29 files changed, 258 insertions, 0 deletions

diff --git a/ops/secrets/.skip-subtree b/ops/secrets/.skip-subtree
new file mode 100644
index 000000000000..80f63816f5ba
--- /dev/null
+++ b/ops/secrets/.skip-subtree
@@ -0,0 +1,2 @@
+The Nix configuration in here is read by agenix and not compatible
+with readTree.
diff --git a/ops/secrets/README.md b/ops/secrets/README.md
new file mode 100644
index 000000000000..e59b86541335
--- /dev/null
+++ b/ops/secrets/README.md
@@ -0,0 +1 @@
+TVL's deployment secrets, encrypted with [agenix](https://github.com/ryantm/agenix/commits/main)
diff --git a/ops/secrets/besadii.age b/ops/secrets/besadii.age
new file mode 100644
index 000000000000..50c2d1442def
--- /dev/null
+++ b/ops/secrets/besadii.age
Binary files differdiff --git a/ops/secrets/buildkite-agent-token.age b/ops/secrets/buildkite-agent-token.age
new file mode 100644
index 000000000000..66802310bbca
--- /dev/null
+++ b/ops/secrets/buildkite-agent-token.age
Binary files differdiff --git a/ops/secrets/buildkite-graphql-token.age b/ops/secrets/buildkite-graphql-token.age
new file mode 100644
index 000000000000..6ebf3efca7dc
--- /dev/null
+++ b/ops/secrets/buildkite-graphql-token.age
@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw X7cI9stdU1F8M8Mhk/5a4UwU2Ze6rBXuwRDxUTKCTHw
+CnksXNl+VEs2CYiucBeIgfpzpA05VshlECkbmTUZSpI
+-> ssh-ed25519 zcCuhA 7KOsie4KRM0pPKZk8MeDISuX4tT9MAw/5mehSQcNOE8
+UfbpAlKJVhZOH5j4YIw5CVDen7UebTO/S55sLT9tVyc
+-> ssh-ed25519 CpJBgQ EiDs9pCdSnPb4T4HvgF+gdyJ9f5orhtn1OVUp45e3jM
+SlMWEzpi/mMlhfBPzVBn6jZknvjWCbRQMLoJEklJV2w
+-> ssh-ed25519 aXKGcg kiuat73hEcxKvRZ9Gk115LjB3WVgd0h5KrjMOyTRLzw
+CwEmQX6vmi6DnJp/TeYFOSdsfrprHylXAzhnAaQ3aKw
+-> ssh-ed25519 OkGqLg R+moPPGckVPXrAnwQXFPqsizUwK+8UlL2VAA1965d1Y
+J0sxPR2PDqK3k39dSLOzFQkUUZ5cfYqww6NHQ7E4ql4
+-> lb6ND/-grease !D$d P~ Tj.
+HjRsXF0B07o957mq0zRgyHlckismT8UI8KcyFN55ff9FlWpci3+LEcPCb08wtraP
+DSRvOi4
+--- AomJrDQJ4VQghgD6b7ItcPNyiu+cDmNQM31FOqYBbEk
+
0:��๹X��0b��^�(��:���V�r%GT�h���>~������q��*���	�ת�;}$�
\ No newline at end of file
diff --git a/ops/secrets/buildkite-ssh-private-key.age b/ops/secrets/buildkite-ssh-private-key.age
new file mode 100644
index 000000000000..c9aa988277bf
--- /dev/null
+++ b/ops/secrets/buildkite-ssh-private-key.age
Binary files differdiff --git a/ops/secrets/clbot-ssh.age b/ops/secrets/clbot-ssh.age
new file mode 100644
index 000000000000..c24f8f45d3da
--- /dev/null
+++ b/ops/secrets/clbot-ssh.age
Binary files differdiff --git a/ops/secrets/clbot.age b/ops/secrets/clbot.age
new file mode 100644
index 000000000000..2cec1f7f36c7
--- /dev/null
+++ b/ops/secrets/clbot.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw ZkAwxhi/ckHaVTnF7bmzOXhQG3HHqw1CpMe6nQL0rHc
