feat(*): initialize new Snix infrastructure

Co-Authored-By: edef <edef@edef.eu> Co-Authored-by: Ryan Lahfa <raito@lix.systems> Change-Id: Ica1cda177a236814de900f50a8a61d288f58f519
2025-01-06 01:06:47 +01:00 · 2025-01-06 01:06:47 +01:00 · a52ea3675c
commit a52ea3675c
parent 067eff3427
124 changed files with 27723 additions and 1631 deletions
--- a/ops/secrets/alertmanager-irc-relay-environment.age
+++ b/ops/secrets/alertmanager-irc-relay-environment.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 +qVung MFR57YIw4IZk4ZGFyCDV/gr+iso4XLL40MmESBr8NQI
+6iyYl9pMtA309N3wQ5N7jA+rUN3DAcXq++dS5RFfaZc
+-> X25519 q2U7kDMrPfI1a4XyJV2IJ+gxIiRX/xNIs9cgKNs2Ym4
+2E6TQubnQ4QmJt5t8PNiN3bQHtM9WR+QapVljYnOkEw
+-> ssh-ed25519 C2zWnA ppTx3QL3a1xHqcYnfJkW5u0NtpCMPwL52lkLXYRB6is
+8Vyz/NgMYICueDaGDVQ962atmeI7JvTweMXjQoQLm8s
+-> ssh-ed25519 LzO4tw 2Z3IkWkmDSuGWtcuYEEiGVBB8olZMI6f5Ut14bZqgW8
+lRZExatm6jOLprlpSioWALwMHRurll48QNIXn7GwN7o
+--- oXp6GuozUs9gwzmGng/e0rDlerNKZJIi49ss+ZMAXRE
+,MÝ
+<EFBFBD>‰ï¤¾Ê†Ê5¸ì‹ëÔ[ëÉ3kËŸ€HÏþ-æ—ãßûfå.vów€0†€R_e„Dk±-
--- a/ops/secrets/buildkite-agent-token.age
+++ b/ops/secrets/buildkite-agent-token.age
@ -1,20 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 OkGqLg WT+iZEFDR8xC1ypj5lLjCc8Q8a3E/LSE29a8SyGpGwg
-1bwMz/pZPhrIpSXoWTda0ehVg9uHUA5LXu9ZOAp+jmE
-> ssh-ed25519 xR+E/Q 4LfYYJalhmJVWa3Edzy57LOeJAEKWazCNkhTlJisEVc
-Ab4PDdOHafkTcjRIzTs/hG92ueSF762TSIqsLTfM0oA
-> ssh-ed25519 dcsaLw RZyn6l7iV4BWo5SX/8qf54un21EMAfypdLUAfPpmdnE
-f15CElv+PEWR6C3O8V2qbBe+RFgm/sfhwwSWgbYK14Q
-> ssh-ed25519 zcCuhA 6eKqLkucV2KO9SEAFa4Lprq/+Hawi4EDkcZ83ktIbB8
-cJUyoe+e528ycKpmZbXb43QCixWudUCoVQYIFcy7UvM
-> ssh-ed25519 1SxhRA XSaYWJCKyuT0G8DOTEVBfRUp8SGJuMfCkwZcwG2BC3U
-x95KAtE1txHaE/DiAL1SRGKt/aoaGpCyyCdqDF1v3vY
-> ssh-ed25519 ch/9tw csU+Xmy01gzEtIeF8YubJWpdCLPUefnS25TqnAO3+C4
-tuDdDnwq35mdYFnZ0PTeGf/+wAbfrJKOpdtZvO2QX+c
-> ssh-ed25519 CpJBgQ hQzuceRkrMcq8anAXFDfEzpx50K+eP5vSy4bgmGMC28
-AfQORHySKKic2mkNTx8n/prxR8lbv6md28VV+Yjl0do
-> ssh-ed25519 aXKGcg kTkolPXSztb9g9xhpC/hDMwvbnsdkU36Mp/Zxk55QXc
-7LeNOwPwyCgHGV6pedl6XqXiKwsAVCjvfEMuChnwUN4
--- zbFSUb7Js+C+da2a14MNu/TZhpw7psLfD9EfK+awlEQ
-¦åDËÿ˜Rœ—@ˆDñƒOxå‡æ™[Vxß
-$²‹lC°Ù.°ŒWìœ]<y™½5¬ò‘C0~f
+-> ssh-ed25519 +qVung ZFmXZSq+DvoNCgZHoqGmc0oVoxotWOnSNgIWrv5GLVw
+x2lbZWRxOorYSlThNalW8F06vixFjB4cxvRoHbIMENU
+-> X25519 80hLko4Ont8T66KbHpegXfIcnbp8yNjS1cojiG7mvDY
+IbJYd0v8HdLhW+BziRD01Fmo94cDGR+0icvroonLlmo
+-> ssh-ed25519 C2zWnA XWgQLVQhfXI0H85TDhWur6AMeN5n60rHIbjF2T4N0Eo
