`nix.conf`: Handle `access-tokens` expiring.
Lehmanator opened this issue · comments
Sam Lehman commented
Problems:
- When a token specified in `access-tokens` in `nix.conf` expires, updating NixOS configs to use the new token becomes a pain because `nixos-rebuild` wants to fetch data from the GitHub API using the expired token, which fails.
- Tokens are stored in secrets, so we can't read them as strings into Nix configs.
- Token secrets must be prefixed with `access-tokens = github.com=`
Possible Solutions:
- Set environment variable before running `nixos-rebuild`
- `nixos-rebuild` CLI flag/option to specify one of:
  - new token directly?
  - `nix.conf` option `access-tokens`
  - `nix.conf` to run command with?
Module: nixosModules.git-tokens
- Specify tokens, with their expiration date
- Service to periodically test `access-tokens` for expiration/revocation before expiration date
- Command/package to update `access-tokens` automatically. Terranix?
- Activation script to warn user of upcoming expiration
Module: flakeModules.git-repo-self
- Specify upstream git repo for flake.
- Specify username on git forge.
- Add/use repo secrets on GitHub / git forges
- Wrap `nixosConfigurations` with configs to use the tokens/secrets.
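
An added example, not part of the issue or of Nix itself: one way to realise the "set environment variable before running `nixos-rebuild`" idea using Nix's `NIX_CONFIG` environment variable, so a renewed token is used for a single command without first rebuilding the config that still carries the expired one. The function names and the secret file path are hypothetical; the secret is assumed to hold one line with the `access-tokens = github.com=` prefix described above.

```shell
#!/bin/sh
# Added example. Assumptions: the secret file (path chosen by the caller) holds a
# line starting with `access-tokens = github.com=<token>`, as the issue describes.

# Print the first access-tokens line from the secret file, or fail with a message.
read_token_line() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    line=$(grep -m1 -E \
        '^access-tokens[[:space:]]*=[[:space:]]*github\.com=[^[:space:]]+' \
        "$file") || {
        echo "$file: no 'access-tokens = github.com=<token>' line" >&2
        return 1
    }
    printf '%s\n' "$line"
}

# Run a command with the token line appended to NIX_CONFIG for that command only.
# The token travels in the environment, not in argv, so it does not show up in
# the process list the way `--option access-tokens ...` would.
with_new_token() {
    file=$1
    shift
    line=$(read_token_line "$file") || return 1
    nl='
'
    # Keep any settings already present in NIX_CONFIG and add the token line last.
    cfg=${NIX_CONFIG:+$NIX_CONFIG$nl}$line
    NIX_CONFIG=$cfg "$@"
}

# Usage (hypothetical secret path):
#   with_new_token /run/secrets/github-token nixos-rebuild switch --flake .#host
```

`sudo` resets the environment by default, so run this from a root shell or preserve `NIX_CONFIG` explicitly when elevating.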