fix(gerrit): make buildbot able to read the priv ssh key

Signed-off-by: Raito Bezarius <raito@lix.systems>

buildbot_nix/__init__.py

@@ -597,15 +597,15 @@ def nix_build_config(
         factory=factory,
     )
 
-
+def assemble_secret_file_path(secret_name: str) -> Path:
-def read_secret_file(secret_name: str) -> str:
     directory = os.environ.get("CREDENTIALS_DIRECTORY")
     if directory is None:
         print("directory not set", file=sys.stderr)
         sys.exit(1)
-    return Path(directory).joinpath(secret_name).read_text().rstrip()
+    return Path(directory).joinpath(secret_name)
-
 
+def read_secret_file(secret_name: str) -> str:
+    return assemble_secret_file_path(secret_name).read_text().rstrip()
 
 def config_for_project(
     config: dict[str, Any],

nix/coordinator.nix

@@ -188,7 +188,7 @@ in
       home = "/var/lib/buildbot";
       extraImports = ''
         from datetime import timedelta
-        from buildbot_nix import GerritNixConfigurator, read_secret_file, make_oauth2_method, OAuth2Config
+        from buildbot_nix import GerritNixConfigurator, read_secret_file, make_oauth2_method, OAuth2Config, assemble_secret_file_path
 
         # TODO(raito): make me configurable from the NixOS module.
         # how?
@@ -209,7 +209,7 @@ in
               "${cfg.gerrit.domain}",
               "${cfg.gerrit.username}",
               "${toString cfg.gerrit.port}",
-              "${cfg.gerrit.privateKeyFile}",
+              assemble_secret_file_path('buildbot-service-private-key'),
               projects=${builtins.toJSON cfg.gerrit.projects},
               allowed_origins=${builtins.toJSON cfg.allowedOrigins},
               url=${builtins.toJSON config.services.buildbot-master.buildbotUrl},
@@ -269,6 +269,7 @@ in
         LoadCredential = [
           "buildbot-nix-workers:${cfg.workersFile}"
           "buildbot-oauth2-secret:${cfg.oauth2.clientSecretFile}"
+          "buildbot-service-private-key:${cfg.gerrit.privateKeyFile}"
         ];
       };
     };