+9qnf0AY/inCEvk1VBd4RC3M0kATM/JuIyWxqisjersY
+-> ssh-ed25519 zcCuhA o3PRUMcah5zjj39LtDWpgmBPFtHyx1N9WQz++lFrFEI
+7K1kZHKfmlV5G/xVbgeOuLAO2iXKqcEyRYm+YfTvURs
+-> ssh-ed25519 CpJBgQ pFnL2XmxzppshipadVltN/zSgiRiMh6emu6O8EZTpxI
+K/RPjooKVSwqxc2aAUBtdTnkKoZvXDi+2NPB2NPXT9E
+-> ssh-ed25519 aXKGcg sTN4w5iMnwxmp/E7OKu5I3pUc695OXBYmfOY8/hs1AM
+DguaArDGVn7scD0NrDntgePjN1LFlfrPKfjEd1T9iOI
+-> ssh-ed25519 OkGqLg xuRTDdql+UBNW2go+XxkC/FJZa+N/e6Kj/Fjm7MzG3E
+KC39o7+WV+d/psN4mYSxeUSHsSCxPWTJgYjY1f1Dd3w
+-> J:e-grease
+CISPWfdtr4GKDU+lhCFk6B/EVyOmYwDxhChu
+--- nwu3QYk6rfvIJWJrTB8RSBsWjS1uok8rSxc9FCzoA9k
+WS�Mr��
g#MSB�}A"�֞��������w��}����������-��Z��1���oo�Go8�Ҩw���
\ No newline at end of file
diff --git a/ops/secrets/default.nix b/ops/secrets/default.nix
new file mode 100644
index 000000000000..43f2a738bb6b
--- /dev/null
+++ b/ops/secrets/default.nix
@@ -0,0 +1,3 @@
+args:
+let mkSecrets = import ./mkSecrets.nix args; in
+mkSecrets ./. (import ./secrets.nix) // { inherit mkSecrets; }
diff --git a/ops/secrets/depot-inbox-imap.age b/ops/secrets/depot-inbox-imap.age
new file mode 100644
index 000000000000..9bce1845cb88
--- /dev/null
+++ b/ops/secrets/depot-inbox-imap.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw cpeIOVtFcfaHZpIAp495fkQLJoT++h1v6p0crBeuzFM
++zomKCg7UVNl/FlfcZflVPbo48C45uGoGoR1tbetEdk
+-> ssh-ed25519 zcCuhA loSmQUCnO0EBaGg+wFYYkXOdLBQ6Z+pPl4Y3oGx6xzw
++RdXNYYtIDDXGr1Z0Mh28psvF9gzg12M3EJTUqmdFtU
+-> ssh-ed25519 CpJBgQ 0W0LWu8WW6pQzUhK21CeNDUtW0srwR5gNCRjwTy94B4
+A02F+AyP+DajnVTJakx+0jynYRDix9I/9uZUDPjXpis
+-> ssh-ed25519 aXKGcg SVBo2urAYGSYrlj3ieoi9nkrffcZ9ZroCn86pZkn4nI
+xQRrLNeNcI9cpQY+X2xfLDoBqLNQixGjaYtMDWtHio4
+-> ssh-ed25519 BXptmQ UKNJPPjIiqPQndZ6/yASSg+5PQIn2N9nUy2hQMREq1Y
+X9zM/ji9R3jLOEDGLpIVESjU13VU0e3cTAR1xEMhY5I
+-> B-grease Y
+vUOYknqY0okoUOKZD/8MpnpwkOU31sszuUZfeSVsuVyUMPEbFjWQT74
+--- ymKMaoUQXFPRc9U0ZvULBEC0Az0ew2oEyHwH/kR9ETI
+�
Eu��	���x����e_)zP��h��������s��G����BLQ
\ No newline at end of file
diff --git a/ops/secrets/depot-replica-key.age b/ops/secrets/depot-replica-key.age
new file mode 100644
index 000000000000..5e8ce94d5d61
--- /dev/null
+++ b/ops/secrets/depot-replica-key.age
Binary files differdiff --git a/ops/secrets/gerrit-queue.age b/ops/secrets/gerrit-queue.age
new file mode 100644
index 000000000000..2e04be952d55
--- /dev/null
+++ b/ops/secrets/gerrit-queue.age
Binary files differdiff --git a/ops/secrets/gerrit-secrets.age b/ops/secrets/gerrit-secrets.age
new file mode 100644
index 000000000000..9ad123d578d4
--- /dev/null
+++ b/ops/secrets/gerrit-secrets.age
Binary files differdiff --git a/ops/secrets/grafana.age b/ops/secrets/grafana.age
