diff options
author | Vincent Ambo <mail@tazj.in> | 2021-12-10T06·58+0300 |
---|---|---|
committer | Vincent Ambo <mail@tazj.in> | 2021-12-10T07·32+0300 |
commit | 78744c00f5df97d45b2c1b865cf8756edec0c5a3 (patch) | |
tree | 791368a0cdd21400dbda9f202be21a697dfb1afe | |
parent | 496d8994287f27f93f08ac847e430a6f2dfc94bd (diff) |
refactor(ops): Move clbot secret into agenix r/3174
Relates to b/161 Change-Id: I7badf22ff93bb4e8b06e4dd4a8bf880b0bd48f09
-rw-r--r-- | ops/machines/whitby/default.nix | 10 | ||||
-rw-r--r-- | ops/modules/clbot.nix | 8 | ||||
-rw-r--r-- | ops/secrets/clbot.age | 10 | ||||
-rw-r--r-- | ops/secrets/secrets.nix | 1 |
4 files changed, 25 insertions, 4 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix index 82b3bc37cf4a..1f146c923ebb 100644 --- a/ops/machines/whitby/default.nix +++ b/ops/machines/whitby/default.nix @@ -203,9 +203,13 @@ in { }; # Configure secrets for services that need them. - age.secrets = { - gerrit-queue.file = depot.path.origSrc + "/ops/secrets/gerrit-queue.age"; - }; + age.secrets = + let + secretFile = name: "${depot.path.origSrc}/ops/secrets/${name}.age"; + in { + clbot.file = secretFile "clbot"; + gerrit-queue.file = secretFile "gerrit-queue"; + }; # Automatically collect garbage from the Nix store. services.depot.automatic-gc = { diff --git a/ops/modules/clbot.nix b/ops/modules/clbot.nix index 71ff2fbc3288..ef4c2ab23795 100644 --- a/ops/modules/clbot.nix +++ b/ops/modules/clbot.nix @@ -37,7 +37,7 @@ let serviceConfig = { User = "clbot"; - EnvironmentFile = "/etc/secrets/clbot"; + EnvironmentFile = cfg.secretsFile; Restart = "always"; }; }; @@ -55,6 +55,12 @@ in { type = with types; listOf str; description = "Channels in which to post (generates one unit per channel)"; }; + + secretsFile = mkOption { + type = types.str; + description = "EnvironmentFile from which to load secrets"; + default = "/run/agenix/clbot"; + }; }; config = mkIf cfg.enable { diff --git a/ops/secrets/clbot.age b/ops/secrets/clbot.age new file mode 100644 index 000000000000..a7378ee0ad46 --- /dev/null +++ b/ops/secrets/clbot.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 dcsaLw C9pIPqWBPvZXOoR1UfOXyrdpLOXNeYKhJ2gMZsskwAs +brPt1M5Qctpbhb/uWvZgvBQSCI9ZXdtT+5YUM45fGhg +-> ssh-ed25519 OkGqLg M32cq8ZL03DHvPs+Virh1D2NnGahOet2BwmxRzonYw0 +sr8bU7EQeta01VG1vmy6blon6bEEpZtbZVhtgNbsS8o +-> 9!s-grease 'MtvzqH] O3mD + W,i<Q+ +oQjwvQE2RFj3vSgU3yxmRqX2hMxBU2yS3X8uzJ8 +--- 3mNJwPxtEqcJ2Bj93u0ljorCdidA7geojpQrFWP5pLc +VJEpᆅ8 +S݈m(lT Jc:oHmȅCۜQ1pufT \ No newline at end of file diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix index 390c91129bf3..ef359cd1cd1b 100644 --- a/ops/secrets/secrets.nix +++ b/ops/secrets/secrets.nix @@ -10,4 +10,5 @@ let in { "besadii.age" = default; "gerrit-queue.age" = default; + "clbot.age" = default; } |