4 files changed, 15 insertions, 0 deletions

diff --git a/ops/secrets/.skip-subtree b/ops/secrets/.skip-subtree
new file mode 100644
index 0000000000..80f63816f5
--- /dev/null
+++ b/ops/secrets/.skip-subtree
@@ -0,0 +1,2 @@
+The Nix configuration in here is read by agenix and not compatible
+with readTree.
diff --git a/ops/secrets/README.md b/ops/secrets/README.md
new file mode 100644
index 0000000000..e59b865413
--- /dev/null
+++ b/ops/secrets/README.md
@@ -0,0 +1 @@
+TVL's deployment secrets, encrypted with [agenix](https://github.com/ryantm/agenix/commits/main)
diff --git a/ops/secrets/besadii.age b/ops/secrets/besadii.age
new file mode 100644
index 0000000000..b8a3a9b56f
--- /dev/null
+++ b/ops/secrets/besadii.age
Binary files differdiff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix
new file mode 100644
index 0000000000..1cf2b5e44a
--- /dev/null
+++ b/ops/secrets/secrets.nix
@@ -0,0 +1,12 @@
+let
+  tazjin = [
+    # tverskoy
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1fGWz/gsq+ZeZXjvUrV+pBlanw1c3zJ9kLTax9FWQy"
+  ];
+
+  whitby = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILNh/w4BSKov0jdz3gKBc98tpoLta5bb87fQXWBhAl2I";
+
+  default.publicKeys = tazjin ++ [ whitby ];
+in {
+  "besadii.age" = default;
+}