authorVincent Ambo <mail@tazj.in>2021-12-27T14·17+0300
committertazjin <mail@tazj.in>2021-12-27T15·53+0000
commite616f978d045ccbe62eee6403e0d93061982ae23 (patch)
tree29ab15344356e1f105e637815f851694561617bf
parent4f030f085d34f07eba19003ad4b951b327b075a9 (diff)
feat(ops/secrets): Add tf-keycloak secrets file r/3470
This file can be sourced (somehow, depending on the user) while
working with //ops/keycloak to get the relevant secrets.

Change-Id: Ibb3051c4b019f64824964475451c1c3996db6421
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4708
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
-rwxr-xr-xbin/__dispatch.sh2
-rw-r--r--ops/keycloak/README.md18
-rw-r--r--ops/secrets/secrets.nix1
-rw-r--r--ops/secrets/tf-keycloak.age13
4 files changed, 33 insertions, 1 deletions
diff --git a/bin/__dispatch.sh b/bin/__dispatch.sh
index 24a04d75cf..a6a945ad19 100755
--- a/bin/__dispatch.sh
+++ b/bin/__dispatch.sh
@@ -11,7 +11,7 @@ TARGET_TOOL=$(basename "$0")
 
 case "${TARGET_TOOL}" in
   age)
-    attr="third_party.nixpkgs-age"
+    attr="third_party.nixpkgs.age"
     ;;
   age-keygen)
     attr="third_party.nixpkgs.age"
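Review bot: With the attribute path corrected, the `age)` and `age-keygen)` arms now assign the identical value, so the two can be folded into one pattern, `age | age-keygen)`, with a single `attr="third_party.nixpkgs.age"` line. Keeping them separate is how the typo in one arm went unnoticed while the other was right. The `case` statement continues beyond this hunk, so the remaining arms are not visible here.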
diff --git a/ops/keycloak/README.md b/ops/keycloak/README.md
new file mode 100644
index 0000000000..e8ffd700b5
--- /dev/null
+++ b/ops/keycloak/README.md
@@ -0,0 +1,18 @@
+Terraform for Keycloak
+======================
+
+This contains the Terraform configuration for deploying TVL's Keycloak
+instance (which lives at `auth.tvl.fyi`).
+
+Secrets are needed for applying this. The encrypted file
+`//ops/secrets/tf-keycloak.age` contains `export` calls which should
+be sourced, for example via `direnv`, by users with the appropriate
+credentials.
+
+An example `direnv` configuration used by tazjin is this:
+
+```
+# //ops/secrets/.envrc
+source_up
+eval $(age --decrypt -i ~/.ssh/id_ed25519 $(git rev-parse --show-toplevel)/ops/secrets/tf-keycloak.age)
+```
diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix
index e110164546..d21db24660 100644
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@@ -30,4 +30,5 @@ in {
   "nix-cache-pub.age" = default;
   "owothia.age" = default;
   "panettone.age" = default;
+  "tf-keycloak.age" = default;
 }
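Review bot: The new entry binds `"tf-keycloak.age"` to `default`, so every key in the default recipient set can decrypt the Terraform credentials for the Keycloak instance that the README in this commit places at `auth.tvl.fyi`. `default` is defined above this hunk and its members are not visible here; the header of the added `tf-keycloak.age` shows four `ssh-ed25519` recipient stanzas. Since these credentials presumably allow changes to the identity provider itself, it is worth confirming that all default recipients are meant to hold them, and binding this entry to a narrower recipient list if they are not. A comment on the entry would record the decision, for example `# Keycloak Terraform credentials; recipients can change the IdP config`.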
diff --git a/ops/secrets/tf-keycloak.age b/ops/secrets/tf-keycloak.age
new file mode 100644
index 0000000000..ee0bcb679c
--- /dev/null
+++ b/ops/secrets/tf-keycloak.age
@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw CRX6a8zfz3BaDYhwrBPXBgEn/o0WuS6UdvA55wYNTBc
+/5gTObQ8770g8kIxCQyQj8hOh+1dkOu5DW1sz33eiy8
+-> ssh-ed25519 CpJBgQ 1/oDGaLOKblznS/ciKQ0g7Jdfg1KtEKWugjE9o9n1jo
+A5wcsx6NXQpjKR8Y9jlM4JN34IUi3T4UuTIOtmOHwcs
+-> ssh-ed25519 aXKGcg pYkMVxIGv408998UFzNQZvCQqBNPOSx+fvMs9FGd2nc
+Ue1rNrARXo0/Fq0qazNo+5a4zc7JBLdEgrqUowOEOBg
+-> ssh-ed25519 OkGqLg iLVc9k937aMAyl82TFsmDeX46PSrjQ6QpEzU0BcrNHg
+NzZYEXjz4mwafayIIvGxcE0cLhhUZuzh5loyfIZzl+0
+-> `^*"*qb-grease r`; Fwf.0CJ+
+5qQRDetp1IFec1AkHd17faslyU+7OHDiTmwoSJGZZPWrdiY
+--- uguIPraC7NNVfyDIWoTVjiunofaRYY8xeLipwZuU0iQ
+fE''Ɇ%:'%U3aU4.tm.qW	*Zip
zg=v{cXo!-Li5	L2	@AA
\ No newline at end of file