Diffstat (limited to 'ops/secrets')
-rw-r--r--ops/secrets/.skip-subtree2
-rw-r--r--ops/secrets/README.md1
-rw-r--r--ops/secrets/besadii.agebin0 -> 1050 bytes
-rw-r--r--ops/secrets/buildkite-agent-token.age14
-rw-r--r--ops/secrets/buildkite-graphql-token.age15
-rw-r--r--ops/secrets/clbot-ssh.agebin0 -> 990 bytes
-rw-r--r--ops/secrets/clbot.age14
-rw-r--r--ops/secrets/default.nix21
-rw-r--r--ops/secrets/gerrit-queue.agebin0 -> 803 bytes
-rw-r--r--ops/secrets/grafana.age15
-rw-r--r--ops/secrets/irccat.agebin0 -> 673 bytes
-rw-r--r--ops/secrets/nix-cache-priv.agebin0 -> 732 bytes
-rw-r--r--ops/secrets/nix-cache-pub.age13
-rw-r--r--ops/secrets/owothia.age15
-rw-r--r--ops/secrets/panettone.age16
-rw-r--r--ops/secrets/secrets.nix31
16 files changed, 157 insertions, 0 deletions
diff --git a/ops/secrets/.skip-subtree b/ops/secrets/.skip-subtree
new file mode 100644
index 000000000000..80f63816f5ba
--- /dev/null
+++ b/ops/secrets/.skip-subtree
@@ -0,0 +1,2 @@
+The Nix configuration in here is read by agenix and not compatible
+with readTree.
diff --git a/ops/secrets/README.md b/ops/secrets/README.md
new file mode 100644
index 000000000000..e59b86541335
--- /dev/null
+++ b/ops/secrets/README.md
@@ -0,0 +1 @@
+TVL's deployment secrets, encrypted with [agenix](https://github.com/ryantm/agenix/commits/main)
diff --git a/ops/secrets/besadii.age b/ops/secrets/besadii.age
new file mode 100644
index 000000000000..b78f02da8fce
--- /dev/null
+++ b/ops/secrets/besadii.age
Binary files differ
diff --git a/ops/secrets/buildkite-agent-token.age b/ops/secrets/buildkite-agent-token.age
new file mode 100644
index 000000000000..35e592ee51e1
--- /dev/null
+++ b/ops/secrets/buildkite-agent-token.age
@@ -0,0 +1,14 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw ZJlRpsGtBnu7qtonHrIKyxDuACwAn9Z4Ad8YTvOjyWQ
+TsBnCAtRF3lJOI3LW0x8cpJ0Ir+51myqwGCubBEEihQ
+-> ssh-ed25519 CpJBgQ Hr5JZFUsFLFX49F4qvc8ZS4Zz/rrETCl4V4uDtoxHgU
+IP8wOvr0mhyc56WLZhtEU9QXd69k8gRK3oWzxs5nyH4
+-> ssh-ed25519 aXKGcg yl4A7utB4cm5Wy8QXvPB0u6bmeRTGu2iOS2BIY+XWiE
+lQZFYlbSOHZV5+aZlxixKcb7qQ6cWtBbkahBS4TRSq0
+-> ssh-ed25519 OkGqLg esgNILaiQxhHVMgPNmyzFPhvjL5m3tY1PdvdzrZhtGo
+kNH1ng583BphHjSgSUdzIpy6gYDYjjbQC2rmcGJY5gU
+-> M,-grease y}:Lz[#F iM :l 2P7"r)!
+MUDSRsvwDGzejN/obhT6jpmTl7ZHpWEZ4VhRbVDzbG8DsWp/a9Nt+hxlEdQ/eAap
+mh77cYawCsYVFx8
+--- 6hjVqgo4RHJupqYhROm1lW2ZpWTH/5K20jfNe69Nc+Q
+`k96G`g7Ku#;#;dĹRϜÙlJTˎ%~ʲČAk=
\ No newline at end of file
diff --git a/ops/secrets/buildkite-graphql-token.age b/ops/secrets/buildkite-graphql-token.age
new file mode 100644
index 000000000000..e1c30b785b94
--- /dev/null
+++ b/ops/secrets/buildkite-graphql-token.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw eGKM1q69QdToZ9wbtsdAgAfGHOsVrc/IJ4IFbHfoeAA
+eogaENxdhqW/2H+FM7SPWgN1UcXPzUTx3tYiVU9K8Rk
+-> ssh-ed25519 CpJBgQ v00XK32Div5ddrWPdzjv5ZFPECtW14rPv3G6iFvXUFI
+OQAJaolWVUiVXTK14b9Q5ZTYR4YQL2e6Ye5TY4Xxq0Y
+-> ssh-ed25519 aXKGcg ieOvBBSHPSP7k05I5unpRn6+S4K9NfRqwUb5s0XM0js
+z8Q+psAM7Zj02M7m3KNNjSTLmiLH9S+nOzQE5xz1nr0
+-> ssh-ed25519 OkGqLg OKzXlZJyHE73V36WVZ2KhvFhif3HZtZDjjBBv5g3hyA
+ilL9pohUoCXfNi1jLekPx35Iu3dGOBAe1H2JFXrKHTU
+-> VQDa2-grease 'HsH ^-&
+YuO3YgYZ3Q1CjlIayGFg1Y9zplKgzqR0mZeZlyaOJDMHDrWSOaWRPXjFVU/s2EvP
+MECrypRbNRaHEdPSY7udi1q5cVBPNj3Dci5uiq9t
+--- HKTtOZJq9MSAhr3x1eUhk6yFJU3y7TCPilXPhMNfbwA
+10?a94bWyӌ
+jbn6	Pp՚l'YFy
\ No newline at end of file
diff --git a/ops/secrets/clbot-ssh.age b/ops/secrets/clbot-ssh.age
new file mode 100644
index 000000000000..ab51ccc68e20
--- /dev/null
+++ b/ops/secrets/clbot-ssh.age
Binary files differ
diff --git a/ops/secrets/clbot.age b/ops/secrets/clbot.age
new file mode 100644
index 000000000000..c44c77f58322
--- /dev/null
+++ b/ops/secrets/clbot.age
@@ -0,0 +1,14 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw sjFTLxJ9JArZ/GU/R/hqRVgX73x3sDO4uNdVrRrZpXE
+cbMS1tn4+diLX4Hf1Pe0XBYvJH5G3ueZIIA+3KImq3Y
+-> ssh-ed25519 CpJBgQ 3yeOIq2DxFqr8NW4VpdaUVoEmwvQayWThPzoMo9UCmY
+xLyNilVdqXZ6WjAbT9NDFIssFc4564C/13z4w8WGnpU
+-> ssh-ed25519 aXKGcg peKlfil+osni6uHra2unBeQM5MBeK9TVmBg3BpozVy0
+KsKJ5yQQFWGbuiANV8uOck3sSIW82v/JKqLEuLJRsAo
+-> ssh-ed25519 OkGqLg Jo5YHWYNkou8JIBKrSrRJBG1VMdStmDqe/S62hdo+Ac
+U5zaBxJ6TKsuaB3vKS7+03vBJLe+nAWMZ6fSlwF+VQs
+-> 8SA_}x-grease
+J/zFiD0MDxVK5FDCv4fmA6sawl8gQZcPg0h1NunSjVnBUPNXx9FZylONpu9M56y8
+Z2JJ
+--- bR5Pl8ZiMNPIgx/n6ozwOkikLE9E6GWEK2SVIMUlbvI
+gyĆx_n2	uTZRG7,iS%ZSKQd.`,y(Yn9c	
\ No newline at end of file
diff --git a/ops/secrets/default.nix b/ops/secrets/default.nix
new file mode 100644
index 000000000000..cafd605a4e9b
--- /dev/null
+++ b/ops/secrets/default.nix
@@ -0,0 +1,21 @@
+# Expose secrets as part of the tree, making it possible to validate
+# their paths at eval time.
+#
+# Note that encrypted secrets end up in the Nix store, but this is
+# fine since they're publicly available anyways.
+{ depot, pkgs, ... }:
+
+let
+  inherit (builtins) attrNames listToAttrs;
+
+  # Import agenix configuration file, this itself is not a readTree
+  # target but defines all valid secrets.
+  secrets = import ./secrets.nix;
+
+  # Import a secret to the Nix store
+  declareSecret = name: pkgs.runCommandNoCC name {} ''
+    cp ${./. + "/${name}"} $out
+  '';
+in depot.nix.readTree.drvTargets (listToAttrs (
+  map (name: { inherit name; value = declareSecret name; }) (attrNames secrets)
+))
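Review bot: declareSecret copies whatever file secrets.nix names into the world-readable Nix store without checking that it is actually encrypted, so a plaintext file committed under a listed name would be exposed the first time the tree is evaluated; the header comment's "fine since they're publicly available anyways" only holds if that invariant is enforced. The ciphertext files visible in this commit all start with the literal `age-encryption.org/v1` line, so a cheap fail-closed check in the builder is possible (armored age files carry a different banner, so extend the check if that format is ever used). I would also tighten the comment on declareSecret to say why it refuses plaintext.
```nix
  # Import a secret to the Nix store. Everything listed in secrets.nix
  # becomes world-readable there, so refuse anything that does not
  # carry the age header.
  declareSecret = name: pkgs.runCommandNoCC name {} ''
    src=${./. + "/${name}"}
    if [ "$(head -c 21 "$src")" != "age-encryption.org/v1" ]; then
      echo "${name} does not look like an age-encrypted file" >&2
      exit 1
    fi
    cp "$src" $out
  '';
# … unchanged: readTree.drvTargets / listToAttrs wrapper …
```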
diff --git a/ops/secrets/gerrit-queue.age b/ops/secrets/gerrit-queue.age
new file mode 100644
index 000000000000..68dd1e7e2e04
--- /dev/null
+++ b/ops/secrets/gerrit-queue.age
Binary files differ
diff --git a/ops/secrets/grafana.age b/ops/secrets/grafana.age
new file mode 100644
index 000000000000..9c093968471c
--- /dev/null
+++ b/ops/secrets/grafana.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw TjDj+2FT4468X7jin78UPetVsZRmDtwU7HfwAk79Omc
+WLxXI+jaYFuvynK06GaHFs7D3XeYzSjHl6mteiks3uc
+-> ssh-ed25519 CpJBgQ Z3y+8U5H0ZTQdIaBgOtLGFst925kTspwJ1z+W/op8wo
+jHuIydmqN1ypCsyPZVbJYuuW6aJiTOe3SoSD7Ju2tMY
+-> ssh-ed25519 aXKGcg KttaHGM/1zYMFCfdYFKmWyUpco0mPmKxeX2LpUndm0c
+vLULuYNRGDdvuWf1M9o+Vq9cnk3G/DzYVAcxdZfvcvg
+-> ssh-ed25519 OkGqLg Obwnq0537RDZHFT7I+vucuYFk/fKTZYUzccSM/HfNnY
+tSqtWbgt/PebTDK9Od0EWj4mf3gXomtONcj0XBFYQDs
+-> [eCG-grease CV
+j5A3qikgyfxFMAcqeheGI8CMNDfhBh399JddXXvziPYB7QBkbeznUdMCX+2wOg/U
+U2rBgA1G84Rlr+2BJXlQ6iLL9xs7/us9vANaiTPiB0Ir4u377HBuCWoDLg
+--- ucJ+JohxZBSFnDzNw/pFvlYOZIFWvBxrn+CP9bcEsD0
+rB]0Ujfuabd6
+pWyH\e֯8rCz)ӛu_䌡clw,"ewSvh%8e{7dC'_n
\ No newline at end of file
diff --git a/ops/secrets/irccat.age b/ops/secrets/irccat.age
new file mode 100644
index 000000000000..5a45efa7ccdf
--- /dev/null
+++ b/ops/secrets/irccat.age
Binary files differ
diff --git a/ops/secrets/nix-cache-priv.age b/ops/secrets/nix-cache-priv.age
new file mode 100644
index 000000000000..4a16897eb2c6
--- /dev/null
+++ b/ops/secrets/nix-cache-priv.age
Binary files differ
diff --git a/ops/secrets/nix-cache-pub.age b/ops/secrets/nix-cache-pub.age
new file mode 100644
index 000000000000..692d86901526
--- /dev/null
+++ b/ops/secrets/nix-cache-pub.age
@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw 2wWiYCk+TcJdGdiT+YWVvv1FZ28EJYykwseyiZ9pkzs
+AMvMQQsWe3nar2TQM+wcyD2PEKlE9PeSx8G2ufJzEzI
+-> ssh-ed25519 CpJBgQ SpGruCznXleG0wmFMUTGJf7VNGKLEYqeQb/mv+axKxM
+SL4MTYEiOFgp6+90Fp3QFnSzFUfMWxNF2OHdH3Q+uy0
+-> ssh-ed25519 aXKGcg wWO1kn2tUlBZoMFsO1JrVhyqJCfv1BNhoVfKBwfidmA
+A3PAoWzbJWSlIKxGYsUEvuwRbDvRTjZYUdeSi+LQa1M
+-> ssh-ed25519 OkGqLg 2usxSwcnF2tZbJt6R7M+psTSW2M5HcZgr51t47D01GI
+HVGRSasPX9/I9E9oZhhMd6hVK/ga3n/UYzRAe2CjRqI
+-> /oh-grease v* Qu8SiS 2
+5dc
+--- 59MLx4Yl2G9G8QjEp+gOrKBPjCqm/ntgg8guQICu/x0
+`	8DJ]sPݱRwa!7k47<i:'?)թS}Rop)_wIKp:S50k	j
\ No newline at end of file
diff --git a/ops/secrets/owothia.age b/ops/secrets/owothia.age
new file mode 100644
index 000000000000..845252dd1d4a
--- /dev/null
+++ b/ops/secrets/owothia.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw ZV01yZa6uSpirIxPgW8fLJ3lI/RRb0tRObGey3zlgGE
+cu64HZYAxEL0qbUKcQEGzzQpwkAvXwp6NYYGaoHNwPw
+-> ssh-ed25519 CpJBgQ +NoCEPUKCscQxZLdjFI5YwWNiQuj8klra4AceYAOR1A
+xhNGia9flgRDn2QNsklyotwU7nJ9elXV8jMkT8XfUEA
+-> ssh-ed25519 aXKGcg MsimFAWS4vN6exoeKA2PVin+82QXzt32oS9iei6f4l4
+i+ph/HZ6a5f9QWorgwt0RFvmV4E4HpGSmkZAqdXhZ68
+-> ssh-ed25519 OkGqLg zLXi3YNberKHC7b/La1FdrLgLowjB4wovnXo/ayqeQs
+dYIN5zvmbMsN5yjhVrccjwYqXJHV9zcEJCjTnMIs55g
+-> FlqGql'-grease
+g+GgOSpwwnqLywaY4h9wMA2h7buTMM8vYEufiyTOOOSD7ljq1cgBePAoCFluW8UW
+8SDabs5WTRYgqqDnzVkx9V3JeIWJrfiKQj9coLZ1Crx5+YRD9r766eGEvHOC5eat
+432j
+--- V/bZkitOabEh8PO3J8dmv/IgycQOF5CmMvGTsHTdmlo
+7(tNFgʿZ&oo,ƦQ1(^乍K}W14)D@׏YYi
\ No newline at end of file
diff --git a/ops/secrets/panettone.age b/ops/secrets/panettone.age
new file mode 100644
index 000000000000..a8a176fb13e8
--- /dev/null
+++ b/ops/secrets/panettone.age
@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw lFE6Oxzl0jaGpmfxEzmvywEyxsmPNfhv+NNR95XGiDI
+NJhZ6KFNLcScSR5iNB5IAL4UqWzort+jWypbKQPsxu0
+-> ssh-ed25519 CpJBgQ 7sMqCFUdss274yNWtYbXe+l7oevKaR99d6E7c4LWtjg
+rqwEyv2dT07qd87suVZxk+8+bmA2W6MFkoG8NktRRbY
+-> ssh-ed25519 aXKGcg 9/0QlqFKxPVwjwagBTWHdhJXWWYXn0v649ZhmzpUxWc
+pMs+PoMRi3FghN2odcBQ9tpE+0Mb/jaErnOnuuoq4sw
+-> ssh-ed25519 OkGqLg Is/FQ/8s+oq+qThcwOdnAgCrZX/kNBLc0Cwpvi2NMwk
+Zf31SwMF/fyBd1d899GPv8Z8A8GSBy5xuG4d8zL9Zz0
+-> wyU-grease Dzk;3o # ,q\WtGwI
+PoJGe6Xlhl47AhFLxM4HLaEYAqcx9lzodHasyZ1AH0BtdSFYT92cYw/1rSNWheTk
+YedxiXNrosw
+--- tJE6XbPtWlMYKHItyPlThcnLnmp/9AS1muhfgDosTCk
+$; !?;
+bH}fxQͤdaꈇK71OUӳ<	y8mfV~JҪZ0|tN[O;2;/3)vGP%J0Y%d[1k/+
+
\ No newline at end of file
diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix
new file mode 100644
index 000000000000..825b1caf2cf5
--- /dev/null
+++ b/ops/secrets/secrets.nix
@@ -0,0 +1,31 @@
+let
+  tazjin = [
+    # tverskoy
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1fGWz/gsq+ZeZXjvUrV+pBlanw1c3zJ9kLTax9FWQy"
+  ];
+
+  grfn = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMcBGBoWd5pPIIQQP52rcFOQN3wAY0J/+K2fuU6SffjA "
+  ];
+
+  sterni = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJk+KvgvI2oJTppMASNUfMcMkA2G5ZNt+HnWDzaXKLlo"
+  ];
+
+  whitby = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILNh/w4BSKov0jdz3gKBc98tpoLta5bb87fQXWBhAl2I";
+
+  default.publicKeys = tazjin ++ grfn ++ sterni ++ [ whitby ];
+in {
+  "besadii.age" = default;
+  "buildkite-agent-token.age" = default;
+  "buildkite-graphql-token.age" = default;
+  "clbot-ssh.age" = default;
+  "clbot.age" = default;
+  "gerrit-queue.age" = default;
+  "grafana.age" = default;
+  "irccat.age" = default;
+  "nix-cache-priv.age" = default;
+  "nix-cache-pub.age" = default;
+  "owothia.age" = default;
+  "panettone.age" = default;
+}
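Review bot: The grfn key string on the `grfn = [` line has a trailing space inside the quotes (`...K2fuU6SffjA "`), which is a stray character in recipient key material; whether age's ssh recipient parser tolerates it I cannot tell from here, but it should be `"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMcBGBoWd5pPIIQQP52rcFOQN3wAY0J/+K2fuU6SffjA"`. The tazjin list labels its key with `# tverskoy`, while grfn, sterni and whitby have no such comment; naming the host or device each key lives on makes later rotation and revocation far less error-prone, e.g. `# <device name> (TODO: fill in)` on each. A one-line header such as `# Recipients for agenix; every secret below is readable by all listed keys plus the whitby host key.` would document the trust model that `default.publicKeys` establishes.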