From 2fe8d724d7cbc86c68c62ed6233e7b982566ad4d Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Fri, 10 Dec 2021 21:23:05 +0300
Subject: refactor(ops): Move Nix cache secret to agenix

... and also the public key, just to keep the distribution mechanism the same.

Change-Id: Ief14daf9344c0fb99eeb5789c1ec9bfb1f12bee0
---
 ops/machines/whitby/default.nix | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

(limited to 'ops/machines/whitby/default.nix')

diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 572417fea6..129a1a7667 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -173,7 +173,7 @@ in {
 nrBuildUsers = 256;
 maxJobs = lib.mkDefault 64;
 extraOptions = ''
- secret-key-files = /etc/secrets/nix-cache-privkey
+ secret-key-files = /run/agenix/nix-cache-priv
 '';

 trustedUsers = [
@@ -212,6 +212,7 @@ in {
 grafana.file = secretFile "grafana";
 irccat.file = secretFile "irccat";
 owothia.file = secretFile "owothia";
+ nix-cache-priv.file = secretFile "nix-cache-priv";

 buildkite-agent-token = {
 file = secretFile "buildkite-agent-token";
@@ -240,6 +241,12 @@ in {
 file = secretFile "clbot-ssh";
 owner = "clbot";
 };
+
+ # Not actually a secret
+ nix-cache-pub = {
+ file = secretFile "nix-cache-pub";
+ mode = "0444";
+ };
 };

 # Automatically collect garbage from the Nix store.
@@ -419,7 +426,7 @@ in {
 services.nix-serve = {
 enable = true;
 port = 6443;
- secretKeyFile = "/etc/secrets/nix-cache-key.sec";
+ secretKeyFile = "/run/agenix/nix-cache-priv";
 bindAddress = "localhost";
 };

--
cgit 1.4.1
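Review bot: The new `nix-cache-priv.file = secretFile "nix-cache-priv";` entry in the second hunk sets no `owner` or `mode`, yet the first and last hunks point two different consumers at `/run/agenix/nix-cache-priv`: `secret-key-files` in the Nix daemon options and `services.nix-serve.secretKeyFile`. With agenix's defaults the decrypted file is readable by root only, so if the nix-serve unit runs as an unprivileged user it will not be able to read the signing key; that unit's definition is outside this diff, so this needs confirming. If it does, use the attribute-set form already used for `clbot-ssh` with an explicit owner, e.g. `nix-cache-priv = { file = secretFile "nix-cache-priv"; owner = "<nix-serve unit user>"; };`, rather than widening the mode. The two removed paths (`/etc/secrets/nix-cache-privkey` and `/etc/secrets/nix-cache-key.sec`) were different files, so it is also worth confirming they held the same key before pointing both settings at one secret.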
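Review bot: The comment `# Not actually a secret` on `nix-cache-pub` in the third hunk says what the entry is not, but not why a public key goes through agenix or what reads it. The key is presumably the one clients use to verify cache signatures, and keeping it encrypted means any later change to that trust anchor appears in review as an opaque blob; the consumer of `/run/agenix/nix-cache-pub` is not visible in this diff. I would expand the comment to something like `# Public half of the cache signing key; world-readable (0444), kept in agenix only so both halves are distributed the same way.` and say where the plaintext value can be cross-checked.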