about summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--README.md2
-rwxr-xr-xbin/__dispatch.sh4
l---------bin/kms_pass1
-rw-r--r--ci-builds.nix1
-rw-r--r--default.nix7
-rw-r--r--ops/infra/.skip-subtree2
-rw-r--r--ops/infra/gcp/.gitignore3
-rw-r--r--ops/infra/gcp/default.tf116
-rw-r--r--ops/infra/kubernetes/cgit/config.yaml80
-rw-r--r--ops/infra/kubernetes/gemma/config.lisp19
-rw-r--r--ops/infra/kubernetes/https-cert/cert.yaml8
-rw-r--r--ops/infra/kubernetes/https-lb/ingress.yaml43
-rw-r--r--ops/infra/kubernetes/nginx/nginx.conf59
-rw-r--r--ops/infra/kubernetes/nginx/nginx.yaml60
-rw-r--r--ops/infra/kubernetes/nixery/config.yaml67
-rw-r--r--ops/infra/kubernetes/nixery/id_nixery.pub1
-rw-r--r--ops/infra/kubernetes/nixery/known_hosts3
-rw-r--r--ops/infra/kubernetes/nixery/secrets.yaml18
-rw-r--r--ops/infra/kubernetes/nixery/ssh_config4
-rw-r--r--ops/infra/kubernetes/primary-cluster.yaml38
-rw-r--r--ops/infra/kubernetes/website/config.yaml37
-rw-r--r--ops/kms_pass.nix61
-rw-r--r--ops/secrets/.skip-subtree1
-rw-r--r--ops/secrets/gcsr-tazjin-passwordbin186 -> 0 bytes
-rw-r--r--ops/secrets/gmaps-api-keybin121 -> 0 bytes
-rw-r--r--ops/secrets/nixery-gcs-jsonbin2416 -> 0 bytes
-rw-r--r--ops/secrets/nixery-gcs-pembin3214 -> 0 bytes
-rw-r--r--ops/secrets/nixery-ssh-privatebin1906 -> 0 bytes
-rw-r--r--ops/secrets/sr.ht-tokenbin114 -> 0 bytes
-rw-r--r--overrides/kontemplate/default.nix13
-rwxr-xr-xusers/tazjin/cloud-dns/import (renamed from ops/infra/dns/import)0
-rw-r--r--users/tazjin/cloud-dns/kontemplate-works (renamed from ops/infra/dns/kontemplate-works)0
-rw-r--r--users/tazjin/cloud-dns/oslo-pub (renamed from ops/infra/dns/oslo-pub)0
-rw-r--r--users/tazjin/cloud-dns/root-tazj-in (renamed from ops/infra/dns/root-tazj-in)0
34 files changed, 0 insertions, 648 deletions
diff --git a/README.md b/README.md
index 0807fa2761..b5ff0ae166 100644
--- a/README.md
+++ b/README.md
@@ -22,8 +22,6 @@ Twitter][].
 * `tools/cheddar` contains a source code and Markdown rendering tool
   that is integrated with my cgit instance to render files in various
   views
-* `ops/kms_pass.nix` is a tiny tool that emulates the user-interface of `pass`,
-  but actually uses Google Cloud KMS for secret decryption
 * `ops/kontemplate` contains my Kubernetes resource templating tool (with which
   the services in this repository are deployed!)
