feat: add secure github access token

flake.nix

@@ -30,7 +30,8 @@
     nixosConfigurations.rhea-laptop = nixpkgs.lib.nixosSystem {
       specialArgs = { 
         inherit inputs;
-        inherit spicetify-nix; 
+        inherit spicetify-nix;
+        inherit agenix;
       };
 
       system = "x86_64-linux";

home/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, inputs, spicetify-nix, ... }:
+{ config, pkgs, inputs, spicetify-nix, agenix, ... }:
 {
   imports = [
     inputs.home-manager.nixosModules.home-manager
@@ -12,6 +12,7 @@
 
     extraSpecialArgs = { 
       inherit spicetify-nix;
+      inherit agenix;
     };
 
     users.rhea = {
@@ -63,5 +64,14 @@
     shell = pkgs.zsh;
   };
 
+  # TODO: Get a token2 and set up https://github.com/oddlama/agenix-rekey
+  age.identityPaths = [ "/var/lib/persistent/host_id_ed25519" ];
+
+  age.secrets.access-tokens-github.file = ../secrets/gh.age;
+
+  nix.extraOptions = ''
+    !include ${config.age.secrets.access-tokens-github.path}
+  '';
+
   nix.settings.allowed-users = [ "rhea" ];
 }

home/packages.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, agenix, ... }:
 {
   home.packages = with pkgs; [
     # Desktop Applications
@@ -26,6 +26,7 @@
     nix-output-monitor
     nil
     nh
+    agenix.packages.${system}.default
 
     # Dev Things
     vscode

secrets/gh.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 7JS6dg I9bdNrtj0UzjlrVWOjgVomgWprX+KAaL4uITS9j163I
+8vEaIAqFwmUKXbBskafWr15tqYIfmWjKn9g61F4y6F8
+--- ToUNScc7K59kI8y+SR5e3RxTu16uGSsvd65tqomiOVc
+VoÓX˜¬ZÖζ»·<C2BB>ÁííÍG}úZüm…ˆ°Ó ®,ºåï*«àÛ³¬}ušþå8… \^I/¢T"us\¨¡CGÄ
§¿“h˜¥m>æÍÆ$–†]òÍÄ$H"<¼.tbÐOËÝü¿†žÖ± !j¹Ñƒ"°Ÿ³„@á­Õo=éØ«Ç_ÌoÜÌ—ô]ð÷zÍ9Ä~qO

secrets/secrets.nix

@@ -0,0 +1,7 @@
+let
+  rhea-laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJynM8SLRXRrfGRJd43T4wabsOHFcWeeuTym9h7vl7Io";
+  systems = [ rhea-laptop ];
+in
+{
+  "gh.age".publicKeys = [ rhea-laptop ];
+}