+kzyRRjCPW9cLi37l+2E1kNbr5dzTUHgMH5oaFwoNqS0
+-> ssh-ed25519 3T2Xig O5spWbLSVZyYNhd45L+voflabSnO4mq/8pWjpvO9kng
+92q0DaERvVViCfEN3nW1lcXdQ1vbWndLfX6CW1ysoVs
+--- LiNoXoSE5LMHeQAXBWkn6hSEdEI94id7pm8UzLDN6Lo
+ŒÇê2dÄ=pÀ•£ÞOSâæ¥E8¡¬!§ëñsrZ	£:àOÄÖ•ŸcCs'Yˆ¦•ð
--- a/ops/secrets/buildkite-besadii-config.age
+++ b/ops/secrets/buildkite-besadii-config.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 +qVung 3fkpILP2v3cya4RR/kfpBWEDZtmo1jn5d6L3EgvVVFk
+6MsF0wGt/wfJTIgI0ahothPc2br3CplwRcoaDwLIkCQ
+-> X25519 n21xXX/pcmB/+3PG+wlMuq6gaNwuERCvQqxDMxhepGk
+VnbRBpA2zlIsrldqrJDYoSqivP69D5AVZ0xvo2w7dHQ
+-> ssh-ed25519 C2zWnA ixzmDD0Ilj76ukzutqTLDeTBIIvvPIFW89UUJEE4slU
+0IicUwhBo+9c+OxFge/UOYxRNfhzDt+Q2h+RagQnXfo
+-> ssh-ed25519 x3gRmg ni3Jasf1IV71UVgcTFbf/atIOddr2lolLjurLpiNG0s
+DA8WzuqXRMyY7gY62a7KNx04B54rV3g2tcNi2MiYmbA
+-> ssh-ed25519 3T2Xig cg5Ki93tWlaURC/KRqE32oExDnvfcvEIfKNIJC3dKyg
+ZfzJVZ2Bm6VVZUd6xOq77xbp5BWMcHdtAEB4LgdYIOg
+--- TjhYtdAV2Qit8SgQ1ktCQxN7nbq96EcEdjAdQ8nKcu4
+‡¾ïâáOÄï7_8ûjå¬‚ÅLëõ‰8Êœöçû§vÙõåÙ0Êd <64><&=âÍ-™Ä”J^;”\h–lmÈå×„»lÌøùìDú«aQ¯(5§¸Ç2Ã~Xã@qØs7ÇÊ ä-yU‚«vkðÛqÕ‡¦Íÿ÷'Eqc<11>R`GÍUï‰–ÂZ
Ð&mb'ˆ#
Ò´ÄÑ<C384>’¶ü¼²Òƒ$7kÃ¦Ÿ Å§¸£Ø®æÅyë›º¡Èy/"÷·  ,Ýö{‡c°Ö9çó\4ÜD[së¾<C3AB>å£êÍ0áù^bîTÔ‡ô a;©õgž4¯Pýå:‡ZÁ?úÆ2'6jœ[£ àG›klMƒ<k‡1ûn ã1n[9—$GX˜ê^dhîÛBR¬0–(fêµF®lî•›ó_/Fù¦÷ý§ê˜4Â…ÊI>Ø<>&Rµ¨KLÉŽo¼/Ž087ôP-«yŸþžðHí¼(ò”šFjÈÆ¶jµŸ
--- a/ops/secrets/buildkite-graphql-token.age
+++ b/ops/secrets/buildkite-graphql-token.age
@ -1,19 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 OkGqLg p2b6PpJcKcBQS6nUBtN33TTY/WhSkZyX11Qfr0uyji0
-YxLBGMuR4TYQkpyTZt/rjfNglqGCAPW6VqcSGDwUZJ4
-> ssh-ed25519 xR+E/Q 0rbUBI7F1Me6kkeeB5v7JLLXTvg4PlUiuVbo0LOlSg8
-9Np5qNztl7mQvM4r22icdmJsHisF2pnjmrefJ1FBKyc
-> ssh-ed25519 dcsaLw 3rf1PBUTKxMNdAwq5nfknBH5gtA/s1iOOc6p+U/0x0A
-tO4pzdD+z+6Npm9l3gVgLO71VJmiVSGq3FGaaWfSNzk
-> ssh-ed25519 zcCuhA Ad5xMaTCB8pcxy/X31vKsNhC3uCex/2+ykQ/1BdPMRE
-ENXTFjlPqNRARONR6lfRdpQdYxH7Pnu28JOBNN3eM2Q
-> ssh-ed25519 1SxhRA UCsz/7KohWfkOBK66YafcU93GLCrihY29Pnzdy4TID8
-RUvL9DqAc8a9okBKlnADYyNpyABbuHXinn+Uit2OKy4
-> ssh-ed25519 ch/9tw 6y9zzfdWun5WV5IQsWHSnEI6VhWvwWMuBfQRHvnnxg0
-FPIxsRo6cUYZ4jK03Lbj1kLkrEZsIa32p2IczSZTQvI
-> ssh-ed25519 CpJBgQ zEsWfAt2HUk3wHtnFzF0D4aKy4isM4AQLEdbkWh++j4
-3m50cqrB2FlkZy3dKT9UcCaeOlXsOyz+v2p0PD8n9hw
-> ssh-ed25519 aXKGcg +KQkCsVWzXl6Ed6KIv3jGU4UlQnKmgS2A47esh245ms
-fmrn4wUggVtnU0xLyVYqNcnScd/ZdECYVylrRID399s
--- S0uHuiqWz9M3xubQTE4OU39h74ENmRBD4p896amTuFU
-•³ë½L	È  bd&Ôú½êãK‡Þ+0¶7ô»"õ“\z‚	è. ôöY¥llŒ 
