diff --git a/users/grfn/secrets/secrets.nix b/users/grfn/secrets/secrets.nix index 448dbba1f..5bfb1c3eb 100644 --- a/users/grfn/secrets/secrets.nix +++ b/users/grfn/secrets/secrets.nix @@ -11,4 +11,5 @@ in "ddclient-password.age".publicKeys = [ grfn mugwump ]; "buildkite-ssh-key.age".publicKeys = [ grfn mugwump ogopogo ]; "buildkite-token.age".publicKeys = [ grfn mugwump ogopogo ]; + "windtunnel-bot-github-token.age".publicKeys = [ grfn mugwump ogopogo ]; } diff --git a/users/grfn/secrets/windtunnel-bot-github-token.age b/users/grfn/secrets/windtunnel-bot-github-token.age new file mode 100644 index 000000000..daae99958 --- /dev/null +++ b/users/grfn/secrets/windtunnel-bot-github-token.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 CpJBgQ YaZ2VHyXofn2qnxRrOYO4yPPu77BEPFq/cbnfa+5WAA +VgJQoyJVxirvASD0aDsuzmbNJdIP0kpHa5b72Ri7kr8 +-> ssh-ed25519 LfBFbQ cXXW3kQzZL7sU4heujIJGzvfpbX0toL2AgsJl5AZPEg +mhkKn69c/QeCJhYAFgx/MsHrIrXim3OcjkZ/rrckVLs +-> ssh-ed25519 GeE7sQ /XcP3pWg+aKF1F0sPu6RpYv3Rfj2J/QI0yjg3Wgfjm0 +d+rsgbMlDJx0VrjD4/nO4UcM10hcrLxcPA3QlY1t7sQ +-> "0?-grease k}d?h6 |v +7mV6AFUdCMCrkmLVQaWJPQ +--- I9Ls9AWMkSFCKw7y4pLoTkeGw7h5iROwXLuUm0nfuj8 +~‚v‰8‚&‚ü£¹3\²Òý.»%$¼›Éº°³tòóˆØQ©ˆÀ¨á”Åé¼Íœ}ˆ—ó,BEÇh w96”çö?ÓU \ No newline at end of file diff --git a/users/grfn/system/system/machines/mugwump.nix b/users/grfn/system/system/machines/mugwump.nix index 5b3cf1204..3d4de5df1 100644 --- a/users/grfn/system/system/machines/mugwump.nix +++ b/users/grfn/system/system/machines/mugwump.nix @@ -96,6 +96,12 @@ with lib; group = "keys"; mode = "0440"; }; + + windtunnel-bot-github-token = { + file = secret "windtunnel-bot-github-token"; + group = "keys"; + mode = "0440"; + }; }; services.fail2ban = { @@ -295,6 +301,6 @@ with lib; users.users."buildkite-agent-mugwump-1" = { isSystemUser = true; - extraGroups = [ "docker" ]; + extraGroups = [ "docker" "keys" ]; }; }
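Review bot: `ogopogo` is listed as a recipient for `windtunnel-bot-github-token.age` in secrets.nix, but the only consumer visible in this commit is the secret entry added to mugwump.nix. Each recipient is another host key that can decrypt the GitHub token, so if ogopogo does not deploy it the line could be narrowed to `"windtunnel-bot-github-token.age".publicKeys = [ grfn mugwump ];`. The list mirrors the two buildkite entries above it, so this may be intentional; a short comment saying which machines consume the token would make that clear.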
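Review bot: The new `windtunnel-bot-github-token` entry in mugwump.nix is readable by the whole `keys` group (`group = "keys"; mode = "0440";`), and the last hunk adds `keys` to the `extraGroups` of `buildkite-agent-mugwump-1` so the agent can reach it. That membership also gives the agent, and presumably any CI job running as it, read access to every other `keys`-group secret on the host, including the entry just above the new one in the same hunk. If only the agent needs this token, consider `owner = "buildkite-agent-mugwump-1"; mode = "0400";` on the secret and leaving `extraGroups = [ "docker" ];` unchanged, assuming the secrets module in use accepts `owner` as agenix does. The enclosing attribute sets begin outside both hunks, so other consumers of the `keys` group are not visible here.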