Hydra integration without exposing authentication tokens to the nix store

Hi, I’d like to use Hydra and integrate it with Gitea on my personal machine.

The Hydra manual has a section on exactly that! Unfortunately it recommends this:

  services.hydra-dev.extraConfig = ''

I don’t want to do this, since it will expose the token into the world-readable nix store, as well as be public in my git repository for the configuration. This is rather less ideal.

This is a common anti-pattern across nix modules that is slowly being phased out, so my question is: am I just missing something and there’s already a better way with Hydra, or should I raise an issue?

I intend to do a similar setup as you. I found this section in the docs:


This should work with agenix and, as the docs say, it’s proven to work with NixOps.

Ah, nice, thanks! I wonder if this is new.