NixOS first integration

[Ravenink]

No description provided.

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 2 package(s) with unknown licenses.

See the Details below.

License Issues

.github/workflows/nix-integration.yml

Package	Version	License	Issue Type
DeterminateSystems/nix-installer-action	19.*.*	Null	Unknown License
actions/checkout	6.*.*	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
actions/DeterminateSystems/nix-installer-action	19.*.*	🟢 5.6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 9 11 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 9 License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/actions/checkout	6.*.*	🟢 6.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 8 2 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits

Scanned Files

• .github/workflows/nix-integration.yml

[Copilot]

Pull request overview

This PR integrates NixOS deployment support alongside Docker Compose for the DecentraLabs Gateway. It introduces a Nix flake with a NixOS module for declarative service management, renames environment variables for clarity (consolidating access tokens), adds Lite mode for JWT delegation, and updates documentation to reflect these changes.

Changes:

• Added NixOS module and flake configuration for declarative deployment
• Renamed SECURITY_ACCESS_TOKEN to TREASURY_TOKEN and OPS_SECRET to LAB_MANAGER_TOKEN throughout the codebase
• Introduced Lite mode that syncs JWT public keys from external issuers and disables local auth/treasury endpoints

Reviewed changes

Copilot reviewed 49 out of 50 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
flake.nix	NixOS flake outputs with module and host configuration
nix/nixos-module.nix	NixOS service module for compose-managed deployment
nix/lab-gateway-docker.nix	Docker Compose wrapper script for Nix integration
nix/hosts/gateway.nix	Default host configuration for gateway deployments
openresty/init-ssl.sh	JWT key sync logic for Lite mode from external issuer
openresty/lua/init.lua	Lite mode detection and configuration
openresty/lua/treasury_access.lua	Renamed from internal_access.lua with Lite mode blocks
openresty/lua/admin_access.lua	Updated to use TREASURY_TOKEN only
openresty/lab_access.conf	Lite mode endpoint restrictions and mode detection endpoint
setup.sh / setup.bat	Updated token names and added Lite mode ISSUER prompt
docker-compose.yml	Environment variable renames for treasury and lab manager tokens
Various test files	Token name updates and new treasury/admin access specs
Documentation files	Installation guides, tutorials, and audit notes

Comments suppressed due to low confidence (1)

setup.sh:1

• The placeholder detection logic appears in both setup.sh and setup.bat. Consider documenting or consolidating the list of disallowed placeholder values to ensure consistency across both scripts.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The script ends with a blank line after the exec command. While not harmful, the blank line after exec is unreachable code since exec replaces the current process. Consider removing line 403 for clarity.

Suggested change