gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix: nix gh token

Browse source
This commit is contained in:
arcnmx 2024-03-07 09:49:48 -08:00
parent 68c2b0ff3f
commit ff935b70de
2 changed files with 146 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

75
nixos/base/nix.nix
View file

@ -1,43 +1,56 @@
{ config, lib, pkgs, inputs, ... }:
{
boot.loader.grub.configurationLimit = 8;
boot.loader.systemd-boot.configurationLimit = 8;
nix = {
nixPath = [
"nixpkgs=${inputs.nixpkgs}"
"nur=${inputs.nur}"
"arc=${inputs.arcexprs}"
"ci=${inputs.ci}"
];
registry = {
nixpkgs.flake = inputs.nixpkgs;
nur.flake = inputs.nur;
arc.flake = inputs.arcexprs;
ci.flake = inputs.ci;
{ config, options, lib, inputs, ... }: let
inherit (lib.modules) mkIf mkDefault;
hasSops = options ? sops;
in {
config = {
boot.loader = {
grub.configurationLimit = 8;
systemd-boot.configurationLimit = 8;
};
settings = {
experimental-features = lib.optional (lib.versionAtLeast config.nix.package.version "2.4") "nix-command flakes";
substituters = [
"https://gensokyo-infrastructure.cachix.org"
"https://arc.cachix.org" "https://kittywitch.cachix.org"
"https://nix-community.cachix.org"
nix = {
nixPath = [
"nixpkgs=${inputs.nixpkgs}"
"nur=${inputs.nur}"
"arc=${inputs.arcexprs}"
"ci=${inputs.ci}"
];
trusted-public-keys = [
registry = {
nixpkgs.flake = inputs.nixpkgs;
nur.flake = inputs.nur;
arc.flake = inputs.arcexprs;
ci.flake = inputs.ci;
};
settings = {
experimental-features = lib.optional (lib.versionAtLeast config.nix.package.version "2.4") "nix-command flakes";
substituters = [
"https://gensokyo-infrastructure.cachix.org"
"https://arc.cachix.org" "https://kittywitch.cachix.org"
"https://nix-community.cachix.org"
];
trusted-public-keys = [
"gensokyo-infrastructure.cachix.org-1:CY6ChfQ8KTUdwWoMbo8ZWr2QCLMXUQspHAxywnS2FyI="
"arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY="
"kittywitch.cachix.org-1:KIzX/G5cuPw5WgrXad6UnrRZ8UDr7jhXzRTK/lmqyK0="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"ryantrinkle.com-1:JJiAKaRv9mWgpVAz8dwewnZe0AzzEAzPkagE9SP5NWI="
];
auto-optimise-store = true;
trusted-users = [ "root" "@wheel" ];
auto-optimise-store = true;
trusted-users = [ "root" "@wheel" ];
};
extraOptions = mkIf hasSops ''
!include ${config.sops.secrets.github-access-token-public.path}
'';
gc = {
automatic = mkDefault true;
dates = mkDefault "weekly";
options = mkDefault "--delete-older-than 7d";
};
};
gc = {
automatic = lib.mkDefault true;
dates = lib.mkDefault "weekly";
options = lib.mkDefault "--delete-older-than 7d";
${if hasSops then "sops" else null}.secrets.github-access-token-public = {
sopsFile = mkDefault ../secrets/nix.yaml;
group = mkDefault "users";
mode = mkDefault "0644";
};
};
}