 * `ops/besadii` contains a tool that runs as the git
diff --git a/bin/__dispatch.sh b/bin/__dispatch.sh
index eddc208893..ad559fe962 100755
--- a/bin/__dispatch.sh
+++ b/bin/__dispatch.sh
@@ -19,10 +19,6 @@ case "${TARGET_TOOL}" in
   stern)
     attr="third_party.stern"
     ;;
-  kms_pass)
-    attr="ops.kms_pass"
-    TARGET_TOOL="pass"
-    ;;
   aoc2019)
     attr="fun.aoc2019.${1}"
     ;;
diff --git a/bin/kms_pass b/bin/kms_pass
deleted file mode 120000
index 8390ec9c96..0000000000
--- a/bin/kms_pass
+++ /dev/null
@@ -1 +0,0 @@
-__dispatch.sh
\ No newline at end of file
diff --git a/ci-builds.nix b/ci-builds.nix
index 1e98e8a041..b36b293266 100644
--- a/ci-builds.nix
+++ b/ci-builds.nix
@@ -61,7 +61,6 @@ in lib.fix (self: {
     depot.ops."posix_mq.rs"
     besadii
     journaldriver
-    kms_pass
     kontemplate
     mq_cli
   ];
diff --git a/default.nix b/default.nix
index 8c7a35f995..9c54a7d470 100644
--- a/default.nix
+++ b/default.nix
@@ -24,13 +24,6 @@ let
     # Pass third_party as 'pkgs' (for compatibility with external
     # imports for certain subdirectories)
     pkgs = depot.third_party;
-
-    kms = {
-      project = "tazjins-infrastructure";
-      region = "europe-north1";
-      keyring = "tazjins-keys";
-      key = "kontemplate-key";
-    };
   };
 
   readTree' = import ./nix/readTree {};
diff --git a/ops/infra/.skip-subtree b/ops/infra/.skip-subtree
deleted file mode 100644
index cee24b7579..0000000000
--- a/ops/infra/.skip-subtree
+++ /dev/null
@@ -1,2 +0,0 @@
-Code under //ops/infra is mostly configuration for other tools, not
-Nix derivations to be built.
diff --git a/ops/infra/gcp/.gitignore b/ops/infra/gcp/.gitignore
deleted file mode 100644
index 96c7538dda..0000000000
--- a/ops/infra/gcp/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-.terraform
-*.tfstate
-*.tfstate.backup
diff --git a/ops/infra/gcp/default.tf b/ops/infra/gcp/default.tf
deleted file mode 100644
index d2e31090b5..0000000000
--- a/ops/infra/gcp/default.tf
+++ /dev/null
@@ -1,116 +0,0 @@
-# Terraform configuration for the GCP project 'tazjins-infrastructure'
-
-provider "google" {
-  project = "tazjins-infrastructure"
-  region  = "europe-north1"
-  version = "~> 2.20"
-}
-
-# Configure a storage bucket in which to keep Terraform state and
-# other data, such as Nixery's layers.
-resource "google_storage_bucket" "tazjins-data" {
-  name     = "tazjins-data"
-  location = "EU"
-}
-
-terraform {
-  backend "gcs" {
-    bucket = "tazjins-data"
-    prefix = "terraform"
-  }
-}
-
-# Configure enabled APIs
-resource "google_project_services" "primary" {
-  project = "tazjins-infrastructure"
-  services = [
-    "bigquery-json.googleapis.com",
-    "bigquerystorage.googleapis.com",
-    "cloudapis.googleapis.com",
-    "cloudbuild.googleapis.com",
-    "clouddebugger.googleapis.com",
-    "cloudfunctions.googleapis.com",
-    "cloudkms.googleapis.com",
-    "cloudtrace.googleapis.com",
-    "compute.googleapis.com",
-    "container.googleapis.com",
-    "containerregistry.googleapis.com",
-    "datastore.googleapis.com",
-    "distance-matrix-backend.googleapis.com",
-    "dns.googleapis.com",
-    "gmail.googleapis.com",
-    "iam.googleapis.com",
-    "iamcredentials.googleapis.com",
-    "logging.googleapis.com",
-    "monitoring.googleapis.com",
-    "oslogin.googleapis.com",
-    "pubsub.googleapis.com",
-    "run.googleapis.com",
-    "secretmanager.googleapis.com",
-    "servicemanagement.googleapis.com",
-    "serviceusage.googleapis.com",
-    "sourcerepo.googleapis.com",
-    "sql-component.googleapis.com",
-    "storage-api.googleapis.com",
-    "storage-component.googleapis.com",
-  ]
-}
-
-
-# Configure the main Kubernetes cluster in which services are deployed
-resource "google_container_cluster" "primary" {
-  name     = "tazjin-cluster"
-  location = "europe-north1"
-
-  remove_default_node_pool = true
-  initial_node_count       = 1
-}
-
-resource "google_container_node_pool" "primary_nodes" {
-  name       = "primary-nodes"
-  location   = "europe-north1"
-  cluster    = google_container_cluster.primary.name
-  node_count = 1
-
-  node_config {
-    preemptible  = true
-    machine_type = "n1-standard-2"
-
-    oauth_scopes = [
-      "storage-rw",
-      "logging-write",
-      "monitoring",
-      "https://www.googleapis.com/auth/source.read_only",
-    ]
-  }
-}
-
-# Configure a service account for which GCS URL signing keys can be created.
