml; }; + + "nix/access-tokens/github-nordicsemi" = { sopsFile = ./../../secrets/common.yaml; }; + "nix/access-tokens/bitbucket-nordicsemi" = { sopsFile = ./../../secrets/common.yaml; }; }; templates."nix-access-tokens.conf".content = let inherit (config.sops) placeholder; - in '' - access-tokens = github.com=${placeholder."nix/access-tokens/github"} git.pvv.ntnu.no=${placeholder."nix/access-tokens/pvv-git"} - ''; + + tokens = { + "github.com" = placeholder."nix/access-tokens/github"; + + "git.pvv.ntnu.no" = placeholder."nix/access-tokens/pvv-git"; + + "bitbucket.nordicsemi.no" = placeholder."nix/access-tokens/bitbucket-nordicsemi"; + "github.com/NordicPlayground" = placeholder."nix/access-tokens/github-nordicsemi"; + "github.com/NordicSemiconductor" = placeholder."nix/access-tokens/github-nordicsemi"; + }; + in "access-tokens = ${lib.pipe tokens [ + lib.attrsToList + (builtins.sort (p: q: p.name > q.name)) + (map ({ name, value }: "${name}=${value}")) + (builtins.concatStringsSep " ") + ]}"; }; nix = { diff --git a/hosts/common/nix.nix b/hosts/common/nix.nix index 8be1d52..3007611 100644 
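Review bot: The descending comparator in `builtins.sort (p: q: p.name > q.name)` carries intent that is not written down: it puts the path-scoped `github.com/NordicPlayground` and `github.com/NordicSemiconductor` entries ahead of the host-wide `github.com` entry, and a later reader is likely to "simplify" it to ascending order. If I recall correctly, current Nix picks the longest matching prefix regardless of order, so the sort presumably only matters on older releases; either way a why-comment above the sort line, e.g. `# descending: path-scoped github.com/<org> entries must precede the bare github.com entry`, would protect it. The same `tokens` attrset and `lib.pipe` expression are duplicated verbatim in the `hosts/common/nix.nix` hunk of this patch; pulling the attrset into one shared file would keep the two copies from drifting when a token is added to only one of them.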
--- a/hosts/common/nix.nix +++ b/hosts/common/nix.nix @@ -1,4 +1,4 @@ -{ config, unstable-pkgs, ... }: +{ config, lib, unstable-pkgs, ... }: { imports = [ ./nix-builders/bob.nix @@ -9,13 +9,30 @@ sops = { secrets = { "nix/access-tokens/github" = { sopsFile = ./../../secrets/common.yaml; }; + "nix/access-tokens/pvv-git" = { sopsFile = ./../../secrets/common.yaml; }; + + "nix/access-tokens/github-nordicsemi" = { sopsFile = ./../../secrets/common.yaml; }; + "nix/access-tokens/bitbucket-nordicsemi" = { sopsFile = ./../../secrets/common.yaml; }; }; templates."nix-access-tokens.conf".content = let inherit (config.sops) placeholder; - in '' - access-tokens = github.com=${placeholder."nix/access-tokens/github"} git.pvv.ntnu.no=${placeholder."nix/access-tokens/pvv-git"} - ''; + + tokens = { + "github.com" = placeholder."nix/access-tokens/github"; + + "git.pvv.ntnu.no" = placeholder."nix/access-tokens/pvv-git"; + + "bitbucket.nordicsemi.no" = placeholder."nix/access-tokens/bitbucket-nordicsemi"; + "github.com/NordicPlayground" = placeholder."nix/access-tokens/github-nordicsemi"; + "github.com/NordicSemiconductor" = placeholder."nix/access-tokens/github-nordicsemi"; + }; + in "access-tokens = ${lib.pipe tokens [ + lib.attrsToList + (builtins.sort (p: q: p.name > q.name)) + (map ({ name, value }: "${name}=${value}")) + (builtins.concatStringsSep " ") + ]}"; }; nix = { diff --git a/secrets/common.yaml b/secrets/common.yaml index 5ea2a96..6a8dda6 100644 --- a/secrets/common.yaml +++ b/secrets/common.yaml 
@@ -2,6 +2,8 @@ nix:
 access-tokens:
 github: ENC[AES256_GCM,data:reARhNXlxTugP0dRS+PjMUOIYUDzlD7CW7If4F26uM9PEO+6N+KvT0MyuI/eSMaX+bEKWfi+HaZ/SyLw1Pjvretzot9lVqFWG7OrLE4iT+1WCccmwtvbc5Ppl+i2,iv:9pCveUmjl4nKCaLzo+Ybfi6rpzKCxGNRbyRUWUpTNkg=,tag:LT9zUc5C4hqcsVQE+Bfnjw==,type:str]
 pvv-git: ENC[AES256_GCM,data:fp8utMv7PLrz8LkDvvG7GVY4SiDFOgX8YF1M/hpZyGj9H6pDDvtOTw==,iv:FJmw6Tq81IECxQaJZc9u5gxIWse3OvCF7x7dmJ+m4pg=,tag:hdrsJtFhaj5W5PYTUDRx+g==,type:str]
+ github-nordicsemi: ENC[AES256_GCM,data:tq3XWh2KwLfU3Xwoc3d90cZ34UrM//HyJdbdzJXJstldHE8jIp54Cg==,iv:L4OYYjfWvsQ8LrzE6KAwDmQTXY1gWmtvJrEIa+HEnyE=,tag:jrwtyoA6ORbATXP124OfRg==,type:str]
+ bitbucket-nordicsemi: ENC[AES256_GCM,data:WAJCMJtzuY2Nf2AbutmOu+lz9s337XNiEWjxG3Rdu42asom8hwv0sowA5aI=,iv:0j4DL1ICcl/6vSEh0mKNiYPo0e2PG2tOtWfDktBPZ5U=,tag:jWivhDFFXOic0YGrkMSppg==,type:str]
 wstunnel:
 http-upgrade-path-prefix: ENC[AES256_GCM,data:3WG+fu+XXFDgHuEEosWtZKMj51Ks1QIdgWRRsX6RVre8+0t7/4bICoVYtaMSWwMAjH03tt5i1Af1orlKT72gvQ==,iv:syXhMVHwWf9H+HHBhNDq1Y1df9t6VitqhPEqruTnBRA=,tag:1RNmL50z6v4X/cVxkAAvew==,type:str]
 ssh:
@@ -85,8 +87,8 @@ sops:
 WHNjUGdPc1VKNDVoeGVLOUpRcW9JakEKxUfhyC9vhXMkkJwlrV1u9SuxThhmka0E
 tMbzyqHxFxT4cZScaIDxAl5P8W6mpqmpaN+l/RT+ozeS5FY6+iMVKA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-03-13T14:05:53Z"
- mac: ENC[AES256_GCM,data:ftoKk3mBVdRn16HGEq5kklw0/RTWpyjneBT2PJUUaGy4u0fWJy8ZfcIcoG+2WekiSFwWBab4kcFHr5KfXX+XEn1Y2brdcirCXr2PdrmccGxyvSiEy/C6OUrB9KiFqpf4tmx3IbYimlxBSE5uQStQATdGWu7cM+hsrW9j5wzWlUU=,iv:jmJHVMZqyf7xTFry76ywN2Yt++2sG/mWsBvaLONGoM4=,tag:19C+PS8tTRVUaqrlQnoDeQ==,type:str]
+ lastmodified: "2025-05-06T09:19:20Z"
+ mac: ENC[AES256_GCM,data:u4JVYXJtPUNzByhLlKnVDic47G68r6mtd8RvPeuktrAXsid/DdHLU51yDbGCSizcePxstpQi83m4r/9ZvkYEGkyv4DFG4I+gLr2mqlqEUm9AMjYt4rk0nrZVWzvob8D47MAy2zc3N8ojMgJuEy4xRQKbJvsBdXrQjj0BC7TnuuY=,iv:cMoV4lBOcPgG5iE4ht/Y9ZRpH5TGRDvIbGKCrCrBeGc=,tag:TwJpFt0oAEQ+Oc8+mGnVwg==,type:str]
 pgp:
 - created_at: "2025-04-02T10:09:05Z"
 enc: |-