-rw-r--r--ops/machines/whitby/default.nix17
-rw-r--r--ops/modules/monorepo-gerrit.nix2
-rw-r--r--ops/modules/tvl-buildkite.nix2
-rw-r--r--ops/secrets/buildkite-graphql-token.age9
-rw-r--r--ops/secrets/secrets.nix1
5 files changed, 29 insertions, 2 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 88c0aa9d03..572417fea6 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -219,6 +219,23 @@ in {
         group = "buildkite-agents";
       };
 
+      buildkite-graphql-token = {
+        file = secretFile "buildkite-graphql-token";
+        mode = "0440";
+        group = "buildkite-agent";
+      };
+
+      buildkite-besadii-config = {
+        file = secretFile "besadii";
+        mode = "0440";
+        group = "buildkite-agent";
+      };
+
+      gerrit-besadii-config = {
+        file = secretFile "besadii";
+        owner = "git";
+      };
+
       clbot-ssh = {
         file = secretFile "clbot-ssh";
         owner = "clbot";
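Review bot: The two new Buildkite secrets set `group = "buildkite-agent"`, while the existing entry at the top of this hunk uses `group = "buildkite-agents"`. If only the plural group exists on the host, the singular name will presumably not resolve and the agents will not be able to read either file. Confirm which group the agent units run under and use that one spelling for all entries, e.g. `group = "buildkite-agents";`. `gerrit-besadii-config` also sets no `mode` and so relies on the agenix default; an explicit `mode = "0400";` would make the intended access visible next to `owner = "git";`. The enclosing attribute set starts and ends outside the hunk.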
diff --git a/ops/modules/monorepo-gerrit.nix b/ops/modules/monorepo-gerrit.nix
index 57f2edc846..30caa984d7 100644
--- a/ops/modules/monorepo-gerrit.nix
+++ b/ops/modules/monorepo-gerrit.nix
@@ -5,7 +5,7 @@ let
   cfg = config.services.gerrit;
 
   besadiiWithConfig = name: pkgs.writeShellScript "besadii-whitby" ''
-    export BESADII_CONFIG=/etc/secrets/besadii.json
+    export BESADII_CONFIG=/run/agenix/gerrit-besadii-config
     exec -a ${name} ${depot.ops.besadii}/bin/besadii "$@"
   '';
 
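Review bot: The wrapper hard-codes `/run/agenix/gerrit-besadii-config`, which ties this module to a secret name declared in a different file (the whitby machine config), with nothing checking that the two agree. A rename, or a host that imports this module without declaring the secret, would only surface when the hook runs and besadii cannot read its config. Since `config` is in scope here, the path can be derived from the declaration with `export BESADII_CONFIG=${config.age.secrets.gerrit-besadii-config.path}`, which turns a mismatch into an evaluation error. The same applies to `/run/agenix/buildkite-besadii-config` in ops/modules/tvl-buildkite.nix, provided `config` is available there. The `let` block continues outside the hunk.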
diff --git a/ops/modules/tvl-buildkite.nix b/ops/modules/tvl-buildkite.nix
index 38709c3cda..f7d7223a03 100644
--- a/ops/modules/tvl-buildkite.nix
+++ b/ops/modules/tvl-buildkite.nix
@@ -7,7 +7,7 @@ let
   description = "Buildkite agents for TVL";
 
   besadiiWithConfig = name: pkgs.writeShellScript "besadii-whitby" ''
-    export BESADII_CONFIG=/etc/secrets/besadii.json
+    export BESADII_CONFIG=/run/agenix/buildkite-besadii-config
     exec -a ${name} ${depot.ops.besadii}/bin/besadii "$@"
   '';
 
diff --git a/ops/secrets/buildkite-graphql-token.age b/ops/secrets/buildkite-graphql-token.age
new file mode 100644
index 0000000000..5a571f511c
--- /dev/null
+++ b/ops/secrets/buildkite-graphql-token.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw xzwSc5FlU9NrAyQhMXigihf3oEE2yA8nZfpP3U1co1k
++nUTx+ppxHIgKs9RG0mhWG3a7OkbelZDNDiXabGIMrc
+-> ssh-ed25519 OkGqLg lTCF8xm2+wljZs6PyUeB6ySD9TEEAfQdbW3qIuat4gE
+THlu4VhAm5FKLYvc6ad6lFnlssVJsPiGqucSVF949vM
+-> 62T-grease 7 RH''g X
+4zRtTUAapv8
+--- d8zm0fuBJSw1oZmpsIAJ66YqkS3y/UBQzd/A2/8u17g
+i'`/햏(qciYfҜ"+s0X; 35΂ӄK?d%;v[
\ No newline at end of file
diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix
index 66176c3b9e..9dae76d15b 100644
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@@ -14,6 +14,7 @@ let
 in {
   "besadii.age" = default;
   "buildkite-agent-token.age" = default;
+  "buildkite-graphql-token.age" = default;
   "clbot-ssh.age" = default;
   "clbot.age" = default;
   "gerrit-queue.age" = default;