-rw-r--r-- | users/grfn/secrets/bbbg.age | bin | 658 -> 733 bytes | |||
-rw-r--r-- | users/grfn/secrets/buildkite-ssh-key.age | bin | 3853 -> 3883 bytes | |||
-rw-r--r-- | users/grfn/secrets/buildkite-token.age | bin | 488 -> 623 bytes | |||
-rw-r--r-- | users/grfn/secrets/cloudflare.age | 16 | ||||
-rw-r--r-- | users/grfn/secrets/ddclient-password.age | bin | 398 -> 429 bytes | |||
-rw-r--r-- | users/grfn/secrets/secrets.nix | 5 | ||||
-rw-r--r-- | users/grfn/system/system/machines/ogopogo.nix | 43 |
7 files changed, 54 insertions, 10 deletions
diff --git a/users/grfn/secrets/bbbg.age b/users/grfn/secrets/bbbg.age index 6c15dcdf7361..ebc0df233898 100644 --- a/users/grfn/secrets/bbbg.age +++ b/users/grfn/secrets/bbbg.age Binary files differdiff --git a/users/grfn/secrets/buildkite-ssh-key.age b/users/grfn/secrets/buildkite-ssh-key.age index 0ae5aa5502f7..d9587f11df4b 100644 --- a/users/grfn/secrets/buildkite-ssh-key.age +++ b/users/grfn/secrets/buildkite-ssh-key.age Binary files differdiff --git a/users/grfn/secrets/buildkite-token.age b/users/grfn/secrets/buildkite-token.age index 9e9e370f1bec..320ee06c0937 100644 --- a/users/grfn/secrets/buildkite-token.age +++ b/users/grfn/secrets/buildkite-token.age Binary files differdiff --git a/users/grfn/secrets/cloudflare.age b/users/grfn/secrets/cloudflare.age index e2f6e9360385..4f42ee782165 100644 --- a/users/grfn/secrets/cloudflare.age +++ b/users/grfn/secrets/cloudflare.age @@ -1,9 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 CpJBgQ tWx7wXCFjOOfD0wKRHHvLUdR+SF0i43xvnQG9GKurnk -NRh7kSn7wqw80Y9EFr9Ccft+zYMadXZhYNPEaQlQXtQ --> ssh-ed25519 LfBFbQ SPQMLC3Ehw00IG1CcbcLFZI2tHy89fjRgVgH4Iw2iBM -oo2gT9472/DFRoZ6TYxhnM9ylRUNzoS8mLQYvn+4OSM --> D[7+*-grease `>j ~Jk Dz%o vaKET3 -TkKVm8IpqfiVzETAi9+zuUtCdkReB+lHtthwNw ---- 3iOmY4TNICMi/Fz7k8pmoZlFym9uQBWNtHNlizoAMaM -ZPzQ65ATI;;Зy5]k^!`t$RւtK)<k_#XmASpU1@)cֺqj1z,Hg: \ No newline at end of file +-> ssh-ed25519 CpJBgQ AVkUs8tuzVlDq3FH/zRrBr5f4KR05fONM6iCluq6hyM +feS2cxFowSWfDdUQjtmIiMc5338n805yownSZ/ZWfS8 +-> ssh-ed25519 LfBFbQ F67irB+DYQ8WMhaFcO+3o0O0lJsf+tWFZ9cSGSuHgA8 +EKS4zRGUEgeldjxdx4sIsnorWHoeTlXa9LJtNf9lkAM +-> QvY:XSvC-grease 04 +pBnXsOF6qugcSBp+pw +--- +g65NbIxu6bVVerS93kYZpEO5ssUZfCD+sZMzOjDUdU +RTmaF[BÊ0a_&˕=3dlzRVi6-9:U.E JΙA-qྟ|}}a=H+]mtR%9\Jt|1B \ No newline at end of file diff --git a/users/grfn/secrets/ddclient-password.age b/users/grfn/secrets/ddclient-password.age index 0de870710571..8d25e3b539bd 100644 --- a/users/grfn/secrets/ddclient-password.age 
+++ b/users/grfn/secrets/ddclient-password.age Binary files differdiff --git a/users/grfn/secrets/secrets.nix b/users/grfn/secrets/secrets.nix index 986ad181b87c..448dbba1fd1a 100644 --- a/users/grfn/secrets/secrets.nix +++ b/users/grfn/secrets/secrets.nix @@ -1,6 +1,7 @@ let grfn = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMcBGBoWd5pPIIQQP52rcFOQN3wAY0J/+K2fuU6SffjA"; mugwump = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFE2fxPgWO+zeQoLBTgsgxP7Vg7QNHlrQ+Rb3fHFTomB"; + ogopogo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINoS7PqM8d7xc8nn0yfiPGfRaH8U/nq2Jm27nRO3L5P0"; bbbg = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL/VzrNEY47KPTce3dgfORkAbweWkr4BI8j54BAIs7bG"; in @@ -8,6 +9,6 @@ in "bbbg.age".publicKeys = [ grfn mugwump bbbg ]; "cloudflare.age".publicKeys = [ grfn mugwump ]; "ddclient-password.age".publicKeys = [ grfn mugwump ]; - "buildkite-ssh-key.age".publicKeys = [ grfn mugwump ]; - "buildkite-token.age".publicKeys = [ grfn mugwump ]; + "buildkite-ssh-key.age".publicKeys = [ grfn mugwump ogopogo ]; + "buildkite-token.age".publicKeys = [ grfn mugwump ogopogo ]; } diff --git a/users/grfn/system/system/machines/ogopogo.nix b/users/grfn/system/system/machines/ogopogo.nix index eeb016921f84..d6b70d834fab 100644 --- a/users/grfn/system/system/machines/ogopogo.nix +++ b/users/grfn/system/system/machines/ogopogo.nix @@ -3,6 +3,7 @@ { imports = [ (modulesPath + "/installer/scan/not-detected.nix") + (depot.third_party.agenix.src + "/modules/age.nix") ../modules/common.nix ../modules/xserver.nix ../modules/fonts.nix 
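Review bot: The new `ogopogo` binding in the `let` block of secrets.nix carries no comment saying what kind of key it is or where it was taken from, yet this list is the access-control list for `buildkite-ssh-key.age` and `buildkite-token.age`. A one-line comment above it, for example `# ogopogo: machine key agenix uses on that host; compare with the key published by the host before rekeying`, would let a reviewer verify the recipient rather than trust a pasted string (that it is the host's SSH key is presumed, not shown in the diff). Limiting the new recipient to the two buildkite entries and leaving `cloudflare.age` and `ddclient-password.age` at `[ grfn mugwump ]` is the right scope and is worth stating in the same comment.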
@@ -94,4 +95,46 @@
 wal_level = "logical";
 };
 };
+
+ services.buildkite-agents.ogopogo-1 = rec {
+ enable = true;
+ tokenPath = config.age.secretsDir + "/buildkite-token";
+ privateSshKeyPath = config.age.secretsDir + "/buildkite-ssh-key";
+ runtimePackages = with pkgs; [
+ docker
+ nix
+ gnutar
+ gzip
+ bash
+ ];
+ tags = {
+ queue = "ogopogo";
+ };
+ dataDir = "/home/grfn/buildkite-agent";
+
+ hooks.environment = ''
+ export BUILDKITE_AGENT_HOME=${dataDir}
+ '';
+ };
+ systemd.services.buildkite-agent-ogopogo-1.serviceConfig.User =
+ lib.mkForce "grfn";
+ users.users.grfn.extraGroups = [ "keys" ];
+
+ age.secrets =
+ let
+ secret = name: depot.users.grfn.secrets."${name}.age";
+ in
+ {
+ buildkite-ssh-key = {
+ file = secret "buildkite-ssh-key";
+ group = "keys";
+ mode = "0440";
+ };
+
+ buildkite-token = {
+ file = secret "buildkite-token";
+ group = "keys";
+ mode = "0440";
+ };
+ };
 } |
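Review bot: `systemd.services.buildkite-agent-ogopogo-1.serviceConfig.User = lib.mkForce "grfn";` makes every pipeline step on the `ogopogo` queue run as the interactive login account, with `dataDir` inside `/home/grfn`, so a build has the same file access as that user. If the private half of the `grfn` recipient key from secrets.nix is kept in that home directory (not visible in this diff), a job could read it and decrypt every secret in the repository, not only the two buildkite ones. Consider keeping the module's dedicated per-agent user and moving `dataDir` out of the home directory; at minimum replace `group = "keys"; mode = "0440";` with `owner = "grfn"; mode = "0400";` so the token and SSH key are not readable by every member of `keys`. `docker` in `runtimePackages` deserves the same check, because access to the Docker socket is root-equivalent if this account has it.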