authorVincent Ambo <mail@tazj.in>2021-12-10T18·23+0300
committertazjin <mail@tazj.in>2021-12-10T19·48+0000
commit2fe8d724d7cbc86c68c62ed6233e7b982566ad4d (patch)
tree9e2384047122267f4896002d4d8bfdbd206ed009 /ops/machines
parent82a885a750cfe3bdf282a19a37f91842f374b24c (diff)
refactor(ops): Move Nix cache secret to agenix r/3199
... and also the public key, just to keep the distribution mechanism
the same.

Change-Id: Ief14daf9344c0fb99eeb5789c1ec9bfb1f12bee0
Diffstat (limited to 'ops/machines')
-rw-r--r--ops/machines/whitby/default.nix11
1 files changed, 9 insertions, 2 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 572417fea695..129a1a766772 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -173,7 +173,7 @@ in {
     nrBuildUsers = 256;
     maxJobs = lib.mkDefault 64;
     extraOptions = ''
-      secret-key-files = /etc/secrets/nix-cache-privkey
+      secret-key-files = /run/agenix/nix-cache-priv
     '';
 
     trustedUsers = [
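Review bot: Nothing at the `secret-key-files` line says that the path is now an agenix-managed file, or that the last hunk points `services.nix-serve.secretKeyFile` at the same key. The removed lines named two different files (`/etc/secrets/nix-cache-privkey` and `/etc/secrets/nix-cache-key.sec`). If those held different keys, clients that trust the old nix-serve public key would presumably reject the new signatures, so confirm this before rollout. The old plaintext copies under `/etc/secrets` are not managed by this config and will stay on the host until removed by hand. A comment above the `extraOptions` block (which opens inside this hunk but belongs to an attrset that starts outside it) would record this, e.g. `# Signing key decrypted by agenix (nix-cache-priv); also used by nix-serve below.`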
@@ -212,6 +212,7 @@ in {
       grafana.file = secretFile "grafana";
       irccat.file = secretFile "irccat";
       owothia.file = secretFile "owothia";
+      nix-cache-priv.file = secretFile "nix-cache-priv";
 
       buildkite-agent-token = {
         file = secretFile "buildkite-agent-token";
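Review bot: The new `nix-cache-priv.file` entry sets no `owner`, unlike `clbot-ssh` in the next hunk, so the decrypted key gets agenix's defaults (owned by root, mode 0400). The nix daemon reads `secret-key-files` as root and is unaffected, but the last hunk also passes this path to `services.nix-serve.secretKeyFile`. If the nix-serve unit runs as its own unprivileged user on this NixOS release, it cannot open the file and will fail to sign responses. Should that be the case, the entry could become `nix-cache-priv = { file = secretFile "nix-cache-priv"; owner = "nix-serve"; };`, where the user name is an assumption to verify against the module. The surrounding secrets attrset starts and ends outside this hunk.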
@@ -240,6 +241,12 @@ in {
         file = secretFile "clbot-ssh";
         owner = "clbot";
       };
+
+      # Not actually a secret
+      nix-cache-pub = {
+        file = secretFile "nix-cache-pub";
+        mode = "0444";
+      };
     };
 
   # Automatically collect garbage from the Nix store.
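Review bot: The comment `# Not actually a secret` on `nix-cache-pub` does not explain why a public key goes through the secret store or that `mode = "0444"` is deliberate. A later entry copied from this one would silently be world-readable. The reason is given only in the commit message, so it belongs at the definition, e.g. `# Public half of the cache signing key. World-readable on purpose; shipped via agenix only so both halves use the same distribution mechanism.` The enclosing attrset opens outside this hunk.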
@@ -419,7 +426,7 @@ in {
   services.nix-serve = {
     enable = true;
     port = 6443;
-    secretKeyFile = "/etc/secrets/nix-cache-key.sec";
+    secretKeyFile = "/run/agenix/nix-cache-priv";
     bindAddress = "localhost";
   };