refactor(ops): Use besadii configuration from agenix
We already checked this in, but this commit adds the configuration for making use of it. There are two copies of besadii's JSON configuration with different permissions. Note that the buildkite-graphql-token path needs to be updated in static-pipeline.yml, but this needs to happen in a separate commit after deploy because the pipeline will break otherwise. Change-Id: I6fab4bf1a2e679df7cf76521e2b53bd9dadbac62
		
							parent
							
								
									b1108821a9
								
							
						
					
					
						commit
						82a885a750
					
				
					 5 changed files with 29 additions and 2 deletions
				
			
		|  | @ -219,6 +219,23 @@ in { | |||
|         group = "buildkite-agents"; | ||||
|       }; | ||||
| 
 | ||||
|       buildkite-graphql-token = { | ||||
|         file = secretFile "buildkite-graphql-token"; | ||||
|         mode = "0440"; | ||||
|         group = "buildkite-agent"; | ||||
|       }; | ||||
| 
 | ||||
|       buildkite-besadii-config = { | ||||
|         file = secretFile "besadii"; | ||||
|         mode = "0440"; | ||||
|         group = "buildkite-agent"; | ||||
|       }; | ||||
| 
 | ||||
|       gerrit-besadii-config = { | ||||
|         file = secretFile "besadii"; | ||||
|         owner = "git"; | ||||
|       }; | ||||
| 
 | ||||
|       clbot-ssh = { | ||||
|         file = secretFile "clbot-ssh"; | ||||
|         owner = "clbot"; | ||||
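Review bot: The two new Buildkite secrets set `group = "buildkite-agent";` (singular), while the entry directly above them in this hunk uses `group = "buildkite-agents";`. Only one of these is likely to be the group the agents actually run under; with the wrong name the ownership change at activation may fail, or the 0440 files may end up unreadable by the agents. Confirm the name against the agent user/group definition, which is outside this hunk, and align the three entries. A short comment above the two besadii entries, e.g. `# same besadii.age payload, decrypted twice so git and the buildkite agents each get a copy they can read`, would also explain why `secretFile "besadii"` appears twice with different ownership.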
|  |  | |||
|  | @ -5,7 +5,7 @@ let | |||
|   cfg = config.services.gerrit; | ||||
| 
 | ||||
|   besadiiWithConfig = name: pkgs.writeShellScript "besadii-whitby" '' | ||||
|     export BESADII_CONFIG=/etc/secrets/besadii.json | ||||
|     export BESADII_CONFIG=/run/agenix/gerrit-besadii-config | ||||
|     exec -a ${name} ${depot.ops.besadii}/bin/besadii "$@" | ||||
|   ''; | ||||
| 
 | ||||
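Review bot: The wrapper hard-codes `/run/agenix/gerrit-besadii-config`, so the path is tied to the secret's attribute name only by convention. If the secret entry is renamed or removed, the system would still evaluate and besadii would only fail at hook time on a missing file. Assuming these are agenix `age.secrets` entries, `export BESADII_CONFIG=${config.age.secrets.gerrit-besadii-config.path}` would turn that into an evaluation error; `config` is already used in this `let`. The same applies to the Buildkite agents hunk with `/run/agenix/buildkite-besadii-config`, provided `config` is in scope there. The `let` block starts and ends outside the hunk.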
|  |  | |||
|  | @ -7,7 +7,7 @@ let | |||
|   description = "Buildkite agents for TVL"; | ||||
| 
 | ||||
|   besadiiWithConfig = name: pkgs.writeShellScript "besadii-whitby" '' | ||||
|     export BESADII_CONFIG=/etc/secrets/besadii.json | ||||
|     export BESADII_CONFIG=/run/agenix/buildkite-besadii-config | ||||
|     exec -a ${name} ${depot.ops.besadii}/bin/besadii "$@" | ||||
|   ''; | ||||
| 
 | ||||
|  |  | |||
							
								
								
									
										9
									
								
								ops/secrets/buildkite-graphql-token.age
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
									
								
							|  | @ -0,0 +1,9 @@ | |||
| age-encryption.org/v1 | ||||
| -> ssh-ed25519 dcsaLw xzwSc5FlU9NrAyQhMXigihf3oEE2yA8nZfpP3U1co1k | ||||
| +nUTx+ppxHIgKs9RG0mhWG3a7OkbelZDNDiXabGIMrc | ||||
| -> ssh-ed25519 OkGqLg lTCF8xm2+wljZs6PyUeB6ySD9TEEAfQdbW3qIuat4gE | ||||
| THlu4VhAm5FKLYvc6ad6lFnlssVJsPiGqucSVF949vM | ||||
| -> 62T-grease 7 RH''g X | ||||
| 4zRtTUAapv8 | ||||
| --- d8zm0fuBJSw1oZmpsIAJ66YqkS3y/UBQzd/A2/8u17g | ||||
| i'©`äô/”¼í–<C3AD>Ë(ºqÐciY”fÒœñ"€„¹+ás<C3A1>™ªÙ0‘XÌ; ’¼™3š‚5΂ӄ<C393>K?d%;vŽ[¨Æ | ||||
|  | @ -14,6 +14,7 @@ let | |||
| in { | ||||
|   "besadii.age" = default; | ||||
|   "buildkite-agent-token.age" = default; | ||||
|   "buildkite-graphql-token.age" = default; | ||||
|   "clbot-ssh.age" = default; | ||||
|   "clbot.age" = default; | ||||
|   "gerrit-queue.age" = default; | ||||
|  |  | |||