new file mode 100644
index 000000000000..eef349d64c09
--- /dev/null
+++ b/ops/secrets/grafana.age
@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw 0h55HIHm0kf6LqtI99LFUWBCoERBmpoF+anfnxjhDBU
+0bHlgfRABn51BoMwAIjUlaVnCr3ZDXkQPmFOiIV3TvI
+-> ssh-ed25519 zcCuhA 0vFMP1qFEiN4MUt+1qQCqtEovmO2d6QHj+KjHBrvqB4
+CUM2MDNPEKpksyCQmfDg/k/CKz7/ckgafw4aj0FLcmE
+-> ssh-ed25519 CpJBgQ Y971kTqyElTHpOw4D7mUfkIQFWELOBeuGPUE6bqSrXQ
+zt3ju2cqDfQJg9BsSsWcOGfPu5Q4XuIz0k2gasaRCPE
+-> ssh-ed25519 aXKGcg eNxh3cCMbxG/u4luhlE2WQVzFMlZIcDKDx4dcpK43hY
+HGJZYkWbYA0I7HtArCz9ErXwAAfOBHe20JH1J5Bx904
+-> ssh-ed25519 OkGqLg a1+l3dkThz8LLp7C1D9l7CzdB8Q4hxjNzaY7B6HMSnQ
+du3nw0b61TGdF91Mq7C/PpjDlnIIph1dVEIivcDpM7M
+-> \gwpw]-grease p#:x#sA ^S5*A/ ZpY
+1rTU2Rc5MnpJj8zwOK4yR9HvDPOiKjCKHOURq6ak4SUmEgqqyqoujzRaL4I0cKf0
+zMFTkoKnLXjjLiHyvJWqCGwCRq9veUsTiJ6jqs+y6L+YaT71qDzDXi3YfX2p
+--- hraNRaUxkHCnhk6AC/3jyxaAj1gyyIi0Q7cqoupcRrA
+��:�'�!�37� �s�+0�@��ׯ��d�?�!%�l�ش�͎�;����
2������B��!�/��g����/��:wuՉ���[��~�������p��F�
\ No newline at end of file
diff --git a/ops/secrets/irccat.age b/ops/secrets/irccat.age
new file mode 100644
index 000000000000..2002b15c4957
--- /dev/null
+++ b/ops/secrets/irccat.age
Binary files differdiff --git a/ops/secrets/journaldriver.age b/ops/secrets/journaldriver.age
new file mode 100644
index 000000000000..c58773f36b21
--- /dev/null
+++ b/ops/secrets/journaldriver.age
Binary files differdiff --git a/ops/secrets/keycloak-db.age b/ops/secrets/keycloak-db.age
new file mode 100644
index 000000000000..54194df18383
--- /dev/null
+++ b/ops/secrets/keycloak-db.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw tWBrwZf6FNYAHRjoVV9/X6gJCXPqxZSoA01dvIrIOzg
+6W2A3smrrosM3sJgl5CT9vkCWqVKR3SaSxWS2nnwKJU
+-> ssh-ed25519 zcCuhA IS0OcHfEfb01xe+FJUe1poruK+uuP0MaJpeoGYyVAFY
+eEzcEYcW4KoKZZUEH/ha1nn9NudeK9HgPRgmrCWMjug
+-> ssh-ed25519 CpJBgQ 4mjCHMHfnGu2bhANPBNmcrZQrKBcPgZU+ll8opmvGCk
+0+Vd6pRPovUcKa9i37JVU/DUeYAmJ9D88MR4flA8gY8
+-> ssh-ed25519 aXKGcg WGCgCoViKLqndC35OTaExqZlPBDRwXRBJFuS7fw8n3Q
+kUHunOUgIsxXmOzMCwUFF/0dYiae8YZGmgZaz8gXPJo
+-> ssh-ed25519 OkGqLg LLIDJkImcqMjwRitnGevcav5YjDwYsQ//elx7fgbCQ4
+EnYTppSr/GKug9T+bFLGxrxUnNiXD5ODhB75OcH/h24
+-> j@-grease @:arA
+8EFNz7i8N3gbZEMaQw
+--- RkHJIg9pif/R47lgqrZD/XgkTETxXWkwW9QnFFsmfOA
+�o�]�~��6�+j�n]�l�+��K=ʽ	Z�p9����R��zVg u2���_
\ No newline at end of file
diff --git a/ops/secrets/mkSecrets.nix b/ops/secrets/mkSecrets.nix
new file mode 100644
index 000000000000..c99130835f15
--- /dev/null
+++ b/ops/secrets/mkSecrets.nix
@@ -0,0 +1,27 @@
+# Expose secrets as part of the tree, making it possible to validate
+# their paths at eval time.
