author | Vincent Ambo <mail@tazj.in> | 2021-12-10T13·11+0300 |
---|---|---|
committer | clbot <clbot@tvl.fyi> | 2021-12-10T19·31+0000 |
commit | 82a885a750cfe3bdf282a19a37f91842f374b24c (patch) | |
tree | 6a40e6f099a31bbffe386ddfbfa5ba621334df73 /ops | |
parent | b1108821a9dbc617f02a4437c9300f5b0bdca479 (diff) |
refactor(ops): Use besadii configuration from agenix r/3198
We already checked this in, but this commit adds the configuration for making use of it. There are two copies of besadii's JSON configuration with different permissions. Note that the buildkite-graphql-token path needs to be updated in static-pipeline.yml, but this needs to happen in a separate commit after deploy because the pipeline will break otherwise. Change-Id: I6fab4bf1a2e679df7cf76521e2b53bd9dadbac62
Diffstat (limited to 'ops')
-rw-r--r-- | ops/machines/whitby/default.nix | 17 | ||||
-rw-r--r-- | ops/modules/monorepo-gerrit.nix | 2 | ||||
-rw-r--r-- | ops/modules/tvl-buildkite.nix | 2 | ||||
-rw-r--r-- | ops/secrets/buildkite-graphql-token.age | 9 | ||||
-rw-r--r-- | ops/secrets/secrets.nix | 1 |
5 files changed, 29 insertions, 2 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 88c0aa9d03..572417fea6 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -219,6 +219,23 @@ in {
 group = "buildkite-agents";
 };
+ buildkite-graphql-token = {
+ file = secretFile "buildkite-graphql-token";
+ mode = "0440";
+ group = "buildkite-agent";
+ };
+
+ buildkite-besadii-config = {
+ file = secretFile "besadii";
+ mode = "0440";
+ group = "buildkite-agent";
+ };
+
+ gerrit-besadii-config = {
+ file = secretFile "besadii";
+ owner = "git";
+ };
+
 clbot-ssh = {
 file = secretFile "clbot-ssh";
 owner = "clbot";
diff --git a/ops/modules/monorepo-gerrit.nix b/ops/modules/monorepo-gerrit.nix
index 57f2edc846..30caa984d7 100644
--- a/ops/modules/monorepo-gerrit.nix
+++ b/ops/modules/monorepo-gerrit.nix
@@ -5,7 +5,7 @@ let
 cfg = config.services.gerrit;
 besadiiWithConfig = name: pkgs.writeShellScript "besadii-whitby" ''
- export BESADII_CONFIG=/etc/secrets/besadii.json
+ export BESADII_CONFIG=/run/agenix/gerrit-besadii-config
 exec -a ${name} ${depot.ops.besadii}/bin/besadii "$@"
 '';
diff --git a/ops/modules/tvl-buildkite.nix b/ops/modules/tvl-buildkite.nix
index 38709c3cda..f7d7223a03 100644
--- a/ops/modules/tvl-buildkite.nix
+++ b/ops/modules/tvl-buildkite.nix
@@ -7,7 +7,7 @@ let
 description = "Buildkite agents for TVL";
 besadiiWithConfig = name: pkgs.writeShellScript "besadii-whitby" ''
- export BESADII_CONFIG=/etc/secrets/besadii.json
+ export BESADII_CONFIG=/run/agenix/buildkite-besadii-config
 exec -a ${name} ${depot.ops.besadii}/bin/besadii "$@"
 '';
diff --git a/ops/secrets/buildkite-graphql-token.age b/ops/secrets/buildkite-graphql-token.age
new file mode 100644
index 0000000000..5a571f511c
--- /dev/null
+++ b/ops/secrets/buildkite-graphql-token.age
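Review bot: In ops/machines/whitby/default.nix the two new Buildkite secrets set `group = "buildkite-agent";`, while the entry directly above them in the context lines uses `group = "buildkite-agents";`. If only the plural group exists on whitby (its definition is outside the hunk), the `0440` group bit will not give the agents read access to `/run/agenix/buildkite-besadii-config` or the GraphQL token, so confirm the name and use `group = "buildkite-agents";` if that is the real one. A short comment above the two besadii entries would also help, for example `# same besadii.age payload, decrypted twice: one copy readable by git (Gerrit hooks), one by the Buildkite agents`. `gerrit-besadii-config` relies on the agenix default mode; writing `mode = "0400";` explicitly would make the intended permissions auditable next to the group-readable copy.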
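Review bot: The new `BESADII_CONFIG` value in ops/modules/monorepo-gerrit.nix hard-codes `/run/agenix/gerrit-besadii-config`, which couples the wrapper script to the secret name declared in whitby/default.nix and to the agenix mount directory without the evaluator checking either. Since `config` is in scope here (`cfg = config.services.gerrit;`), `export BESADII_CONFIG=${config.age.secrets.gerrit-besadii-config.path}` would turn a renamed or undeclared secret into an evaluation error instead of a hook that fails at run time with a missing credentials file. The same applies to `/run/agenix/buildkite-besadii-config` in the ops/modules/tvl-buildkite.nix hunk, assuming `config` is available in that module as well. The `let` block continues outside both hunks.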
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 dcsaLw xzwSc5FlU9NrAyQhMXigihf3oEE2yA8nZfpP3U1co1k ++nUTx+ppxHIgKs9RG0mhWG3a7OkbelZDNDiXabGIMrc +-> ssh-ed25519 OkGqLg lTCF8xm2+wljZs6PyUeB6ySD9TEEAfQdbW3qIuat4gE +THlu4VhAm5FKLYvc6ad6lFnlssVJsPiGqucSVF949vM +-> 62T-grease 7 RH''g X +4zRtTUAapv8 +--- d8zm0fuBJSw1oZmpsIAJ66YqkS3y/UBQzd/A2/8u17g +i'`/햏(qciYfҜ"+s0X; 35ӄK?d%;v[ \ No newline at end of file diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix index 66176c3b9e..9dae76d15b 100644 --- a/ops/secrets/secrets.nix +++ b/ops/secrets/secrets.nix @@ -14,6 +14,7 @@ let in { "besadii.age" = default; "buildkite-agent-token.age" = default; + "buildkite-graphql-token.age" = default; "clbot-ssh.age" = default; "clbot.age" = default; "gerrit-queue.age" = default; |