-resource "google_service_account" "nixery" {
-  account_id   = "nixery"
-  display_name = "Nixery service account"
-}
-
-# Configure Cloud KMS for secret encryption
-resource "google_kms_key_ring" "tazjins_keys" {
-  name     = "tazjins-keys"
-  location = "europe-north1"
-
-  lifecycle {
-    prevent_destroy = true
-  }
-}
-
-resource "google_kms_crypto_key" "kontemplate_key" {
-  name     = "kontemplate-key"
-  key_ring = google_kms_key_ring.tazjins_keys.id
-
-  lifecycle {
-    prevent_destroy = true
-  }
-}
-
-# Configure the git repository that contains everything.
-resource "google_sourcerepo_repository" "depot" {
-  name = "depot"
-}
diff --git a/ops/infra/kubernetes/cgit/config.yaml b/ops/infra/kubernetes/cgit/config.yaml
deleted file mode 100644
index 73392adaad..0000000000
--- a/ops/infra/kubernetes/cgit/config.yaml
+++ /dev/null
@@ -1,80 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: gcsr-secrets
-type: Opaque
-data:
-  username: "Z2l0LXRhemppbi5nbWFpbC5jb20="
-  # This credential is a GCSR 'gitcookie' token.
-  password: '{{ passLookup "gcsr-tazjin-password" | b64enc }}'
-  # This credential is an OAuth token for builds.sr.ht
-  sourcehut: '{{ passLookup "sr.ht-token" | b64enc }}'
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: cgit
-  labels:
-    app: cgit
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: cgit
-  template:
-    metadata:
-      labels:
-        app: cgit
-    spec:
-      securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
-      containers:
-      - name: cgit
-        image: nixery.local/shell/web.cgit-taz:{{ gitHEAD }}
-        command: [ "cgit-launch" ]
-        env:
-          - name: HOME
-            value: /git
-        volumeMounts:
-          - name: git-volume
-            mountPath: /git
-      - name: sync-gcsr
-        image: nixery.local/shell/ops.sync-gcsr:{{ gitHEAD }}
-        command: [ "sync-gcsr" ]
-        env:
-          - name: SYNC_USER
-            valueFrom:
-              secretKeyRef:
-                name: gcsr-secrets
-                key: username
-          - name: SYNC_PASS
-            valueFrom:
-              secretKeyRef:
-                name: gcsr-secrets
-                key: password
-          - name: SRHT_TOKEN
-            valueFrom:
-              secretKeyRef:
-                name: gcsr-secrets
-                key: sourcehut
-        volumeMounts:
-          - name: git-volume
-            mountPath: /git
-      volumes:
-        - name: git-volume
-          emptyDir: {}
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: cgit
-spec:
-  selector:
-    app: cgit
-  ports:
-    - protocol: TCP
-      port: 80
-      targetPort: 8080
diff --git a/ops/infra/kubernetes/gemma/config.lisp b/ops/infra/kubernetes/gemma/config.lisp
deleted file mode 100644
index 517a658cf1..0000000000
--- a/ops/infra/kubernetes/gemma/config.lisp
+++ /dev/null
@@ -1,19 +0,0 @@
-(config :port 4242
-        :data-dir "/var/lib/gemma/")
-
-(deftask bathroom/wipe-mirror 7)
-(deftask bathroom/wipe-counter 7)
-
-;; Bedroom tasks
-(deftask bedroom/change-sheets 7)
-(deftask bedroom/vacuum 10)
-
-;; Kitchen tasks
-(deftask kitchen/normal-trash 3)
-(deftask kitchen/green-trash 5)
-(deftask kitchen/blue-trash 5)
-(deftask kitchen/wipe-counters 3)
-(deftask kitchen/vacuum 5 "Kitchen has more crumbs and such!")