+#
+# Note that encrypted secrets end up in the Nix store, but this is
+# fine since they're publicly available anyways.
+{ depot, lib, ... }:
+
+let
+  inherit (depot.nix.yants)
+    attrs
+    any
+    defun
+    list
+    path
+    restrict
+    string
+    struct
+    ;
+  ssh-pubkey = restrict "SSH pubkey" (lib.hasPrefix "ssh-") string;
+  agenixSecret = struct "agenixSecret" { publicKeys = list ssh-pubkey; };
+in
+
+defun [ path (attrs agenixSecret) (attrs any) ]
+  (path: secrets:
+  depot.nix.readTree.drvTargets
+    # Import each secret into the Nix store
+    (builtins.mapAttrs (name: _: "${path}/${name}") secrets))
diff --git a/ops/secrets/nix-cache-priv.age b/ops/secrets/nix-cache-priv.age
new file mode 100644
index 000000000000..0381fb12907f
--- /dev/null
+++ b/ops/secrets/nix-cache-priv.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw 0Pp+oYDW8qhXoui/ewFhOTP10+JNOMS5qw66SuVHsXg
+Usi+hC3pq8gzqp/taDJr2C+7fM1qxunhrngbyGrUMJ8
+-> ssh-ed25519 zcCuhA xO33hAmuSPrpYeZXX1saM6mPYL5M6biLtBrsxc73+is
+S/pyKMUvn7zjjL3uIy3AJCkag4HpoOTh5SMYx/ZJ+rU
+-> ssh-ed25519 CpJBgQ D1PyFsBzoKLMocbcQpy4PE7lFQGweoI7MJDuAzDRUhM
+9+7ofW8vB3ZdS4A9nU0Rq+c4AJQPTZ0Bo/R3z1FY3io
+-> ssh-ed25519 aXKGcg u7+l6RDdquEw0/e55x+Yx/W0+019qNsxJzR8DCkxwj0
+tseOgvoIQk5QG65IOqBg65n7ToFXTjHT+QhPT1/9PE0
+-> ssh-ed25519 OkGqLg Hsk569u9xxHWQZKNqqxpQbFaX4KDjS9VRqE808vh/kA
+kiaoD3XCcrqfYEbneU+L7b2yPHo6ioUhtpxI9uEVnJw
+-> a{7<M_-grease k~MV B{E[
+sc3e
+--- dvGSRVY+ZDyS4cLqY8yguVZraB/IZSPaexlGMKLvnlQ
+�(w����Η/Ӗ�W�$|Q��j�창z^�	]�
ݣm�$��%�.x�K�K���l[n�O75�wi��>���g�#�q4�^�k;\ehX�"w��������` 9��_��C�o�q������ݷ9mt���K�5�
\ No newline at end of file
diff --git a/ops/secrets/nix-cache-pub.age b/ops/secrets/nix-cache-pub.age
new file mode 100644
index 000000000000..ae06f49d69d7
--- /dev/null
+++ b/ops/secrets/nix-cache-pub.age
@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw +jfxfM1YDu5CoYtFeRWtpkUQhmFWn/kNBYsBnie7BVg
+XxL9l87hXD0zCUEwbSR9OHSYgpOw89Km5iyxPPnVDGQ
+-> ssh-ed25519 zcCuhA VAoDkN2gwErUFE/59V4IF9PbSBSleOjt2gosvYnHxWg
+Pf6eh8EfAdATjZIkQfhhqOXuJXIdwIpybITcn+rcutI
+-> ssh-ed25519 CpJBgQ C6zIv78gu+wBeAjhmXANegSNqGHnugemXBPQcTimgxg
+80109g83Hk+smWuZkTIZJ6VFQqJ+LU1boWKQIH1AHjc
+-> ssh-ed25519 aXKGcg lPb+kGr0vuJkQO6VutAm4Yh1CVi/XfqNdGbAh/B7ZRk
+h4xb++7I9iv8208oqY0xLruA1r62mepISFcusczdbgs
+-> ssh-ed25519 OkGqLg aOHt9OR8JChtYpclkgn9wCFnlayFje7WsMGQb8AqChU
+3VRTDMUwFtDcoxGU/wiBzTvS0SB/xOpBG6s+ENvAXVE
+-> Kow$7|\-grease