p~á¼«pLCEg÷²ÕI
+-> ssh-ed25519 +qVung MkmafLpQl6prK08B32McpcLtwx72k0bQ01oVtATnFgQ
+7E8fi0BHzulXux6xPLP+hw6ugSOuZXPrWHGNxpf4IcM
+-> X25519 q7N6ltSbhrdmFFOttgg2KB5AQ7fsrXlogMNM+eYf/ng
+KNiuCAjTK6/c8f2EIXolNC6nx8UycYTy4/L2ovnEi9E
+-> ssh-ed25519 C2zWnA U7793cywgqfxK+oeBawtbLazIjap/5v9MKfIDHzAsQ4
+1kQphItEbxQbIN9kbvcypgDh6Glzbvaz9CSSv3Flhq0
+-> ssh-ed25519 3T2Xig HEo6B3qYzxQlKosmFaIpjV917tNaoZaphDDH4e9enD4
+7FD4U32n7mUzBGNvx/kjeFbzxR4ntixqiQoethtQPm8
+--- Jae1QioQwGwCJzOvRdlvMUVRCj9g4lt7YiR0AZxkAU4
+þþ[½w?ò <20>§g©_,áÚU?V‹.Â€†º-I<ô!ÀEÉâŒù?™uÄë¡(+¬f»Àc!°U»Ç ßÿ2ãÀµœQr
--- a/ops/secrets/buildkite-ssh-private-key.age
+++ b/ops/secrets/buildkite-ssh-private-key.age
--- a/ops/secrets/forgejo-oauth-secret.age
+++ b/ops/secrets/forgejo-oauth-secret.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 +qVung 8iqOuW6HDFzo0OdoyM0E0hSIl/Ow0e5/PV7z0hkzCgU
+DYyC80e9XV/a91NBgkD+mOQfc4TCKJrMjL7z+/DAeWM
+-> X25519 C6/8kewhvSzFZG7ElpgVz8Pji3sKIpnvjH9PJWXZ0mM
+znSY1QbscbPqlEcATRyeJBUwwLyXWyT7i/CQu/XJg2s
+-> ssh-ed25519 C2zWnA Z2/nUTlz/ryC2CHeVuhmry9eIV2Oe8lH0hTpeyJfD1c
+GsE3eELzxivFKYfw2MXC/jJhdP6tooGVqUCfUjVSfzM
+-> ssh-ed25519 uZGziw EwZG9bpYuh8610nNV/9iP7v3c9WE82sijCvNbtoNTRM
+7yO2Bblf1fbGIuwfa3hF7T+xUmrEAtueDGTPtGkv1mE
+--- aZjZHNae86WtaWj/KYnLH12DsryG8WPsxLEBULJj1+A
+üÌuáõ †²Î#ýe–AÂÝÿ¥¾p<C2BE>é†^ñïfÌá««%líj-ráqö‹q¬ÞXÉ^Ì;&äÎh¨Ð+Pë7
--- a/ops/secrets/gerrit-oauth-secret.age
+++ b/ops/secrets/gerrit-oauth-secret.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 +qVung CNWkmpktIsB/XR4m20Zhhqb54CkxizUW8EU/UdYZ9DI
+Xt7Rjr9MzceUIvRqkszaBsrrYtgj9mVCYeKZmgw6Fm8
+-> X25519 UhegFmsgtO0412BIIyUhWKsokIuIVdzprxUzJQ4AWBA
+mzaUhweKSBbtSNlsoLOOQPUiYg7lubiZAjBaPApyMtg
+-> ssh-ed25519 C2zWnA qGtHvxEIG70n6DBaPIomDwZ61/UvUHk10SblLCaaL2A
+xFkJfWcpCE9+YwpQR5HE8KA7kEZy6UL5X78hFWvC5mI
+-> ssh-ed25519 x3gRmg 4BBGKNHHg7JBUeZ2bfeIQq5tSZBHP40ukJCX3yOLjgk
+JPVfhyh2G9XC4vt66Sv9Mu1dtJjuxadnASLo2aaLf8k
+--- Ttka8+om8tOvGOGDQu/xm0q1jLUdtmYLuKkDKB7u0ok
+9øp …ÊŠÔÐàö<C3A0>dŒú?Vº?eBÂ^%r3ñíWÔ|”Wf™àÀJäÐ’4ö»‡pœ¿¦ÿÖOb³n›·gÄdÊA
--- a/ops/secrets/gerrit-replication-key.age
+++ b/ops/secrets/gerrit-replication-key.age
--- a/ops/secrets/grafana-agent-password.age
+++ b/ops/secrets/grafana-agent-password.age
@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-ed25519 +qVung M6L0Lr7nf8C2Bvq3yK9BpDkbFShdYa8xJJNJfw6fSEM
+j/s8WqJlEySvUr52noQi8yclurRNWl8E/jKKpBiapyY
+-> X25519 pbd5f6XiLXiFQ6uV4P071j2Q6qCQzrK3aF3ln3C532k
+HvrV8RvjysTn8eSMqGVKwhCxjTEnvdm7hmde4hyCLRI