-
-;; Entire place
-(deftask clean-windows 60)
diff --git a/ops/infra/kubernetes/https-cert/cert.yaml b/ops/infra/kubernetes/https-cert/cert.yaml
deleted file mode 100644
index c7a85275ae..0000000000
--- a/ops/infra/kubernetes/https-cert/cert.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: networking.gke.io/v1beta1
-kind: ManagedCertificate
-metadata:
-  name: {{ .domain | replace "." "-" }}
-spec:
-  domains:
-    - {{ .domain }}
diff --git a/ops/infra/kubernetes/https-lb/ingress.yaml b/ops/infra/kubernetes/https-lb/ingress.yaml
deleted file mode 100644
index 930affec7a..0000000000
--- a/ops/infra/kubernetes/https-lb/ingress.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-# This resource configures the HTTPS load balancer that is used as the
-# entrypoint to all HTTPS services running in the cluster.
----
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: https-ingress
-  annotations:
-    networking.gke.io/managed-certificates: tazj-in, git-tazj-in, www-tazj-in, oslo-pub
-spec:
-  rules:
-    # Route website to, well, the website ...
-    - host: tazj.in
-      http:
-        paths:
-          - path: /*
-            backend:
-              serviceName: website
-              servicePort: 8080
-    # Same for www.* (the redirect is handled by the website nginx)
-    - host: www.tazj.in
-      http:
-        paths:
-          - path: /*
-            backend:
-              serviceName: website
-              servicePort: 8080
-    # Route git.tazj.in to the cgit pods
-    - host: git.tazj.in
-      http:
-        paths:
-          - path: /*
-            backend:
-              serviceName: nginx
-              servicePort: 6756
-    # Route oslo.pub to the nginx instance which serves redirects
-    - host: oslo.pub
-      http:
-        paths:
-          - path: /
-            backend:
-              serviceName: nginx
-              servicePort: 6756
diff --git a/ops/infra/kubernetes/nginx/nginx.conf b/ops/infra/kubernetes/nginx/nginx.conf
deleted file mode 100644
index 918aa60678..0000000000
--- a/ops/infra/kubernetes/nginx/nginx.conf
+++ /dev/null
@@ -1,59 +0,0 @@
-daemon off;
-worker_processes  1;
-error_log stderr;
-pid /run/nginx.pid;
-
-events {
-    worker_connections  1024;
-}
-
-http {
-    log_format json_combined escape=json
-    '{'
-        '"time_local":"$time_local",'
-        '"remote_addr":"$remote_addr",'
-        '"remote_user":"$remote_user",'
-        '"request":"$request",'
-        '"status": "$status",'
-        '"body_bytes_sent":"$body_bytes_sent",'
-        '"request_time":"$request_time",'
-        '"http_referrer":"$http_referer",'
-        '"http_user_agent":"$http_user_agent"'
-        '}';
-
-    access_log /dev/stdout json_combined;
-
-    sendfile        on;
-    keepalive_timeout  65;
-
-    server {
-        listen 80 default_server;
-        location / {
-            return 200 "ok";
-        }
-    }
-
-    server {
-        listen       80;
-        server_name  oslo.pub;
-
-        location / {
-            return 302 https://www.google.com/maps/d/viewer?mid=1pJIYY9cuEdt9DuMTbb4etBVq7hs;
-        }
-    }
-
-    server {
-        listen       80;
-        server_name  git.tazj.in;
-
-        # Static assets must always hit the root.
