refactor(ops/whitby): Move Gerrit secrets into agenix

Gerrit has OAuth2 and email related secrets which now live in agenix
instead of a random file on disk.

Change-Id: I6220fbb7a2e2ec0102a900b4bcf6150b8b4d32ef
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4612
Tested-by: BuildkiteCI
Autosubmit: tazjin <mail@tazj.in>
Reviewed-by: lukegb <lukegb@tvl.fyi>

ops/machines/whitby/default.nix

@@ -239,6 +239,13 @@ in {
         owner = "git";
       };
 
+      gerrit-secrets = {
+        file = secretFile "gerrit-secrets";
+        path = "/var/lib/gerrit/etc/secure.config";
+        owner = "git";
+        mode = "0400";
+      };
+
       clbot-ssh = {
         file = secretFile "clbot-ssh";
         owner = "clbot";

ops/secrets/gerrit-secrets.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw Bw9waqFGuEfRZ+T4Tal4zD/qeKXmbzeHKq1DedTJawU
+9F/yABuX8Z4gv0LIJK1hFpoWEuYbVDGeH7CczxHcGO4
+-> ssh-ed25519 CpJBgQ DMfduPdf94CtostSTGvf96fSpqfkG8+3XIwq9GZyy24
+DJhILoNXS3neZT1o0PMmnidAaHJqXc58B7OzsLim4Hw
+-> ssh-ed25519 aXKGcg OWb2IzlRgzVYa2UJTsaAYc438NZ+caXze1ZjUGwnDAA
+Cm2ldnOJEJXjD7yHV179v63cdASRmog7p6a/20SkOLY
+-> ssh-ed25519 OkGqLg 9YZDxC3bXKhlMd8glsou1o906htYA2HLx2NQnL4IMnE
+v+G4u38p7fc9yZoLvT3xnnUO1qEKrVpvS86d7NlrqfQ
+-> &ra-grease Cm_tn }E 4X=NQ
+P8JOzsAd/9LKrfFmhQOUkfMVuDxNTG1fKh+6OMelYOTVx01HrG4Ef6BP0+/MFYbD
+wgaooG5RXHhtDOp7zQA
+--- 7f+r07jnglWxYdKKU7A78xcdkljUCXy77Z1MhLs6lN4
+†ZTárĚ’ęjP{ý’u\é,\šž¦u©sŢ‚Ŕsîu<C3AE>:`®şŁ(Ď@~Qř,ź]¤šT J¦âëĺǵ7ö îíŔŔrkŘ#[ÖłüPX'rČăS€şl­ij|x›BĘë^Ŕ0fF@<ę<>úđ'Ýr§?ÜËţĄzl[Şĺ‡p"yŢ6†vBM
+D‘vô|v׺´ĆC‰zđ™t?lŠjl™†dšąű>Š:Q'ŹVąÖ÷a…©eąBŹ<42>…'p±˘J¶)-±6#gj<67>Ď

ops/secrets/secrets.nix

@@ -22,6 +22,7 @@ in {
   "clbot-ssh.age" = default;
   "clbot.age" = default;
   "gerrit-queue.age" = default;
+  "gerrit-secrets.age" = default;
   "grafana.age" = default;
   "irccat.age" = default;
   "keycloak-db.age" = default;