+-> ssh-ed25519 C2zWnA myuJkAJcbRLYNZJJk6UCu+lp5DjmesusJdpE2FbjNA4
+6YgIR3q7+27SQxHlKDJLLcESge21IaZcXXw0pkz0hSg
+-> ssh-ed25519 x3gRmg 2uQHWIxs9okVv+kSJaLXeTibUIsVzuFkLjluClzINQQ
+q1tCF2imWqStdjDsiUkmbl2jPYza4Gtht1IUw75uzpg
+-> ssh-ed25519 uZGziw Da2diR7zKn6aBbpJdqlTDow7wuICg0uS8hpvDr6bxSs
+mX/4Z66pX+kpA1Uw9pGxzdlEOdRmFrzaMIdCQH04XMg
+-> ssh-ed25519 3T2Xig yHEKJv/U07xcpAwCHlDTVKLcCIs8/eJ4fpm6ul9mb2M
+aHVfdIQcBlAoWuGJGqTfZUB/tROk1ZHlle/1BqDySGA
+-> ssh-ed25519 LzO4tw b46U8tzzshDbSAUlUVRoVMPd0mUHDgoEPhCH12Ew73Q
+EnlrYB+Hf47svM4Ha3BQVRIYGI+XaWUKLzbRvAa3M2I
+--- p5jfa1L6lRIgt/Twyi3EaFAWiUVrDLo051N2a61qkUw
+Øz'Ùy–#Ûá€Þ^&¶+7:®ÖÇgÀÑÂwtìyó4ŽjÆHZï]‘ÏÞGä|áÝFÞ2Ø¨ÊJ
--- a/ops/secrets/grafana-oauth-secret.age
+++ b/ops/secrets/grafana-oauth-secret.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 +qVung Jv9hZHfNQeWjgop6+YbfmYHCgRByjfyXmTvxoA9vZ2U
+lzwj3VNiFkjNgix5k7HLhqC9tt+poR+EilsEKBHQVaU
+-> X25519 f0zBSraN1uTvZNfybRJpDhDiXnohF5XDBZe1GCnGmhc
+2kNv3oO5flAxp8ESSXYu968tTBLEzg2K1YJP3KJlL0
+-> ssh-ed25519 C2zWnA 8jygqU5lD8UrybSLuE1gw0VM8YMwT2nqFkcykelZFUo
+7YJH6vUi1FSpIBZ9L5lchw0OPjokC8QTJZ+fRBNUQgE
+-> ssh-ed25519 uZGziw LkSTjIdlHXZCeVwiBatnbKZgmgYIJ2kzpXd4Kq2lpCA
+3GcixBxUmcwXGWhUB8lgGbrLtg+j3QTeCWtVL9i/t8w
+--- F2fzakv5un2T3gOOGi8aDqaFW666P765JkeBNuxDRTI
+Ï¨cã•ñZV÷Ð“
+÷Ú®`<60>ñìÃºáÇú-'È¢€+DMß=s\KUÚóbªÕù~T°C)cµHàãZm
--- a/ops/secrets/keycloak-db-password.age
+++ b/ops/secrets/keycloak-db-password.age
--- a/ops/secrets/keycloak-db.age
+++ b/ops/secrets/keycloak-db.age
@ -1,19 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 OkGqLg 85hbcQ9r29CC95B1CXO+uftm7ywhTeWCpklX4hOc2gU
-7EO8O5/eg1noB8nbl9XL+m8WAvLp6QnA25CiTsp5jfY
-> ssh-ed25519 xR+E/Q Hefp9fWCq9sWdgyKp3gNEO1p9yWFK4sYX8xMxkyy9G4
-JXofip2LGkJFDBb+6DegoFGDPjk8FGF+AqaAy5FPqwk
-> ssh-ed25519 dcsaLw IUoPTD1SfnY/wXXFcIc6h47fea6ukWAurUmfqwTQOAs
-G/YeKUk8IQXBQ1q8338HxUg2vXqmh8LOIHSX4Qn1CFo
-> ssh-ed25519 zcCuhA 2LrAbe+Jpsg6gFzbnx3ppDesbQSWqzHs2uOv9szb80U
-idJNMv6Lf0k2NsfOcm7it8LwPYxjdq7+LS7PUzQ89Qg
-> ssh-ed25519 1SxhRA idcz/kk9WyIA4I2NwzzPiMX0AmXkV3FTHxoE12n2eWQ
-e+4am77QT0fDv9Xgci4L+VsgFyKT4ZHjB0FWe76hV3g
-> ssh-ed25519 ch/9tw RNZWeD7W18wpcpBksipmib6vhHmaCP5iQeK4uLHU604
-bH/PJprw6+jEktmPnS3OrGMtJ/XHYVZQoQRdReLkLYM
-> ssh-ed25519 CpJBgQ w9gTapqMBoJl+C4sWIGIDCZpemRCEu1iDUUWFt2rW0A
-1nYU4UiHYT9vPASYHwunK2Td+acAmjzRpFpLioNneJc
-> ssh-ed25519 aXKGcg evsnA8cq5xz+0GdKT7cBZWckBpX+w05yLOOaOL4+0BM
-LigkUyewAl+O0KBKuykbwKzFTCY5n6lnCcarl2Vu0NE
