3 files changed, 8 insertions, 2 deletions

diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 1a624c8f6642..8cec05284a75 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -216,6 +216,11 @@ in {
         mode = "0440";
         group = "buildkite-agents";
       };
+
+      clbot-ssh = {
+        file = secretFile "clbot-ssh";
+        owner = "clbot";
+      };
     };
 
   # Automatically collect garbage from the Nix store.
@@ -280,7 +285,7 @@ in {
     flags = {
       gerrit_host = "cl.tvl.fyi:29418";
       gerrit_ssh_auth_username = "clbot";
-      gerrit_ssh_auth_key = "/etc/secrets/id_clbot";
+      gerrit_ssh_auth_key = "/run/agenix/clbot-ssh";
 
       irc_server = "localhost:${toString config.services.znc.config.Listener.l.Port}";
       irc_user = "tvlbot";
@@ -290,7 +295,7 @@ in {
       notify_repo = "depot";
 
       # This secret is read from an environment variable, which is
-      # populated from /etc/secrets/clbot
+      # populated by a systemd EnvironmentFile.
       irc_pass = "$CLBOT_PASS";
     };
   };
diff --git a/ops/secrets/clbot-ssh.age b/ops/secrets/clbot-ssh.age
new file mode 100644
index 000000000000..8253bab67d86
--- /dev/null
+++ b/ops/secrets/clbot-ssh.age
Binary files differdiff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix
index 6c9f558e3a36..f98f884f4b7c 100644
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@@ -11,6 +11,7 @@ in {
   "besadii.age" = default;
   "buildkite-agent-token.age" = default;
   "clbot.age" = default;
+  "clbot-ssh.age" = default;
   "gerrit-queue.age" = default;
   "owothia.age" = default;
 }