-        location ~ ^/(favicon\.ico|cgit\.(css|png))$ {
-           proxy_pass http://cgit;
-        }
-
-        # Everything else hits the depot directly.
-        location / {
-            proxy_pass http://cgit/cgit.cgi/depot/;
-        }
-    }
-}
diff --git a/ops/infra/kubernetes/nginx/nginx.yaml b/ops/infra/kubernetes/nginx/nginx.yaml
deleted file mode 100644
index 61678a85bc..0000000000
--- a/ops/infra/kubernetes/nginx/nginx.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-# Deploy an nginx instance which serves ... redirects.
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: nginx-conf
-data:
-  nginx.conf: {{ insertFile "nginx.conf" | toJson }}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: nginx
-  labels:
-    app: nginx
-spec:
-  replicas: 2
-  selector:
-    matchLabels:
-      app: nginx
-  template:
-    metadata:
-      labels:
-        app: nginx
-        config: {{ insertFile "nginx.conf" | sha1sum }}
-    spec:
-      containers:
-        - name: nginx
-          image: nixery.local/shell/third_party.nginx:{{ .version }}
-          command: ["/bin/bash", "-c"]
-          args:
-            - |
-              cd /run
-              echo 'nogroup:x:30000:nobody' >> /etc/group
-              echo 'nobody:x:30000:30000:nobody:/tmp:/bin/bash' >> /etc/passwd
-              exec nginx -c /etc/nginx/nginx.conf
-          volumeMounts:
-            - name: nginx-conf
-              mountPath: /etc/nginx
-            - name: nginx-rundir
-              mountPath: /run
-      volumes:
-        - name: nginx-conf
-          configMap:
-            name: nginx-conf
-        - name: nginx-rundir
-          emptyDir: {}
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: nginx
-spec:
-  type: NodePort
-  selector:
-    app: nginx
-  ports:
-    - protocol: TCP
-      port: 6756
-      targetPort: 80
diff --git a/ops/infra/kubernetes/nixery/config.yaml b/ops/infra/kubernetes/nixery/config.yaml
deleted file mode 100644
index 0775e79b58..0000000000
--- a/ops/infra/kubernetes/nixery/config.yaml
+++ /dev/null
@@ -1,67 +0,0 @@
-# Deploys an instance of Nixery into the cluster.
-#
-# The service via which Nixery is exposed has a private DNS entry
-# pointing to it, which makes it possible to resolve `nixery.local`
-# in-cluster without things getting nasty.
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: nixery
-  namespace: kube-public
-  labels:
-    app: nixery
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: nixery
-  template:
-    metadata:
-      labels:
-        app: nixery
-    spec:
-      containers:
-      - name: nixery
-        image: eu.gcr.io/tazjins-infrastructure/nixery:{{ .version }}
-        volumeMounts:
-          - name: nixery-secrets
-            mountPath: /var/nixery
-        env:
-          - name: BUCKET
-            value: {{ .bucket}}
-          - name: PORT
-            value: "{{ .port }}"
-          - name: GOOGLE_APPLICATION_CREDENTIALS
-            value: /var/nixery/gcs-key.json
-          - name: GCS_SIGNING_KEY
-            value: /var/nixery/gcs-key.pem
-          - name: GCS_SIGNING_ACCOUNT
-            value: {{ .account }}
-          - name: GIT_SSH_COMMAND
-            value: 'ssh -F /var/nixery/ssh_config'
-          - name: NIXERY_PKGS_REPO
-            value: {{ .repo }}