+8OGnQnY7gm4vMJRXjnBogA0HRU7hqIxs2sErFc7sV1CUNkZlFjdK8tZomlNwshjc
+p18HgtjJnaGhSqg1LyP7cJAo/XnSwDYCeNna/6vdlKBR3JeuOGTmx1NIG/cGSg
+--- w+jJplb/J3av+UcltcFf4qSqHoQ8Ol8lH/fFB3051Gw
+qI��e:1*`j8��s�nHcy��7����õ�(��.��x�D��_}�%�)P,D��6�S��H���U9�딬�0��8���\���'
\ No newline at end of file
diff --git a/ops/secrets/oauth2_proxy.age b/ops/secrets/oauth2_proxy.age
new file mode 100644
index 000000000000..f2ccf7e96d73
--- /dev/null
+++ b/ops/secrets/oauth2_proxy.age
Binary files differdiff --git a/ops/secrets/owothia.age b/ops/secrets/owothia.age
new file mode 100644
index 000000000000..177ee61383c9
--- /dev/null
+++ b/ops/secrets/owothia.age
@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw 8XtdgZ++/ZqmK4j8CO8oiuskTxjvKhWDK7fet5hbqiM
+Fs4O1vFtQL1JamnuCMPLzfzRPb90nxfXB6OXkyCMoHo
+-> ssh-ed25519 zcCuhA 6PNsPMdRXM77ci+mBQNRxr1oMGDNdlQilpUB0Q5es28
+APw2L/0htM9U0fJ1IUthdkoem/UTM/6NNQrgn4Vmpcs
+-> ssh-ed25519 CpJBgQ ed00il0q23M+3KH6hf5fFPaXGUKcz03Bn01jSoKiB1U
+jEN0Dk2edJBQreAlNE11sx0cI5u1mfFDT11Ev0KJ+gs
+-> ssh-ed25519 aXKGcg NocBhG6QGlWDZhjsA6Sxvjv9Gs+3Pq5gcOqnVdiefBg
+HYnqBv0pdPz8bqgZ98VDfYFeKcFNeuJrlOsyWt551Sg
+-> ssh-ed25519 OkGqLg e0081m/IkQafXh1gAWUZ2glYG7bklCG/LaUy63rK6gc
+G2RNMxCxRnqocYhiq142T8EPZQD8cRHHs7AHKFrMLaU
+-> +J}@hPk-grease
+406BMfqUt/KjayTopj4dNa4owPZphR6AsBXPurJwU/zV9ipirfW3oEeaprdh4uLg
+RHO0bSZQV1uu1YmbXkuwMaVj1cVn2vsDPEv3xG2SRzMoEpAAKaFCBba8
+--- 5ncLI9pS25vz5CebIZjPPDQ5cHISlyRFF55rGgFQnnM
+�$"�PK�&C�\�(�G�[��(
���D��lǺ�8��4��P��)�������B���Լ���c\�U:���(�
\ No newline at end of file
diff --git a/ops/secrets/panettone.age b/ops/secrets/panettone.age
new file mode 100644
index 000000000000..0be42dc0a779
--- /dev/null
+++ b/ops/secrets/panettone.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw zzUe0JqhICtd/kgZnXFpwaQ1Ma6nqy/hMWaOJpRHmDs
+4cR+OnWShG6MpB/u0yfsSxplEch7x7DbygfBiJGxOOs
+-> ssh-ed25519 zcCuhA 0RZEYC9IuazO9fROalwoOCIgc0j+rNBP3gw7SKG0yEw
+mPRhN0hvccEr1A9ihWAFMH4/24vpBKpxBVq4BKBMmYM
+-> ssh-ed25519 CpJBgQ VrmfTtTVxuQmpUxMxtXtCnr8pFyqwtdyLHdbzYrlKlM
+kHgEdPmoIOLnGuMF5F5Ol1yZWcactSE4OZI0BSmDN+g
+-> ssh-ed25519 aXKGcg On4jwgsH504ZjYRwfw5oAfIDk3wU0+xgd43ryAn9H0I
+fayzht1ZPPiFCjuYTdwVtJu2nOUg4wtp5IipOR4oJm8
+-> ssh-ed25519 OkGqLg mubp0xI0fvsKOAUaNaftFkHJ+bxgFHbgjn+A7sR8XVs
+X68Zr8HvC4/XPC0AFIA5f1SKu7NSR/23oeX8cW1qfis
+-> ?`-grease
+hOy2Rwvk6+vXpHWWA49Wp10wKbw9TfsLXw
+--- 9MLGx6BVm40C0CSV3bq6dnXrpy3QunBlh2/uO5OisUU
+dzG�<����Y�A�Vs��/-%�g��.�e@�,Z���F�W收&���<O�q@�>w�̛Q�>�-gǓ'���`
