author | Griffin Smith <grfn@gws.fyi> | 2022-01-20T14·28-0500 |
---|---|---|
committer | grfn <grfn@gws.fyi> | 2022-01-20T14·32+0000 |
commit | 7873806218f3ca06ad599cf1693848db6599415c (patch) | |
tree | 502c9adf3fed7ef197dca2112eadbf7bd56df321 /users/grfn | |
parent | 8b63e0f8ce92328c6809490dcce9432d724a80fb (diff) |
refactor(grfn/mugwump): Move buildkite secrets into age r/3647
Use agenix for the buildkite ssh key and agent token on mugwump, instead of storing stuff in /etc/secrets Change-Id: I56951587b949fc0854e56f5c4e33b601e9cd964e Reviewed-on: https://cl.tvl.fyi/c/depot/+/5027 Reviewed-by: grfn <grfn@gws.fyi> Autosubmit: grfn <grfn@gws.fyi> Tested-by: BuildkiteCI
Diffstat (limited to 'users/grfn')
-rw-r--r-- | users/grfn/secrets/buildkite-ssh-key.age | bin | 0 -> 3853 bytes | |||
-rw-r--r-- | users/grfn/secrets/buildkite-token.age | 12 | ||||
-rw-r--r-- | users/grfn/secrets/secrets.nix | 2 | ||||
-rw-r--r-- | users/grfn/system/system/machines/mugwump.nix | 18 |
4 files changed, 30 insertions, 2 deletions
diff --git a/users/grfn/secrets/buildkite-ssh-key.age b/users/grfn/secrets/buildkite-ssh-key.age
new file mode 100644
index 000000000000..0ae5aa5502f7
--- /dev/null
+++ b/users/grfn/secrets/buildkite-ssh-key.age
Binary files differ
diff --git a/users/grfn/secrets/buildkite-token.age b/users/grfn/secrets/buildkite-token.age
new file mode 100644
index 000000000000..9e9e370f1bec
--- /dev/null
+++ b/users/grfn/secrets/buildkite-token.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 CpJBgQ tz7tudrJYQw2Ftnk7iNbSd/De2UJ0GAafFJjPwUo8xM
+bUBNO94Pjf79FErPxv92XnpXWFEgethREU+/U+xjWBc
+-> ssh-ed25519 LfBFbQ yPjXk6XlJoGyVaCWMcPzfNXzb1cBNZhjYy+wsQtMhTI
+qk6hZMl1oeKLniGb/bKIxSb6ocVRCQsmQPcwxnlYfno
+-> \'q-grease
+nYvpKokvFbVXfATzlQ7SPQa9Gw99E84SPRFdR7ey+HSCB705Q9uYwBpr9hjpiIod
+9PJIi88ENWf9/XAmm2d7daE+YPRYhln4U6w
+--- EuyCLA6GvtbGI+EoC1z2dbpfyxo4ebXX1nY+9rsgUVY
+[hΩЪ`1?NC@uBl8*ՈsZ~PА?8
+
+O~{G}0q.AW
\ No newline at end of file
diff --git a/users/grfn/secrets/secrets.nix b/users/grfn/secrets/secrets.nix
index 557f2a70f1ef..986ad181b87c 100644
--- a/users/grfn/secrets/secrets.nix
+++ b/users/grfn/secrets/secrets.nix
@@ -8,4 +8,6 @@ in
 "bbbg.age".publicKeys = [ grfn mugwump bbbg ];
 "cloudflare.age".publicKeys = [ grfn mugwump ];
 "ddclient-password.age".publicKeys = [ grfn mugwump ];
+"buildkite-ssh-key.age".publicKeys = [ grfn mugwump ];
+"buildkite-token.age".publicKeys = [ grfn mugwump ];
 }
diff --git a/users/grfn/system/system/machines/mugwump.nix b/users/grfn/system/system/machines/mugwump.nix
index a9f876972539..7de6555878d9 100644
--- a/users/grfn/system/system/machines/mugwump.nix
+++ b/users/grfn/system/system/machines/mugwump.nix
@@ -72,6 +72,18 @@ with lib;
 bbbg.file = secret "bbbg";
 cloudflare.file = secret "cloudflare";
 ddclient-password.file = secret "ddclient-password";
+
+ buildkite-ssh-key = {
+ file = secret "buildkite-ssh-key";
+ group = "keys";
+ mode = "0440";
+ };
+
+ buildkite-token = {
+ file = secret "buildkite-token";
+ group = "keys";
+ mode = "0440";
+ };
 };
 
 services.depot.auto-deploy = {
@@ -142,6 +154,8 @@ with lib;
 quiet = true;
 };
 
+ systemd.services.ddclient.serviceConfig.DynamicUser = lib.mkForce false;
+
 security.acme.certs."metrics.gws.fyi" = {
 dnsProvider = "cloudflare";
 credentialsFile = "/run/agenix/cloudflare";
@@ -247,8 +261,8 @@ with lib;
 value = {
 inherit name;
 enable = true;
- tokenPath = "/etc/secrets/buildkite-agent-token";
- privateSshKeyPath = "/etc/secrets/buildkite-ssh-key";
+ tokenPath = "/run/agenix/buildkite-agent-token";
+ privateSshKeyPath = "/run/agenix/buildkite-ssh-key";
 runtimePackages = with pkgs; [
 docker
 nix
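Review bot: The new `tokenPath = "/run/agenix/buildkite-agent-token"` in the last hunk does not match the agenix secret declared in the first hunk, which is named `buildkite-token` and will therefore be materialised at `/run/agenix/buildkite-token` unless a `path` override exists somewhere outside this diff; as written the agent would start without a readable token. The one-line fix is `tokenPath = "/run/agenix/buildkite-token";` (or rename the secret attribute to `buildkite-agent-token` in the first hunk so both sides agree). Both secrets are exposed with `group = "keys"; mode = "0440";`, which only helps if the buildkite-agent service user is a member of `keys` — that membership is not visible in this diff and should be confirmed, otherwise the non-root agent cannot read either file. The unrelated `DynamicUser = lib.mkForce false` for ddclient in the second hunk is not explained by the commit message; a comment such as `# agenix secrets under /run/agenix are not readable by a DynamicUser; ddclient needs a static user for ddclient-password` would record the (inferred) reason. The attribute set the tokenPath lines belong to begins before the third hunk.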