ci-runners: secret available at image build time

.ci.sdImages.sh

@@ -1,5 +1,7 @@
 #!/usr/bin/env bash
 
+source /run/agenix/ci-secrets
+
 set -eou pipefail
 
 set -x

.ci.sh

@@ -1,5 +1,7 @@
 #!/usr/bin/env bash
 
+source /run/agenix/ci-secrets
+
 set -eou pipefail
 
 set -x

modules/ci-runners.nix

@@ -4,8 +4,13 @@ let
   gitea-runner-directory = "/var/lib/gitea-runner";
   secrets = import ../secrets.nix;
 in {
-  age.secrets.gitea-runner-token = {
-    file = ../secrets/gitea-runner-token-${config.networking.hostName}.age;
+  age.secrets = {
+    gitea-runner-token.file =
+      ../secrets/gitea-runner-token-${config.networking.hostName}.age;
+    ci-secrets = { # for printer host sd images
+      file = ../secrets/ci-secrets.age;
+      mode = "444";
+    };
   };
 
   services.gitea-actions-runner.instances.nix = {

secrets.nix

@@ -53,7 +53,10 @@ in {
   "secrets/synapseExtraConfig.age".publicKeys = ar ++ [ zorigami ];
   "secrets/gitea-runner-token-zorigami.age".publicKeys = ar ++ [ zorigami ];
   "secrets/gitea-runner-token-scylla.age".publicKeys = ar ++ [ scylla ];
-  "secrets/hswaw-wifi.age".publicKeys = ar; # TODO: we're not getting ssh keys for the generated disk image…
+  "secrets/ci-secrets.age".publicKeys = ar ++ [
+    scylla
+    zorigami
+  ]; # TODO: we're not getting ssh keys for the generated disk image, so we need to embed it at disk image build time
 
   inherit ar;
 }

secrets/hswaw-wifi.age

@@ -1,10 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 kY4Rgg N6Jqbjj+5CXGRVrcG1RVKTHYkTsus4/yEDQ3L4Pfc2M
-wQ3m82ax5s7wQblxD1RzuftQMJ5KyokVOvuXvdoXyXg
--> ssh-ed25519 grc4Uw 0hM20m3Wqjphc/Nz4kcXGK8kGmTSHqtsAB18ticDIRo
-XgNFc5WKE9cFZvr6bhSTMwOGFenhJfVBM246sN5ERD8
--> +n9QBq$-grease
-/oA0UeYd9bU6gvkD0MDcqU9CkdY9KdbuRNUcaeUkid+mWBn0jTaQS/AvR7r6BMAB
-iOqMW50jF+WickRN9RQ3wSrVk7k0iHQQ9u0c637+5X/CwSYtkYc
---- DhnsuPBkBAqKjHyn1fadSFPp4eCQXuwhSYO8W7Txyzs
-©õø¤Á÷]±«Q‚Cyc<79>‹3b	\¾Ñ0IA¨k
±iØ¿».ãÝó@Üõo$Ôòš»¥