Diffstat (limited to 'ops/secrets')
-rw-r--r--ops/secrets/.skip-subtree2
-rw-r--r--ops/secrets/README.md1
-rw-r--r--ops/secrets/besadii.age19
-rw-r--r--ops/secrets/buildkite-agent-token.agebin0 -> 736 bytes
-rw-r--r--ops/secrets/buildkite-graphql-token.age16
-rw-r--r--ops/secrets/buildkite-ssh-private-key.agebin0 -> 1166 bytes
-rw-r--r--ops/secrets/clbot-ssh.agebin0 -> 1090 bytes
-rw-r--r--ops/secrets/clbot.age15
-rw-r--r--ops/secrets/default.nix3
-rw-r--r--ops/secrets/gerrit-queue.age17
-rw-r--r--ops/secrets/gerrit-secrets.age15
-rw-r--r--ops/secrets/grafana.age17
-rw-r--r--ops/secrets/irccat.age16
-rw-r--r--ops/secrets/journaldriver.agebin0 -> 3228 bytes
-rw-r--r--ops/secrets/keycloak-db.age15
-rw-r--r--ops/secrets/mkSecrets.nix27
-rw-r--r--ops/secrets/nix-cache-priv.agebin0 -> 848 bytes
-rw-r--r--ops/secrets/nix-cache-pub.age16
-rw-r--r--ops/secrets/oauth2_proxy.age16
-rw-r--r--ops/secrets/owothia.agebin0 -> 754 bytes
-rw-r--r--ops/secrets/panettone.age17
-rw-r--r--ops/secrets/secrets.nix46
-rw-r--r--ops/secrets/smtprelay.age16
-rw-r--r--ops/secrets/tf-glesys.agebin0 -> 874 bytes
-rw-r--r--ops/secrets/tf-keycloak.agebin0 -> 981 bytes
-rw-r--r--ops/secrets/tvl-alerts-bot-telegram-token.age16
26 files changed, 290 insertions, 0 deletions
diff --git a/ops/secrets/.skip-subtree b/ops/secrets/.skip-subtree
new file mode 100644
index 0000000000..80f63816f5
--- /dev/null
+++ b/ops/secrets/.skip-subtree
@@ -0,0 +1,2 @@
+The Nix configuration in here is read by agenix and not compatible
+with readTree.
diff --git a/ops/secrets/README.md b/ops/secrets/README.md
new file mode 100644
index 0000000000..e59b865413
--- /dev/null
+++ b/ops/secrets/README.md
@@ -0,0 +1 @@
+TVL's deployment secrets, encrypted with [agenix](https://github.com/ryantm/agenix/commits/main)
diff --git a/ops/secrets/besadii.age b/ops/secrets/besadii.age
new file mode 100644
index 0000000000..cfbe27b972
--- /dev/null
+++ b/ops/secrets/besadii.age
@@ -0,0 +1,19 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw WLrxQqBE+I1Z5BUcjAK+YfuRFlmmFYu+nwF4Z6eGZWI
+ADFyrki3ojHKjthCQ0MliiwEoCqYFVPFmSDbnbesIFU
+-> ssh-ed25519 zcCuhA j4NiKfnxBQlsthKUNUQMFJsazo9cL5R7RghHaFEGxAw
+lJNgCMjP7+2zDG/hJ++6Q7tBbsdVbzRZIbZZsfIwMSQ
+-> ssh-ed25519 CpJBgQ pVYsbcpywPaHDfnJQcnSZmNGw9Ppv5Un/xunzUG/KBg
+5uFarYtHRrXi6tEYWzbS7ZVsOEn3U0FoURcbx0OHPhU
+-> ssh-ed25519 aXKGcg dz+OWTc3c+odvXbaZR3lOq9t0EFu/t5qfhWOJp/tZxI
+j/z4v0C+Cy+fNuGVMspJfqoOqwkynhQXMK8fPC362PY
+-> ssh-ed25519 OkGqLg UQIzISNwV3+d3CEfeNcImttt+gPOyMuw1rbZ/TIsglo
+cHu007ebLhPE4+ayCjvOcINmG58FYukadAcimcMeTXI
+-> lP{m-grease
+yVvZbJopVdBDfLsbOqhss3DJZNU7ZcSWQP409nTzyy/iV4XwrE85Yj9SsDNRDtTp
+zoPwqQ
+--- O6W1Z0ixSR5N2A7KdPxl5HUKWXDvy/Wcb2fiUzxPK64
+g#lEŋ2~t+CQs1RǠM'	^2PJxsPhU
܂gg3v95$(b57WMpc	Ƨfe*'"],8|7$0qٷ5۳dwƲF^}!"|O|e

+Ձ>D4G~NiLސ@md|*빽၄Ӫa)G2\X3G\d~o{O;LRe]֏^v
+/jHV!UT})[mveX0@;]Z${mF
i<
+Z(SyƨC8AM6ATB˨9ϩ+~:Qo^n.lsJy;peL'LYv&0*0>J$vt
\ No newline at end of file
diff --git a/ops/secrets/buildkite-agent-token.age b/ops/secrets/buildkite-agent-token.age
new file mode 100644
index 0000000000..aef7b142b6
--- /dev/null
+++ b/ops/secrets/buildkite-agent-token.age
Binary files differ
diff --git a/ops/secrets/buildkite-graphql-token.age b/ops/secrets/buildkite-graphql-token.age
new file mode 100644
index 0000000000..e656a6e04d
--- /dev/null
+++ b/ops/secrets/buildkite-graphql-token.age
@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw L31em0JneG6XJikTp2LlYLSMDfsbDWjrNgQPQimIqWk
+3CJid3K/8RsE4cYEeZpqqaTmggMKH12GCDyalQMaK8s
+-> ssh-ed25519 zcCuhA LKq27N4Hx8OQ3eu0TDdBiXO0BcOdSfRZO0YNNG1Y8xE
+PQjl1SErWej6e7jwsddoj06TWQQwp2J/m8zvxR1pRhg
+-> ssh-ed25519 CpJBgQ dRMHEzXCpKPppncOBF4AmOYDZOSxZn+ta0o2H0zyAT0
+qNQFHL0QFxGlm7ZYnJ0H22iyVN3Ya7KYO596j2mN03Y
+-> ssh-ed25519 aXKGcg z31fIwcokphDOcPLNfBZB3ZN9nzG71pMmC68R60nWnU
+3U32x1lxd7brCQj9V8eglSzQ1lCwraxDnjLl68EIR18
+-> ssh-ed25519 OkGqLg 2jyx2iccmCeaXxs7pajP1WkRswZRwxrwVhNUKs1HzxE
+LjScnNDoWArkBXKWtSlJKnIlbnv0892nwn5aRyrF+sA
+-> 8Y8-grease \ObI# /"xHCp uyu Gn&q
+mLNOU8cvH8SB5PCkgKkBmxTb/cgwiQEBUbPI6GmMxvXy/8EMg5K1h3kpKSawW849
+jtLtHeLrM8FLeNtwZyIWpG4
+--- wnNSrutHnL4Trg5hNkuIHPguKl3JYjfEiJVCH4ScnVo
+:-$mY:yOLVLGdQgMbJÄ:O!6O5ɪOZ8*sA
\ No newline at end of file
diff --git a/ops/secrets/buildkite-ssh-private-key.age b/ops/secrets/buildkite-ssh-private-key.age
new file mode 100644
index 0000000000..485c90a9b7
--- /dev/null
+++ b/ops/secrets/buildkite-ssh-private-key.age
Binary files differ
diff --git a/ops/secrets/clbot-ssh.age b/ops/secrets/clbot-ssh.age
new file mode 100644
index 0000000000..a5019e7b87
--- /dev/null
+++ b/ops/secrets/clbot-ssh.age
Binary files differ
diff --git a/ops/secrets/clbot.age b/ops/secrets/clbot.age
new file mode 100644
index 0000000000..d5d5ae2f08
--- /dev/null
+++ b/ops/secrets/clbot.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw aKWeIQEoQpPT9lPUsV7tK/ySf/0WmFWw7xr7ic4RDFM
+OLRVTC6qVuhNhkYbGQwrxq4sQnqmuQEclKeQ9VPJrOw
+-> ssh-ed25519 zcCuhA j3JAw3UyZHR/x3O7pOTNkytbk5bTGnfBtsM030NolQk
+nt+9a3tJkO7j2nGI9C6S5YlYWYOCMqNOETU77PI4b10
+-> ssh-ed25519 CpJBgQ ScLyIj1cdn0wAwgaOSVGsusx/y3PD5/rDy7+OvjGIiU
+5tYuoEfVn0i1RtZ5XP+1HgyTSWkkRN4m36u6Fj3PkC4
+-> ssh-ed25519 aXKGcg 9p2LQFtV1X7jzG7n//GRUGmHGAsbGSCz6Q6SyBOZWwY
+wdOPCOHYkplGEoUOOTs99Kgde15xuJq8uzkZxudUo24
+-> ssh-ed25519 OkGqLg oLEc1KdRriCWobe5DF9OKVwDqQaW9RyjWDft1h5M4x8
+i/UEbhITzk3IOYme/xKuTfdbNMFNhLgRHbiiCAgKFBI
+-> %-grease 0 \^g*
+8aTar8xKZk24swVi7NVE0UN19BrexqAGcMWOeovRmQ
+--- N/kNOLE5d+yk7fAPRZmj8E1qMggLha56uKb9oj0/uHQ
+- >I1f9NF	wKlx055OZz~ys!gQtՇl1Wf9\sΰp.n
\ No newline at end of file
diff --git a/ops/secrets/default.nix b/ops/secrets/default.nix
new file mode 100644
index 0000000000..43f2a738bb
--- /dev/null
+++ b/ops/secrets/default.nix
@@ -0,0 +1,3 @@
+args:
+let mkSecrets = import ./mkSecrets.nix args; in
+mkSecrets ./. (import ./secrets.nix) // { inherit mkSecrets; }
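Review bot: The last line depends on function application binding tighter than `//`, which is easy to misread as merging `{ inherit mkSecrets; }` into the `secrets.nix` argument. Parenthesising the call makes the grouping explicit: `(mkSecrets ./. (import ./secrets.nix)) // { inherit mkSecrets; }`. A short comment such as `# re-export the helper alongside the secrets` would also help, assuming that is the intent. As written, the merge would silently replace a secret entry that happened to be named `mkSecrets`.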
diff --git a/ops/secrets/gerrit-queue.age b/ops/secrets/gerrit-queue.age
new file mode 100644
index 0000000000..eb9828847c
--- /dev/null
+++ b/ops/secrets/gerrit-queue.age
@@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw qywg/yigMgYkhxORSqfuVsggQUMmQSPp6T9BjlEogGk
++vVPOuG9MqK/K5lkn/dTjd2RLJYL9F3uYnsK3I2r6nk
+-> ssh-ed25519 zcCuhA w1iPgVkUx3U/r64ooH4UhUMnrHC+Kqs5oooDIL+pbyA
+zUDp/32Hj3pEEXeL/8BJ0J5qQLqCOjpzbmQdsXGA9qk
+-> ssh-ed25519 CpJBgQ kRl0KlOJtcHsnNyJfyWlm9cW6ZQMrzmhgKaT+zYr03A
+lTprX0AfgP68w5towNfJw/YO3LoZFZYm0Y26Lb2La50
+-> ssh-ed25519 aXKGcg 4T+HCfrAPXDQORxNFm3lR9qJBfd4WcCQ/ny7bBs4mT8
+zKu2W42LJl6jUS6vYFJj30x+SaQQarx7OALCJ7fUTac
+-> ssh-ed25519 OkGqLg EEpq+VV3LC55VErd92bKnj7KqEzQqS6S60EZuCgb5Co
+XiyO6rELbfgj+2S3SQDu4Csz0Bw1NIGos69ixDPIEMU
+-> GY`K*hZ-grease VW)6 t.El^< @P
+dS5BLWUWe5RDzdf4uWzEOwW7lLrWtD8hqISTSWzFOFGnQgWX6cqZhtUlCmciRlCq
+RLXx5Nu3sSIEBX6FZR30PjmjyDQ7qArxc/Up0pkJ+ntG1d2lobyeB3qXsn8femUU
+Ku76
+--- 7KKYqquKMip1Qht63i2YH/9lGTv+MMso2YtIzF+6eis
+b>w~IRjW=ͳ?1:ZMJgJ2*nzEּwgq[3.^8i%!#|ub2darn=/TI-MTE¸˕N'0\Kd~-kɜf)
\ No newline at end of file
diff --git a/ops/secrets/gerrit-secrets.age b/ops/secrets/gerrit-secrets.age
new file mode 100644
index 0000000000..9869b0d46a
--- /dev/null
+++ b/ops/secrets/gerrit-secrets.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw UCZDSCgRCFAE07NoKG/fuyEE1k4wmNE0Dlg4APH/Exk
+VEnLQHoxfRgBqu3A0FTQ5KMo3w2pPSzr/dG0jT06xq0
+-> ssh-ed25519 zcCuhA fdZUx8wTyxVYd7DCngcLKligArm5mlYGTqCUKYsSflI
+hO8Hx6qJ3GRZipYDWseJmbGJEQ/FyU0/eMqsO9Sc9DM
+-> ssh-ed25519 CpJBgQ NCz9xhb6O5+XQxQSGTdJanwj68kg/mnhRm35/4L3+Sc
+kxZ6+NOd5b2VK/VjPKpbRNTmCW8wdNZV5IgY5OT2zEk
+-> ssh-ed25519 aXKGcg ZCfSQV7NUBsDLgb5sk0wRG3Zvhb8St98odNS7TmPu0c
+b3AqqM9bcNPI8G+in9a/ZPg0CiqXOYNMXMTrR42xr0k
+-> ssh-ed25519 OkGqLg SgctN3C54OmcYTCSrN0pA4+E7D1ry3byKebqV7Tjbg4
+Yk/2xD6lD69vhZH4+GQZh07hOOcOc0AKRq2zmkCrrjk
+-> ax~swz;-grease
++jjWRJAR+9n7HqxifiYbIvk2tFX9H/1H9O329yzf
+--- oZTj6wdxzeIDNWtZxBB5zo2DM4W1OcWPsTMqWJqYLSk
+ri-CT	}29K|CTQ$Im#xdň3>Dd{FSmaçZuaOeu:rϦ
d</,-Su?)Jo#RMv*xYMß[l℟Փaй?rrgrOi,ca$m3QEx(Dܯ{8|`2
\ No newline at end of file
diff --git a/ops/secrets/grafana.age b/ops/secrets/grafana.age
new file mode 100644
index 0000000000..d6022b4ea5
--- /dev/null
+++ b/ops/secrets/grafana.age
@@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw FAneL6Ra+ipVGA37rsEOIbObsDK5L93n1tk6vsDiq08
+HcEABCYv388oK0Fk3zcCXdnpi+arLHvYWjqS+vMwlWg
+-> ssh-ed25519 zcCuhA n0FaAavgxFkJ1Lbd7bdDihV3m0aQ6IrD30G4N0NsNXU
+YumH3OYrbM/r/vgTFzJ8vEEWd7I/2yYdk6uBF4FLzG0
+-> ssh-ed25519 CpJBgQ +80Q06PTyeX+lnPZf1o5v4jBDoSfuIudOD49c72i5gc
+gNXrdBhVicCa0j7uGmvFrbZFMgN+4NQ5wxyojQUI8JE
+-> ssh-ed25519 aXKGcg cB4hgrcG47MEbgdvRQdJLBgQtGpyAw7rZTHQnE8mF2U
+vF46NzfPXjodk081WEd9D8LHMwB33Emswx65k2xiiQw
+-> ssh-ed25519 OkGqLg H4abrPcW2U+0h9ChEANdCoaYgIXW/2GMOfaPXc142lk
+OYQyK4tSDsyRIbqLhXxWc6ZgnS4/9YS8FD/M3N8ctG8
+-> 2UpS,n-grease 2@ A F$+@#Lk\ C4|Pa
+WKOTNBDihEkbp8U9elitxCVbpwa+RUXIUkWDKDdcLalK7no6DtfJVMyPAyPPymWg
+QOXPnkx1mw16wzj6elS86QU
+--- vEbbqmuObg1gVHyfCb+6CN3bkeNyyWam3r7uG5KiHec
+m26NR69.l@(_ώYUMD'Nq%y%(2yJ% Co	)m
+
\ No newline at end of file
diff --git a/ops/secrets/irccat.age b/ops/secrets/irccat.age
new file mode 100644
index 0000000000..b70abf636c
--- /dev/null
+++ b/ops/secrets/irccat.age
@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw fiDNJcoEINRGGnkyaUN9j2bkXfFszU6Auje59dkfDRY
+vbwn4fQP8PQ5ZFLLah4kgxcV5MN4Zbr6ncjJYtZx6mw
+-> ssh-ed25519 zcCuhA GwygU+Rh3BADW/+WVL5QBb/LGEQ46HtZRWi8Ez5gdGI
+qwV4L6q9LZ5UondrZ8lZiFCqyVyNj41v15yzb/9Ha0o
+-> ssh-ed25519 CpJBgQ pBgC0bUHKNiB+NqHA7G2mJtTsWohDlDEVYZzZg1S3hA
+Zr8h2M1lz+kENM/H6fiWr6zsz1pRCE+0FcS+8epFIDM
+-> ssh-ed25519 aXKGcg Kuz7+ZHdExz4sbeOVK7MOjtldakqpuiUoCXa5BzBrlM
+lhOZVOKxSjZi/GUu2zDM5HTrbKTcxyk92JZHccJlAig
+-> ssh-ed25519 OkGqLg NJg2CK0q37agzqgqsLTlSIm8rhfaPwEIEPm+7eBp2So
+kB4p46ar71gLlbRBC1VdnHtGsA7oM8hBOqEo4X8ixNA
+-> VSn<1?+[-grease N=4\Egxn P:d\gl Ye-lT|k0
+v4W8MII8drZm1Eryx4Wzasc9WjargNyCe4R5Q+umIsuUNZebjQpvcmg1SlasTfi/
+oAdY1SZLaOJH0LmkP2v9ztz0MDsvOx9y5NZd/qw/NswgrI9FJmVh
+--- m4VHPIp1FsrSWHAdKwliymn9kdmFFrfo2SncDua+MEY
+{-`2k|K$>TzF6<K|cm5B)Ob5V@{03WE&<E Dj
\ No newline at end of file
diff --git a/ops/secrets/journaldriver.age b/ops/secrets/journaldriver.age
new file mode 100644
index 0000000000..823b527880
--- /dev/null
+++ b/ops/secrets/journaldriver.age
Binary files differ
diff --git a/ops/secrets/keycloak-db.age b/ops/secrets/keycloak-db.age
new file mode 100644
index 0000000000..185f79da8b
--- /dev/null
+++ b/ops/secrets/keycloak-db.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw rG0ThGyx3bkL/WOz1K1iP3CmrKORLjsUrLNJbtb1WB0
+xbkyt7EUb1BhBKUYt3hh93kEU1avcqlCLKfHc3x+BEU
+-> ssh-ed25519 zcCuhA mwSN0urAXmA4vPCWIkzvCuDoE/LcA3eWpXr24Qab/lY
+Esa4Rfn55KYpIdYxsxGhBpPs40o28PJHbn8AEDn1n78
+-> ssh-ed25519 CpJBgQ ODm3P+PymrXBxEejSDi2YUTEadBVzJiIt6vYHpzH1C4
+nC9FY8yilVG65HXmRTtpvjKj2awE9SI1qp8duskNP7M
+-> ssh-ed25519 aXKGcg cdO7r0WCOktOmldIqvjVogyCximfA9sWd2Vq+bBgF2U
+1INC04f5PDwQgSQVeDpJomL5iZmyQfTwzHVu7BG+UUw
+-> ssh-ed25519 OkGqLg D6x2fkkNeoZToQrOhNVh69Y3kWN5NqZzXkUc2556nBY
+ZC4asUqTT6ZnQdnYV9Xn0yqTgLFt14Vo+3RncxWingU
+-> R^R|CZso-grease xq76HV<!
+MQSwHZCAIj24PlpplrTWjrZPAe5I31NC3xnWU80Q7Gk7FHUavAw
+--- NG3cBfD3zeP6McHAXxhPuWZVrC9au95/+r6fMi01Gjs
+`$|mR_!z[|伭2s"h0ž*0(-&
\ No newline at end of file
diff --git a/ops/secrets/mkSecrets.nix b/ops/secrets/mkSecrets.nix
new file mode 100644
index 0000000000..c99130835f
--- /dev/null
+++ b/ops/secrets/mkSecrets.nix
@@ -0,0 +1,27 @@
+# Expose secrets as part of the tree, making it possible to validate
+# their paths at eval time.
+#
+# Note that encrypted secrets end up in the Nix store, but this is
+# fine since they're publicly available anyways.
+{ depot, lib, ... }:
+
+let
+  inherit (depot.nix.yants)
+    attrs
+    any
+    defun
+    list
+    path
+    restrict
+    string
+    struct
+    ;
+  ssh-pubkey = restrict "SSH pubkey" (lib.hasPrefix "ssh-") string;
+  agenixSecret = struct "agenixSecret" { publicKeys = list ssh-pubkey; };
+in
+
+defun [ path (attrs agenixSecret) (attrs any) ]
+  (path: secrets:
+  depot.nix.readTree.drvTargets
+    # Import each secret into the Nix store
+    (builtins.mapAttrs (name: _: "${path}/${name}") secrets))
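Review bot: The `mapAttrs` body builds `"${path}/${name}"` without checking that the file exists, so an entry in `secrets.nix` with no matching `.age` file would, as far as I can tell, evaluate cleanly and only fail when the secret is decrypted on the host. Interpolating `path` also appears to copy the whole directory into the store rather than "each secret" as the inline comment says. If the header's "validate their paths at eval time" is meant to cover the files themselves, an explicit check would do it, e.g. `assert builtins.pathExists (path + "/${name}"); "${path}/${name}"`. Separately, `ssh-pubkey` only tests the `ssh-` prefix, so malformed keys or stray whitespace pass; the header comment could also state that publishing the ciphertext is safe only while every recipient private key stays private.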
diff --git a/ops/secrets/nix-cache-priv.age b/ops/secrets/nix-cache-priv.age
new file mode 100644
index 0000000000..cc8513071a
--- /dev/null
+++ b/ops/secrets/nix-cache-priv.age
Binary files differ
diff --git a/ops/secrets/nix-cache-pub.age b/ops/secrets/nix-cache-pub.age
new file mode 100644
index 0000000000..f628f2bbe4
--- /dev/null
+++ b/ops/secrets/nix-cache-pub.age
@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw j+RSQPvmBUL+/tJpoZqbMyh//yPYelDkS8rGMBDeYBg
+w9XLo36I+Fh8yCgL9aL1V2dHA5PFIhA/mi+inpA0vO0
+-> ssh-ed25519 zcCuhA KTfCgCjc38/NRthB4ttrQV7aXbBgvs0Bgxitspo1TTo
+Zj7ZcjNxdiXgasq0pACRL6E3PvRsjsYsZeHFbX1mNYY
+-> ssh-ed25519 CpJBgQ 4nH14KX8d5AYlQOYpAq77Oz6QLLcqh+We7WT0yXx3EA
+YCIc6wFk++uaankNET+SATIRMPXh1C2NemJssGUexXA
+-> ssh-ed25519 aXKGcg x2izNmR+I9+2sRoHye4YUXU/6EZA8ZicIKUbjARVR28
+AV28t/cAwP6Js4lfYedJ88dCyAuKLq7RJU9SlhBx1FA
+-> ssh-ed25519 OkGqLg PpKqeVlQ015Qv2zvvrR8kTj+7kDHirLz4Zk8f32NoTA
+huaUh3Q3uJmsi9yWyuJgnEhgmsVjspfpR+IN6uT8FgA
+-> R2aR1C?^-grease
+7rumeWTufR7m6GRBOwKKVfzmMG8QRHzmt103vQfgmylhzGa2r6z2L3qSfFTqCW7T
+gMdbpgVvvTO+5aROt+iieBz9KFkHD3l/NXAhyZf8ydWRQlmDXcomY7QmSC3jLAE
+--- RX4Cux3g3rn4jdCZMpP8XenZ45uol6W4+wBk8jofI0E
+=[ބ$֘Klmdhe&*ERtΟD:;-=;W$0
\ No newline at end of file
diff --git a/ops/secrets/oauth2_proxy.age b/ops/secrets/oauth2_proxy.age
new file mode 100644
index 0000000000..816944684a
--- /dev/null
+++ b/ops/secrets/oauth2_proxy.age
@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw pkxciQfQ/yrexMq/Djpq1KNLFYBRTnJSi3fo4iQ0MDk
+FAlEvIgT+h/7Lcj5E0BeEbaWlZAg1THoiqsQg6Sy1oI
+-> ssh-ed25519 zcCuhA sey8T2EXLHh5TF726U0DSn+MfXYYjimQxdsE67iflTc
+lPWYa9jrmwkac8KkCUypfZ5D3GCZwtdQPaXQRiM5xMo
+-> ssh-ed25519 CpJBgQ 6EzBbhxLD1Cjy1LRWnfum+tFvPRzxMoPT6P2HDN7qBs
+BPWNJiFIrAPdcOOK0um+RzclUGgrS7yJwCjx8X0pYTk
+-> ssh-ed25519 aXKGcg kMVeXntSlq3E5hbuNtu7e+iKoJpQDRR4isbx/WCYc0g
+fWvCPlcnjunuQ2LB02eQ51gr6SK2leaNuHttQOjJOyw
+-> ssh-ed25519 OkGqLg QFU47rj1sU5JuQtehbxyymEOpZYl0bWY6dRo81KrQxE
+5TXNy6e2sM5b+K5lSXEkLdJ8F4ZDJfYEetJ7/jsxAIY
+-> `!"O*HV-grease 1YD XwG${5; #Pr \7G
+CD72odW0Q4DMW6SGY+cUpBPhFePtjebkf1rpZJz0Twl8YrzbrXQfIgWv+tCUbr2d
+PKZKtlc9u0F+B6BKfVpZn0s0PD4/XGQ1PNLL/ZajxvYSB/w+UWbE67s
+--- U0nGetyOZONCTw7TQJ5QNUScp6v2noSVkrWCMJeROH8
+zsͮ~=H'Q|dL_Bx0;7Cg
*B3kp8{P+a%ؽ)EmF'`AUvUDzcLWox7PT(	n~a
\ No newline at end of file
diff --git a/ops/secrets/owothia.age b/ops/secrets/owothia.age
new file mode 100644
index 0000000000..c3ad07d232
--- /dev/null
+++ b/ops/secrets/owothia.age
Binary files differ
diff --git a/ops/secrets/panettone.age b/ops/secrets/panettone.age
new file mode 100644
index 0000000000..542c866d61
--- /dev/null
+++ b/ops/secrets/panettone.age
@@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw 0vXqVyiNwKAvIjBi1PPPWYzapFFuwFAGQqohfdaaThc
+cp+oevy9hbMvviVNTxKpws1Fsyirxr/nKZltlA08cWI
+-> ssh-ed25519 zcCuhA bFhpOsXo7H8GF3xLFwLs84aJegWj50+pEQDbyYYpwE0
+Y5iRW6/dhBNUHgNmObUEJu991Ms0RU1Y7xkeoz16A0U
+-> ssh-ed25519 CpJBgQ 5y0eXpmerwxRtySanRSBQeHCkMt96BOLVgR8S2lDSH4
++Z+3b9d8B5HZRVOL76SCNPIh9nhXKPSWq4lj0X2k2eg
+-> ssh-ed25519 aXKGcg HK5KeRoc+fhbYQ9RZTnum5x2y+vvyEQNKRpnNOISFn0
+TxZplwFO2e1YgY/V9tkLSVGxh9407xsxsT09N3jfcv4
+-> ssh-ed25519 OkGqLg otifGzPJ9Ykwdx9AkwlFW9AHAQL5OXnDexp8N4lJ6ys
+dFVgPNi8p3wQYbVbokxGqiNKUd3POXBs49LO3FAR6Js
+-> e"s'-grease :{S#]YZ MyRj r['U^ 0
++qc7
+--- Gnh5iyD6drHbPt2bE9JCGlXcPAPDPhkJl8A9+5SHNz4
+!u
+9wIV~Ep| *aGc3ZƩSQҾ\)f[)7gޘסPYEE5W$igLLCF=N
t
+b7ŏyFx;d9н+<r(U^P1W/%w#cWKk|)MrrYzL2/!]:Drya̳G
\ No newline at end of file
diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix
new file mode 100644
index 0000000000..0d45f3b025
--- /dev/null
+++ b/ops/secrets/secrets.nix
@@ -0,0 +1,46 @@
+let
+  tazjin = [
+    # tverskoy
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1fGWz/gsq+ZeZXjvUrV+pBlanw1c3zJ9kLTax9FWQy"
+
+    # zamalek
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDBRXeb8EuecLHP0bW4zuebXp4KRnXgJTZfeVWXQ1n1R"
+  ];
+
+  grfn = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMcBGBoWd5pPIIQQP52rcFOQN3wAY0J/+K2fuU6SffjA "
+  ];
+
+  sterni = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJk+KvgvI2oJTppMASNUfMcMkA2G5ZNt+HnWDzaXKLlo"
+  ];
+
+  sanduny = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOag0XhylaTVhmT6HB8EN2Fv5Ymrc4ZfypOXONUkykTX";
+  whitby = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILNh/w4BSKov0jdz3gKBc98tpoLta5bb87fQXWBhAl2I";
+
+  whitbyDefault.publicKeys = tazjin ++ grfn ++ sterni ++ [ whitby ];
+  allDefault.publicKeys = tazjin ++ grfn ++ sterni ++ [ sanduny whitby ];
+in
+{
+  "besadii.age" = whitbyDefault;
+  "buildkite-agent-token.age" = whitbyDefault;
+  "buildkite-ssh-private-key.age" = whitbyDefault;
+  "buildkite-graphql-token.age" = whitbyDefault;
+  "clbot-ssh.age" = whitbyDefault;
+  "clbot.age" = whitbyDefault;
+  "gerrit-queue.age" = whitbyDefault;
+  "gerrit-secrets.age" = whitbyDefault;
+  "grafana.age" = whitbyDefault;
+  "irccat.age" = whitbyDefault;
+  "journaldriver.age" = allDefault;
+  "keycloak-db.age" = whitbyDefault;
+  "nix-cache-priv.age" = whitbyDefault;
+  "nix-cache-pub.age" = whitbyDefault;
+  "oauth2_proxy.age" = whitbyDefault;
+  "owothia.age" = whitbyDefault;
+  "panettone.age" = whitbyDefault;
+  "smtprelay.age" = whitbyDefault;
+  "tf-glesys.age" = whitbyDefault;
+  "tf-keycloak.age" = whitbyDefault;
+  "tvl-alerts-bot-telegram-token.age" = whitbyDefault;
+}
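Review bot: Every entry except `journaldriver.age` is assigned `whitbyDefault`, so the whitby host key and all three users' keys can decrypt all of these files, including `tf-glesys.age` and `tf-keycloak.age`, which look like operator-side Terraform credentials (an inference from the names only). If whitby does not consume a secret at runtime, scope its recipients, e.g. `"tf-glesys.age".publicKeys = tazjin ++ grfn ++ sterni;`. Because the ciphertext is committed and public, dropping a recipient later needs both a rekey and a rotation of the underlying secret, which is worth a comment above `whitbyDefault`. The `grfn` key string also ends with a stray space before the closing quote, which the `hasPrefix "ssh-"` check in `mkSecrets.nix` will not catch.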
diff --git a/ops/secrets/smtprelay.age b/ops/secrets/smtprelay.age
new file mode 100644
index 0000000000..3904107261
--- /dev/null
+++ b/ops/secrets/smtprelay.age
@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw mqDmOqzDl7BY8xj7TuCHcIGrkiqURHK4Y4NkmUesyQE
+sfNvq6kuQUWuza3B6feUQtcWYhYh/aiN89fTOHdhHSY
+-> ssh-ed25519 zcCuhA rBlPiVmj7dSYHljc4/fhL7a9GSeCp/8FqG1R2f1kPgw
+o6Za8zm3n2LBnj9jQAU7Xtvt5ULIUesdiTi11DeRMY8
+-> ssh-ed25519 CpJBgQ vM3qI0XMQJY/ExxE3a0mmHhc5hY9rPDBzdJ4v9oZBlY
+lLHtL9j8ltx86eWwlPkyblcWjRd2iMjimwMXZptsRAc
+-> ssh-ed25519 aXKGcg +6heNooQufYnntQ1PJHlW/8aG4vijzY/CfXHUGPKMQE
+T95bxZSRC9Cdx9ZTaTnHWdeq0wKOkRL9mQxNo8j9SfA
+-> ssh-ed25519 OkGqLg HvpZmHz0DZIqWHiXvUsJ/OILlRhptl4WMDDiVF6dxko
+FoTSc84FRFnBh0rOYFX3M7t9p/hvn4DZMHZfU9jy0zo
+-> $<0F{v-grease
+blva6tBLrd967p8hOMGy0JT6Y19zWNdgowASEEBpoFzsmNlyKdbaYyMbxKTuqmCy
+8Wy5TpBj99pcUsEB
+--- DTMNC/wQr8xtJKIPPKjx90PmAZ15eimydKbYGnEa7Jc
+֐Զ"RA!]*	)
2)7ꗞ3AjӤʏL5EN"1:4tp.܋jpqG2(\mqߑF@1aŌ%
\ No newline at end of file
diff --git a/ops/secrets/tf-glesys.age b/ops/secrets/tf-glesys.age
new file mode 100644
index 0000000000..caeac0b1ee
--- /dev/null
+++ b/ops/secrets/tf-glesys.age
Binary files differ
diff --git a/ops/secrets/tf-keycloak.age b/ops/secrets/tf-keycloak.age
new file mode 100644
index 0000000000..b450e84fb0
--- /dev/null
+++ b/ops/secrets/tf-keycloak.age
Binary files differ
diff --git a/ops/secrets/tvl-alerts-bot-telegram-token.age b/ops/secrets/tvl-alerts-bot-telegram-token.age
new file mode 100644
index 0000000000..d9562ce924
--- /dev/null
+++ b/ops/secrets/tvl-alerts-bot-telegram-token.age
@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw 14nPZssvAKQSzPdL+1iyz0BVA1DOdFDafdCyRfcmSWo
++ENcKRKyUN3G9+kd/Y9IpQbO3rIZdYiznqGO1cfVNZE
+-> ssh-ed25519 zcCuhA i/ag/HD84XrTpYigStOfwnWBLjOSypCnVuIYjtdVc2o
+T+dN0nl3H6J6OaMyLNHLgy99H8YJtSjgintxogJkWjo
+-> ssh-ed25519 CpJBgQ bbyerpmjpTkMmSaLnV5OuMQzqqtGao4eqE4kiFzm+Dw
+0Hskm4/Cks4Eu/Jr4Eh6302jWo64rdInvvJH6XJFyBk
+-> ssh-ed25519 aXKGcg sqdfN/2YLFmdhEWgn5Z/OAsmXwMORX/dPrmD4O7MlCE
+h/ej9LjZHn04rkEbvIaGAcLT3dMs9RdL3vFA+Rgdp3g
+-> ssh-ed25519 OkGqLg fK2cPxfOupCIfC1giMj2CFg/K/+4XX+fLpkqUmQHzDY
+uXTHT30ytEvliNAvmwlPyaySsYDVLarZgouV9Tfo6qo
+-> Me?Ykt-grease 4S m!3LR ^/)u#tFR
+1A
+--- UP4D68fCAMJC+1T1zbIiGCah3Ph+pJf7Z6wv2YJaOCQ
+js]U-Jγ6Y#^
+$$L1pwa:qwgq3Ԓb0zH%f!.0ΐ'֘!
\ No newline at end of file