Hydra integration without exposing authentication tokens to the nix store

Hi, I’d like to use Hydra and integrate it with Gitea on my personal machine.

The Hydra manual has a section on exactly that! Unfortunately it recommends this:

{
  services.hydra-dev.extraConfig = ''
    <gitea_authorization>
    your_username=your_token
    </gitea_authorization>
  '';
}

I don’t want to do this, since it will expose the token in the world-readable Nix store, as well as make it public in my git repository for the configuration. This is rather less ideal.

This is a common anti-pattern across Nix modules that is slowly being phased out, so my question is: am I just missing something and there’s already a better way with Hydra, or should I raise an issue?

I intend to do a similar setup to yours. I found this section in the docs:

https://hydra.nixos.org/build/186777326/download/1/hydra/configuration.html#including-files

This should work with agenix and, as the docs say, it’s proven to work with NixOps.

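A sketch of the include-file approach from the linked docs section, combined with agenix. This is an added example, not code from the thread or the Hydra manual. It assumes the agenix NixOS module is already imported; the secret name `hydra-gitea`, the path `./secrets/hydra-gitea.age`, and the owner/group/mode values are assumptions chosen for illustration.

```nix
# Added example: keep the Gitea token out of the Nix store by letting
# hydra.conf pull it in from a file that agenix decrypts at activation time.
{ config, ... }:
{
  # The .age file is encrypted, so it can live in the configuration's git
  # repository. Its decrypted plaintext is the whole block that would
  # otherwise have been written inline in extraConfig:
  #
  #   <gitea_authorization>
  #   your_username=your_token
  #   </gitea_authorization>
  age.secrets.hydra-gitea = {
    file = ./secrets/hydra-gitea.age; # hypothetical path
    # Assumption: every Hydra service user that parses hydra.conf is in
    # the "hydra" group, so group-readable is enough. Not world-readable.
    owner = "hydra";
    group = "hydra";
    mode = "0440";
  };

  # Only the runtime path of the decrypted file is interpolated here, so
  # the store copy of the config contains a path, not the token.
  services.hydra-dev.extraConfig = ''
    Include ${config.age.secrets.hydra-gitea.path}
  '';
}
```

After a rebuild, the generated Hydra configuration should show only the `Include` line, and the decrypted file should not be readable by users outside the chosen group.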

Ah, nice, thanks! I wonder if this is new.