-          - name: NIX_POPULARITY_URL
-            value: 'https://storage.googleapis.com/nixery-layers/popularity/{{ .popularity }}'
-      volumes:
-        - name: nixery-secrets
-          secret:
-            secretName: nixery-secrets
-            defaultMode: 256
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: nixery
-  namespace: kube-public
-  annotations:
-    cloud.google.com/load-balancer-type: "Internal"
-spec:
-  selector:
-    app: nixery
-  type: LoadBalancer
-  ports:
-  - protocol: TCP
-    port: 80
-    targetPort: 8080
diff --git a/ops/infra/kubernetes/nixery/id_nixery.pub b/ops/infra/kubernetes/nixery/id_nixery.pub
deleted file mode 100644
index dc3fd617d0..0000000000
--- a/ops/infra/kubernetes/nixery/id_nixery.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzBM6ydst77jDHNcTFWKD9Fw4SReqyNEEp2MtQBk2wt94U4yLp8MQIuNeOEn1GaDEX4RGCxqai/2UVF1w9ZNdU+v2fXcKWfkKuGQH2XcNfXor2cVNObd40H78++iZiv3nmM/NaEdkTbTBbi925cRy9u5FgItDgsJlyKNRglCb0fr6KlgpvWjL20dp/eeZ8a/gLniHK8PnEsgERQSvJnsyFpxxVhxtoUiyLWpXDl4npf/rQr0eRDf4Q5sN/nbTwksapPHfze8dKcaoA7A2NqT3bJ6DPGrwVCzGRtGw/SXJwFwmmtAl9O6BklpeReyiknSxc+KOtrjDW6O0r6yvymD5Z nixery
diff --git a/ops/infra/kubernetes/nixery/known_hosts b/ops/infra/kubernetes/nixery/known_hosts
deleted file mode 100644
index 7faf21f69b..0000000000
--- a/ops/infra/kubernetes/nixery/known_hosts
+++ /dev/null
@@ -1,3 +0,0 @@
-github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
-140.82.118.4 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
-[source.developers.google.com]:2022,[172.253.120.82]:2022 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB5Iy4/cq/gt/fPqe3uyMy4jwv1Alc94yVPxmnwNhBzJqEV5gRPiRk5u4/JJMbbu9QUVAguBABxL7sBZa5PH/xY=
diff --git a/ops/infra/kubernetes/nixery/secrets.yaml b/ops/infra/kubernetes/nixery/secrets.yaml
deleted file mode 100644
index d9a674d2c9..0000000000
--- a/ops/infra/kubernetes/nixery/secrets.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# The secrets below are encrypted using keys stored in Cloud KMS and
-# templated in by kontemplate when deploying.
-#
-# Not all of the values are actually secret (see the matching)
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: nixery-secrets
-  namespace: kube-public
-type: Opaque
-data:
-  gcs-key.json: {{ passLookup "nixery-gcs-json" | b64enc }}
-  gcs-key.pem: {{ passLookup "nixery-gcs-pem" | b64enc }}
-  id_nixery: {{ printf "%s\n" (passLookup "nixery-ssh-private") | b64enc }}
-  id_nixery.pub: {{ insertFile "id_nixery.pub" | b64enc }}
-  known_hosts: {{ insertFile "known_hosts" | b64enc }}
-  ssh_config: {{ insertFile "ssh_config" | b64enc }}
diff --git a/ops/infra/kubernetes/nixery/ssh_config b/ops/infra/kubernetes/nixery/ssh_config
deleted file mode 100644
index 78afbb0b03..0000000000
--- a/ops/infra/kubernetes/nixery/ssh_config
+++ /dev/null
@@ -1,4 +0,0 @@
-Match host *
-      User tazjin@google.com
-      IdentityFile /var/nixery/id_nixery
-      UserKnownHostsFile /var/nixery/known_hosts
diff --git a/ops/infra/kubernetes/primary-cluster.yaml b/ops/infra/kubernetes/primary-cluster.yaml
deleted file mode 100644
index 3d601b80cd..0000000000
--- a/ops/infra/kubernetes/primary-cluster.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-# Kontemplate configuration for the primary GKE cluster in the project
-# 'tazjins-infrastructure'.
