fix(secrets): buildKite agents can read gerrit secrets

We need to ensure the agents can read the secrets / tokens to vote after a build. Change-Id: I066c2482a795b21badaa9cc3c525373d7945b084 Reviewed-on: https://cl.fcuny.net/c/world/+/341 Reviewed-by: Franck Cuny <franck@fcuny.net>
author: Franck Cuny <franck@fcuny.net> 2022-06-09 13:54:35 -0700
committer: Franck Cuny <franck@fcuny.net> 2022-06-09 14:10:19 -0700
commit: 13ab97b5529fc78f08692e210851413459d96d4f (patch)
tree: dd7811a1e866d4905c37d6f5fe27c981a7da78e1 /hosts/tahoe/secrets/secrets.nix
parent: feat(gerrit-hook): propagate gerrit information in the environment (diff)
download: world-13ab97b5529fc78f08692e210851413459d96d4f.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/hosts/tahoe/secrets/secrets.nix b/hosts/tahoe/secrets/secrets.nix
index 8776e6a..79273b8 100644
--- a/hosts/tahoe/secrets/secrets.nix
+++ b/hosts/tahoe/secrets/secrets.nix
@@ -21,9 +21,13 @@ in {
     mode = "0440";
   };
 
+  # the owner is gerrit, but we also want the builders to access this
+  # configuration.
   "gerrit/hooks.age" = {
     publicKeys = all;
     owner = "git";
+    group = "buildkite-agents";
+    mode = "0440";
   };
 
   "syncthing/key.age" = {
author	Franck Cuny <franck@fcuny.net>	2022-06-09 13:54:35 -0700
committer	Franck Cuny <franck@fcuny.net>	2022-06-09 14:10:19 -0700
commit	13ab97b5529fc78f08692e210851413459d96d4f (patch)
tree	dd7811a1e866d4905c37d6f5fe27c981a7da78e1 /hosts/tahoe/secrets/secrets.nix
parent	feat(gerrit-hook): propagate gerrit information in the environment (diff)
download	world-13ab97b5529fc78f08692e210851413459d96d4f.tar.gz