102
nixos/secrets/nix.yaml Normal file
View file

@ -0,0 +1,102 @@
github-access-token-public: ENC[AES256_GCM,data:N1xzd5ULEYWgYNJkX5V4ofU4uFPTToPCank1jDjcd10LPIvJZZKry6eA0oWOpl6oPRyjTWoVi8JT2cmuuLoKz3FfV38dds1OuMxzvcfSLn6ukeQh9OMy4wLSkHWYRSH4vbF1bCHRJwlxv1zqNQ43fZLn3Ukgb8UHw9LeXUu+KiuQL9XtEKU/qK6HBOY3vxzorDuutL1CWWeD0csKWeA01UjJf1Ey5MmI0ZxFYeKZwQbbxlNN+t6ZaMg4tJ4dfQDTIKcs5/UdWLK/JLozXkaGDOTnIlvXtyKaLmjq8UTTsatguT31562OYUnLc0BuzaGDew==,iv:bZNOj/lhU35sKLgt9taowQJNlMoUpMoLZ76QyOK/HMM=,tag:VS2UxfRD6HF0waknya4kSA==,type:str]
sops:
shamir_threshold: 1
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCMmlUVHF4cS8ycWhsK3pV
MWhBbXJjYzYrb2tWcWUyZnlZeTE2OGNjS1FnCkxVbTZVMURDclRQMERWZkxRRHRD
cXRXdW5va3h3SjFsckk5MlZmWVFzVG8KLS0tIFpGU3VoWFp5dGtjczdLK0c3ejRB
YlUwS251L1pwUGpPOGJxSnhPSTI2SFUK59ZaWOL/HI37B2BwrLK4BoDD10iWXi+m
/eOhNF1XzowvSU0G8lHGes3uMCPabs9SZ8dW0+T+eKZXH+5uDr2e2w==
-----END AGE ENCRYPTED FILE-----
- recipient: age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDcTRHbDB4TXQ0bVlSejhu
dkpOVXBISnl3S3pjVmppZzl1c3VTMDQvbEM0CndvN0x2WGhoT0lLeTQ5ekc2OVpz
Uzh1Z1RrbGdaNVZOREtraGcvWHpLQWMKLS0tIDExd2ZWTjh4TWpaQ1M1M0t5VWZD
ZG45YkhlTng2bHhMbGp1ZS9ISzR2bHcK1suDXGZO9IP7NWLqImee7PZoXsY99j+6
+CoH2IAUvqnykTGhV6PdLrjfNuya3AypN6fw5HZBDMmWRVaHwFzsQg==
-----END AGE ENCRYPTED FILE-----
- recipient: age10t6kc5069cyky929vvxk8aznqyxpkx3k5h5rmlyz83xtjmr22ahqe8mzes
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4ZnF6cG5BQXV5RGQ4aEJO
QzNmU09qSGlYY0wxQk13OXhxOU05cmZnM2lzClFVWklBVFUrMlVPa0MrYW1JekVn
dm8zQmlhWENQYkdhRmtpMCtiNG1ncVkKLS0tIDBrZlRyZlhLVTQycTRzaGp5UDJp
U1Q2cEJpSTlSYklZNDhFRDh3ekh6MUUK/+SANslFoRfZlCPNvJeabvWt5ZBrGqY7
F8uWbzGDSv4yByRIxJzrrQr2INgRHro/qOVccxErx876XK8keamdVw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnRDArODY4Zit5Q2F3L0Jy
THZvNWtTMnNVVFpCOWVWSE9GQUFCT3QybFYwCndFVVFydDZvQ2drQkFEQ2x0R3Bn
UGlnamFsdllablRHNHpMemdLbllKWjAKLS0tIDFUNDdYaUxzWTJTUFgxT2FzaU5U
M042VWI3N0NleFFXbUxFSDFXaVJ4U0kKRO2eZ01r5JMVTvEgaAP0Vp3g4r+Ff7sx
0zD2dpvUwo6Ft10lFCfuIcmvmkTK7ClA1BslAJT3fwJGpxAFVczvJA==
-----END AGE ENCRYPTED FILE-----
- recipient: age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZFlXVzV1N0ZTRlVLMXhz
MGFUV3drQVBTVTlvbWp1V2JaRytzdE44bVVrClJUVXBZN3VBLzJLZHZ5ZFY2U0Qz
WEtlWVd5OWJOODN2S29XSHRISkpMdTQKLS0tIFRqemVFWldXYTFtUVYwbkNQNGVZ
QlFic3RWYjJEUkZ6U0xrdkpmTndOTU0Kk/Om4gH4KvcJD2ktwVWlHi2a0Rx0arUm
W2PWZgsgjknWiPU9LGV47BfFo1aevbMsOYkdyiDyNwrUX3RKD5uehw==
-----END AGE ENCRYPTED FILE-----
