I’m trying to figure out how to write my first flake. Unfortunately, I’ve now been rate limited by GitHub for trying to build too many times this hour: https://docs.github.com/en/rest/reference/rate-limit
Is there some way to provide nix with a GitHub API token to help with this? It looks like niv has this option, but I’m not seeing anything with nix (sorry if I’ve just missed it).
There is an option, personally I set it in my users options:
$ cat ~/.config/nix/nix.conf
access-tokens = github.com=***censored***
Documented in the nix manual - nix.conf
Excellent, thank you.
Is there a way to do this with an environment variable?
Maybe with this? Common Environment Variables - Nix Reference Manual
EDIT: NIX_CONFIG=access_tokens=... perhaps?
yes that should do it
It worked with NIX_CONFIG="access-tokens = github.com=ghp_***", thanks
Don’t put tokens in environment variables! Those are readable by any software that you run.
Here’s the solution I’m using:
age.secrets.nix-access-tokens-github.file =
"${self}/secrets/root.nix-access-tokens-github.age";
nix.extraOptions = ''
!include ${config.age.secrets.nix-access-tokens-github.path}
'';
Which would also result in a world readable token, as systems nix config has to be world readable as well.
Still, the environment is routinely scraped by “crash reporting” or other “usage metric” thingies.
Therefore the approach to load the token through the nix-config is much more safe and less prone to accidenteal leakage