diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix index d6d3004ff..c066fa400 100644 --- a/ops/machines/whitby/default.nix +++ b/ops/machines/whitby/default.nix @@ -210,6 +210,12 @@ in { clbot.file = secretFile "clbot"; gerrit-queue.file = secretFile "gerrit-queue"; owothia.file = secretFile "owothia"; + + buildkite-agent-token = { + file = secretFile "buildkite-agent-token"; + mode = "0440"; + group = "buildkite-agents"; + }; }; # Automatically collect garbage from the Nix store. diff --git a/ops/modules/tvl-buildkite.nix b/ops/modules/tvl-buildkite.nix index 56e49c991..1f0d4e2e7 100644 --- a/ops/modules/tvl-buildkite.nix +++ b/ops/modules/tvl-buildkite.nix @@ -33,7 +33,7 @@ in { value = { inherit name; enable = true; - tokenPath = "/etc/secrets/buildkite-agent-token"; + tokenPath = "/run/agenix/buildkite-agent-token"; runtimePackages = with pkgs; [ curl jq ]; hooks.post-command = "${buildkiteHooks}/bin/post-command"; }; diff --git a/ops/secrets/buildkite-agent-token.age b/ops/secrets/buildkite-agent-token.age new file mode 100644 index 000000000..27ed2282b --- /dev/null +++ b/ops/secrets/buildkite-agent-token.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 dcsaLw TEQdP/s+YdThYzunL0Fxs7ccPR+qjxd9IJdtkVjX3jI +ZnnD2KIMunt9Qgs2zJFMeMuoj2l0NKZlMO2WweLnkx8 +-> ssh-ed25519 OkGqLg wIAe9VrOPFrheQAKmMjumuX92H0dEAbqJe/IuNvp4TM +AYoLx7LdZEqoOECgmPutF6T+P/lUqO7GKf7w61YgQbg +-> t-grease vGPB i +qH3ME5lUwm8DmZYeo0sP +--- tkaQiyOtKJ4PSuOPxPWK5R6R7YGLSzVd9szY5QubKWI +<;ÂùÍSÖÙtÃ/eÁC˜{_¡øec±»¹@•½Å ¹Fà›BÕÔÐH:ƒ®A4PV +?qÉììŒ >3sÂ+Ÿg ™3=bϪ »;u_ßòû \ No newline at end of file diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix index 308893358..6c9f558e3 100644 --- a/ops/secrets/secrets.nix +++ b/ops/secrets/secrets.nix @@ -9,6 +9,7 @@ let default.publicKeys = tazjin ++ [ whitby ]; in { "besadii.age" = default; + "buildkite-agent-token.age" = default; "clbot.age" = default; "gerrit-queue.age" = default; "owothia.age" = default;
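Review bot: The `buildkite-agent-token` entry makes the token group-readable (`mode = "0440"`, `group = "buildkite-agents"`) without a comment saying why, and nothing visible in this diff declares that group or puts the agent users in it. I would add a comment above the entry such as `# Group-readable so every buildkite agent user can read the shared token; group is declared in <module defining buildkite-agents>.` and confirm the group exists on whitby before the secret is activated. Any process running as a member of that group, including build steps executed by an agent user, can read the token, so membership should stay limited to the agent accounts. The enclosing attribute set starts outside the hunk.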
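Review bot: The new `tokenPath` in `ops/modules/tvl-buildkite.nix` hard-codes `/run/agenix/buildkite-agent-token`, which ties this shared module to the default agenix secrets directory and to a secret that this diff declares only in whitby's machine config. If the secrets in the whitby hunk sit under `age.secrets` and `config` is in scope here (neither is visible), `tokenPath = config.age.secrets.buildkite-agent-token.path;` would follow a changed secrets directory and fail at evaluation rather than at agent start when the secret is not declared. The old plaintext copy under `/etc/secrets/` is not touched by this change and has to be removed from the host separately. The surrounding attribute set starts and ends outside the hunk.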