--- KhA9LmsAYYPMrJrsJYZyEq04LvrMZkJaCL5Bt5ruYD0
-VÚOÜ{$®ÞÁ[ônÔýG7
/ÀgÔ0¾“ÊqCnˆé9ÝÃÙ(g¼ô<C2BC>¨®áb@¢
--- a/ops/secrets/metrics-push-htpasswd.age
+++ b/ops/secrets/metrics-push-htpasswd.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 +qVung sFiPxBiVIYJPK2dYZmzCJ4Xv6x0qPmAjBmegh3EN2RE
+oyQ7LKEKQK8R1fDFq5v9gLh4ZSYsRBKijz8jq638QKM
+-> X25519 MAlDEEtm8yz+mtLnsWTSw/iDMn9SsY20inGM4gwKsWc
+5l7cw0zHMOKXkYKxvFGNYGqMuLk8KQJKOCUnHNlQVaU
+-> ssh-ed25519 C2zWnA du7PyTSMnqJCQH/TXLh2uzhdjmnQbh6KxRJ5M5W9fxI
+GRaZU3cCe/wHNmnrMP5EeSf0Z3xtV/XRY41jc+fooUA
+-> ssh-ed25519 LzO4tw lQVDe2IUXkk30rn1C7LEnBAE92v1Tx/zTyiLT45DZHw
+HfynROGBmyICXVs0Gc+/yTlFazuz2WyCq80Y2ciNhwc
+--- 5ars0rPwU9G2blh2eOKmGt28AdawIPXAWuZrd79rKDw
+d<EFBFBD>{Ë‘ÛHøÒ^nožz”<<3C>CLý~îMˆ\EeN¯ï~µŸðW;"úÓYDpŽ7 tðˆ+ì-J¼ýã‰|q«¡Þ?/ß¹jFRX	õªØãÏbÁà¸¬jÂ,šuË'šë<C5A1>Ë¿ÓLE@¥æ
--- a/ops/secrets/mimir-environment.age
+++ b/ops/secrets/mimir-environment.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 +qVung P6nn2lXFAdzZmq9Uca1Y5V+yUuNe1NtTsb9v1GEpLTE
+iX//2OZXlnc5a8GDnFqc2AwvnE5F934YqrIHmasKXjI
+-> X25519 TTeB7TDM1XHpDU+5yn65j/wUKH1AA2qhv7FOWgxv3X4
+fS3BZ7dbToKruan7N8HW2YsHSCvy803Mdqc9VymonRE
+-> ssh-ed25519 C2zWnA YzTQJhSKUp9PsRjyY0NchhsdOCO29f1Gy6MyoxNJmmM
+Tr/K0YK+NrNvTuamgU3QANHMW4gFSzTX3fj3iJ27MNQ
+-> ssh-ed25519 LzO4tw 2Ea1tYhWtNV72FCqoZx7E4B0KhDxVBv88nhyFyBxkwk
+tYBPAYF4T40TIABaAZ79pCtJ9XGPRN4N7sDIlQreizg
+--- +0LKKglhNwUNcFTCFPXyjUSdao0xG6t18Z/2o/XIHj8
+(MLDîÖ=vümèø±j®óðIê4No@a5S¶“àéÑÑ×ùÑ+%
+ÐD±[¯>µÄg¤ºÌjMÍ´D5’(‚å&ie)‚æ`µ™¿>)äè¬wñqÑèowô:r³!å|¯øïz]ã{L‡°ëû
--- a/ops/secrets/mimir-webhook-url.age
+++ b/ops/secrets/mimir-webhook-url.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 +qVung GkyQbgnYLKVP5aStgR2xpTBWLQjRRrB0iZFh34bz6Ek
+5MkXZmVlI77MlI7Q4u7rJpXlOvy0lhSX0zMRlf5PnsE
+-> X25519 Ulq3EUtAo75G3++IwtcJ0HTV/WUJLxRD1CSlhDvBMjY
+YnYrw6Kgy9H9M3tS80wHr3aMDA4UJaZZqFVTFy5GL4k
+-> ssh-ed25519 C2zWnA V89wrBq9DMsnDc5OuO6Sd5Lah1r+QmVLjoQZE51ymzU
+On5m4AXJFBo5Egk66tqxViK2/C8/taLukADxwRpn7gU
+-> ssh-ed25519 LzO4tw 3rGT8uh5vI8uN1NrhSovG3KjVSLJBbxLrwz7vvOQVms
+DugUB6q10ckKY9MocAhrYiVwYrW5fhC7MgXnIdHbjfk
+--- h69fCsqmWgpINlubOaE0nq+pYwizAaMQjiuibM1hAXg
+Æ`ŠÈqÝ/ã¨†\,íài±â+HU|«»Áß–ã-æ!<21>ïŽ\ôõ
+Êéi„w¶ë˜'a˜P‚…‹
--- a/ops/secrets/mkSecrets.nix
+++ b/ops/secrets/mkSecrets.nix
@ -9,6 +9,7 @@ let
  inherit (depot.nix.yants)
    attrs
    any
+    either
    defun
    list
    path
@ -17,7 +18,8 @@ let
    struct
    ;
  ssh-pubkey = restrict "SSH pubkey" (lib.hasPrefix "ssh-") string;
