refactor(grfn/mugwump): Move buildkite secrets into age

Use agenix for the buildkite ssh key and agent token on mugwump, instead of storing stuff in /etc/secrets Change-Id: I56951587b949fc0854e56f5c4e33b601e9cd964e Reviewed-on: https://cl.tvl.fyi/c/depot/+/5027 Reviewed-by: grfn <grfn@gws.fyi> Autosubmit: grfn <grfn@gws.fyi> Tested-by: BuildkiteCI
2022-01-20 09:28:01 -05:00 · 2022-01-20 09:28:01 -05:00 · 7873806218
commit 7873806218
parent 8b63e0f8ce
4 changed files with 30 additions and 2 deletions
--- a/users/grfn/secrets/buildkite-ssh-key.age
+++ b/users/grfn/secrets/buildkite-ssh-key.age
--- a/users/grfn/secrets/buildkite-token.age
+++ b/users/grfn/secrets/buildkite-token.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 CpJBgQ tz7tudrJYQw2Ftnk7iNbSd/De2UJ0GAafFJjPwUo8xM
+bUBNO94Pjf79FErPxv92XnpXWFEgethREU+/U+xjWBc
+-> ssh-ed25519 LfBFbQ yPjXk6XlJoGyVaCWMcPzfNXzb1cBNZhjYy+wsQtMhTI
+qk6hZMl1oeKLniGb/bKIxSb6ocVRCQsmQPcwxnlYfno
+-> \'q-grease
+nYvpKokvFbVXfATzlQ7SPQa9Gw99E84SPRFdR7ey+HSCB705Q9uYwBpr9hjpiIod
+9PJIi88ENWf9/XAmm2d7daE+YPRYhln4U6w
+--- EuyCLA6GvtbGI+EoC1z2dbpfyxo4ebXX1nY+9rsgUVY
+û[°ó®ßÕhÖ¾Î©þÐªô`1<>?NCøÐÌ@Å™Šu³–BlÓ8*ÕˆÍs¥¦‰Z~P¯Ð<C2AF>¯ü?8þ
+
+ÕOÀ®~<7E>{G}ˆ0q.æõAŸ¥<C5B8>WÒÆ
--- a/users/grfn/secrets/secrets.nix
+++ b/users/grfn/secrets/secrets.nix
@ -8,4 +8,6 @@ in
  "bbbg.age".publicKeys = [ grfn mugwump bbbg ];
  "cloudflare.age".publicKeys = [ grfn mugwump ];
  "ddclient-password.age".publicKeys = [ grfn mugwump ];
+  "buildkite-ssh-key.age".publicKeys = [ grfn mugwump ];
+  "buildkite-token.age".publicKeys = [ grfn mugwump ];
 }
--- a/users/grfn/system/system/machines/mugwump.nix
+++ b/users/grfn/system/system/machines/mugwump.nix
@ -72,6 +72,18 @@ with lib;
    bbbg.file = secret "bbbg";
    cloudflare.file = secret "cloudflare";
    ddclient-password.file = secret "ddclient-password";
+
+    buildkite-ssh-key = {
+      file = secret "buildkite-ssh-key";
+      group = "keys";
+      mode = "0440";
+    };
+
+    buildkite-token = {
+      file = secret "buildkite-token";
+      group = "keys";
+      mode = "0440";
+    };
  };

  services.depot.auto-deploy = {
@ -142,6 +154,8 @@ with lib;
    quiet = true;
  };

+  systemd.services.ddclient.serviceConfig.DynamicUser = lib.mkForce false;
+
  security.acme.certs."metrics.gws.fyi" = {
    dnsProvider = "cloudflare";
    credentialsFile = "/run/agenix/cloudflare";
@ -247,8 +261,8 @@ with lib;
    value = {
      inherit name;
      enable = true;
-      tokenPath = "/etc/secrets/buildkite-agent-token";
-      privateSshKeyPath = "/etc/secrets/buildkite-ssh-key";
+      tokenPath = "/run/agenix/buildkite-agent-token";
+      privateSshKeyPath = "/run/agenix/buildkite-ssh-key";
      runtimePackages = with pkgs; [
        docker
        nix