about summary refs log tree commit diff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--ops/machines/whitby/default.nix6
-rw-r--r--ops/modules/tvl-buildkite.nix2
-rw-r--r--ops/secrets/buildkite-agent-token.age10
-rw-r--r--ops/secrets/secrets.nix1
4 files changed, 18 insertions, 1 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index d6d3004ffc34..c066fa400fe3 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -210,6 +210,12 @@ in {
       clbot.file = secretFile "clbot";
       gerrit-queue.file = secretFile "gerrit-queue";
       owothia.file = secretFile "owothia";
+
+      buildkite-agent-token = {
+        file = secretFile "buildkite-agent-token";
+        mode = "0440";
+        group = "buildkite-agents";
+      };
     };
 
   # Automatically collect garbage from the Nix store.
diff --git a/ops/modules/tvl-buildkite.nix b/ops/modules/tvl-buildkite.nix
index 56e49c991238..1f0d4e2e7abe 100644
--- a/ops/modules/tvl-buildkite.nix
+++ b/ops/modules/tvl-buildkite.nix
@@ -33,7 +33,7 @@ in {
       value = {
         inherit name;
         enable = true;
-        tokenPath = "/etc/secrets/buildkite-agent-token";
+        tokenPath = "/run/agenix/buildkite-agent-token";
         runtimePackages = with pkgs; [ curl jq ];
         hooks.post-command = "${buildkiteHooks}/bin/post-command";
       };
diff --git a/ops/secrets/buildkite-agent-token.age b/ops/secrets/buildkite-agent-token.age
new file mode 100644
index 000000000000..27ed2282b890
--- /dev/null
+++ b/ops/secrets/buildkite-agent-token.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw TEQdP/s+YdThYzunL0Fxs7ccPR+qjxd9IJdtkVjX3jI
+ZnnD2KIMunt9Qgs2zJFMeMuoj2l0NKZlMO2WweLnkx8
+-> ssh-ed25519 OkGqLg wIAe9VrOPFrheQAKmMjumuX92H0dEAbqJe/IuNvp4TM
+AYoLx7LdZEqoOECgmPutF6T+P/lUqO7GKf7w61YgQbg
+-> t-grease vGPB i
+qH3ME5lUwm8DmZYeo0sP
+--- tkaQiyOtKJ4PSuOPxPWK5R6R7YGLSzVd9szY5QubKWI
+<;St/eC{_ec@
FBH:A4PV
+?q>3s+g 3=bϪ;u_
\ No newline at end of file
diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix
index 308893358dc9..6c9f558e3a36 100644
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@@ -9,6 +9,7 @@ let
   default.publicKeys = tazjin ++ [ whitby ];
 in {
   "besadii.age" = default;
+  "buildkite-agent-token.age" = default;
   "clbot.age" = default;
   "gerrit-queue.age" = default;
   "owothia.age" = default;
generated by cgit-pink 1.4.1 (git 2.44.2) at 2024-11-01T20·53+0000