authorVincent Ambo <mail@tazj.in>2021-12-10T06·58+0300
committerVincent Ambo <mail@tazj.in>2021-12-10T07·32+0300
commit78744c00f5df97d45b2c1b865cf8756edec0c5a3 (patch)
tree791368a0cdd21400dbda9f202be21a697dfb1afe
parent496d8994287f27f93f08ac847e430a6f2dfc94bd (diff)
refactor(ops): Move clbot secret into agenix r/3174
Relates to b/161

Change-Id: I7badf22ff93bb4e8b06e4dd4a8bf880b0bd48f09
-rw-r--r--ops/machines/whitby/default.nix10
-rw-r--r--ops/modules/clbot.nix8
-rw-r--r--ops/secrets/clbot.age10
-rw-r--r--ops/secrets/secrets.nix1
4 files changed, 25 insertions, 4 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 82b3bc37cf4a..1f146c923ebb 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -203,9 +203,13 @@ in {
   };
 
   # Configure secrets for services that need them.
-  age.secrets = {
-    gerrit-queue.file = depot.path.origSrc + "/ops/secrets/gerrit-queue.age";
-  };
+  age.secrets =
+    let
+      secretFile = name: "${depot.path.origSrc}/ops/secrets/${name}.age";
+    in {
+      clbot.file = secretFile "clbot";
+      gerrit-queue.file = secretFile "gerrit-queue";
+    };
 
   # Automatically collect garbage from the Nix store.
   services.depot.automatic-gc = {
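Review bot: The new `secretFile` helper interpolates `depot.path.origSrc` into a string, where the removed line used `depot.path.origSrc + "/ops/secrets/gerrit-queue.age"`. If `origSrc` is a Nix path value (its definition is not visible in this hunk), the interpolation copies the whole unfiltered source tree into the world-readable store and yields a store-path string, whereas `+` keeps a path that imports only the single `.age` file. Keeping the path form avoids that: `secretFile = name: depot.path.origSrc + "/ops/secrets/${name}.age";`. The enclosing attribute set starts and ends outside the hunk.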
diff --git a/ops/modules/clbot.nix b/ops/modules/clbot.nix
index 71ff2fbc3288..ef4c2ab23795 100644
--- a/ops/modules/clbot.nix
+++ b/ops/modules/clbot.nix
@@ -37,7 +37,7 @@ let
 
       serviceConfig = {
         User = "clbot";
-        EnvironmentFile = "/etc/secrets/clbot";
+        EnvironmentFile = cfg.secretsFile;
         Restart = "always";
       };
     };
@@ -55,6 +55,12 @@ in {
       type = with types; listOf str;
       description = "Channels in which to post (generates one unit per channel)";
     };
+
+    secretsFile = mkOption {
+      type = types.str;
+      description = "EnvironmentFile from which to load secrets";
+      default = "/run/agenix/clbot";
+    };
   };
 
   config = mkIf cfg.enable {
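Review bot: The description of the new `secretsFile` option does not say that the path must be a runtime location outside the Nix store. A value built by interpolating a path literal would still type-check as `types.str` and would place the plaintext secrets in the world-readable store. I would extend it to `description = "Path to an EnvironmentFile holding the secrets; must be a runtime path outside the Nix store (e.g. an agenix-decrypted file)";`. The default also hard-codes `/run/agenix/clbot`, which presumably mirrors agenix's secrets directory and the `clbot` secret name declared in the whitby config, so the two have to be kept in sync by hand. The options block starts outside the hunk.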
diff --git a/ops/secrets/clbot.age b/ops/secrets/clbot.age
new file mode 100644
index 000000000000..a7378ee0ad46
--- /dev/null
+++ b/ops/secrets/clbot.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw C9pIPqWBPvZXOoR1UfOXyrdpLOXNeYKhJ2gMZsskwAs
+brPt1M5Qctpbhb/uWvZgvBQSCI9ZXdtT+5YUM45fGhg
+-> ssh-ed25519 OkGqLg M32cq8ZL03DHvPs+Virh1D2NnGahOet2BwmxRzonYw0
+sr8bU7EQeta01VG1vmy6blon6bEEpZtbZVhtgNbsS8o
+-> 9!s-grease 'MtvzqH] O3mD + W,i<Q+
+oQjwvQE2RFj3vSgU3yxmRqX2hMxBU2yS3X8uzJ8
+--- 3mNJwPxtEqcJ2Bj93u0ljorCdidA7geojpQrFWP5pLc
+���VJ�E�p��ᆅ��8
+�S݈�m(�lT���	Jc:oHmȅ���Cۜ����Q��1�p��u���f��T
\ No newline at end of file
diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix
index 390c91129bf3..ef359cd1cd1b 100644
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@@ -10,4 +10,5 @@ let
 in {
   "besadii.age" = default;
   "gerrit-queue.age" = default;
+  "clbot.age" = default;
 }