feat(ops/secrets): Configure secrets for gerrit-queue

Adds a systemd EnvironmentFile secret that contains the Gerrit
username & password for gerrit-queue.

Change-Id: I25acf87764c26774045138402b8a417b6813ee8f

ops/machines/whitby/default.nix

@@ -40,6 +40,7 @@ in {
     "${depot.path}/ops/modules/www/tvl.fyi.nix"
     "${depot.path}/ops/modules/www/tvl.su.nix"
     "${depot.path}/ops/modules/www/wigglydonke.rs.nix"
+    "${depot.third_party.agenix.src}/modules/age.nix"
     "${pkgs.path}/nixos/modules/services/web-apps/gerrit.nix"
   ];
 
@@ -201,6 +202,11 @@ in {
     challengeResponseAuthentication = false;
   };
 
+  # Configure secrets for services that need them.
+  age.secrets = {
+    gerrit-queue.file = depot.path.origSrc + "/ops/secrets/gerrit-queue.age";
+  };
+
   # Automatically collect garbage from the Nix store.
   services.depot.automatic-gc = {
     enable = true;

ops/secrets/gerrit-queue.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw XuDxJkTX3Tq8PRoHq29hYz/Qcz2uvud00BW5F8QvA0w
+zxl5HgqvDoB5WwB5NDCcuq0/hD2hDP0vIEJ6rs8hM9Y
+-> ssh-ed25519 OkGqLg K5Hsabm/iPD9tgNre6p6kbMnlnxmXi1ogG2+BdWX/BQ
+QCmy7rhSmkdmj50twwlqrtp7t0nfhRPVlC7Z79P64hY
+-> b-grease ouC0Z%'v Sx lOZ]`8 H
+XQjxJlepFUehbRQ
+--- NAKvcgfnmSJDWoG37cUVJ/uOcsYsie4QDeqKsVrSEME
+aqű÷ĺ8ĐăPŇÔ·ˇÍóń¨ç4*ĄÝě×0?»ÔA
‰ŮK‚‰I|x ^:Ů^`ă[<5B>e&}üżÓ±y6oČAőî4
‹W¦yř/PŤŰŹŽŁ=;ýÓŘd
‘ö´N>´ĂUšó4[~uÎ<75>A>k}ý<>/8iśĘ×FUąݢ)˝oQĹâfÍbâ§!„ý·)čöjĘ~żžĺ–®5	ŕ[yäĚ`‡iÔJą«

ops/secrets/secrets.nix

@@ -9,4 +9,5 @@ let
   default.publicKeys = tazjin ++ [ whitby ];
 in {
   "besadii.age" = default;
+  "gerrit-queue.age" = default;
 }