From 82a885a750cfe3bdf282a19a37f91842f374b24c Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Fri, 10 Dec 2021 16:11:19 +0300
Subject: [PATCH] refactor(ops): Use besadii configuration from agenix

We already checked this in, but this commit adds the configuration for making use of it. There are two copies of besadii's JSON configuration with different permissions. Note that the buildkite-graphql-token path needs to be updated in static-pipeline.yml, but this needs to happen in a separate commit after deploy because the pipeline will break otherwise.

Change-Id: I6fab4bf1a2e679df7cf76521e2b53bd9dadbac62
---
 ops/machines/whitby/default.nix | 17 +++++++++++++++++
 ops/modules/monorepo-gerrit.nix | 2 +-
 ops/modules/tvl-buildkite.nix | 2 +-
 ops/secrets/buildkite-graphql-token.age | 9 +++++++++
 ops/secrets/secrets.nix | 1 +
 5 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 ops/secrets/buildkite-graphql-token.age

diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 88c0aa9d0..572417fea 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -219,6 +219,23 @@ in {
 group = "buildkite-agents";
 };
 
+ buildkite-graphql-token = {
+ file = secretFile "buildkite-graphql-token";
+ mode = "0440";
+ group = "buildkite-agent";
+ };
+
+ buildkite-besadii-config = {
+ file = secretFile "besadii";
+ mode = "0440";
+ group = "buildkite-agent";
+ };
+
+ gerrit-besadii-config = {
+ file = secretFile "besadii";
+ owner = "git";
+ };
+
 clbot-ssh = {
 file = secretFile "clbot-ssh";
 owner = "clbot";
diff --git a/ops/modules/monorepo-gerrit.nix b/ops/modules/monorepo-gerrit.nix
index 57f2edc84..30caa984d 100644
--- a/ops/modules/monorepo-gerrit.nix
+++ b/ops/modules/monorepo-gerrit.nix
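Review bot: The three new secrets use `group = "buildkite-agent"` while the existing entry two lines above in the same attribute set uses `group = "buildkite-agents"`; unless a singular group of that name is defined elsewhere in the configuration, the 0440 mode on buildkite-graphql-token and buildkite-besadii-config grants read access to a group that does not exist, so the agents cannot read either file (or activation fails on the unknown group). Both buildkite entries should presumably read `group = "buildkite-agents";` to match the neighbouring secret. The same besadii payload is now decrypted twice, once group-readable by the agents and once owned by `git` with agenix's default mode, so the agents' copy carries whatever credentials that JSON holds for Gerrit; that is intended per the commit message, but worth keeping in mind when rotating. The enclosing attribute set starts before the hunk.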
@@ -5,7 +5,7 @@ let
 cfg = config.services.gerrit;
 
 besadiiWithConfig = name: pkgs.writeShellScript "besadii-whitby" ''
- export BESADII_CONFIG=/etc/secrets/besadii.json
+ export BESADII_CONFIG=/run/agenix/gerrit-besadii-config
 exec -a ${name} ${depot.ops.besadii}/bin/besadii "$@"
 '';
 
diff --git a/ops/modules/tvl-buildkite.nix b/ops/modules/tvl-buildkite.nix
index 38709c3cd..f7d7223a0 100644
--- a/ops/modules/tvl-buildkite.nix
+++ b/ops/modules/tvl-buildkite.nix
@@ -7,7 +7,7 @@ let
 description = "Buildkite agents for TVL";
 
 besadiiWithConfig = name: pkgs.writeShellScript "besadii-whitby" ''
- export BESADII_CONFIG=/etc/secrets/besadii.json
+ export BESADII_CONFIG=/run/agenix/buildkite-besadii-config
 exec -a ${name} ${depot.ops.besadii}/bin/besadii "$@"
 '';
 
diff --git a/ops/secrets/buildkite-graphql-token.age b/ops/secrets/buildkite-graphql-token.age
new file mode 100644
index 000000000..5a571f511
--- /dev/null
+++ b/ops/secrets/buildkite-graphql-token.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw xzwSc5FlU9NrAyQhMXigihf3oEE2yA8nZfpP3U1co1k
++nUTx+ppxHIgKs9RG0mhWG3a7OkbelZDNDiXabGIMrc
+-> ssh-ed25519 OkGqLg lTCF8xm2+wljZs6PyUeB6ySD9TEEAfQdbW3qIuat4gE
+THlu4VhAm5FKLYvc6ad6lFnlssVJsPiGqucSVF949vM
+-> 62T-grease 7 RH''g X
+4zRtTUAapv8
+--- d8zm0fuBJSw1oZmpsIAJ66YqkS3y/UBQzd/A2/8u17g
+i'`/햏(qciYfҜ"+s0X; 35΂ӄK?d%;v[
\ No newline at end of file
diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix
index 66176c3b9..9dae76d15 100644
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@@ -14,6 +14,7 @@ let
 in {
 "besadii.age" = default;
 "buildkite-agent-token.age" = default;
+ "buildkite-graphql-token.age" = default;
 "clbot-ssh.age" = default;
 "clbot.age" = default;
 "gerrit-queue.age" = default;
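Review bot: After this change neither this module nor tvl-buildkite.nix references `/etc/secrets/besadii.json` any more, but nothing here retires it; if that file is still provisioned on the host it remains a second, unmanaged plaintext copy of the same credentials and should be removed from the machine (and from whatever placed it there) once this is deployed. The wrapper also still `exec`s without checking that the new path is readable by the calling user, so a permission mismatch on the agenix side surfaces only as a besadii failure inside the Gerrit hook; a guard before the exec, `[ -r "$BESADII_CONFIG" ] || { echo "besadii: cannot read $BESADII_CONFIG" >&2; exit 1; }`, makes that failure mode explicit at the first invocation. The same two points apply to the tvl-buildkite.nix hunk, which is the identical script under the same derivation name `besadii-whitby` pointing at a different secret; distinct names such as `besadii-gerrit` and `besadii-buildkite` would keep the two store paths distinguishable when debugging. The `let` block enclosing `besadiiWithConfig` continues outside the hunk in both files.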