----
-context: gke_tazjins-infrastructure_europe-north1_tazjin-cluster
-include:
-  # SSL certificates (provisioned by Google)
-  - name: tazj-in-cert
-    path: https-cert
-    values:
-      domain: tazj.in
-  - name: www-tazj-in-cert
-    path: https-cert
-    values:
-      domain: www.tazj.in
-  - name: git-tazj-in-cert
-    path: https-cert
-    values:
-      domain: git.tazj.in
-  - name: oslo-pub-cert
-    path: https-cert
-    values:
-      domain: oslo.pub
-
-  # Services
-  - name: nixery
-    values:
-      port: 8080
-      version: xkm36vrbcnzxdccybzdrx4qzfcfqfrhg
-      bucket: tazjins-data
-      account: nixery@tazjins-infrastructure.iam.gserviceaccount.com
-      repo: ssh://tazjin@gmail.com@source.developers.google.com:2022/p/tazjins-infrastructure/r/depot
-      popularity: 'popularity-nixos-unstable-3140fa89c51233397f496f49014f6b23216667c2.json'
-  - name: website
-  - name: cgit
-  - name: https-lb
-  - name: nginx
-    values:
-      version: a349d5e9145ae9a6c89f62ec631f01fb180de546
diff --git a/ops/infra/kubernetes/website/config.yaml b/ops/infra/kubernetes/website/config.yaml
deleted file mode 100644
index 02de735b05..0000000000
--- a/ops/infra/kubernetes/website/config.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: website
-  labels:
-    app: website
-spec:
-  replicas: 3
-  selector:
-    matchLabels:
-      app: website
-  template:
-    metadata:
-      labels:
-        app: website
-    spec:
-      containers:
-      - name: website
-        image: nixery.local/shell/web.homepage:{{ gitHEAD }}
-        env:
-          - name: CONTAINER_SETUP
-            value: "true"
-        command: [ "homepage" ]
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: website
-spec:
-  type: NodePort
-  selector:
-    app: website
-  ports:
-    - protocol: TCP
-      port: 8080
-      targetPort: 8080
diff --git a/ops/kms_pass.nix b/ops/kms_pass.nix
deleted file mode 100644
index 2399559b4d..0000000000
--- a/ops/kms_pass.nix
+++ /dev/null
@@ -1,61 +0,0 @@
-# This tool mimics a subset of the interface of 'pass', but uses
-# Google Cloud KMS for encryption.
-#
-# It is intended to be compatible with how 'kontemplate' invokes
-# 'pass.'
-#
-# Only the 'show' and 'insert' commands are supported.
-
-{ depot, kms, ... }:
-
-let inherit (depot.third_party) google-cloud-sdk tree writeShellScriptBin;
-in (writeShellScriptBin "pass" ''
-  set -eo pipefail
-
-  CMD="$1"
-  readonly SECRET=$2
-  readonly SECRETS_DIR=${./secrets}
-  readonly SECRET_PATH="$SECRETS_DIR/$SECRET"
-
-  function secret_check {
-    if [[ -z $SECRET ]]; then
-      echo 'Secret must be specified'
-      exit 1
-    fi
-  }
-
-  if [[ -z $CMD ]]; then
-    CMD="ls"
-  fi
-
-  case "$CMD" in
-    ls)
-       ${tree}/bin/tree $SECRETS_DIR
-       ;;
-    show)
-      secret_check
-      ${google-cloud-sdk}/bin/gcloud kms decrypt \
-        --project ${kms.project} \
-        --location ${kms.region} \
-        --keyring ${kms.keyring} \
-        --key ${kms.key} \
-        --ciphertext-file $SECRET_PATH \
-        --plaintext-file -
-      ;;
-    insert)
