author | Vincent Ambo <mail@tazj.in> | 2021-12-10T18·23+0300 |
---|---|---|
committer | tazjin <mail@tazj.in> | 2021-12-10T19·48+0000 |
commit | 2fe8d724d7cbc86c68c62ed6233e7b982566ad4d (patch) | |
tree | 9e2384047122267f4896002d4d8bfdbd206ed009 /ops/machines | |
parent | 82a885a750cfe3bdf282a19a37f91842f374b24c (diff) |
refactor(ops): Move Nix cache secret to agenix r/3199
... and also the public key, just to keep the distribution mechanism the same. Change-Id: Ief14daf9344c0fb99eeb5789c1ec9bfb1f12bee0
Diffstat (limited to 'ops/machines')
-rw-r--r-- | ops/machines/whitby/default.nix | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 572417fea695..129a1a766772 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -173,7 +173,7 @@ in {
 nrBuildUsers = 256;
 maxJobs = lib.mkDefault 64;
 extraOptions = ''
- secret-key-files = /etc/secrets/nix-cache-privkey
+ secret-key-files = /run/agenix/nix-cache-priv
 '';
 trustedUsers = [
@@ -212,6 +212,7 @@ in {
 grafana.file = secretFile "grafana";
 irccat.file = secretFile "irccat";
 owothia.file = secretFile "owothia";
+ nix-cache-priv.file = secretFile "nix-cache-priv";
 buildkite-agent-token = {
 file = secretFile "buildkite-agent-token";
@@ -240,6 +241,12 @@ in {
 file = secretFile "clbot-ssh";
 owner = "clbot";
 };
+
+ # Not actually a secret
+ nix-cache-pub = {
+ file = secretFile "nix-cache-pub";
+ mode = "0444";
+ };
 };
 # Automatically collect garbage from the Nix store.
@@ -419,7 +426,7 @@ in {
 services.nix-serve = {
 enable = true;
 port = 6443;
- secretKeyFile = "/etc/secrets/nix-cache-key.sec";
+ secretKeyFile = "/run/agenix/nix-cache-priv";
 bindAddress = "localhost";
 }; |
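Review bot: The runtime path `/run/agenix/nix-cache-priv` is written as a literal inside `extraOptions`, and again in `services.nix-serve.secretKeyFile` in the last hunk, so both consumers break silently if the secret is renamed or agenix's secrets directory changes. Deriving the path from the declaration keeps them tied to it: `secret-key-files = ${config.age.secrets.nix-cache-priv.path}` here and `secretKeyFile = config.age.secrets.nix-cache-priv.path;` for nix-serve. This assumes `config` is in scope in this module, which the hunk does not show. The enclosing attribute set starts and ends outside the hunk.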
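Review bot: `nix-cache-priv` is declared with only `file`, so it takes agenix's default owner and mode (root-only unless overridden), yet the last hunk points `services.nix-serve.secretKeyFile` at the same path. If the nix-serve unit opens the key as its own unprivileged user rather than receiving it through a systemd credential, signing will fail after deploy; the hunk does not show which applies, so this should be confirmed on whitby. Should access need widening, keep it narrow with the attrset form already used for `clbot-ssh` (explicit `owner`/`group`) rather than a looser `mode`, and add a comment such as `# Cache signing key; read by nix-daemon (root) and nix-serve.`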
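Review bot: The comment `# Not actually a secret` does not say why a public key goes through agenix or why it is world-readable, which is what a reader auditing `mode` overrides in this set will want to know. Suggest `# Public half of the cache signing key: not secret, but distributed via agenix alongside the private half, hence mode 0444.` The enclosing secrets attribute set opens outside the hunk.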
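Review bot: Before this change nix-serve read `/etc/secrets/nix-cache-key.sec` while the daemon read `/etc/secrets/nix-cache-privkey` (first hunk); both now read one agenix file, and nothing visible in the commit shows that the two old files held the same key. If they differed, paths signed by one of the two consumers will carry a different signature after deploy and clients trusting only the old public key would reject them, so the commit message or a comment should record which key was kept. The plaintext copies under `/etc/secrets` are presumably managed by hand and would stay on disk until removed; a line such as `# TODO: remove /etc/secrets/nix-cache-* from whitby after deploy` would track that cleanup.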