refactor(ops): Move clbot secret into agenix

Relates to b/161

Change-Id: I7badf22ff93bb4e8b06e4dd4a8bf880b0bd48f09

ops/machines/whitby/default.nix

@@ -203,9 +203,13 @@ in {
   };
 
   # Configure secrets for services that need them.
-  age.secrets = {
-    gerrit-queue.file = depot.path.origSrc + "/ops/secrets/gerrit-queue.age";
-  };
+  age.secrets =
+    let
+      secretFile = name: "${depot.path.origSrc}/ops/secrets/${name}.age";
+    in {
+      clbot.file = secretFile "clbot";
+      gerrit-queue.file = secretFile "gerrit-queue";
+    };
 
   # Automatically collect garbage from the Nix store.
   services.depot.automatic-gc = {

ops/modules/clbot.nix

@@ -37,7 +37,7 @@ let
 
       serviceConfig = {
         User = "clbot";
-        EnvironmentFile = "/etc/secrets/clbot";
+        EnvironmentFile = cfg.secretsFile;
         Restart = "always";
       };
     };
@@ -55,6 +55,12 @@ in {
       type = with types; listOf str;
       description = "Channels in which to post (generates one unit per channel)";
     };
+
+    secretsFile = mkOption {
+      type = types.str;
+      description = "EnvironmentFile from which to load secrets";
+      default = "/run/agenix/clbot";
+    };
   };
 
   config = mkIf cfg.enable {

ops/secrets/clbot.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw C9pIPqWBPvZXOoR1UfOXyrdpLOXNeYKhJ2gMZsskwAs
+brPt1M5Qctpbhb/uWvZgvBQSCI9ZXdtT+5YUM45fGhg
+-> ssh-ed25519 OkGqLg M32cq8ZL03DHvPs+Virh1D2NnGahOet2BwmxRzonYw0
+sr8bU7EQeta01VG1vmy6blon6bEEpZtbZVhtgNbsS8o
+-> 9!s-grease 'MtvzqH] O3mD + W,i<Q+
+oQjwvQE2RFj3vSgU3yxmRqX2hMxBU2yS3X8uzJ8
+--- 3mNJwPxtEqcJ2Bj93u0ljorCdidA7geojpQrFWP5pLc
+•·<EFBFBD>VJ<02>E–püØᆅ½À8
+ S݈¹m(îlT­ä«ä	Jc:oHmÈ…µèüCÛœ¤ÐðúQ±ó1œpƒºuëúƒfô¿T

ops/secrets/secrets.nix

@@ -10,4 +10,5 @@ let
 in {
   "besadii.age" = default;
   "gerrit-queue.age" = default;
+  "clbot.age" = default;
 }