refactor(grfn/mugwump): Move buildkite secrets into age

Use agenix for the buildkite ssh key and agent token on mugwump, instead of storing stuff in /etc/secrets Change-Id: I56951587b949fc0854e56f5c4e33b601e9cd964e Reviewed-on: https://cl.tvl.fyi/c/depot/+/5027 Reviewed-by: grfn <grfn@gws.fyi> Autosubmit: grfn <grfn@gws.fyi> Tested-by: BuildkiteCI
2022-01-20 09:28:01 -05:00 · 2022-01-20 09:28:01 -05:00 · 7873806218
commit 7873806218
parent 8b63e0f8ce
4 changed files with 30 additions and 2 deletions
--- a/users/grfn/system/system/machines/mugwump.nix
+++ b/users/grfn/system/system/machines/mugwump.nix
@ -72,6 +72,18 @@ with lib;
    bbbg.file = secret "bbbg";
    cloudflare.file = secret "cloudflare";
    ddclient-password.file = secret "ddclient-password";
+
+    buildkite-ssh-key = {
+      file = secret "buildkite-ssh-key";
+      group = "keys";
+      mode = "0440";
+    };
+
+    buildkite-token = {
+      file = secret "buildkite-token";
+      group = "keys";
+      mode = "0440";
+    };
  };

  services.depot.auto-deploy = {
@ -142,6 +154,8 @@ with lib;
    quiet = true;
  };

+  systemd.services.ddclient.serviceConfig.DynamicUser = lib.mkForce false;
+
  security.acme.certs."metrics.gws.fyi" = {
    dnsProvider = "cloudflare";
    credentialsFile = "/run/agenix/cloudflare";
@ -247,8 +261,8 @@ with lib;
    value = {
      inherit name;
      enable = true;
-      tokenPath = "/etc/secrets/buildkite-agent-token";
-      privateSshKeyPath = "/etc/secrets/buildkite-ssh-key";
+      tokenPath = "/run/agenix/buildkite-agent-token";
+      privateSshKeyPath = "/run/agenix/buildkite-ssh-key";
      runtimePackages = with pkgs; [
        docker
        nix