From 6b3eed1fb50552189e945cc11b14d8588bcad1ef Mon Sep 17 00:00:00 2001 From: Vincent Ambo Date: Thu, 17 Feb 2022 12:33:37 +0300 Subject: [PATCH] feat(ops/secrets): Add journaldriver key This changes the structure of secrets.nix a bit to split between secrets for whitby, and secrets for all TVL machines. Change-Id: I791f0ce42a16b33051e24a7a6c5b153761ed9eb3 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5300 Reviewed-by: sterni Tested-by: BuildkiteCI Autosubmit: tazjin --- ops/secrets/journaldriver.age | Bin 0 -> 3014 bytes ops/secrets/secrets.nix | 43 ++++++++++++++++++---------------- 2 files changed, 23 insertions(+), 20 deletions(-) create mode 100644 ops/secrets/journaldriver.age 
diff --git a/ops/secrets/journaldriver.age b/ops/secrets/journaldriver.age new file mode 100644 index 0000000000000000000000000000000000000000..e9c182b7af5fe2678bfc170c5013037539654e8b GIT binary patch literal 3014 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSnNiI(GDOV^8(6%%w zHTEeiPb*J%HVzB$_qXsjH8u@O%1kvjGSjxm^hhsssZ7tyGvIPD3Gj%lNVPC`OV^Lc zaM3pnc65nINl$SPu*lFZDsqpEDo?k_i%fRT^F+7JxxmXQJy5|lqR2C#BG=5%#3@4G z#KR@Tu(T*7K;Jw()yXo$Ezc{^sLI*IGT6Vw-IXiMxzfYfxyZ}AFx4QZvM?!I+p#>u z+rqpwtz26_$2lO~sXQ|=Jkh7f)fL^g#0YQqv<0d@rvGVLV2k8ne{+v0CyNNDoB+>6|G>=b zBIEQ5eQ(!fqm;-%&p>qBoFWQJasw6249zT^Omj-i6U{9w9L-HrO(Oz*i`^W}{Ht92 zL%bc`98L0zi}DN$T>`lZ^bI|#4D?gO{QdpQoU?<%f<4NO94$kgOWX{jDnrYXGD4C= zjr}t!Dlu&H&vq~LNms}X$ux)xH?l~r3J))Da}LV4OiK1hDvHo{ za>+7ub>vDZG%YnM$SCoOs!DOo@N`WK&QJ6zOUo_FtW31bN(v})G&86OFEy+vF#!3k zu2MI>C^fM-mCMzzBE&r+AjzvF&n?|CHKV9B%c(Lb%hj(SrzF|a*nmq{S63l8$-pT% zpunIiKd8bdryxD3vN*3STt6~IJIE|6%`)9vJ2AjCE66Fd)Pn2n;hH;^_OYdJCZ4r5 z;-2(DeUsyKi9O#JM1FmIQD67ris*Bt|4rryTK{fi!TIE-;=*xjmsRvFwO?p&ay1g!L7L*9yMmu^rp|bYD!+ z)HUk88(IY}HyJ4MTISb>I@gQ8U*s8GEw}sM;oWN_cG+Bh`Z#4}b#_6{%GL*Sq)$Kg z(Bf!)zgqqA{KrAZ8`8rzSjD{ep7elY(Q-Za=N;?3=7}@e>=k{)@wz*$)MWD8Kh1Z- z_Bd8|Tnf(lnrQr)cb|tYfBv`Zz3=BTm9o0Ky#FrXB`v!4=4AB^rMo9|?Tp|v622{e zO7xVb`CiuLe`ggeZENP9#Y+hV?WS0HBRbg>`i#em8mle&tvg3%o+f9SevjOYoXnoybdDqA@ zWbe_#erG~{o8Jw8Jo$sM%fcwe^R4o4`m?po&q(asw|n{&_Almkh2Psbe}CAmysch; z_RhV6uB-ok>Z#m#z=vtef~l?31C}Z?T?z~pys(g4S!}%)!_s9eds{BM<@sGy_?G7ORd3GSwYOLhSu+1f&ev7y z94q`+#@^aq>-9;&Lw2G6uD)&#bEb0HIg-f|hvy}f)m{Ig`%}hv?)w?D@9p1_ac)ml z@W}RJ$aCyDpJhsHQbv@(v?Uu@WPTBa~_|DBUw<_BHkq~#H)i1y2?yn8M9o76^ z$^ZSoiS~&N$60UPOg_N5Cw#V=`4p*FDJ(xWB=B6TIN~>F+M9)YVopaa2%Yr()l^n9 z>yuu4-$b$B5=betbJcjrFwbme^8tb4$?p?$`n4ABvi*?3vwlIgUvzU?QfR-#!vp?} zp2nBg=hbG_y09;uc$!*SiT|8&+VSTxCr=LkR zbgp`JXpV1|{q>Igv?q~&cZogm?3GPmEj+NmR!;nC#E$-N^^@lY9?th-*;lQ7KP}+d z|7_l!!k2%{?)NlZtQz$r;DXWAl9lCF%9|fAuu{IQR&nuec>3$}sWXpF@bTDKo@aLK z?{6;Ew5naj_O^{b+b*rB6S#9FZ~I%ZL$kAYPEomhs7x;GX?rZw@#+uHp0cev9O(bx 
zm9=^D;lh|LXD`o9I(~$U^S*UkF{kt9=k`|bl5TElz4cqJE+M!fF|_v0$_JZTI4cTW z9^PtSJiqj+C>wb%sg^u~D>FTFF`y;nSo4=V>vWP`t^TCauUN@cBex~fWnbWCk zs<)ltMo*)($WYJ2j$8E-LPNY>vCsIk?DvwF`sW`0eRM^7|CgPUUsdlm;+`DV+gTpe zc0~B}F~Kj}z8=e8{rUFOG_J4He(rdl@Hg_|M6)W>nO*z(H|$%Pbz;r&?VVDG7pk(` zu4~*=lk%`cs?~G(y!R_uueAQw4nEmyyYB8X0bk?mGum&jZ2ffL(Axr?H$S9>^COn3 zU-k91HrAXs$H_0Lv$gFD02J3r1B`%-%PF$MF%a)JyUM#=n!N3Wo1#`9gd(GGWrGAd@Tfz+^y6eTq&5XO3?!GG)vgLv2rb+vS%NORnt6@)TIQLfA`lHLI{a605_b#bD zzKOpqeE+BGMnQ$Mw;Z$+ z{cUpj?Bd|r!so7CZM3mdtGc)#&O}Jfd77M=+ME^_qo+yx+tFjc<0rFoHQvxh<`<0J!90pmM2 zQv8_|?wooP(P6W)>AU^!;JW6PoK)`CE%xVg4$b9u=2`vzL-L+N{+a^Q)wb9>qd3|Ng%B4s=|* zw#=znaOK1;oQ}p4M&-8lK^1SNs6M;T@7Nb3$nk#yFCYJ|LroG!KI-$rMcgmHpBU%T dc6s`DdvlW&?p7J{@!EkBPIDxy=UYx}005iidtU$m literal 0 HcmV?d00001 diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix index 2c08bb1ae..392abecde 100644 --- a/ops/secrets/secrets.nix +++ b/ops/secrets/secrets.nix 
@@ -12,28 +12,31 @@ let
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJk+KvgvI2oJTppMASNUfMcMkA2G5ZNt+HnWDzaXKLlo"
 ];
+ sanduny = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOag0XhylaTVhmT6HB8EN2Fv5Ymrc4ZfypOXONUkykTX";
 whitby = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILNh/w4BSKov0jdz3gKBc98tpoLta5bb87fQXWBhAl2I";
- default.publicKeys = tazjin ++ grfn ++ sterni ++ [ whitby ];
+ whitbyDefault.publicKeys = tazjin ++ grfn ++ sterni ++ [ whitby ];
+ allDefault.publicKeys = tazjin ++ grfn ++ sterni ++ [ sanduny whitby ];
 in
 {
- "besadii.age" = default;
- "buildkite-agent-token.age" = default;
- "buildkite-graphql-token.age" = default;
- "clbot-ssh.age" = default;
- "clbot.age" = default;
- "gerrit-queue.age" = default;
- "gerrit-secrets.age" = default;
- "grafana.age" = default;
- "irccat.age" = default;
- "keycloak-db.age" = default;
- "nix-cache-priv.age" = default;
- "nix-cache-pub.age" = default;
- "oauth2_proxy.age" = default;
- "owothia.age" = default;
- "panettone.age" = default;
- "smtprelay.age" = default;
- "tf-glesys.age" = default;
- "tf-keycloak.age" = default;
- "tvl-alerts-bot-telegram-token.age" = default;
+ "besadii.age" = whitbyDefault;
+ "buildkite-agent-token.age" = whitbyDefault;
+ "buildkite-graphql-token.age" = whitbyDefault;
+ "clbot-ssh.age" = whitbyDefault;
+ "clbot.age" = whitbyDefault;
+ "gerrit-queue.age" = whitbyDefault;
+ "gerrit-secrets.age" = whitbyDefault;
+ "grafana.age" = whitbyDefault;
+ "irccat.age" = whitbyDefault;
+ "journaldriver.age" = allDefault;
+ "keycloak-db.age" = whitbyDefault;
+ "nix-cache-priv.age" = whitbyDefault;
+ "nix-cache-pub.age" = whitbyDefault;
+ "oauth2_proxy.age" = whitbyDefault;
+ "owothia.age" = whitbyDefault;
+ "panettone.age" = whitbyDefault;
+ "smtprelay.age" = whitbyDefault;
+ "tf-glesys.age" = whitbyDefault;
+ "tf-keycloak.age" = whitbyDefault;
+ "tvl-alerts-bot-telegram-token.age" = whitbyDefault;
 }
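Review bot: The human recipient list `tazjin ++ grfn ++ sterni` is now written out twice, once in `whitbyDefault.publicKeys` and once in `allDefault.publicKeys`, so removing or rotating a person's key has to be done in both places or the two recipient sets drift apart. Binding it once, e.g. `admins = tazjin ++ grfn ++ sterni;` followed by `whitbyDefault.publicKeys = admins ++ [ whitby ];` and `allDefault.publicKeys = admins ++ [ sanduny whitby ];`, leaves the host keys as the only difference between the sets. `allDefault` would also benefit from a comment such as `# every TVL host; when a machine is added, extend this list and re-encrypt the secrets that use it`, because the name suggests a set that grows on its own while the hunk shows a hand-maintained list of two hosts, and age recipients are fixed at encryption time. The `let` block begins above the hunk, so the definitions of `tazjin`, `grfn` and `sterni` are not visible here.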