From 3a410a78df98fbace3fb3d6c6a570058a2758811 Mon Sep 17 00:00:00 2001 From: Vincent Ambo Date: Sun, 12 Dec 2021 11:14:50 +0300 Subject: feat(ops/secrets): Make (encrypted) secrets part of the tree Currently in NixOS configuration using agenix secrets there is no build time validation of secret paths - things fail at runtime (system activation). To prevent that, this CL makes the secrets part of the tree based on the same configuration file used by agenix itself. This guards against: * agenix secrets.nix definition for a non-existent file * age.secrets value in a NixOS config for a non-existent secret Change-Id: I5b191dcbd5b2522566ff7c38f8a988bbf7679364 --- ops/machines/whitby/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'ops/machines/whitby/default.nix') diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix index 3a41e1442c..f0e934c635 100644 --- a/ops/machines/whitby/default.nix +++ b/ops/machines/whitby/default.nix @@ -205,7 +205,7 @@ in { # Configure secrets for services that need them. age.secrets = let - secretFile = name: "${depot.path.origSrc}/ops/secrets/${name}.age"; + secretFile = name: depot.ops.secrets."${name}.age"; in { clbot.file = secretFile "clbot"; gerrit-queue.file = secretFile "gerrit-queue"; -- cgit 1.4.1
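Review bot: The rewritten `secretFile` helper in the `age.secrets` let-binding carries no comment explaining why it looks secrets up in `depot.ops.secrets` instead of building a path string, so the evaluation-time check described in the commit message could be undone by a later refactor. I would add above it `# Look secrets up as attributes so that a missing .age file fails at evaluation, not at activation.` Whatever `depot.ops.secrets` exposes presumably ends up referenced from the world-readable Nix store, so that attribute set should only ever contain age-encrypted files. Its definition is not part of this hunk, so that is worth confirming where it is built. The `age.secrets` attribute set itself continues past the end of the hunk.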