diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 82b3bc37c..1f146c923 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -203,9 +203,13 @@ in {
   };
 
   # Configure secrets for services that need them.
-  age.secrets = {
-    gerrit-queue.file = depot.path.origSrc + "/ops/secrets/gerrit-queue.age";
-  };
+  age.secrets =
+    let
+      secretFile = name: "${depot.path.origSrc}/ops/secrets/${name}.age";
+    in {
+      clbot.file = secretFile "clbot";
+      gerrit-queue.file = secretFile "gerrit-queue";
+    };
 
   # Automatically collect garbage from the Nix store.
   services.depot.automatic-gc = {
diff --git a/ops/modules/clbot.nix b/ops/modules/clbot.nix
index 71ff2fbc3..ef4c2ab23 100644
--- a/ops/modules/clbot.nix
+++ b/ops/modules/clbot.nix
@@ -37,7 +37,7 @@ let
 
       serviceConfig = {
         User = "clbot";
-        EnvironmentFile = "/etc/secrets/clbot";
+        EnvironmentFile = cfg.secretsFile;
         Restart = "always";
       };
     };
@@ -55,6 +55,12 @@ in {
       type = with types; listOf str;
       description = "Channels in which to post (generates one unit per channel)";
     };
+
+    secretsFile = mkOption {
+      type = types.str;
+      description = "EnvironmentFile from which to load secrets";
+      default = "/run/agenix/clbot";
+    };
   };
 
   config = mkIf cfg.enable {
diff --git a/ops/secrets/clbot.age b/ops/secrets/clbot.age
new file mode 100644
index 000000000..a7378ee0a
--- /dev/null
+++ b/ops/secrets/clbot.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw C9pIPqWBPvZXOoR1UfOXyrdpLOXNeYKhJ2gMZsskwAs
+brPt1M5Qctpbhb/uWvZgvBQSCI9ZXdtT+5YUM45fGhg
+-> ssh-ed25519 OkGqLg M32cq8ZL03DHvPs+Virh1D2NnGahOet2BwmxRzonYw0
+sr8bU7EQeta01VG1vmy6blon6bEEpZtbZVhtgNbsS8o
+-> 9!s-grease 'MtvzqH] O3mD + W,i
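Review bot: The new `secretFile` helper in the whitby hunk changes the expression from path concatenation to string interpolation of a path: `depot.path.origSrc + "/ops/secrets/..."` yields a path value, whereas `"${depot.path.origSrc}/..."` makes Nix copy whatever `origSrc` points at into the store and hands agenix a store-path string instead. If `origSrc` is a plain path (the old `+` form suggests it may be), that copies the whole source tree into the world-readable store just to reference one `.age` file; the ciphertext itself is not at risk, but it is a silent semantic change that the commit message does not mention. Keeping the old semantics is a one-line change, `secretFile = name: depot.path.origSrc + "/ops/secrets/${name}.age";`, and it still gives the deduplication the refactor was after. Worth confirming which form agenix's `file` option expects here before merging.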
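Review bot: The new `secretsFile` option in the second clbot.nix hunk is typed `types.str`, but it is consumed as a filesystem path by the `EnvironmentFile = cfg.secretsFile;` line in the first hunk; `type = types.path;` would reject non-path strings at evaluation time instead of at unit start, where a missing file under `Restart = "always"` would presumably leave the unit restart-looping. The description should also state the coupling that the default relies on, e.g. `description = "Path to an EnvironmentFile holding the bot's secrets; the default expects an agenix secret named \"clbot\" declared in the machine configuration to be mounted at /run/agenix/clbot.";`. Since systemd reads EnvironmentFile before switching to `User = "clbot"`, the secret can stay root-only and does not need its owner or mode widened to the service user — worth a short comment on the option so nobody later relaxes the agenix permissions for this unit. The unit definition that this serviceConfig belongs to starts outside the first hunk.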