refactor(ops): Use besadii configuration from agenix

We already checked this in, but this commit adds the configuration for
making use of it.

There are two copies of besadii's JSON configuration with different
permissions.

Note that the buildkite-graphql-token path needs to be updated in
static-pipeline.yml, but this needs to happen in a separate commit
after deploy because the pipeline will break otherwise.

Change-Id: I6fab4bf1a2e679df7cf76521e2b53bd9dadbac62
Vincent Ambo 2021-12-10 16:11:19 +03:00 committed by clbot
parent b1108821a9
commit 82a885a750
5 changed files with 29 additions and 2 deletions


@ -219,6 +219,23 @@ in {
group = "buildkite-agents";
};
buildkite-graphql-token = {
file = secretFile "buildkite-graphql-token";
mode = "0440";
group = "buildkite-agent";
};
buildkite-besadii-config = {
file = secretFile "besadii";
mode = "0440";
group = "buildkite-agent";
};
gerrit-besadii-config = {
file = secretFile "besadii";
owner = "git";
};
clbot-ssh = {
file = secretFile "clbot-ssh";
owner = "clbot";
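Review bot: The `buildkite-graphql-token` and `buildkite-besadii-config` entries set `group = "buildkite-agent";`, while the entry that closes just above them in this hunk uses `"buildkite-agents"`. The group definition is not visible here, but if only one of these names exists, the `0440` files either fail to get their group assigned or become readable by a different set of accounts than intended. If the plural is the real group, both entries should read `group = "buildkite-agents";`. Because `gerrit-besadii-config` decrypts the same `besadii` file, a comment above it would help, e.g. `# Same payload as buildkite-besadii-config; declared twice because an agenix entry has a single owner/group.`, since this presumably gives the `git` user and the agents the full credential set. The surrounding attribute set starts and ends outside the hunk.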


@ -5,7 +5,7 @@ let
cfg = config.services.gerrit;
besadiiWithConfig = name: pkgs.writeShellScript "besadii-whitby" ''
export BESADII_CONFIG=/etc/secrets/besadii.json
export BESADII_CONFIG=/run/agenix/gerrit-besadii-config
exec -a ${name} ${depot.ops.besadii}/bin/besadii "$@"
'';
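Review bot: The wrapper hard-codes `/run/agenix/gerrit-besadii-config` instead of taking the path from the secret declaration, so renaming the secret or changing the agenix secrets directory would only surface at runtime, when besadii fails to read its credentials. Assuming the agenix module is imported on this host, `export BESADII_CONFIG=${config.age.secrets.gerrit-besadii-config.path}` would turn that mismatch into an evaluation error; `config` is already in scope via `cfg = config.services.gerrit;`. The same applies to the `/run/agenix/buildkite-besadii-config` line in the Buildkite agent module's wrapper. The `let` block continues outside the hunk.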


@ -7,7 +7,7 @@ let
description = "Buildkite agents for TVL";
besadiiWithConfig = name: pkgs.writeShellScript "besadii-whitby" ''
export BESADII_CONFIG=/etc/secrets/besadii.json
export BESADII_CONFIG=/run/agenix/buildkite-besadii-config
exec -a ${name} ${depot.ops.besadii}/bin/besadii "$@"
'';


@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 dcsaLw xzwSc5FlU9NrAyQhMXigihf3oEE2yA8nZfpP3U1co1k
+nUTx+ppxHIgKs9RG0mhWG3a7OkbelZDNDiXabGIMrc
-> ssh-ed25519 OkGqLg lTCF8xm2+wljZs6PyUeB6ySD9TEEAfQdbW3qIuat4gE
THlu4VhAm5FKLYvc6ad6lFnlssVJsPiGqucSVF949vM
-> 62T-grease 7 RH''g X
4zRtTUAapv8
--- d8zm0fuBJSw1oZmpsIAJ66YqkS3y/UBQzd/A2/8u17g
i'©`äô/”¼í<C3AD>Ë(ºqÐciY”fÒœñ"€„¹+ás<C3A1>™ªÙ0XÌ; ¼™3šÓ„<C393>K?d%;vŽ[¨Æ


@ -14,6 +14,7 @@ let
in {
"besadii.age" = default;
"buildkite-agent-token.age" = default;
"buildkite-graphql-token.age" = default;
"clbot-ssh.age" = default;
"clbot.age" = default;
"gerrit-queue.age" = default;