authorVincent Ambo <mail@tazj.in>2022-05-25T16·17+0200
committertazjin <tazjin@tvl.su>2022-05-25T23·53+0000
commite3a31b702a18423c825dc647211b2ae586ca8333 (patch)
tree16fcbae2b146fa632f9c5d95c3300065c8d8987b
parent77f096771dc948db20c8aa9f01d3843cd0eccb0a (diff)
feat(whitby): Deploy private SSH key for build agents r/4118
Change-Id: I5b1dfaaf28e835cac5b897e18b015d90ac3b2857
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5665
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
-rw-r--r--ops/machines/whitby/default.nix6
-rw-r--r--ops/modules/tvl-buildkite.nix1
2 files changed, 7 insertions, 0 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 7518e67179..2078d86491 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -248,6 +248,12 @@ in
         group = "buildkite-agents";
       };
 
+      buildkite-private-key = {
+        file = secretFile "buildkite-ssh-private-key";
+        mode = "0440";
+        group = "buildkite-agents";
+      };
+
       gerrit-besadii-config = {
         file = secretFile "besadii";
         owner = "git";
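Review bot: The new `buildkite-private-key` entry is group-readable (`mode = "0440"`, `group = "buildkite-agents"`) and sets no `owner`, so every process running as a member of that group can read the SSH private key. That presumably includes the build steps the agents execute. Nothing in the hunk records what the key grants access to, so a later reader cannot tell how much a leaked copy would expose. I would add a comment above the entry such as `# SSH key for build agents; readable by all of buildkite-agents, so keep its remote permissions limited to what CI needs.` and confirm the key is dedicated to CI rather than shared with another identity. The surrounding secrets attribute set starts and ends outside this hunk.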
diff --git a/ops/modules/tvl-buildkite.nix b/ops/modules/tvl-buildkite.nix
index c38687f80f..4341ef01d7 100644
--- a/ops/modules/tvl-buildkite.nix
+++ b/ops/modules/tvl-buildkite.nix
@@ -41,6 +41,7 @@ in
           inherit name;
           enable = true;
           tokenPath = config.age.secretsDir + "/buildkite-agent-token";
+          privateSshKeyPath = config.age.secretsDir + "/buildkite-private-key";
           hooks.post-command = "${buildkiteHooks}/bin/post-command";
 
           runtimePackages = with pkgs; [
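Review bot: The added `privateSshKeyPath` line builds the path by string concatenation with the secret name, so this shared module depends on a secret that the commit declares only in the whitby machine config. A host that imports the module without defining `buildkite-private-key` would still evaluate and would presumably fail only when the agent starts. Assuming the agenix per-secret `path` option is available here, `privateSshKeyPath = config.age.secrets.buildkite-private-key.path;` would turn a missing declaration into an evaluation error. The existing `tokenPath` line follows the same concatenation pattern and could be changed alongside it. The agent attribute set starts and ends outside this hunk.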