refactor(ops): Use besadii configuration from agenix r/3198

We already checked this in, but this commit adds the configuration for
making use of it.

There are two copies of besadii's JSON configuration with different
permissions.

Note that the buildkite-graphql-token path needs to be updated in
static-pipeline.yml, but this needs to happen in a separate commit
after deploy because the pipeline will break otherwise.

Change-Id: I6fab4bf1a2e679df7cf76521e2b53bd9dadbac62

2 files changed, 10 insertions, 0 deletions

diff --git a/ops/secrets/buildkite-graphql-token.age b/ops/secrets/buildkite-graphql-token.age
new file mode 100644
index 0000000000..5a571f511c
--- /dev/null
+++ b/ops/secrets/buildkite-graphql-token.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw xzwSc5FlU9NrAyQhMXigihf3oEE2yA8nZfpP3U1co1k
++nUTx+ppxHIgKs9RG0mhWG3a7OkbelZDNDiXabGIMrc
+-> ssh-ed25519 OkGqLg lTCF8xm2+wljZs6PyUeB6ySD9TEEAfQdbW3qIuat4gE
+THlu4VhAm5FKLYvc6ad6lFnlssVJsPiGqucSVF949vM
+-> 62T-grease 7 RH''g X
+4zRtTUAapv8
+--- d8zm0fuBJSw1oZmpsIAJ66YqkS3y/UBQzd/A2/8u17g
+i'�`��/��햏�(�q�ciY�fҜ�"���+�s����0�X�; ���3��5΂ӄ�K?d%;v�[��
\ No newline at end of file
diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix
index 66176c3b9e..9dae76d15b 100644
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@@ -14,6 +14,7 @@ let
 in {
   "besadii.age" = default;
   "buildkite-agent-token.age" = default;
+  "buildkite-graphql-token.age" = default;
   "clbot-ssh.age" = default;
   "clbot.age" = default;
   "gerrit-queue.age" = default;