From 9ea4d55d81d61b6073e69bebdc614f9694d8223c Mon Sep 17 00:00:00 2001
From: Vincent Ambo <mail@tazj.in>
Date: Fri, 10 Dec 2021 10:29:41 +0300
Subject: refactor(ops): Move buildkite-agent-token into agenix

Relates to b/161

Change-Id: I5d3a698d437928966d8b78ce9e0ba226c1437655
---
 ops/machines/whitby/default.nix       |  6 ++++++
 ops/modules/tvl-buildkite.nix         |  2 +-
 ops/secrets/buildkite-agent-token.age | 10 ++++++++++
 ops/secrets/secrets.nix               |  1 +
 4 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 ops/secrets/buildkite-agent-token.age

diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index d6d3004ffc..c066fa400f 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -210,6 +210,12 @@ in {
       clbot.file = secretFile "clbot";
       gerrit-queue.file = secretFile "gerrit-queue";
       owothia.file = secretFile "owothia";
+
+      buildkite-agent-token = {
+        file = secretFile "buildkite-agent-token";
+        mode = "0440";
+        group = "buildkite-agents";
+      };
     };
 
   # Automatically collect garbage from the Nix store.
diff --git a/ops/modules/tvl-buildkite.nix b/ops/modules/tvl-buildkite.nix
index 56e49c9912..1f0d4e2e7a 100644
--- a/ops/modules/tvl-buildkite.nix
+++ b/ops/modules/tvl-buildkite.nix
@@ -33,7 +33,7 @@ in {
       value = {
         inherit name;
         enable = true;
-        tokenPath = "/etc/secrets/buildkite-agent-token";
+        tokenPath = "/run/agenix/buildkite-agent-token";
         runtimePackages = with pkgs; [ curl jq ];
         hooks.post-command = "${buildkiteHooks}/bin/post-command";
       };
diff --git a/ops/secrets/buildkite-agent-token.age b/ops/secrets/buildkite-agent-token.age
new file mode 100644
index 0000000000..27ed2282b8
--- /dev/null
+++ b/ops/secrets/buildkite-agent-token.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw TEQdP/s+YdThYzunL0Fxs7ccPR+qjxd9IJdtkVjX3jI
+ZnnD2KIMunt9Qgs2zJFMeMuoj2l0NKZlMO2WweLnkx8
+-> ssh-ed25519 OkGqLg wIAe9VrOPFrheQAKmMjumuX92H0dEAbqJe/IuNvp4TM
+AYoLx7LdZEqoOECgmPutF6T+P/lUqO7GKf7w61YgQbg
+-> t-grease vGPB i
+qH3ME5lUwm8DmZYeo0sP
+--- tkaQiyOtKJ4PSuOPxPWK5R6R7YGLSzVd9szY5QubKWI
+<;ÂùÍSÖÙtÃ/eÁC˜{_¡øec±»¹@•½Å¹Fà›BÕÔÐH:ƒ®A4PV
+?qÉììŒ>3sÂ+Ÿg ™3=bÏª »;u_ßòû
\ No newline at end of file
diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix
index 308893358d..6c9f558e3a 100644
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@@ -9,6 +9,7 @@ let
   default.publicKeys = tazjin ++ [ whitby ];
 in {
   "besadii.age" = default;
+  "buildkite-agent-token.age" = default;
   "clbot.age" = default;
   "gerrit-queue.age" = default;
   "owothia.age" = default;
-- 
cgit 1.4.1