From 9ea4d55d81d61b6073e69bebdc614f9694d8223c Mon Sep 17 00:00:00 2001 From: Vincent Ambo Date: Fri, 10 Dec 2021 10:29:41 +0300 Subject: refactor(ops): Move buildkite-agent-token into agenix Relates to b/161 Change-Id: I5d3a698d437928966d8b78ce9e0ba226c1437655 --- ops/machines/whitby/default.nix | 6 ++++++ ops/modules/tvl-buildkite.nix | 2 +- ops/secrets/buildkite-agent-token.age | 10 ++++++++++ ops/secrets/secrets.nix | 1 + 4 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 ops/secrets/buildkite-agent-token.age diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix index d6d3004ffc34..c066fa400fe3 100644 --- a/ops/machines/whitby/default.nix +++ b/ops/machines/whitby/default.nix @@ -210,6 +210,12 @@ in { clbot.file = secretFile "clbot"; gerrit-queue.file = secretFile "gerrit-queue"; owothia.file = secretFile "owothia"; + + buildkite-agent-token = { + file = secretFile "buildkite-agent-token"; + mode = "0440"; + group = "buildkite-agents"; + }; }; # Automatically collect garbage from the Nix store. diff --git a/ops/modules/tvl-buildkite.nix b/ops/modules/tvl-buildkite.nix index 56e49c991238..1f0d4e2e7abe 100644 --- a/ops/modules/tvl-buildkite.nix +++ b/ops/modules/tvl-buildkite.nix @@ -33,7 +33,7 @@ in { value = { inherit name; enable = true; - tokenPath = "/etc/secrets/buildkite-agent-token"; + tokenPath = "/run/agenix/buildkite-agent-token"; runtimePackages = with pkgs; [ curl jq ]; hooks.post-command = "${buildkiteHooks}/bin/post-command"; }; diff --git a/ops/secrets/buildkite-agent-token.age b/ops/secrets/buildkite-agent-token.age new file mode 100644 index 000000000000..27ed2282b890 --- /dev/null +++ b/ops/secrets/buildkite-agent-token.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 dcsaLw TEQdP/s+YdThYzunL0Fxs7ccPR+qjxd9IJdtkVjX3jI +ZnnD2KIMunt9Qgs2zJFMeMuoj2l0NKZlMO2WweLnkx8 +-> ssh-ed25519 OkGqLg wIAe9VrOPFrheQAKmMjumuX92H0dEAbqJe/IuNvp4TM +AYoLx7LdZEqoOECgmPutF6T+P/lUqO7GKf7w61YgQbg +-> t-grease vGPB i +qH3ME5lUwm8DmZYeo0sP +--- tkaQiyOtKJ4PSuOPxPWK5R6R7YGLSzVd9szY5QubKWI +<;ÂùÍSÖÙtÃ/eÁC˜{_¡øec±»¹@•½Å ¹Fà›BÕÔÐH:ƒ®A4PV +?qÉììŒ >3sÂ+Ÿg ™3=bϪ »;u_ßòû \ No newline at end of file diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix index 308893358dc9..6c9f558e3a36 100644 --- a/ops/secrets/secrets.nix +++ b/ops/secrets/secrets.nix @@ -9,6 +9,7 @@ let default.publicKeys = tazjin ++ [ whitby ]; in { "besadii.age" = default; + "buildkite-agent-token.age" = default; "clbot.age" = default; "gerrit-queue.age" = default; "owothia.age" = default; -- cgit 1.4.1