From 002d183876e67338498bd4fbae9928af4fb5694c Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Fri, 10 Dec 2021 15:32:11 +0300
Subject: [PATCH] refactor(ops): Move clbot SSH key into agenix
Change-Id: Iae03ead7dda0509689a76f0d76f9cfeb8434e967
---
 ops/machines/whitby/default.nix | 9 +++++++--
 ops/secrets/clbot-ssh.age | Bin 0 -> 741 bytes
 ops/secrets/secrets.nix | 1 +
 3 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100644 ops/secrets/clbot-ssh.age
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 1a624c8f6..8cec05284 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -216,6 +216,11 @@ in {
 mode = "0440";
 group = "buildkite-agents";
 };
+
+ clbot-ssh = {
+ file = secretFile "clbot-ssh";
+ owner = "clbot";
+ };
 };
 # Automatically collect garbage from the Nix store.
@@ -280,7 +285,7 @@ in {
 flags = {
 gerrit_host = "cl.tvl.fyi:29418";
 gerrit_ssh_auth_username = "clbot";
- gerrit_ssh_auth_key = "/etc/secrets/id_clbot";
+ gerrit_ssh_auth_key = "/run/agenix/clbot-ssh";
 irc_server = "localhost:${toString config.services.znc.config.Listener.l.Port}";
 irc_user = "tvlbot";
@@ -290,7 +295,7 @@ in {
 notify_repo = "depot";
 # This secret is read from an environment variable, which is
- # populated from /etc/secrets/clbot
+ # populated by a systemd EnvironmentFile.
 irc_pass = "$CLBOT_PASS";
 };
 };
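Review bot: The new `clbot-ssh` entry in the first hunk (`@@ -216,6 +216,11 @@`) sets `owner` but no `mode`, so the permissions on the decrypted SSH private key depend on the agenix default, while the entry just above it spells out `mode = "0440"`. Adding `mode = "0400";` next to `owner = "clbot";` would state that only the clbot user may read the key, and would keep that true if the entry is later copied from a group-readable sibling. The `owner` also presumes a static `clbot` user exists on whitby when secrets are activated; that definition is not in the hunk and is worth confirming. The enclosing secrets set starts above the hunk.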
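Review bot: In the second hunk (`@@ -280,7 +285,7 @@`) the flag `gerrit_ssh_auth_key = "/run/agenix/clbot-ssh";` hard-codes the decryption path as a string, so it silently goes stale if the secret is renamed or the agenix secrets directory changes. Assuming the set extended in the first hunk is `age.secrets`, `gerrit_ssh_auth_key = config.age.secrets.clbot-ssh.path;` ties the flag to that declaration and makes evaluation fail if the entry is removed. Nothing in the diff removes the previous plaintext key at `/etc/secrets/id_clbot` from the host; deleting that file after deployment, and rotating the key if its earlier exposure is a concern, belongs in the rollout steps. The `flags` set continues outside the hunk.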
diff --git a/ops/secrets/clbot-ssh.age b/ops/secrets/clbot-ssh.age new file mode 100644 index 0000000000000000000000000000000000000000..8253bab67d860f40c60c6be6384daf3b4f2d777f GIT binary patch literal 741 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSnNiI(GDOWJ5D$30$ zHSa`CMy%S$ygb9TzeF$)Z~^f0g}^F+7JKij>~Ctbm{%&9aYGrcU>F~~T* z(%8_eprF{uQ@cDl+}$}_+ttZ0C@?M6H_|N8$(JkG%OI^XDk?aj$TKs_zr@QZ(l6XB zEHyjT-8Hf_pxCTb+c7U7Aiu!WI22@?VX~jPRe5@>ZhBE_VsR>0UU9CuXH`aiWoe2# zm#(g^LS%?bxIs~oZ(^Z^L0+g|sB1~FUs;J$l#jV@Sg5{Pgh{GTXqAU+xVv{cSDV_E zlhdDte%SQmvrm_4ZC(C_2g*MxI&a8}PX7Ms%A2LWUsH2xc>7YOPCK=CQU2Z%o%1P2 zfBtDJ=3mIF9&#Y|vBRI$-=;9K_`hC$X|YK3h4~k!zP)ts$1}Fn!iAyhn;$gm-FW$w z(p4l=2Oi5t=l+7 zm1gv@v2>oRjh`US@vx`mMVR{6R+DcNe^)sye%CN9@rsRf#J_I`-xuEfR(>(v;Jk`- z-I2FaO2++B<+AEYxBvXUC2VM0+B5a2%G&38JhtmH-YGE6NIG4~edx%lJcs#dx|0rX zGWuT8)P0llOwEk1zm23>o>Z>?A1jk~;=AsF0|Dlf1a9^{o}R|?|Bka|RpKMYh8?j= zOrlGo*|wdN?^IiCqp_^7@y#Ud{aUT9`O4qE)y#8J5-<=j$#U3he^q{pQ{ct4mX)VZ zO>Zt-{`tOl)ZV%4I`1>Ix*nai(?q&hYs$K??#Qsaz3&z;Jl%MR@9E;TK6?uP{+#-G cx_i5OSHCa&rOO{P)1I|#e(`u+>xOTf0O4*ziU0rr literal 0 HcmV?d00001 diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix index 6c9f558e3..f98f884f4 100644 --- a/ops/secrets/secrets.nix +++ b/ops/secrets/secrets.nix @@ -11,6 +11,7 @@ in { "besadii.age" = default; "buildkite-agent-token.age" = default; "clbot.age" = default; + "clbot-ssh.age" = default; "gerrit-queue.age" = default; "owothia.age" = default; }
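Review bot: `"clbot-ssh.age" = default;` in the `secrets.nix` hunk encrypts the Gerrit SSH key to whatever recipient list `default` names, and that binding is defined above the hunk, so its membership cannot be checked from here. Because this key authenticates as the `clbot` Gerrit account, it is worth confirming that `default` contains only whitby's host key and the admins who need to rekey; a narrower, dedicated list would be the least-privilege choice if `default` is broader. A comment such as `# Gerrit SSH private key for clbot; only whitby needs to decrypt it` above the entry would record the intent.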