-  agenixSecret = struct "agenixSecret" { publicKeys = list ssh-pubkey; };
+  age-pubkey = restrict "age pubkey" (lib.hasPrefix "age") string;
+  agenixSecret = struct "agenixSecret" { publicKeys = list (either age-pubkey ssh-pubkey); };
 in

 defun [ path (attrs agenixSecret) (attrs any) ]
--- a/ops/secrets/restic-bucket-credentials.age
+++ b/ops/secrets/restic-bucket-credentials.age
--- a/ops/secrets/restic-repository-password.age
+++ b/ops/secrets/restic-repository-password.age
@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-ed25519 +qVung fEPHUIHGP1lq7BefcyrrBhsh2pIcfBYOp8JdA8gLlF8
+xfSkbL06XJnDWwMYbYbDb9aL1ZiMFADPJMsA9Yc8OGc
+-> X25519 7A8fombypOBpzi0kY9KEaXXUaK2/TqZxDdA7xdBZq3s
+O+zKJvjLihSHagyexDWPb7B6BYXWtqDG5jNe1Cy7elE
+-> ssh-ed25519 C2zWnA THArgNXfZTE7IEDSx5btgH2M26LEWf7xil0fpvyG/HU
+IEhcR42wwsfZBzFomZQjyX3aTxM72Mq/9lYJypH4fCI
+-> ssh-ed25519 x3gRmg LppryFQR0QVRXNudhnH1xagauUB3qJku3tGwnP7uwnM
+E4Np7eNxtUWgCgeNeKKRHRUw3e2n7UJiVRRM6Rq6M1M
+-> ssh-ed25519 uZGziw omZBRMsKsgRgvV18Kx1RKrrT79T5Ec6AJLLqyZ8NcDY
+xofz1/6hFIYy9cX5xh59EYN5yXnTnoeLpqoaqF91NWA
+-> ssh-ed25519 3T2Xig UK5jbvRneWnyiWXIr7LOUofglIcLixZ1Kk3azGtLaSA
+tTzIXc8Z3rxyudWGRifZXdva4ThElZryfWQk/jO7Cl4
+-> ssh-ed25519 LzO4tw plLskc3SFPm2sXhZMLAPTC6abHbe4JP5+/utI29SI1Y
+qpna8eExCro5pqImBFDCOC4A6tSxp788qZU3U1ugqb8
+--- qyCRIv4thNmOpjMx3QHMxFFT04kLyvUiGnt7Goj4ri0
+›<EFBFBD>Î¿$C[Fe&>G¶›}©Ÿ%V66²2À¯w2<77>)Ö¤°Í<C2B0>
¬%;XvØzœJôà¬šR¹_/j½(¹yEqD]›
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@ -1,67 +1,59 @@
 let
-  tazjin = [
-    # tverskoy
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1fGWz/gsq+ZeZXjvUrV+pBlanw1c3zJ9kLTax9FWQy"
-
-    # zamalek
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDBRXeb8EuecLHP0bW4zuebXp4KRnXgJTZfeVWXQ1n1R"
-
-    # khamovnik
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID1ptE5HvGSXxSXo+aHBTKa5PBlAM1HqmpzWz0yAhHLj"
-
-    # arbat
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ1Eai0p7eF7XML5wokqF4GlVZM+YXEORfs/GPGwEky7"
+  raito = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICaw9ihTG7ucB8P38XdalEWev8+q96e2yNm4B+/I9IJp"
  ];

-  aspen = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMcBGBoWd5pPIIQQP52rcFOQN3wAY0J/+K2fuU6SffjA "
+  edef = [
+    "age1n8vj5s4s9vyl8cq76q3mxaj5yxhmeuzh3puffp27j59e6vsj9frq34f90r"
  ];

-  sterni = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJk+KvgvI2oJTppMASNUfMcMkA2G5ZNt+HnWDzaXKLlo"