-      secret_check
-      ${google-cloud-sdk}/bin/gcloud kms encrypt \
-        --project ${kms.project} \
-        --location ${kms.region} \
-        --keyring ${kms.keyring} \
-        --key ${kms.key} \
-        --ciphertext-file $SECRET_PATH \
-        --plaintext-file -
-      echo "Inserted secret '$SECRET'"
-      ;;
-    *)
-      echo "Usage: pass show/insert <secret>"
-      exit 1
-      ;;
-  esac
-'') // { meta.enableCI = true; }
diff --git a/ops/secrets/.skip-subtree b/ops/secrets/.skip-subtree
deleted file mode 100644
index 25dba2a344..0000000000
--- a/ops/secrets/.skip-subtree
+++ /dev/null
@@ -1 +0,0 @@
-No Nix derivations under //ops/secrets
diff --git a/ops/secrets/gcsr-tazjin-password b/ops/secrets/gcsr-tazjin-password
deleted file mode 100644
index 5893de1315..0000000000
--- a/ops/secrets/gcsr-tazjin-password
+++ /dev/null
Binary files differdiff --git a/ops/secrets/gmaps-api-key b/ops/secrets/gmaps-api-key
deleted file mode 100644
index 6a45226460..0000000000
--- a/ops/secrets/gmaps-api-key
+++ /dev/null
Binary files differdiff --git a/ops/secrets/nixery-gcs-json b/ops/secrets/nixery-gcs-json
deleted file mode 100644
index b8b5445116..0000000000
--- a/ops/secrets/nixery-gcs-json
+++ /dev/null
Binary files differdiff --git a/ops/secrets/nixery-gcs-pem b/ops/secrets/nixery-gcs-pem
deleted file mode 100644
index 798a1e5a66..0000000000
--- a/ops/secrets/nixery-gcs-pem
+++ /dev/null
Binary files differdiff --git a/ops/secrets/nixery-ssh-private b/ops/secrets/nixery-ssh-private
deleted file mode 100644
index 5c4ff20233..0000000000
--- a/ops/secrets/nixery-ssh-private
+++ /dev/null
Binary files differdiff --git a/ops/secrets/sr.ht-token b/ops/secrets/sr.ht-token
deleted file mode 100644
index 53eb0d16b0..0000000000
--- a/ops/secrets/sr.ht-token
+++ /dev/null
Binary files differdiff --git a/overrides/kontemplate/default.nix b/overrides/kontemplate/default.nix
deleted file mode 100644
index 6147d1f465..0000000000
--- a/overrides/kontemplate/default.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ depot, ... }:
-
-with depot;
-
-third_party.writeShellScriptBin "kontemplate" ''
-  export PATH="${ops.kms_pass}/bin:$PATH"
-
-  if [[ -z $1 ]]; then
-    exec ${ops.kontemplate}/bin/kontemplate
-  fi
-
-  exec ${ops.kontemplate}/bin/kontemplate $1 ${./../..}/ops/infra/kubernetes/primary-cluster.yaml ''${@:2}
-''
diff --git a/ops/infra/dns/import b/users/tazjin/cloud-dns/import
index e79e426b55..e79e426b55 100755
--- a/ops/infra/dns/import
+++ b/users/tazjin/cloud-dns/import
diff --git a/ops/infra/dns/kontemplate-works b/users/tazjin/cloud-dns/kontemplate-works
index 326a129d21..326a129d21 100644
--- a/ops/infra/dns/kontemplate-works
+++ b/users/tazjin/cloud-dns/kontemplate-works
diff --git a/ops/infra/dns/oslo-pub b/users/tazjin/cloud-dns/oslo-pub
index 674687484b..674687484b 100644
--- a/ops/infra/dns/oslo-pub
+++ b/users/tazjin/cloud-dns/oslo-pub
diff --git a/ops/infra/dns/root-tazj-in b/users/tazjin/cloud-dns/root-tazj-in
index 43db5834a0..43db5834a0 100644
--- a/ops/infra/dns/root-tazj-in
+++ b/users/tazjin/cloud-dns/root-tazj-in