chore(ops): Clean up old GCP infrastructure files

This removes almost all of the GCP-infrastructure leftovers from my
previous setup.

The DNS configuration is retained, but moves to my user folder
instead.

Change-Id: I1867acd379443882f11a3c645846c9902eadd5b0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/782
Tested-by: BuildkiteCI
Reviewed-by: eta <eta@theta.eu.org>
Reviewed-by: isomer <isomer@tvl.fyi>
Vincent Ambo 2020-06-29 22:14:45 +01:00 committed by tazjin
parent d3f9cb0ec3
commit dc07977866
34 changed files with 0 additions and 648 deletions


@ -1,2 +0,0 @@
Code under //ops/infra is mostly configuration for other tools, not
Nix derivations to be built.


@ -1,11 +0,0 @@
#!/bin/sh
set -ue
# Imports a zone file into a Google Cloud DNS zone of the same name
readonly ZONE="${1}"
gcloud dns record-sets import "${ZONE}" \
--project composite-watch-759 \
--zone-file-format \
--delete-all-existing \
--zone "${ZONE}"


@ -1,15 +0,0 @@
;; -*- mode: zone; -*-
;; Do not delete these
kontemplate.works. 21600 IN NS ns-cloud-d1.googledomains.com.
kontemplate.works. 21600 IN NS ns-cloud-d2.googledomains.com.
kontemplate.works. 21600 IN NS ns-cloud-d3.googledomains.com.
kontemplate.works. 21600 IN NS ns-cloud-d4.googledomains.com.
kontemplate.works. 21600 IN SOA ns-cloud-d1.googledomains.com. cloud-dns-hostmaster.google.com. 4 21600 3600 259200 300
;; Github site setup
kontemplate.works. 60 IN A 185.199.108.153
kontemplate.works. 60 IN A 185.199.109.153
kontemplate.works. 60 IN A 185.199.110.153
kontemplate.works. 60 IN A 185.199.111.153
www.kontemplate.works. 60 IN CNAME tazjin.github.io.


@ -1,8 +0,0 @@
;; Do not delete these
oslo.pub. 21600 IN NS ns-cloud-c1.googledomains.com.
oslo.pub. 21600 IN NS ns-cloud-c2.googledomains.com.
oslo.pub. 21600 IN NS ns-cloud-c3.googledomains.com.
oslo.pub. 21600 IN NS ns-cloud-c4.googledomains.com.
oslo.pub. 21600 IN SOA ns-cloud-c1.googledomains.com. cloud-dns-hostmaster.google.com. 4 21600 3600 1209600 300
oslo.pub. 60 IN A 46.21.106.241


@ -1,33 +0,0 @@
;; -*- mode: zone; -*-
;; Do not delete these
tazj.in. 21600 IN NS ns-cloud-a1.googledomains.com.
tazj.in. 21600 IN NS ns-cloud-a2.googledomains.com.
tazj.in. 21600 IN NS ns-cloud-a3.googledomains.com.
tazj.in. 21600 IN NS ns-cloud-a4.googledomains.com.
tazj.in. 21600 IN SOA ns-cloud-a1.googledomains.com. cloud-dns-hostmaster.google.com. 123 21600 3600 1209600 300
;; Email setup
tazj.in. 300 IN MX 1 aspmx.l.google.com.
tazj.in. 300 IN MX 5 alt1.aspmx.l.google.com.
tazj.in. 300 IN MX 5 alt2.aspmx.l.google.com.
tazj.in. 300 IN MX 10 alt3.aspmx.l.google.com.
tazj.in. 300 IN MX 10 alt4.aspmx.l.google.com.
tazj.in. 300 IN TXT "v=spf1 include:_spf.google.com ~all"
google._domainkey.tazj.in. 21600 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9AphX/WJf8zVXQB5Jk0Ry1MI6ARa6vEyAoJtpjpt9Nbm7XU4qVWFRJm+L0VFd5EZ5YDPJTIZ90lJE3/B8vae2ipnoGbJbj8LaVSzzIPMbWmhPhX3fkLJFdkv7xRDMDn730iYXRlfkgv6GsqbS8vZt7mzxx4mpnePTI323yjRVkwRW8nGVbsmB25ZoG1/0985" "kg4mSYxzWeJ2ozCPFhT4sfMtZMXe/4QEkJz/zkod29KZfFJmLgEaf73WLdBX8kdwbhuh2PYXt/PwzUrRzF5ujVCsSaTZwdRVPErcf+yo4NvedelTjjs8rFVfoJiaDD1q2bQ3w0gDEBWPdC2VP7k9zwIDAQAB"
;; Site verifications
tazj.in. 3600 IN TXT "keybase-site-verification=gC4kzEmnLzY7F669PjN-pw2Cf__xHqcxQ08Gb-W9dhE"
tazj.in. 300 IN TXT "google-site-verification=d3_MI1OwD6q2OT42Vvh0I9w2u3Q5KFBu-PieNUE1Fig"
www.tazj.in. 3600 IN TXT "keybase-site-verification=ER8m_byyqAhzeIy9TyzkAU1H2p2yHtpvImuB_XrRF2U"
;; Blog "storage engine"
blog.tazj.in. 21600 IN NS ns-cloud-c1.googledomains.com.
blog.tazj.in. 21600 IN NS ns-cloud-c2.googledomains.com.
blog.tazj.in. 21600 IN NS ns-cloud-c3.googledomains.com.
blog.tazj.in. 21600 IN NS ns-cloud-c4.googledomains.com.
;; Webpage records setup
tazj.in. 300 IN A 34.98.120.189
www.tazj.in. 300 IN A 34.98.120.189
git.tazj.in. 300 IN A 34.98.120.189
files.tazj.in. 300 IN CNAME c.storage.googleapis.com.


