feat: add NATS NKey authentication support

Allow authentication to NATS using NKey seed files as an alternative to credentials files. NKeys use Ed25519 key pairs for authentication. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-09 00:32:23 +01:00
parent acfb142788
commit 5aa5f7275b
5 changed files with 23 additions and 3 deletions
--- a/collector/flake.go
+++ b/collector/flake.go
@@ -33,6 +33,7 @@ type FlakeCollectorConfig struct {
 	NATSURL             string
 	NATSSubject         string
 	NATSCredentialsFile string
+	NATSNkeySeedFile    string
 }

 // nixosVersionInfo holds the parsed output of nixos-version --json
@@ -107,7 +108,7 @@ func NewFlakeCollectorWithNATS(cfg FlakeCollectorConfig) (*FlakeCollector, error
 		c.natsEnabled = true
 		c.natsSubject = cfg.NATSSubject

-		if err := c.connectNATS(cfg.NATSURL, cfg.NATSCredentialsFile); err != nil {
+		if err := c.connectNATS(cfg.NATSURL, cfg.NATSCredentialsFile, cfg.NATSNkeySeedFile); err != nil {
 			// Log warning but continue without NATS
 			slog.Warn("Failed to connect to NATS, continuing without cache sharing", "error", err)
 		}
@@ -333,7 +334,7 @@ func getNixosVersionInfo() (*nixosVersionInfo, error) {
 }

 // connectNATS establishes connection to NATS server with auto-reconnect
-func (c *FlakeCollector) connectNATS(url, credentialsFile string) error {
+func (c *FlakeCollector) connectNATS(url, credentialsFile, nkeySeedFile string) error {
 	opts := []nats.Option{
 		nats.MaxReconnects(-1), // Infinite reconnects
 		nats.ReconnectWait(5 * time.Second),
@@ -363,6 +364,12 @@ func (c *FlakeCollector) connectNATS(url, credentialsFile string) error {

 	if credentialsFile != "" {
 		opts = append(opts, nats.UserCredentials(credentialsFile))
+	} else if nkeySeedFile != "" {
+		opt, err := nats.NkeyOptionFromSeed(nkeySeedFile)
+		if err != nil {
+			return fmt.Errorf("failed to load NKey seed file: %w", err)
+		}
+		opts = append(opts, opt)
 	}

 	nc, err := nats.Connect(url, opts...)