author | Vincent Ambo <mail@tazj.in> | 2021-12-12T08·14+0300 |
---|---|---|
committer | Vincent Ambo <mail@tazj.in> | 2021-12-12T08·19+0300 |
commit | 3a410a78df98fbace3fb3d6c6a570058a2758811 (patch) | |
tree | 0c12cf7c834a5061fd0e0319d3c0a4b75bb5f915 /ops/machines | |
parent | 8cbb42006a23b1b5295fb48a5115cc35b8f2224a (diff) |
feat(ops/secrets): Make (encrypted) secrets part of the tree r/3209
Currently in NixOS configuration using agenix secrets there is no build time validation of secret paths - things fail at runtime (system activation).

To prevent that, this CL makes the secrets part of the tree based on the same configuration file used by agenix itself.

This guards against:

* agenix secrets.nix definition for a non-existent file
* age.secrets value in a NixOS config for a non-existent secret

Change-Id: I5b191dcbd5b2522566ff7c38f8a988bbf7679364
Diffstat (limited to 'ops/machines')
-rw-r--r-- | ops/machines/whitby/default.nix | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix index 3a41e1442c4c..f0e934c635d1 100644 --- a/ops/machines/whitby/default.nix +++ b/ops/machines/whitby/default.nix @@ -205,7 +205,7 @@ in { # Configure secrets for services that need them. age.secrets = let - secretFile = name: "${depot.path.origSrc}/ops/secrets/${name}.age"; + secretFile = name: depot.ops.secrets."${name}.age"; in { clbot.file = secretFile "clbot"; gerrit-queue.file = secretFile "gerrit-queue"; |
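Review bot: The replaced `secretFile` binding carries no comment saying that the attribute lookup is now the build-time check. `depot.ops.secrets."${name}.age"` fails evaluation when the attribute is missing, whereas the old string interpolation always evaluated and, per the commit message, only failed at system activation. A one-line comment above the `let` would tell the next editor that this is intentional and that a new entry such as `clbot.file` needs its secret listed in the agenix secrets.nix first. The definition of `depot.ops.secrets` is outside this diffstat (limited to 'ops/machines'), so it is worth confirming in the rest of the change that each attribute evaluates to something the `file` option accepts, since the value is no longer a plain string built from `depot.path.origSrc`.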