From 7873806218f3ca06ad599cf1693848db6599415c Mon Sep 17 00:00:00 2001
From: Griffin Smith
Date: Thu, 20 Jan 2022 09:28:01 -0500
Subject: refactor(grfn/mugwump): Move buildkite secrets into age

Use agenix for the buildkite ssh key and agent token on mugwump, instead of storing stuff in /etc/secrets

Change-Id: I56951587b949fc0854e56f5c4e33b601e9cd964e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5027
Reviewed-by: grfn
Autosubmit: grfn
Tested-by: BuildkiteCI
---
 users/grfn/system/system/machines/mugwump.nix | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

(limited to 'users/grfn/system')

diff --git a/users/grfn/system/system/machines/mugwump.nix b/users/grfn/system/system/machines/mugwump.nix
index a9f876972539..7de6555878d9 100644
--- a/users/grfn/system/system/machines/mugwump.nix
+++ b/users/grfn/system/system/machines/mugwump.nix
@@ -72,6 +72,18 @@ with lib;
 bbbg.file = secret "bbbg";
 cloudflare.file = secret "cloudflare";
 ddclient-password.file = secret "ddclient-password";
+
+ buildkite-ssh-key = {
+ file = secret "buildkite-ssh-key";
+ group = "keys";
+ mode = "0440";
+ };
+
+ buildkite-token = {
+ file = secret "buildkite-token";
+ group = "keys";
+ mode = "0440";
+ };
 };
 
 services.depot.auto-deploy = {
@@ -142,6 +154,8 @@ with lib;
 quiet = true;
 };
 
+ systemd.services.ddclient.serviceConfig.DynamicUser = lib.mkForce false;
+
 security.acme.certs."metrics.gws.fyi" = {
 dnsProvider = "cloudflare";
 credentialsFile = "/run/agenix/cloudflare";
@@ -247,8 +261,8 @@ with lib;
 value = {
 inherit name;
 enable = true;
- tokenPath = "/etc/secrets/buildkite-agent-token";
- privateSshKeyPath = "/etc/secrets/buildkite-ssh-key";
+ tokenPath = "/run/agenix/buildkite-agent-token";
+ privateSshKeyPath = "/run/agenix/buildkite-ssh-key";
 runtimePackages = with pkgs; [
 docker
 nix
-- 
cgit 1.4.1
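Review bot: The secret declared in the first hunk is named `buildkite-token`, but the third hunk points the agent at `/run/agenix/buildkite-agent-token`; with agenix's default path of `/run/agenix/<name>` (the convention this file already relies on for `credentialsFile = "/run/agenix/cloudflare"`) that file will not exist and the agent will fail to read its token. Either rename the declaration to `buildkite-agent-token = { file = secret "buildkite-agent-token"; ... }` or change the agent line to `tokenPath = "/run/agenix/buildkite-token";`. The `group = "keys"; mode = "0440";` settings on both secrets only help if the buildkite-agent service users are members of `keys`; that membership is not visible in this diff, so it is worth confirming before relying on the 0440 mode. The `DynamicUser = lib.mkForce false` line in the second hunk is unrelated to the commit subject and drops ddclient's dynamic-user sandboxing — presumably so it can read `/run/agenix/ddclient-password` — so a comment such as `# ddclient must run as a static user to read the agenix-managed password` would explain the override, and `LoadCredential` would be an alternative that keeps the dynamic user.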