From 78744c00f5df97d45b2c1b865cf8756edec0c5a3 Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Fri, 10 Dec 2021 09:58:16 +0300
Subject: refactor(ops): Move clbot secret into agenix

Relates to b/161
Change-Id: I7badf22ff93bb4e8b06e4dd4a8bf880b0bd48f09
---
 ops/machines/whitby/default.nix | 10 +++++++---
 ops/modules/clbot.nix | 8 +++++++-
 ops/secrets/clbot.age | 10 ++++++++++
 ops/secrets/secrets.nix | 1 +
 4 files changed, 25 insertions(+), 4 deletions(-)
 create mode 100644 ops/secrets/clbot.age

diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 82b3bc37cf..1f146c923e 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -203,9 +203,13 @@ in {
 };
 # Configure secrets for services that need them.
- age.secrets = {
- gerrit-queue.file = depot.path.origSrc + "/ops/secrets/gerrit-queue.age";
- };
+ age.secrets =
+ let
+ secretFile = name: "${depot.path.origSrc}/ops/secrets/${name}.age";
+ in {
+ clbot.file = secretFile "clbot";
+ gerrit-queue.file = secretFile "gerrit-queue";
+ };
 # Automatically collect garbage from the Nix store.
 services.depot.automatic-gc = {
diff --git a/ops/modules/clbot.nix b/ops/modules/clbot.nix
index 71ff2fbc32..ef4c2ab237 100644
--- a/ops/modules/clbot.nix
+++ b/ops/modules/clbot.nix
@@ -37,7 +37,7 @@ let
 serviceConfig = {
 User = "clbot";
- EnvironmentFile = "/etc/secrets/clbot";
+ EnvironmentFile = cfg.secretsFile;
 Restart = "always";
 };
 };
@@ -55,6 +55,12 @@ in {
 type = with types; listOf str;
 description = "Channels in which to post (generates one unit per channel)";
 };
+
+ secretsFile = mkOption {
+ type = types.str;
+ description = "EnvironmentFile from which to load secrets";
+ default = "/run/agenix/clbot";
+ };
 };
 config = mkIf cfg.enable {
diff --git a/ops/secrets/clbot.age b/ops/secrets/clbot.age
new file mode 100644
index 0000000000..a7378ee0ad
--- /dev/null
+++ b/ops/secrets/clbot.age
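Review bot: The new `secretFile` helper interpolates `depot.path.origSrc` into a string, whereas the removed `gerrit-queue.file` line appended to it with `+`; if `origSrc` is a Nix path value rather than a string, `"${depot.path.origSrc}/..."` coerces it by copying the whole tree into the store and the secret paths then point inside that copy, while `path + "string"` stays a path so only the referenced `.age` file is imported. I cannot see how `depot.path.origSrc` is defined, so this may be a no-op if it is already a string, but it is worth confirming since both `clbot` and `gerrit-queue` now go through the helper. If it is a path, `secretFile = name: depot.path.origSrc + "/ops/secrets/${name}.age";` preserves the previous semantics with the same refactor.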
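Review bot: `EnvironmentFile = cfg.secretsFile;` now points the unit at an agenix-managed file while the unit still runs as `User = "clbot"`, and nothing in this commit sets an `owner` or `mode` on `age.secrets.clbot`, so the file is presumably left at agenix's root-only default. That is fine because systemd reads `EnvironmentFile=` in the service manager before switching to `User=`, and it is the preferable outcome since the secret never has to be readable by the `clbot` account, but it is non-obvious to the next reader who may be tempted to loosen the secret's permissions; a comment on this line such as `# Read by systemd as root before dropping to User=, so the agenix default (root-owned, mode 0400) is sufficient.` would record the intent. The enclosing `let` binding starts before the hunk.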
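Review bot: The new `secretsFile` option hard-codes `default = "/run/agenix/clbot";`, duplicating the path agenix derives from the secret name (`/run/agenix/<name>` by default); if a host later overrides `age.secrets.clbot.path` or renames the secret, the unit keeps pointing at the stale path and systemd refuses to start it, since `EnvironmentFile=` without a `-` prefix treats a missing file as fatal (which at least fails closed rather than running without credentials). If the module has `config` in scope, `default = config.age.secrets.clbot.path;` keeps the two in sync at the cost of making the option depend on agenix; otherwise the description should state that the default assumes agenix's standard secrets directory. The description `"EnvironmentFile from which to load secrets"` could also say the file must be in systemd `EnvironmentFile=` syntax so an operator providing it by hand on a non-agenix host gets the format right.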
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 dcsaLw C9pIPqWBPvZXOoR1UfOXyrdpLOXNeYKhJ2gMZsskwAs +brPt1M5Qctpbhb/uWvZgvBQSCI9ZXdtT+5YUM45fGhg +-> ssh-ed25519 OkGqLg M32cq8ZL03DHvPs+Virh1D2NnGahOet2BwmxRzonYw0 +sr8bU7EQeta01VG1vmy6blon6bEEpZtbZVhtgNbsS8o +-> 9!s-grease 'MtvzqH] O3mD + W,i