feat: store access tokens in access-tokens.conf

Instead of updating the nix.conf file constantly, store the tokens in a
separate file, and use the !include feature to load it from the main
config file.

If access-tokens exist in nix.conf, the tool will automatically migrate
them to the separate access-tokens.conf file.

That will reduce the number of backups we have to do. Plus it allows the
main config file to retain 0644 mode while keeping the access-tokens
locked down further.

Author: zimbatm

README.md

@@ -10,7 +10,7 @@ to get those tokens in the right place.
 
 - OAuth device flow authentication when possible (no manual token creation needed)
 - Support for multiple providers (GitHub, GitHub Enterprise, GitLab, Gitea, and Forgejo)
-- Token storage in `~/.config/nix/nix.conf`
+- Secure token storage in separate `~/.config/nix/access-tokens.conf` file with restricted permissions
 - Token validation and status checking
 - Automatic backup creation before modifying configuration
 
@@ -86,7 +86,7 @@ The tool will:
 1. Display a one-time code
 2. Open your browser to the provider's device authorization page
 3. Wait for you to authorize the application
-4. Save the token to `~/.config/nix/nix.conf`
+4. Save the token to `~/.config/nix/access-tokens.conf` (with restricted 0600 permissions)
 
 **Note for self-hosted instances**:
 - **GitHub Enterprise**: You'll need to create an OAuth App and provide the client ID via `--client-id`
@@ -132,17 +132,26 @@ nix-auth logout --host github.company.com
 
 ## How It Works
 
-The tool manages the `access-tokens` configuration in your `~/.config/nix/nix.conf` file. This allows Nix to authenticate when fetching flake inputs from private repositories or builtins fetchers, and hitting rate limits.
+The tool manages access tokens in a secure, separate configuration file that is included by your main Nix configuration. This allows Nix to authenticate when fetching flake inputs from private repositories or builtins fetchers, and avoiding rate limits.
 
-Example configuration added by this tool:
-```
-access-tokens = github.com=ghp_xxxxxxxxxxxxxxxxxxxx gitlab.com=glpat-xxxxxxxxxxxx github.company.com=ghp_yyyyyyyy
-```
+The tool automatically:
+1. Creates `~/.config/nix/access-tokens.conf` with restricted permissions (0600)
+2. Adds an include directive to your `~/.config/nix/nix.conf`:
+   ```
+   !include access-tokens.conf
+   ```
+3. Stores tokens in the secure file:
+   ```
+   access-tokens = github.com=ghp_xxxxxxxxxxxxxxxxxxxx gitlab.com=glpat-xxxxxxxxxxxx
+   ```
+
+This separation ensures your tokens are stored with proper security permissions while keeping your main configuration readable.
 
 ## Security
 
-- Tokens are stored locally in your Nix configuration
+- Tokens are stored in a separate file (`access-tokens.conf`) with restricted permissions (0600)
 - The tool creates automatic backups before modifying your configuration
+- Automatically migrates existing tokens from `nix.conf` to the secure token file
 - Uses OAuth device flow for secure authentication
 - Minimal required permissions (only necessary scopes for accessing repositories)
 

cmd/login.go

@@ -7,7 +7,7 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/numtide/nix-auth/internal/config"
+	"github.com/numtide/nix-auth/internal/nixconf"
 	"github.com/numtide/nix-auth/internal/provider"
 	"github.com/numtide/nix-auth/internal/ui"
 	"github.com/spf13/cobra"
@@ -94,7 +94,7 @@ func runLogin(_ *cobra.Command, args []string) error {
 	}
 
 	// Check if token already exists
-	cfg, err := config.New(configPath)
+	cfg, err := nixconf.New(configPath)
 	if err != nil {
 		return fmt.Errorf("failed to initialize config: %w", err)
 	}

cmd/logout.go

@@ -5,7 +5,7 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/numtide/nix-auth/internal/config"
+	"github.com/numtide/nix-auth/internal/nixconf"
 	"github.com/numtide/nix-auth/internal/provider"
 	"github.com/numtide/nix-auth/internal/ui"
 	"github.com/spf13/cobra"
@@ -25,7 +25,7 @@ You can specify either a provider name (github, gitlab) or a full host.`,
 }
 
 func runLogout(_ *cobra.Command, args []string) error {
-	cfg, err := config.New(configPath)
+	cfg, err := nixconf.New(configPath)
 	if err != nil {
 		return fmt.Errorf("failed to initialize config: %w", err)
 	}
@@ -48,7 +48,7 @@ func runLogout(_ *cobra.Command, args []string) error {
 }
 
 // logoutInteractive handles the interactive logout flow.
-func logoutInteractive(cfg *config.NixConfig) error {
+func logoutInteractive(cfg *nixconf.NixConfig) error {
 	hosts, err := cfg.ListTokens()
 	if err != nil {
 		return fmt.Errorf("failed to list tokens: %w", err)
@@ -84,7 +84,7 @@ func logoutInteractive(cfg *config.NixConfig) error {
 	return removeToken(cfg, hosts[choice-1])
 }
 
-func removeToken(cfg *config.NixConfig, host string) error {
+func removeToken(cfg *nixconf.NixConfig, host string) error {
 	fmt.Printf("Removing token for %s...\n", host)
 
 	if err := cfg.RemoveToken(host); err != nil {

cmd/root.go

@@ -3,7 +3,7 @@ package cmd
 import (
 	"fmt"
 
-	"github.com/numtide/nix-auth/internal/config"
+	"github.com/numtide/nix-auth/internal/nixconf"
 	"github.com/spf13/cobra"
 )
 
@@ -25,7 +25,7 @@ func Execute() error {
 
 func init() {
 	// Add persistent flag for config path
-	defaultPath := config.DefaultUserConfigPath()
+	defaultPath := nixconf.DefaultUserConfigPath()
 	flagDesc := fmt.Sprintf("Path to nix.conf file (default: %s)", defaultPath)
 	rootCmd.PersistentFlags().StringVar(&configPath, "config", "", flagDesc)
 

cmd/set_token.go

@@ -4,7 +4,7 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/numtide/nix-auth/internal/config"
+	"github.com/numtide/nix-auth/internal/nixconf"
 	"github.com/numtide/nix-auth/internal/provider"
 	"github.com/numtide/nix-auth/internal/ui"
 	"github.com/spf13/cobra"
@@ -44,7 +44,7 @@ If a provider is specified or detected, the token will be validated before savin
 		host := args[0]
 
 		// Initialize config
-		cfg, err := config.New(configPath)
+		cfg, err := nixconf.New(configPath)
 		if err != nil {
 			return fmt.Errorf("failed to initialize config: %w", err)
 		}
@@ -139,7 +139,7 @@ If a provider is specified or detected, the token will be validated before savin
 
 		maskedToken := ui.MaskToken(token)
 		fmt.Printf("Successfully set token for %s: %s\n", host, maskedToken)
-		fmt.Printf("Config saved to: %s\n", cfg.GetPath())
+		fmt.Printf("Config saved to: %s\n", cfg.GetTokenFilePath())
 
 		return nil
 	},