+  flokli = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTVTXOutUZZjXLB0lUSgeKcSY/8mxKkC0ingGK1whD2 flokli"
  ];

-  flokli = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTVTXOutUZZjXLB0lUSgeKcSY/8mxKkC0ingGK1whD2 flokli";
+  gerrit01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+RCLAExaM5EC70UsCPMtDT1Cfa80Ux/vex95fLk9S4 root@gerrit01";
+  public01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICzB7bqXWcv+sVokySvj1d74zRlVLSNqBw7/OY3c7QYd root@public01";
+  build01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEteVaeN/FEAY8yyGWdAbv6+X6yv2m8+4F5qZEAhxW9f root@build01";
+  meta01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj2csTShq5PsmB/T0596TASyf7VImD4592HEqaYHgKh root@meta01";

-  sanduny = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOag0XhylaTVhmT6HB8EN2Fv5Ymrc4ZfypOXONUkykTX";
-  nevsky = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQe7M+G8Id3ZD7j+I07TCUV1o12q1vpsOXHRlcPSEfa";
-  bugry = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqG6sITyJ/UsQ/RtYqmmMvTT4r4sppadoQIz5SvA+5J";
+  superadmins = raito ++ edef ++ flokli;

-  admins = tazjin ++ aspen ++ sterni;
-  allHosts = [ sanduny nevsky bugry ];
-  for = hosts: {
-    publicKeys = hosts ++ admins;
-  };
+  allDefault.publicKeys = superadmins ++ [ gerrit01 public01 build01 meta01 ];
+  terraform.publicKeys = superadmins;
+  gerrit01Default.publicKeys = superadmins ++ [ gerrit01 ];
+  public01Default.publicKeys = superadmins ++ [ public01 ];
+  build01Default.publicKeys = superadmins ++ [ build01 ];
+  meta01Default.publicKeys = superadmins ++ [ meta01 ];
+  ciDefault.publicKeys = superadmins ++ [ gerrit01 build01 ];
 in
 {
-  "besadii.age" = for [ nevsky ];
-  "buildkite-agent-token.age" = for [ nevsky ];
-  "buildkite-graphql-token.age" = for [ nevsky ];
-  "buildkite-ssh-private-key.age" = for [ nevsky ];
-  "clbot-ssh.age" = for [ nevsky ];
-  "clbot.age" = for [ nevsky ];
-  "depot-inbox-imap.age" = for [ sanduny ];
-  "depot-replica-key.age" = for [ nevsky ];
-  "gerrit-autosubmit.age" = for [ nevsky ];
-  "gerrit-secrets.age" = for [ nevsky ];
-  "grafana.age" = for [ nevsky ];
-  "irccat.age" = for [ nevsky ];
-  "journaldriver.age" = for allHosts;
-  "keycloak-db.age" = for [ nevsky ];
-  "nix-cache-priv.age" = for [ nevsky ];
-  "nix-cache-pub.age" = for [ nevsky ];
-  "owothia.age" = for [ nevsky ];
-  "panettone.age" = for [ nevsky ];
-  "restic-bugry.age" = for [ bugry ];
-  "restic-nevsky.age" = for [ nevsky ];
