author | Vincent Ambo <mail@tazj.in> | 2021-12-10T13·11+0300 |
---|---|---|
committer | clbot <clbot@tvl.fyi> | 2021-12-10T19·31+0000 |
commit | 82a885a750cfe3bdf282a19a37f91842f374b24c (patch) | |
tree | 6a40e6f099a31bbffe386ddfbfa5ba621334df73 /ops | |
parent | b1108821a9dbc617f02a4437c9300f5b0bdca479 (diff) |
refactor(ops): Use besadii configuration from agenix r/3198
We already checked this in, but this commit adds the configuration for making use of it. There are two copies of besadii's JSON configuration with different permissions. Note that the buildkite-graphql-token path needs to be updated in static-pipeline.yml, but this needs to happen in a separate commit after deploy because the pipeline will break otherwise. Change-Id: I6fab4bf1a2e679df7cf76521e2b53bd9dadbac62
Diffstat (limited to 'ops')
-rw-r--r-- | ops/machines/whitby/default.nix | 17 | ||||
-rw-r--r-- | ops/modules/monorepo-gerrit.nix | 2 | ||||
-rw-r--r-- | ops/modules/tvl-buildkite.nix | 2 | ||||
-rw-r--r-- | ops/secrets/buildkite-graphql-token.age | 9 | ||||
-rw-r--r-- | ops/secrets/secrets.nix | 1 |
5 files changed, 29 insertions, 2 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 88c0aa9d03c4..572417fea695 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -219,6 +219,23 @@ in {
 group = "buildkite-agents";
 };
+ buildkite-graphql-token = {
+ file = secretFile "buildkite-graphql-token";
+ mode = "0440";
+ group = "buildkite-agent";
+ };
+
+ buildkite-besadii-config = {
+ file = secretFile "besadii";
+ mode = "0440";
+ group = "buildkite-agent";
+ };
+
+ gerrit-besadii-config = {
+ file = secretFile "besadii";
+ owner = "git";
+ };
+
 clbot-ssh = {
 file = secretFile "clbot-ssh";
 owner = "clbot";
diff --git a/ops/modules/monorepo-gerrit.nix b/ops/modules/monorepo-gerrit.nix
index 57f2edc846bb..30caa984d706 100644
--- a/ops/modules/monorepo-gerrit.nix
+++ b/ops/modules/monorepo-gerrit.nix
@@ -5,7 +5,7 @@ let
 cfg = config.services.gerrit;
 besadiiWithConfig = name: pkgs.writeShellScript "besadii-whitby" ''
- export BESADII_CONFIG=/etc/secrets/besadii.json
+ export BESADII_CONFIG=/run/agenix/gerrit-besadii-config
 exec -a ${name} ${depot.ops.besadii}/bin/besadii "$@"
 '';
diff --git a/ops/modules/tvl-buildkite.nix b/ops/modules/tvl-buildkite.nix
index 38709c3cda1b..f7d7223a037d 100644
--- a/ops/modules/tvl-buildkite.nix
+++ b/ops/modules/tvl-buildkite.nix
@@ -7,7 +7,7 @@ let
 description = "Buildkite agents for TVL";
 besadiiWithConfig = name: pkgs.writeShellScript "besadii-whitby" ''
- export BESADII_CONFIG=/etc/secrets/besadii.json
+ export BESADII_CONFIG=/run/agenix/buildkite-besadii-config
 exec -a ${name} ${depot.ops.besadii}/bin/besadii "$@"
 '';
diff --git a/ops/secrets/buildkite-graphql-token.age b/ops/secrets/buildkite-graphql-token.age
new file mode 100644
index 000000000000..5a571f511c26
--- /dev/null
+++ b/ops/secrets/buildkite-graphql-token.age
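Review bot: The two new Buildkite secrets in the ops/machines/whitby/default.nix hunk set `group = "buildkite-agent";`, while the existing entry whose tail is visible as context directly above them uses `group = "buildkite-agents";`. With `mode = "0440"` the group is the only way the agent users can read these files, so if only the plural group exists on whitby the agents would presumably be unable to read `buildkite-graphql-token` and `buildkite-besadii-config`. The group definition is outside this hunk, so the name should be checked against it. Separately, `buildkite-besadii-config` and `gerrit-besadii-config` decrypt the same `besadii` secret, so CI agents can read everything the Gerrit hook copy holds. If the agents need only part of that configuration, a narrower second secret would limit what a build can reach.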
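Review bot: The wrapper in the ops/modules/monorepo-gerrit.nix hunk hard-codes `/run/agenix/gerrit-besadii-config`, which repeats the secret name declared in ops/machines/whitby/default.nix. A rename there, or a different agenix mount point, would only surface when besadii fails to find its config at runtime. Since `config` is already in scope in this `let`, `export BESADII_CONFIG=${config.age.secrets.gerrit-besadii-config.path}` would turn such a mismatch into an evaluation error, assuming the module is only evaluated on hosts that declare the secret. The same applies to the `/run/agenix/buildkite-besadii-config` line in the ops/modules/tvl-buildkite.nix hunk, if `config` is available there. The `let` block holding this binding continues outside the hunk.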
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 dcsaLw xzwSc5FlU9NrAyQhMXigihf3oEE2yA8nZfpP3U1co1k ++nUTx+ppxHIgKs9RG0mhWG3a7OkbelZDNDiXabGIMrc +-> ssh-ed25519 OkGqLg lTCF8xm2+wljZs6PyUeB6ySD9TEEAfQdbW3qIuat4gE +THlu4VhAm5FKLYvc6ad6lFnlssVJsPiGqucSVF949vM +-> 62T-grease 7 RH''g X +4zRtTUAapv8 +--- d8zm0fuBJSw1oZmpsIAJ66YqkS3y/UBQzd/A2/8u17g +i'`/햏(qciYfҜ"+s0X; 35ӄK?d%;v[ \ No newline at end of file diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix index 66176c3b9ef3..9dae76d15ba5 100644 --- a/ops/secrets/secrets.nix +++ b/ops/secrets/secrets.nix @@ -14,6 +14,7 @@ let in { "besadii.age" = default; "buildkite-agent-token.age" = default; + "buildkite-graphql-token.age" = default; "clbot-ssh.age" = default; "clbot.age" = default; "gerrit-queue.age" = default; |