From 13ab97b5529fc78f08692e210851413459d96d4f Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Thu, 9 Jun 2022 13:54:35 -0700
Subject: fix(secrets): buildKite agents can read gerrit secrets

We need to ensure the agents can read the secrets / tokens to vote after a build.

Change-Id: I066c2482a795b21badaa9cc3c525373d7945b084
Reviewed-on: https://cl.fcuny.net/c/world/+/341
Reviewed-by: Franck Cuny
---
 hosts/tahoe/secrets/secrets.nix | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'hosts/tahoe/secrets')

diff --git a/hosts/tahoe/secrets/secrets.nix b/hosts/tahoe/secrets/secrets.nix
index 8776e6a..79273b8 100644
--- a/hosts/tahoe/secrets/secrets.nix
+++ b/hosts/tahoe/secrets/secrets.nix
@@ -21,9 +21,13 @@ in {
 mode = "0440";
 };
 
+ # the owner is gerrit, but we also want the builders to access this
+ # configuration.
 "gerrit/hooks.age" = {
 publicKeys = all;
 owner = "git";
+ group = "buildkite-agents";
+ mode = "0440";
 };
 
 "syncthing/key.age" = {
-- 
cgit 1.4.1
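Review bot: The comment added above `"gerrit/hooks.age"` says the owner is gerrit, while the entry sets `owner = "git"`; reword it to match the code, e.g. `# owned by git; group-readable so the buildkite agents can read it too.` Group read access for `buildkite-agents` presumably lets any job that runs as an agent on this host read the decrypted file, so if it holds more than the token the builders need for voting, a separate age secret containing only that token would keep the exposure narrower. `mode = "0440"` keeps the file read-only and closed to other users, which fits the stated intent. The attribute set being edited starts and ends outside the hunk, so whether the `buildkite-agents` group is declared on this host cannot be confirmed from here.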