-rw-r--r--docs/gerrit.org2
-rw-r--r--hosts/tahoe/secrets/gerrit/secure-config.agebin0 -> 717 bytes
-rw-r--r--hosts/tahoe/secrets/secrets.nix6
-rw-r--r--modules/services/gerrit/default.nix1
4 files changed, 8 insertions, 1 deletions
diff --git a/docs/gerrit.org b/docs/gerrit.org
index fa993c7..bee0509 100644
--- a/docs/gerrit.org
+++ b/docs/gerrit.org
@@ -6,7 +6,7 @@ A gerrit instance is running at [[https://cl.fcuny.net][cl.fcuny.net]].
- branches other than main can be pushed to the server
- the main branch can only be modified by gerrit
* Secure configuration
-The file =/var/lib/gerrit/etc/secure.config= is not (yet) managed by nix. The file contains:
+The file =/var/lib/gerrit/etc/secure.config= is managed by nix. The file contains:
#+begin_src ini
[auth]
registerEmailPrivateKey = <redacted>
diff --git a/hosts/tahoe/secrets/gerrit/secure-config.age b/hosts/tahoe/secrets/gerrit/secure-config.age
new file mode 100644
index 0000000..45d0c42
--- /dev/null
+++ b/hosts/tahoe/secrets/gerrit/secure-config.age
Binary files differ
diff --git a/hosts/tahoe/secrets/secrets.nix b/hosts/tahoe/secrets/secrets.nix
index 031426f..d3571f4 100644
--- a/hosts/tahoe/secrets/secrets.nix
+++ b/hosts/tahoe/secrets/secrets.nix
@@ -31,6 +31,12 @@ in
mode = "0440";
};
+ "gerrit/secure-config.age" = {
+ publicKeys = all;
+ owner = "git";
+ path = "/var/lib/gerrit/etc/secure.config";
+ };
+
"syncthing/key.age" = {
publicKeys = all;
owner = "fcuny";
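Review bot: The new `"gerrit/secure-config.age"` entry sets `owner` and `path` but no `mode`, while the entry just above it in this hunk pins `mode = "0440"`; since this file carries Gerrit's `registerEmailPrivateKey` (per docs/gerrit.org), I would state the permissions explicitly, e.g. `mode = "0400";`, rather than depend on the module default. `publicKeys = all` also encrypts a tahoe-only secret to every key in `all`, which is defined outside this hunk; if that list includes other hosts, narrowing it to the tahoe host key plus the admin keys would limit who can decrypt it. A short comment such as `# Gerrit secure.config (auth keys); readable by the git user only` above the entry would document why the secret is placed at a fixed path inside the service's state directory.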
diff --git a/modules/services/gerrit/default.nix b/modules/services/gerrit/default.nix
index 9ae9e50..1592839 100644
--- a/modules/services/gerrit/default.nix
+++ b/modules/services/gerrit/default.nix
@@ -1,6 +1,7 @@
{ config, pkgs, lib, ... }:
let
cfg = config.my.services.gerrit;
+ secrets = config.age.secrets;
my-gerrit-hook = name:
pkgs.writeShellScript "my-gerrit-hook" ''