Specify access token via file

[Sohalt]

Is your feature request related to a problem? Please describe. I need to specify a github acess-token, if I want to include private repositories as flake inputs. I manage my /etc/nix/nix.conf declaratively on NixOS.

Describe the solution you'd like I would like to keep the access token in a separate file using something like agenix or sops, to not have it end up in the nix store and in version control. An option like acess-tokens-file = /run/secrets/access-tokens would be nice. Ideally I'd be able to specify different access tokens in different files, e.g. acess-tokens-files = github.com=/run/secrets/github-acess-token gitlab.com=/run/secrets/gitlab-acess-token

Describe alternatives you've considered

• Add access-token to ǹix.extraOptions`
  • the token ends up in the nix store (and version control)
• Add access-token to ~/.config/nix/nix.conf
  • This works, if I don't manage user config using home-manager, but it has the downside, that I have a separate secret to keep track of. It would be more convenient to be able to keep the secrets with all other secrets in agenix and use an access-tokens-files option in /etc/nix/nix.conf

[thufschmitt]

Rather than a separate option, we could adopt the same syntax as builders (builders = @/some/file). Maybe even make this a more generic thing

[Sohalt]

That works, if the token never starts with an ´@´. But if that's the case, I'd like the more generic solution.

I guess another option would be to use include /run/secrets/secret-config, although that way the file has to contain more than just the access token.

[colemickens]

I'd also very much like to be able to specify these as separate file references, I guess maybe something like this?

access-tokens = github.com=@/run/secrets/github-acess-token gitlab.com=@/run/secrets/gitlab-acess-token

Any idea how hard this would be to implement? I'd like to be able to throw sops-nix at this since I'm hitting GH rate limits frequently lately.

[thufschmitt]

maybe something like this?

access-tokens = github.com=@/run/secrets/github-acess-token gitlab.com=@/run/secrets/gitlab-acess-token

I guess that'd only work if the tokens can't start with an @, no idea whether that's possible or not. I'd rather go with access-token = @/run/secrets/github-acess-token @/run/secrets/gitlab-acess-token where each file contain the full key-value pair.

[rapenne-s]

I'd also very much like to be able to specify these as separate file references, I guess maybe something like this?

access-tokens = github.com=@/run/secrets/github-acess-token gitlab.com=@/run/secrets/gitlab-acess-token

Any idea how hard this would be to implement? I'd like to be able to throw sops-nix at this since I'm hitting GH rate limits frequently lately.

After thinking about this today, it would be a bad idea to add a semantic to include file content directly into the configuration file value.

However, this would require more work but I think would play a lot nicer with automation and a clear syntax would be to use attributes sets, in which .file would expect a path to read the content and assign to the value. But I have no idea if this is easily doable, nix.conf syntax doesn't seem to allow this easily at first glance.

access-tokens.github.com.file = /run/secrets/github-access-token

[jlesquembre]

It's possible to include other files in nix.conf with include, an example using sops-nix (extracted from my dotfiles):

{
  nix = {
    extraOptions = ''
      experimental-features = nix-command flakes
      !include ${config.sops.secrets.nixAccessTokens.path}
    '';
  };

  sops.secrets.nixAccessTokens = {
    mode = "0440";
    group = config.users.groups.keys.name;
  };
}

Notice the ! before the include. A missing file is an error without it. When you run nixos-rebuild switch, nix.conf is validated, but before sops-nix creates the secret file.

Also, notice that the user running the nix command needs read access to the secret file.

What is not possible with include is to have different tokens in different files, the last access-token declaration overwrites the previous ones.

[Kha]

What is not possible with include is to have different tokens in different files, the last access-token declaration overwrites the previous ones.

That's what extra-access-tokens is for, right?

[jlesquembre]

That's what extra-access-tokens is for, right?

:+1: Right, I missed the extra- part in nix.conf docs. Problem solved, thanks!

[SuperSandro2000]

That works, if the token never starts with an ´@´. But if that's the case, I'd like the more generic solution.

New github tokens always start with ghp_ and gh*_ for enterprise and old ones where alphadecimal IIRC.

It's possible to include other files in nix.conf with include, an example using sops-nix (extracted from my dotfiles):

Noise, trying that out right now.

[tomberek]

Somewhat related, would anyone be interested more specific url matching for the tokens?

[Freed-Wu]

Why not get access-token from other files like ~/.git-credentials or ~/.netrc?

~/.git-credentials

https://user_name:gho_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX@github.com

~/.netrc

machine api.github.com
    login user_name
    password gho_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

[doronbehar]

It would also be nice to be able to set access-tokens via an environment variable.

[terlar]

Technically you can already do that via NIX_CONFIG:

NIX_CONFIG="extra-access-tokens = github.com=github_pat_XYZ" nix ...

[CMCDragonkai]

Where is this extra-access-tokens documented?

[terlar]

It is not directly documented, but it is part of the extra- functionality:

https://nix.dev/manual/nix/stable/command-ref/conf-file#file-format

A configuration setting usually overrides any previous value. However, for settings that take a list of items, you can prefix the name of the setting by extra- to append to the previous value.

And then the option: https://nix.dev/manual/nix/stable/command-ref/conf-file#conf-access-tokens

[amfern]

I just put extra-access-token = github_pat_11AAI7F7Y0c..... into /etc/nix/nix.conf

[SuperSandro2000]

I would argue that https://github.com/NixOS/nix/issues/6536#issuecomment-1254858889 is enough and we don't need an extra feature for this.

[CMCDragonkai]

It's possible to include other files in nix.conf with include, an example using sops-nix (extracted from my dotfiles):

{
  nix = {
    extraOptions = ''
      experimental-features = nix-command flakes
      !include ${config.sops.secrets.nixAccessTokens.path}
    '';
  };

  sops.secrets.nixAccessTokens = {
    mode = "0440";
    group = config.users.groups.keys.name;
  };
}

Notice the ! before the include. A missing file is an error without it. When you run nixos-rebuild switch, nix.conf is validated, but before sops-nix creates the secret file.

Also, notice that the user running the nix command needs read access to the secret file.

What is not possible with include is to have different tokens in different files, the last access-token declaration overwrites the previous ones.

What exactly is:

config.sops.secrets.nixAccessTokens.path

Is that a secure path? I haven't used sops so is that in /run or something?

[Shawn8901]

sops-nix places secrets at /run/secrets and then the secrets name, so in that case /run/secrets/nixAccessToken. .path is pointing to the final secrets place.