How to create hydra conf with sops secret

I want to configure the Codeberg token.

I already had some success with sops-nix but I am not really sure what would be the best way for this problem of creating secret-containing files after a rebuild.

The Codeberg token should be configured something like this, from the documentation:

<github_authorization>
NixOS = Bearer gha-secret😱secret😱secret😱
</github_authorization>

This file needs to be built after the rebuild because in the configuration I can only specify the path to where this file is located:

{
  services.hydra.extraConfig = ''
    Include /path/to/secret/file
  '';
}

I have the path to the token available through config.sops.codeberg-token.path and I can configure who can read that file. But I am not sure about the best way to create the config file that can be included.

I was failing in writing a systemd service to create that file.

Now I am failing in using sops-nix templates:

secrets = {
  codeberg-token = { };
};

templates = {
  "codeberg-hydra.conf" = {
    content = ''
      <gitea_authorization>
        username=${config.sops.secrets.codeberg-token}
      </gitea_authorization>
    '';
    group = "hydra";
  };
};

@Mic92 I am probably misunderstanding the templates functionality?

Can’t you just make the snippet itself the entire secret, and include that path from your Hydra configuration? That’s likely the path of least resistance here.

taken from the documentation:

{
  sops.templates."your-config-with-secrets.toml".content = ''
    password = "${config.sops.placeholder.your-secret}"
  '';
}

you want config.sops.placeholder.codeberg-token instead of what you have… that might put you one step closer

maybe… but sops templates are just so cool! it would be a shame to not use them in this scenario :laughing:


Thanks, this is the solution.

And you are right, the sops templates feature is really cool and optimal for this use case.

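Putting the pieces from this thread together, here is an added example of a complete NixOS module (not code from the original posts or from sops-nix/Hydra): the secret, a sops-nix template that uses `config.sops.placeholder` rather than `config.sops.secrets` (the latter is an attribute set, not a string, which is why the original template failed), and the Hydra `Include` pointing at the rendered template's `.path`. The file name `./secrets.yaml`, the `username` key, the Hydra URL and the notification sender are assumptions; the Codeberg section follows the shape used in the question, so check the Hydra Gitea plugin documentation for the exact keys.

```nix
{ config, ... }:
{
  # Encrypted secret, assumed to be stored under the key "codeberg-token"
  # in ./secrets.yaml (decrypted to /run/secrets/codeberg-token at activation).
  sops.secrets."codeberg-token" = {
    sopsFile = ./secrets.yaml;
  };

  # Rendered at activation time: the placeholder is replaced with the decrypted
  # token, so the plaintext never ends up in the world-readable Nix store.
  # Use config.sops.placeholder.<name>, not config.sops.secrets.<name>.
  sops.templates."codeberg-hydra.conf" = {
    content = ''
      <gitea_authorization>
        username = ${config.sops.placeholder."codeberg-token"}
      </gitea_authorization>
    '';
    # Only the hydra user/group can read the rendered file.
    owner = "hydra";
    group = "hydra";
    mode = "0440";
  };

  services.hydra = {
    enable = true;
    hydraURL = "https://hydra.example.org";      # assumed value
    notificationSender = "hydra@example.org";    # assumed value
    # Include the rendered template by its runtime path (under /run/secrets/rendered
    # by default), so hydra.conf itself contains no secret material.
    extraConfig = ''
      Include ${config.sops.templates."codeberg-hydra.conf".path}
    '';
  };
}
```

After `nixos-rebuild switch`, `stat "$(nix eval --raw .#nixosConfigurations.<host>.config.sops.templates.\"codeberg-hydra.conf\".path)"` should show owner `hydra`, group `hydra` and mode `0440`, and `grep -r codeberg /nix/store/*-hydra.conf` should find only the `Include` line, never the token.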