From dc079778669968429b475c0e7ce020951fe769da Mon Sep 17 00:00:00 2001 
From: Vincent Ambo Date: Mon, 29 Jun 2020 22:14:45 +0100 Subject: [PATCH] chore(ops): Clean up old GCP infrastructure files This removes almost all of the GCP-infrastructure leftovers from my previous setup. The DNS configuration is retained, but moves to my user folder instead. Change-Id: I1867acd379443882f11a3c645846c9902eadd5b0 Reviewed-on: https://cl.tvl.fyi/c/depot/+/782 Tested-by: BuildkiteCI Reviewed-by: eta Reviewed-by: isomer --- README.md | 2 - bin/__dispatch.sh | 4 - bin/kms_pass | 1 - ci-builds.nix | 1 - default.nix | 7 -- ops/infra/.skip-subtree | 2 - ops/infra/gcp/.gitignore | 3 - ops/infra/gcp/default.tf | 116 ------------------ ops/infra/kubernetes/cgit/config.yaml | 80 ------------ ops/infra/kubernetes/gemma/config.lisp | 19 --- ops/infra/kubernetes/https-cert/cert.yaml | 8 -- ops/infra/kubernetes/https-lb/ingress.yaml | 43 ------- ops/infra/kubernetes/nginx/nginx.conf | 59 --------- ops/infra/kubernetes/nginx/nginx.yaml | 60 --------- ops/infra/kubernetes/nixery/config.yaml | 67 ---------- ops/infra/kubernetes/nixery/id_nixery.pub | 1 - ops/infra/kubernetes/nixery/known_hosts | 3 - ops/infra/kubernetes/nixery/secrets.yaml | 18 --- ops/infra/kubernetes/nixery/ssh_config | 4 - ops/infra/kubernetes/primary-cluster.yaml | 38 ------ ops/infra/kubernetes/website/config.yaml | 37 ------ ops/kms_pass.nix | 61 --------- ops/secrets/.skip-subtree | 1 - ops/secrets/gcsr-tazjin-password | Bin 186 -> 0 bytes ops/secrets/gmaps-api-key | Bin 121 -> 0 bytes ops/secrets/nixery-gcs-json | Bin 2416 -> 0 bytes ops/secrets/nixery-gcs-pem | Bin 3214 -> 0 bytes ops/secrets/nixery-ssh-private | Bin 1906 -> 0 bytes ops/secrets/sr.ht-token | Bin 114 -> 0 bytes overrides/kontemplate/default.nix | 13 -- .../dns => users/tazjin/cloud-dns}/import | 0 .../tazjin/cloud-dns}/kontemplate-works | 0 .../dns => users/tazjin/cloud-dns}/oslo-pub | 0 .../tazjin/cloud-dns}/root-tazj-in | 0 34 files changed, 648 deletions(-) delete mode 120000 bin/kms_pass delete mode 100644 
ops/infra/.skip-subtree
delete mode 100644 ops/infra/gcp/.gitignore
delete mode 100644 ops/infra/gcp/default.tf
delete mode 100644 ops/infra/kubernetes/cgit/config.yaml
delete mode 100644 ops/infra/kubernetes/gemma/config.lisp
delete mode 100644 ops/infra/kubernetes/https-cert/cert.yaml
delete mode 100644 ops/infra/kubernetes/https-lb/ingress.yaml
delete mode 100644 ops/infra/kubernetes/nginx/nginx.conf
delete mode 100644 ops/infra/kubernetes/nginx/nginx.yaml
delete mode 100644 ops/infra/kubernetes/nixery/config.yaml
delete mode 100644 ops/infra/kubernetes/nixery/id_nixery.pub
delete mode 100644 ops/infra/kubernetes/nixery/known_hosts
delete mode 100644 ops/infra/kubernetes/nixery/secrets.yaml
delete mode 100644 ops/infra/kubernetes/nixery/ssh_config
delete mode 100644 ops/infra/kubernetes/primary-cluster.yaml
delete mode 100644 ops/infra/kubernetes/website/config.yaml
delete mode 100644 ops/kms_pass.nix
delete mode 100644 ops/secrets/.skip-subtree
delete mode 100644 ops/secrets/gcsr-tazjin-password
delete mode 100644 ops/secrets/gmaps-api-key
delete mode 100644 ops/secrets/nixery-gcs-json
delete mode 100644 ops/secrets/nixery-gcs-pem
delete mode 100644 ops/secrets/nixery-ssh-private
delete mode 100644 ops/secrets/sr.ht-token
delete mode 100644 overrides/kontemplate/default.nix
rename {ops/infra/dns => users/tazjin/cloud-dns}/import (100%)
rename {ops/infra/dns => users/tazjin/cloud-dns}/kontemplate-works (100%)
rename {ops/infra/dns => users/tazjin/cloud-dns}/oslo-pub (100%)
rename {ops/infra/dns => users/tazjin/cloud-dns}/root-tazj-in (100%)
diff --git a/README.md b/README.md
index 0807fa276..b5ff0ae16 100644
--- a/README.md
+++ b/README.md
@@ -22,8 +22,6 @@ Twitter][]. * `tools/cheddar` contains a source code and Markdown rendering tool that is integrated with my cgit instance to render files in various views -* `ops/kms_pass.nix` is a tiny tool that emulates the user-interface of `pass`, - but actually uses Google Cloud KMS for secret decryption * `ops/kontemplate` contains my Kubernetes resource templating tool (with which the services in this repository are deployed!) * `ops/besadii` contains a tool that runs as the git diff --git a/bin/__dispatch.sh b/bin/__dispatch.sh index eddc20889..ad559fe96 100755 --- a/bin/__dispatch.sh +++ b/bin/__dispatch.sh @@ -19,10 +19,6 @@ case "${TARGET_TOOL}" in stern) attr="third_party.stern" ;; - kms_pass) - attr="ops.kms_pass" - TARGET_TOOL="pass" - ;; aoc2019) attr="fun.aoc2019.${1}" ;; diff --git a/bin/kms_pass b/bin/kms_pass deleted file mode 120000 index 8390ec9c9..000000000 --- a/bin/kms_pass +++ /dev/null @@ -1 +0,0 @@ -__dispatch.sh \ No newline at end of file diff --git a/ci-builds.nix b/ci-builds.nix index 1e98e8a04..b36b29326 100644 --- a/ci-builds.nix +++ b/ci-builds.nix @@ -61,7 +61,6 @@ in lib.fix (self: { depot.ops."posix_mq.rs" besadii journaldriver - kms_pass kontemplate mq_cli ]; diff --git a/default.nix b/default.nix index 8c7a35f99..9c54a7d47 100644 --- a/default.nix +++ b/default.nix @@ -24,13 +24,6 @@ let # Pass third_party as 'pkgs' (for compatibility with external # imports for certain subdirectories) pkgs = depot.third_party; - - kms = { - project = "tazjins-infrastructure"; - region = "europe-north1"; - keyring = "tazjins-keys"; - key = "kontemplate-key"; - }; }; readTree' = import ./nix/readTree {}; diff --git a/ops/infra/.skip-subtree b/ops/infra/.skip-subtree deleted file mode 100644 index cee24b757..000000000 --- a/ops/infra/.skip-subtree +++ /dev/null @@ -1,2 +0,0 @@ -Code under //ops/infra is mostly configuration for other tools, not -Nix derivations to be built. 
diff --git a/ops/infra/gcp/.gitignore b/ops/infra/gcp/.gitignore
deleted file mode 100644
index 96c7538dd..000000000
--- a/ops/infra/gcp/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-.terraform
-*.tfstate
-*.tfstate.backup
diff --git a/ops/infra/gcp/default.tf b/ops/infra/gcp/default.tf
deleted file mode 100644
index d2e31090b..000000000
--- a/ops/infra/gcp/default.tf
+++ /dev/null
@@ -1,116 +0,0 @@ -# Terraform configuration for the GCP project 'tazjins-infrastructure' - -provider "google" { - project = "tazjins-infrastructure" - region = "europe-north1" - version = "~> 2.20" -} - -# Configure a storage bucket in which to keep Terraform state and -# other data, such as Nixery's layers. -resource "google_storage_bucket" "tazjins-data" { - name = "tazjins-data" - location = "EU" -} - -terraform { - backend "gcs" { - bucket = "tazjins-data" - prefix = "terraform" - } -} - -# Configure enabled APIs -resource "google_project_services" "primary" { - project = "tazjins-infrastructure" - services = [ - "bigquery-json.googleapis.com", - "bigquerystorage.googleapis.com", - "cloudapis.googleapis.com", - "cloudbuild.googleapis.com", - "clouddebugger.googleapis.com", - "cloudfunctions.googleapis.com", - "cloudkms.googleapis.com", - "cloudtrace.googleapis.com", - "compute.googleapis.com", - "container.googleapis.com", - "containerregistry.googleapis.com", - "datastore.googleapis.com", - "distance-matrix-backend.googleapis.com", - "dns.googleapis.com", - "gmail.googleapis.com", - "iam.googleapis.com", - "iamcredentials.googleapis.com", - "logging.googleapis.com", - "monitoring.googleapis.com", - "oslogin.googleapis.com", - "pubsub.googleapis.com", - "run.googleapis.com", - "secretmanager.googleapis.com", - "servicemanagement.googleapis.com", - "serviceusage.googleapis.com", - "sourcerepo.googleapis.com", - "sql-component.googleapis.com", - "storage-api.googleapis.com", - "storage-component.googleapis.com", - ] -} - - -# Configure the main Kubernetes cluster in which services are deployed -resource "google_container_cluster" "primary" { - name = "tazjin-cluster" - location = "europe-north1" - - remove_default_node_pool = true - initial_node_count = 1 -} - -resource "google_container_node_pool" "primary_nodes" { - name = "primary-nodes" - location = "europe-north1" - cluster = google_container_cluster.primary.name - node_count = 1 - - node_config { - 
preemptible = true - machine_type = "n1-standard-2" - - oauth_scopes = [ - "storage-rw", - "logging-write", - "monitoring", - "https://www.googleapis.com/auth/source.read_only", - ] - } -} - -# Configure a service account for which GCS URL signing keys can be created. -resource "google_service_account" "nixery" { - account_id = "nixery" - display_name = "Nixery service account" -} - -# Configure Cloud KMS for secret encryption -resource "google_kms_key_ring" "tazjins_keys" { - name = "tazjins-keys" - location = "europe-north1" - - lifecycle { - prevent_destroy = true - } -} - -resource "google_kms_crypto_key" "kontemplate_key" { - name = "kontemplate-key" - key_ring = google_kms_key_ring.tazjins_keys.id - - lifecycle { - prevent_destroy = true - } -} - -# Configure the git repository that contains everything. -resource "google_sourcerepo_repository" "depot" { - name = "depot" -} diff --git a/ops/infra/kubernetes/cgit/config.yaml b/ops/infra/kubernetes/cgit/config.yaml deleted file mode 100644 index 73392adaa..000000000 --- a/ops/infra/kubernetes/cgit/config.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: gcsr-secrets -type: Opaque -data: - username: "Z2l0LXRhemppbi5nbWFpbC5jb20=" - # This credential is a GCSR 'gitcookie' token. - password: '{{ passLookup "gcsr-tazjin-password" | b64enc }}' - # This credential is an OAuth token for builds.sr.ht - sourcehut: '{{ passLookup "sr.ht-token" | b64enc }}' ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: cgit - labels: - app: cgit -spec: - replicas: 1 - selector: - matchLabels: - app: cgit - template: - metadata: - labels: - app: cgit - spec: - securityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - containers: - - name: cgit - image: nixery.local/shell/web.cgit-taz:{{ gitHEAD }} - command: [ "cgit-launch" ] - env: - - name: HOME - value: /git - volumeMounts: - - name: git-volume - mountPath: /git - - name: sync-gcsr - image: nixery.local/shell/ops.sync-gcsr:{{ gitHEAD }} - command: [ "sync-gcsr" ] - env: - - name: SYNC_USER - valueFrom: - secretKeyRef: - name: gcsr-secrets - key: username - - name: SYNC_PASS - valueFrom: - secretKeyRef: - name: gcsr-secrets - key: password - - name: SRHT_TOKEN - valueFrom: - secretKeyRef: - name: gcsr-secrets - key: sourcehut - volumeMounts: - - name: git-volume - mountPath: /git - volumes: - - name: git-volume - emptyDir: {} ---- -apiVersion: v1 -kind: Service -metadata: - name: cgit -spec: - selector: - app: cgit - ports: - - protocol: TCP - port: 80 - targetPort: 8080 diff --git a/ops/infra/kubernetes/gemma/config.lisp b/ops/infra/kubernetes/gemma/config.lisp deleted file mode 100644 index 517a658cf..000000000 --- a/ops/infra/kubernetes/gemma/config.lisp +++ /dev/null 
@@ -1,19 +0,0 @@ -(config :port 4242 - :data-dir "/var/lib/gemma/") - -(deftask bathroom/wipe-mirror 7) -(deftask bathroom/wipe-counter 7) - -;; Bedroom tasks -(deftask bedroom/change-sheets 7) -(deftask bedroom/vacuum 10) - -;; Kitchen tasks -(deftask kitchen/normal-trash 3) -(deftask kitchen/green-trash 5) -(deftask kitchen/blue-trash 5) -(deftask kitchen/wipe-counters 3) -(deftask kitchen/vacuum 5 "Kitchen has more crumbs and such!") - -;; Entire place -(deftask clean-windows 60) diff --git a/ops/infra/kubernetes/https-cert/cert.yaml b/ops/infra/kubernetes/https-cert/cert.yaml deleted file mode 100644 index c7a85275a..000000000 --- a/ops/infra/kubernetes/https-cert/cert.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: networking.gke.io/v1beta1 -kind: ManagedCertificate -metadata: - name: {{ .domain | replace "." "-" }} -spec: - domains: - - {{ .domain }} diff --git a/ops/infra/kubernetes/https-lb/ingress.yaml b/ops/infra/kubernetes/https-lb/ingress.yaml deleted file mode 100644 index 930affec7..000000000 --- a/ops/infra/kubernetes/https-lb/ingress.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -# This resource configures the HTTPS load balancer that is used as the -# entrypoint to all HTTPS services running in the cluster. ---- -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: https-ingress - annotations: - networking.gke.io/managed-certificates: tazj-in, git-tazj-in, www-tazj-in, oslo-pub -spec: - rules: - # Route website to, well, the website ... - - host: tazj.in - http: - paths: - - path: /* - backend: - serviceName: website - servicePort: 8080 - # Same for www.* (the redirect is handled by the website nginx) - - host: www.tazj.in - http: - paths: - - path: /* - backend: - serviceName: website - servicePort: 8080 - # Route git.tazj.in to the cgit pods - - host: git.tazj.in - http: - paths: - - path: /* - backend: - serviceName: nginx - servicePort: 6756 - # Route oslo.pub to the nginx instance which serves redirects - - host: oslo.pub - http: - paths: - - path: / - backend: - serviceName: nginx - servicePort: 6756 diff --git a/ops/infra/kubernetes/nginx/nginx.conf b/ops/infra/kubernetes/nginx/nginx.conf deleted file mode 100644 index 918aa6067..000000000 --- a/ops/infra/kubernetes/nginx/nginx.conf +++ /dev/null 
@@ -1,59 +0,0 @@ -daemon off; -worker_processes 1; -error_log stderr; -pid /run/nginx.pid; - -events { - worker_connections 1024; -} - -http { - log_format json_combined escape=json - '{' - '"time_local":"$time_local",' - '"remote_addr":"$remote_addr",' - '"remote_user":"$remote_user",' - '"request":"$request",' - '"status": "$status",' - '"body_bytes_sent":"$body_bytes_sent",' - '"request_time":"$request_time",' - '"http_referrer":"$http_referer",' - '"http_user_agent":"$http_user_agent"' - '}'; - - access_log /dev/stdout json_combined; - - sendfile on; - keepalive_timeout 65; - - server { - listen 80 default_server; - location / { - return 200 "ok"; - } - } - - server { - listen 80; - server_name oslo.pub; - - location / { - return 302 https://www.google.com/maps/d/viewer?mid=1pJIYY9cuEdt9DuMTbb4etBVq7hs; - } - } - - server { - listen 80; - server_name git.tazj.in; - - # Static assets must always hit the root. - location ~ ^/(favicon\.ico|cgit\.(css|png))$ { - proxy_pass http://cgit; - } - - # Everything else hits the depot directly. - location / { - proxy_pass http://cgit/cgit.cgi/depot/; - } - } -} diff --git a/ops/infra/kubernetes/nginx/nginx.yaml b/ops/infra/kubernetes/nginx/nginx.yaml deleted file mode 100644 index 61678a85b..000000000 --- a/ops/infra/kubernetes/nginx/nginx.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -# Deploy an nginx instance which serves ... redirects. ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: nginx-conf -data: - nginx.conf: {{ insertFile "nginx.conf" | toJson }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx - labels: - app: nginx -spec: - replicas: 2 - selector: - matchLabels: - app: nginx - template: - metadata: - labels: - app: nginx - config: {{ insertFile "nginx.conf" | sha1sum }} - spec: - containers: - - name: nginx - image: nixery.local/shell/third_party.nginx:{{ .version }} - command: ["/bin/bash", "-c"] - args: - - | - cd /run - echo 'nogroup:x:30000:nobody' >> /etc/group - echo 'nobody:x:30000:30000:nobody:/tmp:/bin/bash' >> /etc/passwd - exec nginx -c /etc/nginx/nginx.conf - volumeMounts: - - name: nginx-conf - mountPath: /etc/nginx - - name: nginx-rundir - mountPath: /run - volumes: - - name: nginx-conf - configMap: - name: nginx-conf - - name: nginx-rundir - emptyDir: {} ---- -apiVersion: v1 -kind: Service -metadata: - name: nginx -spec: - type: NodePort - selector: - app: nginx - ports: - - protocol: TCP - port: 6756 - targetPort: 80 diff --git a/ops/infra/kubernetes/nixery/config.yaml b/ops/infra/kubernetes/nixery/config.yaml deleted file mode 100644 index 0775e79b5..000000000 --- a/ops/infra/kubernetes/nixery/config.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -# Deploys an instance of Nixery into the cluster. -# -# The service via which Nixery is exposed has a private DNS entry -# pointing to it, which makes it possible to resolve `nixery.local` -# in-cluster without things getting nasty. ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nixery - namespace: kube-public - labels: - app: nixery -spec: - replicas: 1 - selector: - matchLabels: - app: nixery - template: - metadata: - labels: - app: nixery - spec: - containers: - - name: nixery - image: eu.gcr.io/tazjins-infrastructure/nixery:{{ .version }} - volumeMounts: - - name: nixery-secrets - mountPath: /var/nixery - env: - - name: BUCKET - value: {{ .bucket}} - - name: PORT - value: "{{ .port }}" - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/nixery/gcs-key.json - - name: GCS_SIGNING_KEY - value: /var/nixery/gcs-key.pem - - name: GCS_SIGNING_ACCOUNT - value: {{ .account }} - - name: GIT_SSH_COMMAND - value: 'ssh -F /var/nixery/ssh_config' - - name: NIXERY_PKGS_REPO - value: {{ .repo }} - - name: NIX_POPULARITY_URL - value: 'https://storage.googleapis.com/nixery-layers/popularity/{{ .popularity }}' - volumes: - - name: nixery-secrets - secret: - secretName: nixery-secrets - defaultMode: 256 ---- -apiVersion: v1 -kind: Service -metadata: - name: nixery - namespace: kube-public - annotations: - cloud.google.com/load-balancer-type: "Internal" -spec: - selector: - app: nixery - type: LoadBalancer - ports: - - protocol: TCP - port: 80 - targetPort: 8080 diff --git a/ops/infra/kubernetes/nixery/id_nixery.pub b/ops/infra/kubernetes/nixery/id_nixery.pub deleted file mode 100644 index dc3fd617d..000000000 --- a/ops/infra/kubernetes/nixery/id_nixery.pub +++ /dev/null 
@@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzBM6ydst77jDHNcTFWKD9Fw4SReqyNEEp2MtQBk2wt94U4yLp8MQIuNeOEn1GaDEX4RGCxqai/2UVF1w9ZNdU+v2fXcKWfkKuGQH2XcNfXor2cVNObd40H78++iZiv3nmM/NaEdkTbTBbi925cRy9u5FgItDgsJlyKNRglCb0fr6KlgpvWjL20dp/eeZ8a/gLniHK8PnEsgERQSvJnsyFpxxVhxtoUiyLWpXDl4npf/rQr0eRDf4Q5sN/nbTwksapPHfze8dKcaoA7A2NqT3bJ6DPGrwVCzGRtGw/SXJwFwmmtAl9O6BklpeReyiknSxc+KOtrjDW6O0r6yvymD5Z nixery diff --git a/ops/infra/kubernetes/nixery/known_hosts b/ops/infra/kubernetes/nixery/known_hosts deleted file mode 100644 index 7faf21f69..000000000 --- a/ops/infra/kubernetes/nixery/known_hosts +++ /dev/null @@ -1,3 +0,0 @@ -github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== -140.82.118.4 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== -[source.developers.google.com]:2022,[172.253.120.82]:2022 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB5Iy4/cq/gt/fPqe3uyMy4jwv1Alc94yVPxmnwNhBzJqEV5gRPiRk5u4/JJMbbu9QUVAguBABxL7sBZa5PH/xY= diff --git a/ops/infra/kubernetes/nixery/secrets.yaml b/ops/infra/kubernetes/nixery/secrets.yaml deleted file mode 100644 index d9a674d2c..000000000 --- a/ops/infra/kubernetes/nixery/secrets.yaml +++ /dev/null 
@@ -1,18 +0,0 @@
-# The secrets below are encrypted using keys stored in Cloud KMS and
-# templated in by kontemplate when deploying.
-#
-# Not all of the values are actually secret (see the matching)
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: nixery-secrets
- namespace: kube-public
-type: Opaque
-data:
- gcs-key.json: {{ passLookup "nixery-gcs-json" | b64enc }}
- gcs-key.pem: {{ passLookup "nixery-gcs-pem" | b64enc }}
- id_nixery: {{ printf "%s\n" (passLookup "nixery-ssh-private") | b64enc }}
- id_nixery.pub: {{ insertFile "id_nixery.pub" | b64enc }}
- known_hosts: {{ insertFile "known_hosts" | b64enc }}
- ssh_config: {{ insertFile "ssh_config" | b64enc }}
diff --git a/ops/infra/kubernetes/nixery/ssh_config b/ops/infra/kubernetes/nixery/ssh_config
deleted file mode 100644
index 78afbb0b0..000000000
--- a/ops/infra/kubernetes/nixery/ssh_config
+++ /dev/null
@@ -1,4 +0,0 @@
-Match host *
- User tazjin@google.com
- IdentityFile /var/nixery/id_nixery
- UserKnownHostsFile /var/nixery/known_hosts
diff --git a/ops/infra/kubernetes/primary-cluster.yaml b/ops/infra/kubernetes/primary-cluster.yaml
deleted file mode 100644
index 3d601b80c..000000000
--- a/ops/infra/kubernetes/primary-cluster.yaml
+++ /dev/null
@@ -1,38 +0,0 @@ -# Kontemplate configuration for the primary GKE cluster in the project -# 'tazjins-infrastructure'. ---- -context: gke_tazjins-infrastructure_europe-north1_tazjin-cluster -include: - # SSL certificates (provisioned by Google) - - name: tazj-in-cert - path: https-cert - values: - domain: tazj.in - - name: www-tazj-in-cert - path: https-cert - values: - domain: www.tazj.in - - name: git-tazj-in-cert - path: https-cert - values: - domain: git.tazj.in - - name: oslo-pub-cert - path: https-cert - values: - domain: oslo.pub - - # Services - - name: nixery - values: - port: 8080 - version: xkm36vrbcnzxdccybzdrx4qzfcfqfrhg - bucket: tazjins-data - account: nixery@tazjins-infrastructure.iam.gserviceaccount.com - repo: ssh://tazjin@gmail.com@source.developers.google.com:2022/p/tazjins-infrastructure/r/depot - popularity: 'popularity-nixos-unstable-3140fa89c51233397f496f49014f6b23216667c2.json' - - name: website - - name: cgit - - name: https-lb - - name: nginx - values: - version: a349d5e9145ae9a6c89f62ec631f01fb180de546 diff --git a/ops/infra/kubernetes/website/config.yaml b/ops/infra/kubernetes/website/config.yaml deleted file mode 100644 index 02de735b0..000000000 --- a/ops/infra/kubernetes/website/config.yaml +++ /dev/null @@ -1,37 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: website - labels: - app: website -spec: - replicas: 3 - selector: - matchLabels: - app: website - template: - metadata: - labels: - app: website - spec: - containers: - - name: website - image: nixery.local/shell/web.homepage:{{ gitHEAD }} - env: - - name: CONTAINER_SETUP - value: "true" - command: [ "homepage" ] ---- -apiVersion: v1 -kind: Service -metadata: - name: website -spec: - type: NodePort - selector: - app: website - ports: - - protocol: TCP - port: 8080 - targetPort: 8080 diff --git a/ops/kms_pass.nix b/ops/kms_pass.nix deleted file mode 100644 index 2399559b4..000000000 --- a/ops/kms_pass.nix +++ /dev/null 
@@ -1,61 +0,0 @@ -# This tool mimics a subset of the interface of 'pass', but uses -# Google Cloud KMS for encryption. -# -# It is intended to be compatible with how 'kontemplate' invokes -# 'pass.' -# -# Only the 'show' and 'insert' commands are supported. - -{ depot, kms, ... }: - -let inherit (depot.third_party) google-cloud-sdk tree writeShellScriptBin; -in (writeShellScriptBin "pass" '' - set -eo pipefail - - CMD="$1" - readonly SECRET=$2 - readonly SECRETS_DIR=${./secrets} - readonly SECRET_PATH="$SECRETS_DIR/$SECRET" - - function secret_check { - if [[ -z $SECRET ]]; then - echo 'Secret must be specified' - exit 1 - fi - } - - if [[ -z $CMD ]]; then - CMD="ls" - fi - - case "$CMD" in - ls) - ${tree}/bin/tree $SECRETS_DIR - ;; - show) - secret_check - ${google-cloud-sdk}/bin/gcloud kms decrypt \ - --project ${kms.project} \ - --location ${kms.region} \ - --keyring ${kms.keyring} \ - --key ${kms.key} \ - --ciphertext-file $SECRET_PATH \ - --plaintext-file - - ;; - insert) - secret_check - ${google-cloud-sdk}/bin/gcloud kms encrypt \ - --project ${kms.project} \ - --location ${kms.region} \ - --keyring ${kms.keyring} \ - --key ${kms.key} \ - --ciphertext-file $SECRET_PATH \ - --plaintext-file - - echo "Inserted secret '$SECRET'" - ;; - *) - echo "Usage: pass show/insert " - exit 1 - ;; - esac -'') // { meta.enableCI = true; } diff --git a/ops/secrets/.skip-subtree b/ops/secrets/.skip-subtree deleted file mode 100644 index 25dba2a34..000000000 --- a/ops/secrets/.skip-subtree +++ /dev/null @@ -1 +0,0 @@ -No Nix derivations under //ops/secrets 
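Review bot: Deleting ops/kms_pass.nix together with the ciphertexts under ops/secrets in the hunks that follow (gcsr-tazjin-password, gmaps-api-key, nixery-gcs-json, nixery-gcs-pem, nixery-ssh-private, sr.ht-token) removes them from the tree but not from history, and the key they were encrypted with (`tazjins-keys`/`kontemplate-key` in the deleted default.tf) is marked `prevent_destroy = true`, so any principal that retains decrypt permission on that key can still recover every one of them from an earlier revision. The commit message explains that the GCP setup is being retired but says nothing about the credentials themselves; I would add a sentence to the description along the lines of `The credentials formerly stored under ops/secrets have been rotated or revoked and the KMS key is scheduled for destruction.` or, if that has not happened, track it as a follow-up for the GCSR git-cookie, the sr.ht token, the Maps API key, the nixery GCS service-account key and the nixery SSH key. The SSH key's public half (id_nixery.pub, deleted earlier in this patch) and the `User tazjin@google.com` identity in the deleted ssh_config identify where that key was authorised, so removing it from those remotes belongs to the same cleanup.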
diff --git a/ops/secrets/gcsr-tazjin-password b/ops/secrets/gcsr-tazjin-password deleted file mode 100644 index 5893de13156097b581b2828506d37e2a37fa8d1b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 186 zcmd;5VYnFl=9|AoDC^z{ftI05xu zY~SM#YuY}rm*}37=eyUm;k?@c2Gu^}3C?qDcOS87_$#|>dEUQb$F9$dulOIm7jq|| z*nP&iFPodc)E+50e9wHfb*@ZA#sz`4pY v@WGdROWEdRsFb|Pu)O`WUNu1Xf2ZkDo!1&0Hq{qM9=BO>(p*wWIP^FG1vFjr 
diff --git a/ops/secrets/gmaps-api-key b/ops/secrets/gmaps-api-key deleted file mode 100644 index 6a4522646081398658723970a2921e7d1ab8437e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 121 zcmd;5VYnFl=38<`8*8}WrfH9?9@XzJvE)&Be&2iF>(00!ZHcRq-Tp#>3~l|-P2wNQ z3p>{QnziZQG@bb>b8pSu{fe7YZ~L8v8%}-&mUMdjrCu`+w{MFlQ~!U zR7SA6?0?l{m1x$|;?(E&_f6~h|I58j@LX?XnEQYEtZbpghwjTVOtb9;-WOd>yz2gp zpWR|g+DV;vvMm2*eOwftv+T>-y(jLP-?x45B)j@<)Zx4D@7{gOCSA|9oQbcFpS6C| zSJByuygw~UwtktV^+fCC9m9o8%WRH5)K3@vW^=P%Hg>00d&LULuY#9X@8E67KWSlF zTKPg*Rgra-c>lAD3kr7bTytl|CMO%V>MCBte@~Cjd&+rY%ere*mTmuXA%wT-x)66v z{>^WF?Te-`tq_gAShV=|MPmWmwi$1t*B;qlc2fPdqrm!zWp~^ITIJP`=a^s2n|Dz| zMNVl=bMns|#am_!cK^>Yh6`TK+FGPzTxRj(_xB2)y@LA=csS&=Y4ykbOyqbvXYtw` z`$clz?-rl@SHvQCc|H3Hg;b#>f--Lf`VJJGtZ|*FwJp|4@7L@{LjJZgHOu-UJXz-7 zcUT=2DW}vkMQM(1a{a2u|JmZD;!dtPW^JA~ee!5 z#TBm|llGcyZg{n7#q#Y68Y0o`yH8F&nz2eh&o`5!@x9o!gc?l|hd!aHiB2A~G=x<= zyb`}E=$3vm^_lYga;edwzth$({kumpwIu%a;)w#A?My!{T+6p=PILc@rHeY!Eh7&b zMfS^ZO<+5J_=Bqg%k98Dmp08_;AK9kC!)!m(fUrqI@uyoDXwqMYYy3kZA`3udh>Fq z;FHH@9U7f;1A^4=Do8JN6aF{(sG~q$-Oo?c4wf5LZ#jD6@OpS<~N`-(RX z4=u0O+ z**kmkRHvJcyYI1xR;8LBt^ekv5mj#T`392=&%XjLl}QYZ`VPfXIZ5V*{70`p_{I{} zaMb8`_?t-@J_nY?vmJW$Kq;(e(kJErMqFoihBRDXeO5)!=;@bFrAvOz*SAnsUmrSQ zTX4o^!>@m~Y%%??rQz=WM;FhrC7;ycmtN)JWd5V8>rIKj_nx#=g@(HiCVlALm~B(3 zQ>=eHVD|Id&#Y$&8~zWpVYz$s$S>U+66=1R^jE!dsPM`A&aE6>C!3d@Jg49}QD#eW zH2cZ66EUW{E}O0RowPxtvD;KwZHJH5?#`ITGYdz%Hb&zO%gxa+gLY= zUQm9wN>ud3u5HEe`@|3(^|bbIr^bUL#&;|Bcgi0zo6Z^O^;o&;=amCFA)N~|m$bj^2;{7~ zdhWu7S1)`F{hHKwcs}bs6y?pE;_r5|blvF}`&rUoM<|Oi@l0BM{AO9(fq%Y7Keo>f z|Ihm)>gM$`6Im^I7Y3e~9sGyOEpxLG*Q&+*^VtHQ6)qDg;W)L6WqPg^qtcn})2H%H z>itmpHR-dxcR-xzjqr@}9i0o#^WUDnDczwa<<+y7Gb?ZIVh%ido5^R7+C!!1CoDOh zmDfJsdfUE8FKy-x&xg$J7wTMJZj%b$y3;f|Up{}e`28o}!kg~%3FO$u)*D_doc@>V zyl?Q^qRqebwJVGsi>2)ReEabCBXbQ-UNLAanDasIf7F!d-h}7L0+$~M`0ma6)_wD} z((377S3mFnTFtR;VoRz8LtXHl<`vD)8wyKyWlfE5wNShAY}VuY+S#f9mEtbAcFm2- z*}t_fC`7&&!LtE^kY}x4i2e>to;Fv)23wxZHA$V|((Sn>nVZnYDgIbca1kR+iqq 
zm_1%H`rh6xW>2;1Vt;<`mwi9!gl3*{?+>X6sjj@t-wpSs)Z4aRnjP`9 zdA{udpLQ{`Gbb<2G4A57e4enLXSu=LC)#Is{L%gL_yfy@`ZNgvyIsCD`xd(~+w~X9 zZB&ruzIrh3Zq~xI8($9^w(-ZDTNagcQgv$u4|GiKy&<9=LpsmG(??S|%z#RZJY FM*%YHxv>BM 
diff --git a/ops/secrets/nixery-gcs-pem b/ops/secrets/nixery-gcs-pem deleted file mode 100644 index 798a1e5a66f823a90804a48a7252f798831cefbf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3214 zcmd;5VYnFl=3C)`t!rFWD&%kIKXBOo+(~$=qW@|Cev#8WOC9ewY%3RfD#6g!|J-Ej zYPGlv^RwTqG1+$bzE7aU{3ni&?f;5p@mD^d;%gFH&zyR`aaY;$l_{zro|ZiOE^pTR^5785 zuKO9x$*g~PqYHDZk^+LvUa;OXoNpadm}kV2qrv|~@@ zc3G=cRq;Cn7H{NUyXKm~-NZsOdFjYb--Eq1^1VGBjpu5O_TN8obE4t30*P?TeQudEjy^dw zO^|QL;w-<6DGZmN=a=4?*YsMwAZ3wuP3-cF7nx!&_ey2lQ{k~F<#;~t9kalhZ@i0d zOPZ#IPD;2?tsSdO%7H?5pov=)7+cD>ECe~sj(;@@^ zrtPm{&b~D^;+}R@r0?vq>l4h1O@w&$+~dA@|D3qw)&I%L4ZV+-91)p+e&v$LM%m7; zjeM4xKPJw}yQiP3>MXi!wdC}h(VQjg^tY^2*e3q2YBD3=9;ONB*#lQB;@;MOx_ySQ z?ZKl@1j8?h+9$6#x6GvU&V)$u)sMa2L@%B4w|(`7Pw|4%!AH+J&Yh&Z;^@}``-R8n zq~GoiI4K-$C8spqW0B2MA&YZQuk@-s5odoL?|xgw|8DOU-BmTZZvDMxCo-qrkLPCN zX#aI%y&9v(|F3FQuLJK@>ZJZRDa<(3@lnol9pk@n+k+El?-c&_}|v#w@NwvBo7p^q+QR@$E1Wlwl6%D$zk9$P-6=TrQt#(DJ% zjxe=xE!tSRBlJww`&1Rqjf}nWhht}Le8y(|Fy}EWqEo@o$2c-oYyp0R&Wal%oZ{MicU$~Ct(;9cb1zPc& zb|3a#n66MO_uv-im6*a$Z~Kxb`t*FL3+m|I8=Cm}%D%VH8m6=6=E_d}U3l8(gsSvB zCzU@9YmDV5zSh0rS^PUmpnU1-`N`rNTV)q0eC7Q5Jpc1W(|*m?O^eTpP`BVK z*JcGW*d?dj<$a}Le%Srow^J8`)GBAT9PbLf^vmP>i_fQb3$KWOGs7l*^>54Wt^FNO zZD-Yeb>~~&9vt5s5a2K=Vy1|2a>CZBl5=h@IIw?FQSfcu=Vx|Qx_+3x;iSrnB{q*1 zvf9ai7XFh`=21RxMn-Eh&ypz9N73q*wVZpVbscvuuzTK;kt$o-QZ#G(`BfP@H$znF z-alr3Xk3?7D3b4JbZ70Q&l?YTWuN}2?8^V2n_E!p~i6Ci%=c z`ThH`@DrT#G?qR1qGq@4eX8o)vRLQoyIF6!{=U{7x%BbvQsdv8CX@Z;t{pkCkzIR% zLfu{K&BB2O3G1ZlWx{@aK6G#5o%s=_H(KYY$_0BUoqKv;=<&juHD&` zc=&*ljODBxlaFD-`KLUXW`#1_>rL(`*gkh(&fVNx0r9?DpGxxGf2`YluKM!jGxIOR zeVrfjq;>a|x^+^`%x!k}EEk=bE2v=hl~?^ve)8Ai>k54xXX3WFao9c1Kiy$c#9^sF zxh*>Xd&U11o%I$KP6_sVj<{w2L{(YMb`lWY+#_h-KF{J!+&lTzwm&lL0Q z+vk(T5fM?wJNsDC9S8qQxv$skd##{c6)iqlrg_24OxYsU5^lY9>-7wbW)|m*_dh>x z;Q4S5|E@WP+HI%UK83A%ck%Uy18c?J2_3k#=Yi}&zM#L|;q{{1HTG=nh|k?^IJ@xi zjClFQrX~sD*R*Bc%50YW`zrd}!<;wQCN(oG<+b=W=S%nH=Nnu$Fl`qM7T+*=ZNGpn?je*5o4(AUQ?|S(VA1yVY$-uWb2KB=h^G08fX5xnVw?4 
zXO`4{7q`1rQ$C8GJoeONR(U69SB|B0-x4t{*Q;S)Go_--71Ymfu+TgqAp0Oc_qfeU zrz;{GjK0gNeeS%O)4}n|zc+33lcm}7lPAC0sM&j`h?8Naa6`-!f!<<^Uj~lTYV%}I zvR^yRB{Y#&wX@CFy*T0ii4{ppl@}c}xqJNm%f~n5m*(7mo;z3BtF$`&SM-nWi81?s z>eL>Kn2X)!rGfnIaHOs`&1IA>|I_rFebit@UISMw!z+voXjsn)%GT7d05 zHzV&c@4L~z)YrcWTk_*+;k4HVyE#OXJ{>t1uwt&s*1*P!>bbiTw?Fe~T2o_TC%Zqv zMC7h#`?H0dxqP+Dral#MHkg0PqXV~PyT;RPz>RD$hzJ0%Fg+Id(KaP8oOo-^VZMO@0@y;9hE%0i@EP>@RLKg z0+(>N?|f#&f7ySt^~dnc_sKc>w>&K-C^t;G7I3;#X8GL|g@PYu2PR#**&fhnzodBA zvu*#5@n;B}5?t&i{oAv+AxQPBZ-(akH`l+^WhNZ{b-nq_fufJP+MZ80@0jpnE^l6u zG3(7Oo)=!ZK7IQ+)Ozs|wL46+v|Bd_%imbf(DyI&ZQyq z5`wGN6fe1<^v}nxul~LLgC#weP50J5Shm}e;keiL%g--O-2P5>U(cp9$1X5!__pgr zJu5@IR?EB^j){A748B}0TKV;eSHOLttk$q^>=`?Xa`^@2rPQIX-%rJLlIn zPd}}hyrPRybpQ5ScBOh#Vn4)P+iJ7$Tk3>$y85<{N~%6PF>I&_;kvg|} zebuv^Hdk+>u#jhMcW2g|md9bU;^xlWb-GT<*5q=JKa+*EmW`ntr!)p?~=Irfr@uAK? zAHT1B6aDaUo2P79%)t-0nGYPB@Pf&In&ruL1;M*ibsoJ^Z03vxz?8!^!$8M>v1!+P-uavg3iZTeOk4*8d#s|@#GxR|luoA~7ZoQ|CLnhWDv>wk5qE>W4?&wp=~(b;bG|8t$dNI#tcl~9z5SMVYSpO^%N`n(EIuEU+n4dq8`hH#CCzF@aePt&#yi_$_rFmSH{E^7c&k>-!c=nt- zSDJ6Gjy!UuTcrA3y<;4c$=m(6R98s)s&R5Garnlp^?&2}pl3Vp33l}q8{TiUU6WMt zZeQf7*n7YK%5bwLJj!z2`)uN=>3exSr>@YjXcv>^m|-Dvc!9Odt`o^;vOnw&G%9My z3}m*c-EMRKy4t_1LD{np_4e3p`Kxn}f2Dq)viOV>TbnErpUxHVyu#D!&6TfyR#)$I z(>=QjY*uG;zGd{iec~iOeZGFJUC++t`-3f$valRxJOUgLP+-L_9hSM z?JNgu zRmUs}cQv^F|E|(55LCSLbJV(h{12HY@!4ewALP^cSv!SIU3b^30^Q&J==V$GHauSwWA z)%ynH$I|1!SFEpIW>YG1gq0^scXs^|$#>3eo|a5gwb&73`7! 
zUx?guWM~LBiJqimp=`ZI*kjhs*|o+y%75l`cx{#q*Is%x)#Jnk-UUx?vrbqmG_7CC z-u(QkvbU0YDVNTy6Y+Vp<@F*1c1b_JolNImZaC}pvQ%yU)RK8?4=q&ODAJTU_t%-l z+1h&S4Qcb+_Lt0=p}ey6SoLE8-;i0Rho4`V;ybIIgJ0-&x3CTSnS}0|b6%VNl?C6D z%-QyBg1B&uK|T8hRbxY8M(L>)tkuG7n;r@n3Y>lBvWl^;YNOk_=`)Y%@m*UVq7%Mk z9pJC!2a-WrpgPC<&Q#FeiB*`n6A;O_Iwks*PL14^D~` zW}lUI?o?p*`wf{Hh4=QlD$mmsc*pd6%It4fO=j4pC#)W$|xQTKV0(7;>q2F!W{9Kb^eAA^EBn}a!EL_P0W!zxBHJLb>Epd9VSdGZRy@S*HLTZ z&IwKTpH^R7W&H4TLj0=44ojsEpQQG%UCLKn(Dvf5SV83-k;h@TJ1)QS|98*&O5XpN z;2CeeTvvU;cuKEnQz+ZF4UQk~3I6%|+nnYBB@<5;i$mq`sX z4Oz`YD^6|FR}~JpSL1p1cJBAWtKTfo6#2_$JqYJ1-!E}p>_VBMDA)I2uZ@rHiepMH zjI#e`C-Yz~`@NVAoM9D4-RyP!ej;5=CZC^gKjNq{PydUCseYZyJwS<}jt7+~GE*VAr8SJk*`Hwp8 z-q*B~%V3$`xBD9&y*_#3a!gLkTK35seLrVQ#k2nDUGUc7Oz4!;>9cx+oQ_VgY6@mD zQ7fta6UzAT{q!lv_0paS9`0G`Zhs>B<3!ftCXWiXnssjeHhIV2?4Bf>*X}giFtA~s ziHFNkV@8?GPseJP=8CMZ-OhjLT$f~i*bQOVrytY|CBBLOI;nO${%H@>`t;v-_Q?Gc nzH|OaU&yL`d-@9QKFAF6iBY>}mGJrUg06=l57kP4FO&fQ_b{jp diff --git a/ops/secrets/sr.ht-token b/ops/secrets/sr.ht-token deleted file mode 100644 index 53eb0d16b0e1301e7f3af239e34b22e434b8bc98..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 114 zcmd;5VYnFl=G$kD%vT@G{{C!g7V~(YeK;#g)5+@gEzgD3GbRQ9-6bUC#n9IO+@$(j z{*~pIUP<-l#FicXIzKKrV=qtGf~aHQ75Z diff --git a/overrides/kontemplate/default.nix b/overrides/kontemplate/default.nix deleted file mode 100644 index 6147d1f46..000000000 --- a/overrides/kontemplate/default.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ depot, ... }: - -with depot; - -third_party.writeShellScriptBin "kontemplate" '' - export PATH="${ops.kms_pass}/bin:$PATH" - - if [[ -z $1 ]]; then - exec ${ops.kontemplate}/bin/kontemplate - fi - - exec ${ops.kontemplate}/bin/kontemplate $1 ${./../..}/ops/infra/kubernetes/primary-cluster.yaml ''${@:2} -'' diff --git a/ops/infra/dns/import b/users/tazjin/cloud-dns/import similarity index 100% rename from ops/infra/dns/import rename to users/tazjin/cloud-dns/import 
diff --git a/ops/infra/dns/kontemplate-works b/users/tazjin/cloud-dns/kontemplate-works
similarity index 100%
rename from ops/infra/dns/kontemplate-works
rename to users/tazjin/cloud-dns/kontemplate-works
diff --git a/ops/infra/dns/oslo-pub b/users/tazjin/cloud-dns/oslo-pub
similarity index 100%
rename from ops/infra/dns/oslo-pub
rename to users/tazjin/cloud-dns/oslo-pub
diff --git a/ops/infra/dns/root-tazj-in b/users/tazjin/cloud-dns/root-tazj-in
similarity index 100%
rename from ops/infra/dns/root-tazj-in
rename to users/tazjin/cloud-dns/root-tazj-in