buildkite-agent: demotivate potential secrecy regressions through doc…

…umentation # Conflicts: # nixos/modules/services/continuous-integration/buildkite-agent.nix
NixOS · Nov 25, 2017 · d6069f8 · d6069f8
1 parent 815dc9d
commit d6069f8
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/nixos/modules/services/continuous-integration/buildkite-agent.nix b/nixos/modules/services/continuous-integration/buildkite-agent.nix
@@ -86,10 +86,13 @@ in
         wantedBy = [ "multi-user.target" ];
         after = [ "network.target" ];
         environment.HOME = "/var/lib/buildkite-agent";
+
+        ## NB: maximum care is taken so that secrets (ssh keys and the CI token)
+        ##     don't end up in the Nix store.
         preStart = ''
             ${pkgs.coreutils}/bin/mkdir -m 0700 -p /var/lib/buildkite-agent/.ssh
-            ${copyOrEcho cfg.openssh.privateKey "/var/lib/buildkite-agent/.ssh/id_rsa"     600}
-            ${copyOrEcho cfg.openssh.publicKey  "/var/lib/buildkite-agent/.ssh/id_rsa.pub" 600}
+            ${copyOrEcho (toString cfg.openssh.privateKey) "/var/lib/buildkite-agent/.ssh/id_rsa"     600}
+            ${copyOrEcho (toString cfg.openssh.publicKey)  "/var/lib/buildkite-agent/.ssh/id_rsa.pub" 600}
 
             cat > "/var/lib/buildkite-agent/buildkite-agent.cfg" <<EOF
             token="${catOrLiteral cfg.token}"