- recipient: age13qgddr326g5je0fpq2r3k940vsr3fh9nlvl9xtcxk3xg2x0k3vsq7pvzaj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNXdocVYzTU9yNk41R1RB
UkdNNkI3T0szZ3BNY09EUVN0cUNBWDJ0VlRrCi9wNGpjcXR2ci9NQWYrdkxUd2lI
OG1RbHBoUlNHOHhlaGw3RWtwTTBQZzQKLS0tIEhWWjVxTkdOWFRDd1pnMjZ3bWVR
NitvR2lhMUZrQThRWFJLOVViSkM4eEEKi/aEGz+xaCnLdpA6byTHOU3ZTKg7MQBg
3tX22oDoRRnRGBj/t+/m5jVb/ejjDtli3T3VZQ1sCDPdjb2bpKwhPg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-07T17:38:57Z"
mac: ENC[AES256_GCM,data:bfEjoQIXO8/fUZBvb+vV6sEdh/Bd4yulVV63gJhDdZPIRTrSeuhRmKubqf39affw2KYkWDd9GD7+CKQGc3ivaWtyaBHOxjI2RUb330N3H4xIUbYltwLSeHwVZIMB2wiDb2DfN2EScTaMgktAQaVMjcj9w6UQ0XeAicfQdANKbus=,iv:8xJf8kOA2AuvcPaqbQ7wwoC+DMCLYAhBzusTJu0OjW0=,tag:wahF3zrdi/A1RUwNEQRhYw==,type:str]
pgp:
- created_at: "2024-03-07T17:28:24Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA82M54yws73UAQ/8CW2ELfj/W5vLXTrxfmMAMt1SICVXk5/DCU/6fprp5hXk
qsZZzZ0R8TP/QmbwGGLxUAUryROCcXMNk1+x4/840ALuSEkO6JwI1iilDLzYW8xr
ZITNaY6s4btlvFH92lAJkCqtNL9d+cCwZooE0Rq6OQRe0OM4hXOA2M7T0wPEW6At
IqVzJ1GCJ2qcVv0jR9FVPHNHcyHa8Q2aKwLvfgKAkRFdy+f5GicKcdK6wFbuMRRk
I8jdcV7uabCnWcD+n9UUFlnJApWoOiOVsVZNOgp2CsbwlEJevEqaul1Aa12Z6OmP
Q0/oH06emZK/4hIUHBLGWCktaU98i3KKodYv+yOtgY7uG+k289r+JYCD8/HtV8OI
+YRpGzi5wMbJ/lE/zqaBVibv2e0MbqVVdzWkJ1YQ9zKGsQMEfbm3zHE3aooBNX8w
robzqbnW33Xe9/WYGJd6CIWAdnvC6p3GX9TXJbNtdB4weKWQat9FlxWdKt0z2A3F
h52Rv65jKAtsVaQsgJCQiUzURNH9mBUBoNZ7iQWHSNoaOTySZ0ZKvFyfa0vKg+F1
SKBMc+gDcxeC/dsGcs4Pcc3/xzRNvTHoCWzUqTt96LDWyKBZyb41wnJj+5SJ6U1E
gT4QoLeHejSOfncRHuM0lRyXvoQWL9cv4uZD4lZiI2YZMxKhmn5jQFYB0m4pc9TS
XgFp3pvlQzKLQ+mmNu4Hv4x92TQAKkT2QdvGeacxBxi2PL5zbe1XnKBDiQ7aq1YB
Td0ZSF/DqAUPd7Crr3s9DXx7LW1J7k0hDsI7r3/0qz7Z2yDs8f88tr3JgOfwVb4=
=f5zj
-----END PGP MESSAGE-----
fp: CD8CE78CB0B3BDD4
- created_at: "2024-03-07T17:28:24Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMA2W9MER3HLb7AQgAr8nG6rV8LxyTFYLJYuLv4K2jtJ7QMZiUMXcaLo50XHUp
1e17lmmHt9qByT0dXV7CR69BIw235i61xFyciaSbEb3bzHBh14EdPYZyV54GxQoM
qxZ4x48dBw/ECBOm8G8D3DFtrLJ7Ws8/EYW2eg7/la6/d1v57oU14iEMqxmX2iZH
kc7yDHT0IFe4kX4Tdb7DHLY8eG3ePn5u53Af8wF6Ic9mshlrpK8bi1V2yIgoWo1e
liGZoD380P/Fmdz7fgOnBmCL58lmR4vWHw9USjyVH+/v4D25XrhIWqjCACFhOF9m
iROwqHH9ViLPHJiHD9ZINKi4R8tB8q4qV4rcXI1ZKdJeAUSlqJkHYMvVcdMQdk5K
+VDySZohhnC0tLgQ23tcn3ZzlWBJ+IQ9fWarrjcdpVTVZdtaEwSsM7oR8q9dc+qP
3m4gyHzf1XR5UGE6+ttiT3o/nWxPtR2bDVTxAe8FWQ==
=D+dA
-----END PGP MESSAGE-----
fp: 65BD3044771CB6FB
unencrypted_suffix: _unencrypted
version: 3.8.1