���X�ҟ�P8��x<RNv�9�#'/)��g�����m2���v��<,�7����邢��q���v���Q��AO�-�ژ�+g�c�#޵����*����e� -��)� �;
\ No newline at end of file
diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix
new file mode 100644
index 000000000000..3f7740a2e548
--- /dev/null
+++ b/ops/secrets/secrets.nix
@@ -0,0 +1,55 @@
+let
+  flokli = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTVTXOutUZZjXLB0lUSgeKcSY/8mxKkC0ingGK1whD2 flokli"
+  ];
+
+  tazjin = [
+    # tverskoy
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1fGWz/gsq+ZeZXjvUrV+pBlanw1c3zJ9kLTax9FWQy"
+
+    # zamalek
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDBRXeb8EuecLHP0bW4zuebXp4KRnXgJTZfeVWXQ1n1R"
+  ];
+
+  grfn = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMcBGBoWd5pPIIQQP52rcFOQN3wAY0J/+K2fuU6SffjA "
+  ];
+
+  sterni = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJk+KvgvI2oJTppMASNUfMcMkA2G5ZNt+HnWDzaXKLlo"
+  ];
+
+  sanduny = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOag0XhylaTVhmT6HB8EN2Fv5Ymrc4ZfypOXONUkykTX";
+  whitby = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILNh/w4BSKov0jdz3gKBc98tpoLta5bb87fQXWBhAl2I";
+
+  terraform.publicKeys = tazjin ++ grfn ++ sterni ++ flokli;
+  whitbyDefault.publicKeys = tazjin ++ grfn ++ sterni ++ [ whitby ];
+  allDefault.publicKeys = tazjin ++ grfn ++ sterni ++ [ sanduny whitby ];
+  sandunyDefault.publicKeys = tazjin ++ grfn ++ sterni ++ [ sanduny ];
+in
+{
+  "besadii.age" = whitbyDefault;
+  "buildkite-agent-token.age" = whitbyDefault;
+  "buildkite-graphql-token.age" = whitbyDefault;
+  "buildkite-ssh-private-key.age" = whitbyDefault;
+  "clbot-ssh.age" = whitbyDefault;
+  "clbot.age" = whitbyDefault;
+  "depot-inbox-imap.age" = sandunyDefault;
+  "depot-replica-key.age" = whitbyDefault;
+  "gerrit-queue.age" = whitbyDefault;
+  "gerrit-secrets.age" = whitbyDefault;
+  "grafana.age" = whitbyDefault;
+  "irccat.age" = whitbyDefault;
+  "journaldriver.age" = allDefault;
+  "keycloak-db.age" = whitbyDefault;
+  "nix-cache-priv.age" = whitbyDefault;
+  "nix-cache-pub.age" = whitbyDefault;
+  "oauth2_proxy.age" = whitbyDefault;
+  "owothia.age" = whitbyDefault;
+  "panettone.age" = whitbyDefault;
+  "smtprelay.age" = whitbyDefault;
+  "tf-buildkite.age" = terraform;
+  "tf-glesys.age" = terraform;
+  "tf-keycloak.age" = terraform;
+  "tvl-alerts-bot-telegram-token.age" = whitbyDefault;
+}
diff --git a/ops/secrets/smtprelay.age b/ops/secrets/smtprelay.age
new file mode 100644
index 000000000000..62fbaffadf6c
--- /dev/null
