From d6069f88bd78cbda4987f2d0179078205ac9ac21 Mon Sep 17 00:00:00 2001
From: Kosyrev Serge
Date: Fri, 24 Nov 2017 21:01:36 +0300
Subject: [PATCH] buildkite-agent: demotivate potential secrecy regressions through documentation

# Conflicts:
# nixos/modules/services/continuous-integration/buildkite-agent.nix
---
 .../services/continuous-integration/buildkite-agent.nix | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/services/continuous-integration/buildkite-agent.nix b/nixos/modules/services/continuous-integration/buildkite-agent.nix
index 2395987d499b00..36d321e59d8302 100644
--- a/nixos/modules/services/continuous-integration/buildkite-agent.nix
+++ b/nixos/modules/services/continuous-integration/buildkite-agent.nix
@@ -86,10 +86,13 @@ in
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
 environment.HOME = "/var/lib/buildkite-agent";
+
+ ## NB: maximum care is taken so that secrets (ssh keys and the CI token)
+ ## don't end up in the Nix store.
 preStart = ''
 ${pkgs.coreutils}/bin/mkdir -m 0700 -p /var/lib/buildkite-agent/.ssh
- ${copyOrEcho cfg.openssh.privateKey "/var/lib/buildkite-agent/.ssh/id_rsa" 600}
- ${copyOrEcho cfg.openssh.publicKey "/var/lib/buildkite-agent/.ssh/id_rsa.pub" 600}
+ ${copyOrEcho (toString cfg.openssh.privateKey) "/var/lib/buildkite-agent/.ssh/id_rsa" 600}
+ ${copyOrEcho (toString cfg.openssh.publicKey) "/var/lib/buildkite-agent/.ssh/id_rsa.pub" 600}
 cat > "/var/lib/buildkite-agent/buildkite-agent.cfg" <