authorGriffin Smith <grfn@gws.fyi>2022-01-20T14·28-0500
committergrfn <grfn@gws.fyi>2022-01-20T14·32+0000
commit7873806218f3ca06ad599cf1693848db6599415c (patch)
tree502c9adf3fed7ef197dca2112eadbf7bd56df321
parent8b63e0f8ce92328c6809490dcce9432d724a80fb (diff)
refactor(grfn/mugwump): Move buildkite secrets into age r/3647
Use agenix for the buildkite ssh key and agent token on mugwump, instead
of storing them in /etc/secrets

Change-Id: I56951587b949fc0854e56f5c4e33b601e9cd964e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5027
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI
-rw-r--r--users/grfn/secrets/buildkite-ssh-key.agebin0 -> 3853 bytes
-rw-r--r--users/grfn/secrets/buildkite-token.age12
-rw-r--r--users/grfn/secrets/secrets.nix2
-rw-r--r--users/grfn/system/system/machines/mugwump.nix18
4 files changed, 30 insertions, 2 deletions
diff --git a/users/grfn/secrets/buildkite-ssh-key.age b/users/grfn/secrets/buildkite-ssh-key.age
new file mode 100644
index 0000000000..0ae5aa5502
--- /dev/null
+++ b/users/grfn/secrets/buildkite-ssh-key.age
Binary files differ
diff --git a/users/grfn/secrets/buildkite-token.age b/users/grfn/secrets/buildkite-token.age
new file mode 100644
index 0000000000..9e9e370f1b
--- /dev/null
+++ b/users/grfn/secrets/buildkite-token.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 CpJBgQ tz7tudrJYQw2Ftnk7iNbSd/De2UJ0GAafFJjPwUo8xM
+bUBNO94Pjf79FErPxv92XnpXWFEgethREU+/U+xjWBc
+-> ssh-ed25519 LfBFbQ yPjXk6XlJoGyVaCWMcPzfNXzb1cBNZhjYy+wsQtMhTI
+qk6hZMl1oeKLniGb/bKIxSb6ocVRCQsmQPcwxnlYfno
+-> \'q-grease
+nYvpKokvFbVXfATzlQ7SPQa9Gw99E84SPRFdR7ey+HSCB705Q9uYwBpr9hjpiIod
+9PJIi88ENWf9/XAmm2d7daE+YPRYhln4U6w
+--- EuyCLA6GvtbGI+EoC1z2dbpfyxo4ebXX1nY+9rsgUVY
+[hΩЪ`1?NC@uBl8*ՈsZ~PА?8
+
+O~{G}0q.AW
\ No newline at end of file
diff --git a/users/grfn/secrets/secrets.nix b/users/grfn/secrets/secrets.nix
index 557f2a70f1..986ad181b8 100644
--- a/users/grfn/secrets/secrets.nix
+++ b/users/grfn/secrets/secrets.nix
@@ -8,4 +8,6 @@ in
   "bbbg.age".publicKeys = [ grfn mugwump bbbg ];
   "cloudflare.age".publicKeys = [ grfn mugwump ];
   "ddclient-password.age".publicKeys = [ grfn mugwump ];
+  "buildkite-ssh-key.age".publicKeys = [ grfn mugwump ];
+  "buildkite-token.age".publicKeys = [ grfn mugwump ];
 }
diff --git a/users/grfn/system/system/machines/mugwump.nix b/users/grfn/system/system/machines/mugwump.nix
index a9f8769725..7de6555878 100644
--- a/users/grfn/system/system/machines/mugwump.nix
+++ b/users/grfn/system/system/machines/mugwump.nix
@@ -72,6 +72,18 @@ with lib;
     bbbg.file = secret "bbbg";
     cloudflare.file = secret "cloudflare";
     ddclient-password.file = secret "ddclient-password";
+
+    buildkite-ssh-key = {
+      file = secret "buildkite-ssh-key";
+      group = "keys";
+      mode = "0440";
+    };
+
+    buildkite-token = {
+      file = secret "buildkite-token";
+      group = "keys";
+      mode = "0440";
+    };
   };
 
   services.depot.auto-deploy = {
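Review bot: The two new `age.secrets` entries make the files readable only by `group = "keys"` with `mode = "0440"`, but nothing in this hunk adds the buildkite-agent service user to the `keys` group, so unless that membership is declared elsewhere the agent will be unable to open either file. If the intent is group-based access I would state it above the block, e.g. `# readable by the buildkite-agent units via the "keys" group; the agent users must carry it in extraGroups`, and otherwise use agenix's `owner` option to hand the file to the agent user directly. This is inferred from the visible lines only; the user definitions are outside the hunk. The enclosing `age.secrets` attribute set begins outside the hunk.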
@@ -142,6 +154,8 @@ with lib;
     quiet = true;
   };
 
+  systemd.services.ddclient.serviceConfig.DynamicUser = lib.mkForce false;
+
   security.acme.certs."metrics.gws.fyi" = {
     dnsProvider = "cloudflare";
     credentialsFile = "/run/agenix/cloudflare";
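Review bot: `systemd.services.ddclient.serviceConfig.DynamicUser = lib.mkForce false;` is undocumented and unrelated to the commit message, so a later reader cannot tell why the unit's sandboxing is being relaxed. Presumably a static user is needed so it can be placed in the `keys` group to read its agenix secret, but that is inferred rather than shown here. I would add `# ddclient needs a static user that can be given group access to its agenix secret; DynamicUser prevents that` above the line. If secret access is indeed the reason, `LoadCredential=` would keep DynamicUser enabled while still exposing the file to the service.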
@@ -247,8 +261,8 @@ with lib;
     value = {
       inherit name;
       enable = true;
-      tokenPath = "/etc/secrets/buildkite-agent-token";
-      privateSshKeyPath = "/etc/secrets/buildkite-ssh-key";
+      tokenPath = "/run/agenix/buildkite-agent-token";
+      privateSshKeyPath = "/run/agenix/buildkite-ssh-key";
       runtimePackages = with pkgs; [
         docker
         nix
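Review bot: `tokenPath` points at /run/agenix/buildkite-agent-token, but the secret this commit declares in both `secrets.nix` and the `age.secrets` block is named `buildkite-token`, and agenix places a secret at /run/agenix/<name> unless its `path` option is overridden, which this diff does not do. As written the agent would start with a missing token file. Either rename the secret to `buildkite-agent-token` or change this line to `tokenPath = "/run/agenix/buildkite-token";`. The enclosing attribute set starts and ends outside the hunk.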