+++ b/ops/secrets/smtprelay.age
@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw CW2Lgm0tSWUDwKSNSX/aLkVzQ/QeEeQgU3NITpz2D0M
+F7dA+zWdCz21s443bj9zCz6lBsRlFIxiG+l8CdbuPFk
+-> ssh-ed25519 zcCuhA l8rsBoYDwhUB5stbeGXYTQ4Fz745ywXFCOQZn2cMBW0
+TycVcUZjR2TDv5DPC54+RwoU6Fj4QpRUJj1j0HM/JCE
+-> ssh-ed25519 CpJBgQ CbwZO5LmSxd0HRYkf+lV+ymFcXSn/49GAPHG4l1I7gw
+xSmab5+BnAZF/B0n32xX1qZPdHgfoEMGIuZqlpnISjc
+-> ssh-ed25519 aXKGcg Tr+odf9p1RBrQK1guR6ToeN4wG1KLA3jwiPIkgyEjws
+TaeCnjiRp8VZoMS5qs+OfVbBc6zudayD693h/eGvVOo
+-> ssh-ed25519 OkGqLg Dmnsqz6PKzMd6w4t+l6+EWuia+stPwSEtu00KVuAojo
+rZ/i1WJhrCM/ZQTAroRRSjzUVJw2UJlPUe1uHYqSscw
+-> w!^Z-grease i86O2 i0.Rch
+/zsRadAGYzAY6F/J5m6lMjmojkN7NbY3TbfQbA
+--- /rQgwuY9SVGLKeUzY5P6c+sGQ1I1aw5cQxmO46QKDSQ
+��(`���U ����,��c��|ґP�畠�9�@&	��gMߒ
+CH�3ik���3#|���g��M���A���g�A��nZ��Y��t�����2����K2ޘ�Y�
\ No newline at end of file
diff --git a/ops/secrets/tf-buildkite.age b/ops/secrets/tf-buildkite.age
new file mode 100644
index 000000000000..0cf6066fa604
--- /dev/null
+++ b/ops/secrets/tf-buildkite.age
Binary files differdiff --git a/ops/secrets/tf-glesys.age b/ops/secrets/tf-glesys.age
new file mode 100644
index 000000000000..4e50454b6214
--- /dev/null
+++ b/ops/secrets/tf-glesys.age
Binary files differdiff --git a/ops/secrets/tf-keycloak.age b/ops/secrets/tf-keycloak.age
new file mode 100644
index 000000000000..237b9377bd79
--- /dev/null
+++ b/ops/secrets/tf-keycloak.age
Binary files differdiff --git a/ops/secrets/tvl-alerts-bot-telegram-token.age b/ops/secrets/tvl-alerts-bot-telegram-token.age
new file mode 100644
index 000000000000..e897fedc03f5
--- /dev/null
+++ b/ops/secrets/tvl-alerts-bot-telegram-token.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw JGXCnhez0LnlUV8eOitxizmxw/gV+1taBRhNvwvVcms
+qsRTOpifnoc0eorFjd4UlP7O3hkRR3KjDUcImASK0jY
+-> ssh-ed25519 zcCuhA KUcyaHcmuqCGtJBzvc2UK17gRrjzuzIxll+TS9Q4nWs
+CAJ19ClA9Tqj1fcYySq+K9gdZe6Uv0toZLnhlovr3tM
+-> ssh-ed25519 CpJBgQ OAE+u9JuC6KoefjCOTj4NkQElZRe6/EEIAGBN/XelnU
+M9MHlKxbEBJ+gACo2FiYqmm1cAoYW31+nP16qnVZ7Zw
+-> ssh-ed25519 aXKGcg Ll6v6v5HpUIEuOzjpVsPMmPQMnNkmyB4fz/YwNXfCHU
+MmFQy2WkKn5SM0bhe4NNe/lMnneKoOF+Ufq0t0QjNbw
+-> ssh-ed25519 OkGqLg PS6KLwat1z2BSQ9sIKDaryVU39EJR+iiAaKSP/KSPk0
+qUQP2f4MFk83zQ9edlSNC8jwpJvmp2xhOysd8rnYzW4
+-> >NI-grease @mOcHT z|%,s- mw^c *
+zu0M2pS6v3zehnLg
+--- jltBYy9brAtpkEIqPoGmIVe3s5XnWtpa9EmuXlAf91c
+�t�dX2-�"��#�1��n'��\��'{Dlw;Pִ�@�����{��B	!y�+�x��
��W���B:wt�qph
\ No newline at end of file