about summary refs log tree commit diff
diff options
context:
space:
mode:
authorVincent Ambo <mail@tazj.in>2021-12-09T13·53+0300
committerVincent Ambo <mail@tazj.in>2021-12-10T07·32+0300
commit496d8994287f27f93f08ac847e430a6f2dfc94bd (patch)
tree1bc4215f1b0f36b1d5af3e222bc69c305777af69
parent4870b1a2ff8cec7f7e0ce9be1cb25e0ba463e3d3 (diff)
feat(ops/secrets): Configure secrets for gerrit-queue r/3173
Adds a systemd EnvironmentFile secret that contains the Gerrit
username & password for gerrit-queue.

Change-Id: I25acf87764c26774045138402b8a417b6813ee8f
-rw-r--r--ops/machines/whitby/default.nix6
-rw-r--r--ops/secrets/gerrit-queue.age9
-rw-r--r--ops/secrets/secrets.nix1
3 files changed, 16 insertions, 0 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 78945a74174b..82b3bc37cf4a 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -40,6 +40,7 @@ in {
     "${depot.path}/ops/modules/www/tvl.fyi.nix"
     "${depot.path}/ops/modules/www/tvl.su.nix"
     "${depot.path}/ops/modules/www/wigglydonke.rs.nix"
+    "${depot.third_party.agenix.src}/modules/age.nix"
     "${pkgs.path}/nixos/modules/services/web-apps/gerrit.nix"
   ];
 
@@ -201,6 +202,11 @@ in {
     challengeResponseAuthentication = false;
   };
 
+  # Configure secrets for services that need them.
+  age.secrets = {
+    gerrit-queue.file = depot.path.origSrc + "/ops/secrets/gerrit-queue.age";
+  };
+
   # Automatically collect garbage from the Nix store.
   services.depot.automatic-gc = {
     enable = true;
diff --git a/ops/secrets/gerrit-queue.age b/ops/secrets/gerrit-queue.age
new file mode 100644
index 000000000000..c4b102ffd51d
--- /dev/null
+++ b/ops/secrets/gerrit-queue.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw XuDxJkTX3Tq8PRoHq29hYz/Qcz2uvud00BW5F8QvA0w
+zxl5HgqvDoB5WwB5NDCcuq0/hD2hDP0vIEJ6rs8hM9Y
+-> ssh-ed25519 OkGqLg K5Hsabm/iPD9tgNre6p6kbMnlnxmXi1ogG2+BdWX/BQ
+QCmy7rhSmkdmj50twwlqrtp7t0nfhRPVlC7Z79P64hY
+-> b-grease ouC0Z%'v Sx lOZ]`8 H
+XQjxJlepFUehbRQ
+--- NAKvcgfnmSJDWoG37cUVJ/uOcsYsie4QDeqKsVrSEME
+aq8PԷ4*0?A
KI|x^:^`[e&}y6oA4Wy/P=;d
N>U4[~uΘA>k}/8iFUݢ)oQfb!)j~5	[y`iJ
\ No newline at end of file
diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix
index 1cf2b5e44a50..390c91129bf3 100644
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@@ -9,4 +9,5 @@ let
   default.publicKeys = tazjin ++ [ whitby ];
 in {
   "besadii.age" = default;
+  "gerrit-queue.age" = default;
 }