diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 88c0aa9d0..572417fea 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -219,6 +219,23 @@ in {
 group = "buildkite-agents";
 };
+ buildkite-graphql-token = {
+ file = secretFile "buildkite-graphql-token";
+ mode = "0440";
+ group = "buildkite-agent";
+ };
+
+ buildkite-besadii-config = {
+ file = secretFile "besadii";
+ mode = "0440";
+ group = "buildkite-agent";
+ };
+
+ gerrit-besadii-config = {
+ file = secretFile "besadii";
+ owner = "git";
+ };
+
 clbot-ssh = {
 file = secretFile "clbot-ssh";
 owner = "clbot";
diff --git a/ops/modules/monorepo-gerrit.nix b/ops/modules/monorepo-gerrit.nix
index 57f2edc84..30caa984d 100644
--- a/ops/modules/monorepo-gerrit.nix
+++ b/ops/modules/monorepo-gerrit.nix
@@ -5,7 +5,7 @@ let
 cfg = config.services.gerrit;
 besadiiWithConfig = name: pkgs.writeShellScript "besadii-whitby" ''
- export BESADII_CONFIG=/etc/secrets/besadii.json
+ export BESADII_CONFIG=/run/agenix/gerrit-besadii-config
 exec -a ${name} ${depot.ops.besadii}/bin/besadii "$@"
 '';
diff --git a/ops/modules/tvl-buildkite.nix b/ops/modules/tvl-buildkite.nix
index 38709c3cd..f7d7223a0 100644
--- a/ops/modules/tvl-buildkite.nix
+++ b/ops/modules/tvl-buildkite.nix
@@ -7,7 +7,7 @@ let
 description = "Buildkite agents for TVL";
 besadiiWithConfig = name: pkgs.writeShellScript "besadii-whitby" ''
- export BESADII_CONFIG=/etc/secrets/besadii.json
+ export BESADII_CONFIG=/run/agenix/buildkite-besadii-config
 exec -a ${name} ${depot.ops.besadii}/bin/besadii "$@"
 '';
diff --git a/ops/secrets/buildkite-graphql-token.age b/ops/secrets/buildkite-graphql-token.age
new file mode 100644
index 000000000..5a571f511
--- /dev/null
+++ b/ops/secrets/buildkite-graphql-token.age
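Review bot: The two new Buildkite secrets in `ops/machines/whitby/default.nix` set `group = "buildkite-agent";`, while the existing entry visible in the context line directly above them uses `group = "buildkite-agents";`. If only the plural group exists on whitby, the files either fail to be chowned at activation or end up unreadable by the agents at mode `0440`, so I would use `group = "buildkite-agents";` for both `buildkite-graphql-token` and `buildkite-besadii-config`, or confirm that a singular group is defined elsewhere. The enclosing attribute set starts and ends outside the hunk.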
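Review bot: `BESADII_CONFIG` in `besadiiWithConfig` of `ops/modules/monorepo-gerrit.nix` is a hard-coded `/run/agenix/gerrit-besadii-config`, so the module quietly depends on agenix's default secrets directory and on a secret name that is declared only in the whitby machine config; the same applies to `/run/agenix/buildkite-besadii-config` in `ops/modules/tvl-buildkite.nix`. Referencing the declared secret, `export BESADII_CONFIG=${config.age.secrets.gerrit-besadii-config.path}` (and the `buildkite-besadii-config` equivalent), would turn a rename or a missing secret into an evaluation error rather than a hook that starts without its credentials. This assumes `config` is in scope in both modules, as `cfg = config.services.gerrit;` suggests for the Gerrit one. Both `let` blocks continue outside their hunks.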
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 dcsaLw xzwSc5FlU9NrAyQhMXigihf3oEE2yA8nZfpP3U1co1k ++nUTx+ppxHIgKs9RG0mhWG3a7OkbelZDNDiXabGIMrc +-> ssh-ed25519 OkGqLg lTCF8xm2+wljZs6PyUeB6ySD9TEEAfQdbW3qIuat4gE +THlu4VhAm5FKLYvc6ad6lFnlssVJsPiGqucSVF949vM +-> 62T-grease 7 RH''g X +4zRtTUAapv8 +--- d8zm0fuBJSw1oZmpsIAJ66YqkS3y/UBQzd/A2/8u17g +i'`/햏(qciYfҜ"+s0X; 35΂ӄK?d%;v[ \ No newline at end of file diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix index 66176c3b9..9dae76d15 100644 --- a/ops/secrets/secrets.nix +++ b/ops/secrets/secrets.nix @@ -14,6 +14,7 @@ let in { "besadii.age" = default; "buildkite-agent-token.age" = default; + "buildkite-graphql-token.age" = default; "clbot-ssh.age" = default; "clbot.age" = default; "gerrit-queue.age" = default;