-  "restic-sanduny.age" = for [ sanduny ];
-  "smtprelay.age" = for [ nevsky ];
-  "teleirc.age" = for [ nevsky ];
-  "tf-buildkite.age" = for [ /* humans only */ ];
-  "tf-glesys.age" = for [ /* humans only */ ];
-  "tf-keycloak.age" = for [ flokli ];
-  "tvl-alerts-bot-telegram-token.age" = for [ nevsky ];
-  "wg-bugry.age" = for [ bugry ];
-  "wg-nevsky.age" = for [ nevsky ];
-  "yc-restic.age" = for [ nevsky sanduny bugry ];
+  "grafana-agent-password.age" = allDefault;
+
+  "restic-repository-password.age" = allDefault;
+  "restic-bucket-credentials.age" = allDefault;
+
+  "keycloak-db-password.age" = public01Default;
+  "gerrit-oauth-secret.age" = gerrit01Default;
+  "gerrit-replication-key.age" = gerrit01Default;
+  "gerrit-autosubmit.age" = gerrit01Default;
+
+  "forgejo-oauth-secret.age" = public01Default;
+  "grafana-oauth-secret.age" = public01Default;
+
+  "buildkite-agent-token.age" = build01Default;
+  "buildkite-ssh-private-key.age" = build01Default;
+  "buildkite-besadii-config.age" = ciDefault;
+  "buildkite-graphql-token.age" = build01Default;
+
+  "metrics-push-htpasswd.age" = meta01Default;
+  "alertmanager-irc-relay-environment.age" = meta01Default;
+  "mimir-environment.age" = meta01Default;
+  "mimir-webhook-url.age" = meta01Default;
+  "loki-environment.age" = meta01Default;
+
+  "tf-dns.age" = terraform;
+  "tf-keycloak.age" = terraform;
+  "tf-hcloud.age" = terraform;
+  "tf-hetzner-s3.age" = terraform;
+  "tf-buildkite.age" = terraform;
 }
--- a/ops/secrets/tf-buildkite.age
+++ b/ops/secrets/tf-buildkite.age
--- a/ops/secrets/tf-dns.age
+++ b/ops/secrets/tf-dns.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 +qVung bfXcCFJcGZMG7wn8/9WXcZNZ5GlinAZWMAcC1NhQ1Fk
+NNw4bHM7t3UFYapqdSwfY5y+2vAVUsEtP42KUYRO5QI
+-> X25519 wNi7DKA0ego6INa6mKuqy3JDfj3bt6EAz5wdcBIuwF4
+mnTNxiy4NXCBb6L8SKbFSfyBaVt9q2bq33DxHh7RhaI
+-> ssh-ed25519 C2zWnA JsfydhJKmS72cyDYruJiq0AXStdZRfTeluZg7iSbS10
+kUrGkroP+sGLvHZKtOOsZg+PO18VjdEqgcIUlPiQbp4
+--- KHJEkrcyHBIUPQaLKydcvd3uxue+2hDkJK4zze4BRYc
+&=áÏÂ·ö+êÈné€ßo€â}¶mæ¶örÖP¸	<@¦À¶ÿU‘ÒÍ. ‰øóU5¼1ÒDŒze»Ø …‘u<E28098>Þ%…Uö¯ÿ7“J<E2809C>‹ë\”÷h4vn»‰:§¶’n–·Ú€Ü©ÑêqºQ§ƒùÛ&¸í¥K÷•Ãxm¾—‚ÚÝ-È`åó,Æ|ÚÐ§!ö¦ã:¢ÉløPl”é6ï+¥ÁxîFu$’‚¬X·>kG:üÒ<C3BC> ½!›é¸=‰¸”ò±²Åz,\k	¬s&w;¥<>aOÛ¯ÌVçjÅg-«ÜÞ
--- a/ops/secrets/tf-hcloud.age
+++ b/ops/secrets/tf-hcloud.age
--- a/ops/secrets/tf-hetzner-s3.age
+++ b/ops/secrets/tf-hetzner-s3.age
--- a/ops/secrets/tf-keycloak.age
+++ b/ops/secrets/tf-keycloak.age