Diffstat (limited to 'users/grfn/system/system/machines/mugwump.nix')
-rw-r--r--users/grfn/system/system/machines/mugwump.nix18
1 files changed, 16 insertions, 2 deletions
diff --git a/users/grfn/system/system/machines/mugwump.nix b/users/grfn/system/system/machines/mugwump.nix
index a9f8769725..7de6555878 100644
--- a/users/grfn/system/system/machines/mugwump.nix
+++ b/users/grfn/system/system/machines/mugwump.nix
@@ -72,6 +72,18 @@ with lib;
     bbbg.file = secret "bbbg";
     cloudflare.file = secret "cloudflare";
     ddclient-password.file = secret "ddclient-password";
+
+    buildkite-ssh-key = {
+      file = secret "buildkite-ssh-key";
+      group = "keys";
+      mode = "0440";
+    };
+
+    buildkite-token = {
+      file = secret "buildkite-token";
+      group = "keys";
+      mode = "0440";
+    };
   };
 
   services.depot.auto-deploy = {
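Review bot: The new secret is declared under the attribute name `buildkite-token` (line with `buildkite-token = {`), but the last hunk of this commit points the agent at `/run/agenix/buildkite-agent-token`; if these are agenix secrets (the `secret "…"` helper and the `/run/agenix` paths suggest so), the runtime path is derived from the attribute name, so the agent would look for a file that is never created and fail to start. Either rename the attribute to `buildkite-agent-token = { file = secret "buildkite-token"; … }` or change the consumer to `tokenPath = "/run/agenix/buildkite-token";` so both sides agree. A one-line comment above the two blocks, `# exposed to the buildkite-agent units via the keys group (mode 0440)`, would also record why these two secrets get a non-default group and mode while the three above keep the defaults. The enclosing attribute set begins before this hunk.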
@@ -142,6 +154,8 @@ with lib;
     quiet = true;
   };
 
+  systemd.services.ddclient.serviceConfig.DynamicUser = lib.mkForce false;
+
   security.acme.certs."metrics.gws.fyi" = {
     dnsProvider = "cloudflare";
     credentialsFile = "/run/agenix/cloudflare";
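Review bot: The added `DynamicUser = lib.mkForce false` line drops the systemd sandboxing the ddclient module applies by default, and nothing on the new side records why; a reader will assume it is safe to remove. If the reason is that a dynamic user cannot be placed in the `keys` group to read `/run/agenix/ddclient-password`, say so in a comment directly above the line, e.g. `# DynamicUser can't join "keys", which the agenix password file is readable by`, so the relaxation stays tied to the secret it serves. Since the file is already under `with lib;` (visible in the hunk header), `mkForce false` without the `lib.` prefix would match how the rest of the module is written.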
@@ -247,8 +261,8 @@ with lib;
     value = {
       inherit name;
       enable = true;
-      tokenPath = "/etc/secrets/buildkite-agent-token";
-      privateSshKeyPath = "/etc/secrets/buildkite-ssh-key";
+      tokenPath = "/run/agenix/buildkite-agent-token";
+      privateSshKeyPath = "/run/agenix/buildkite-ssh-key";
       runtimePackages = with pkgs; [
         docker
         nix
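Review bot: The two rewritten paths (`tokenPath`, `privateSshKeyPath`) now depend on the buildkite-agent service user being able to read files that the first hunk declares as group `keys`, mode `0440`, yet nothing in this commit adds that user to `keys`; if the agent runs as its own user without that membership, the move from `/etc/secrets` silently breaks it. Either show the `extraGroups = [ "keys" ]` assignment for the agent user in this change or add a comment on `tokenPath` noting where that membership is configured. As already raised on the first hunk, `tokenPath` names `buildkite-agent-token` while the secret attribute is `buildkite-token`; the two need to be reconciled. The enclosing `value = { … }` set starts before this hunk and the `runtimePackages` list continues past it.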