3 files changed, 23 insertions, 0 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 045e037fda5e..63d14be19898 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -239,6 +239,13 @@ in {
         owner = "git";
       };
 
+      gerrit-secrets = {
+        file = secretFile "gerrit-secrets";
+        path = "/var/lib/gerrit/etc/secure.config";
+        owner = "git";
+        mode = "0400";
+      };
+
       clbot-ssh = {
         file = secretFile "clbot-ssh";
         owner = "clbot";
diff --git a/ops/secrets/gerrit-secrets.age b/ops/secrets/gerrit-secrets.age
new file mode 100644
index 000000000000..077f33f060b3
--- /dev/null
+++ b/ops/secrets/gerrit-secrets.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw Bw9waqFGuEfRZ+T4Tal4zD/qeKXmbzeHKq1DedTJawU
+9F/yABuX8Z4gv0LIJK1hFpoWEuYbVDGeH7CczxHcGO4
+-> ssh-ed25519 CpJBgQ DMfduPdf94CtostSTGvf96fSpqfkG8+3XIwq9GZyy24
+DJhILoNXS3neZT1o0PMmnidAaHJqXc58B7OzsLim4Hw
+-> ssh-ed25519 aXKGcg OWb2IzlRgzVYa2UJTsaAYc438NZ+caXze1ZjUGwnDAA
+Cm2ldnOJEJXjD7yHV179v63cdASRmog7p6a/20SkOLY
+-> ssh-ed25519 OkGqLg 9YZDxC3bXKhlMd8glsou1o906htYA2HLx2NQnL4IMnE
+v+G4u38p7fc9yZoLvT3xnnUO1qEKrVpvS86d7NlrqfQ
+-> &ra-grease Cm_tn }E 4X=NQ
+P8JOzsAd/9LKrfFmhQOUkfMVuDxNTG1fKh+6OMelYOTVx01HrG4Ef6BP0+/MFYbD
+wgaooG5RXHhtDOp7zQA
+--- 7f+r07jnglWxYdKKU7A78xcdkljUCXy77Z1MhLs6lN4
+†ZTárÌ’êjP{ý’u\é,\šž¦u©sÞ‚Àsîu:`®º£(Ï@~Qø,Ÿ]¤šT J¦âëåÇµ7ö îíÀÀrkØ#[Ö³üPX'rÈãS€ºlij|x›BÊë^À0fF@<êúð'Ýr§?ÜËþ¥zl[ªå‡p"yÞ6†vBM
+D‘vô|v×º´ÆC‰zð™t?lŠjl™†dš¹û>Š:Q'V¹Ö÷a…©e¹Bˆ…'p±¢J¶)-±6#gjÏ
\ No newline at end of file
diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix
index 57cd6598f5dc..e1101645468d 100644
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@@ -22,6 +22,7 @@ in {
   "clbot-ssh.age" = default;
   "clbot.age" = default;
   "gerrit-queue.age" = default;
+  "gerrit-secrets.age" = default;
   "grafana.age" = default;
   "irccat.age" = default;
   "keycloak-db.age" = default;