@ -1,3 +0,0 @@
.terraform
*.tfstate
*.tfstate.backup


@ -1,116 +0,0 @@
# Terraform configuration for the GCP project 'tazjins-infrastructure'
provider "google" {
project = "tazjins-infrastructure"
region = "europe-north1"
version = "~> 2.20"
}
# Configure a storage bucket in which to keep Terraform state and
# other data, such as Nixery's layers.
resource "google_storage_bucket" "tazjins-data" {
name = "tazjins-data"
location = "EU"
}
terraform {
backend "gcs" {
bucket = "tazjins-data"
prefix = "terraform"
}
}
# Configure enabled APIs
resource "google_project_services" "primary" {
project = "tazjins-infrastructure"
services = [
"bigquery-json.googleapis.com",
"bigquerystorage.googleapis.com",
"cloudapis.googleapis.com",
"cloudbuild.googleapis.com",
"clouddebugger.googleapis.com",
"cloudfunctions.googleapis.com",
"cloudkms.googleapis.com",
"cloudtrace.googleapis.com",
"compute.googleapis.com",
"container.googleapis.com",
"containerregistry.googleapis.com",
"datastore.googleapis.com",
"distance-matrix-backend.googleapis.com",
"dns.googleapis.com",
"gmail.googleapis.com",
"iam.googleapis.com",
"iamcredentials.googleapis.com",
"logging.googleapis.com",
"monitoring.googleapis.com",
"oslogin.googleapis.com",
"pubsub.googleapis.com",
"run.googleapis.com",
"secretmanager.googleapis.com",
"servicemanagement.googleapis.com",
"serviceusage.googleapis.com",
"sourcerepo.googleapis.com",
"sql-component.googleapis.com",
"storage-api.googleapis.com",
"storage-component.googleapis.com",
]
}
# Configure the main Kubernetes cluster in which services are deployed
resource "google_container_cluster" "primary" {
name = "tazjin-cluster"
location = "europe-north1"
remove_default_node_pool = true
initial_node_count = 1
}
resource "google_container_node_pool" "primary_nodes" {
name = "primary-nodes"
location = "europe-north1"
cluster = google_container_cluster.primary.name
node_count = 1
node_config {
preemptible = true
machine_type = "n1-standard-2"
oauth_scopes = [
"storage-rw",
"logging-write",
"monitoring",
"https://www.googleapis.com/auth/source.read_only",
]
}
}
# Configure a service account for which GCS URL signing keys can be created.
resource "google_service_account" "nixery" {
account_id = "nixery"
display_name = "Nixery service account"
}
# Configure Cloud KMS for secret encryption
resource "google_kms_key_ring" "tazjins_keys" {
name = "tazjins-keys"
location = "europe-north1"
lifecycle {
prevent_destroy = true
}
}
resource "google_kms_crypto_key" "kontemplate_key" {
name = "kontemplate-key"
key_ring = google_kms_key_ring.tazjins_keys.id
lifecycle {
prevent_destroy = true
}
}
# Configure the git repository that contains everything.
resource "google_sourcerepo_repository" "depot" {
name = "depot"
}


@ -1,80 +0,0 @@
---
apiVersion: v1
kind: Secret
metadata:
name: gcsr-secrets
type: Opaque
data:
username: "Z2l0LXRhemppbi5nbWFpbC5jb20="
# This credential is a GCSR 'gitcookie' token.
password: '{{ passLookup "gcsr-tazjin-password" | b64enc }}'
# This credential is an OAuth token for builds.sr.ht
sourcehut: '{{ passLookup "sr.ht-token" | b64enc }}'
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cgit
labels:
app: cgit
spec:
replicas: 1
selector:
matchLabels:
app: cgit
template:
metadata:
labels:
app: cgit
spec:
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
containers:
- name: cgit
image: nixery.local/shell/web.cgit-taz:{{ gitHEAD }}
command: [ "cgit-launch" ]
env:
- name: HOME
value: /git
volumeMounts:
- name: git-volume
mountPath: /git
- name: sync-gcsr
image: nixery.local/shell/ops.sync-gcsr:{{ gitHEAD }}
command: [ "sync-gcsr" ]
env:
- name: SYNC_USER
valueFrom:
secretKeyRef:
name: gcsr-secrets
key: username
- name: SYNC_PASS
valueFrom:
secretKeyRef:
name: gcsr-secrets
key: password
- name: SRHT_TOKEN
valueFrom:
secretKeyRef:
name: gcsr-secrets
key: sourcehut
volumeMounts:
- name: git-volume
mountPath: /git
volumes:
- name: git-volume
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: cgit
spec:
selector:
app: cgit
ports:
- protocol: TCP
port: 80
targetPort: 8080


@ -1,19 +0,0 @@
(config :port 4242
:data-dir "/var/lib/gemma/")
(deftask bathroom/wipe-mirror 7)
(deftask bathroom/wipe-counter 7)
;; Bedroom tasks
(deftask bedroom/change-sheets 7)
(deftask bedroom/vacuum 10)
;; Kitchen tasks
(deftask kitchen/normal-trash 3)
(deftask kitchen/green-trash 5)
(deftask kitchen/blue-trash 5)
(deftask kitchen/wipe-counters 3)
(deftask kitchen/vacuum 5 "Kitchen has more crumbs and such!")
;; Entire place
(deftask clean-windows 60)


@ -1,8 +0,0 @@
---
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
name: {{ .domain | replace "." "-" }}
spec:
domains:
- {{ .domain }}


@ -1,43 +0,0 @@
# This resource configures the HTTPS load balancer that is used as the
# entrypoint to all HTTPS services running in the cluster.
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: https-ingress
annotations:
networking.gke.io/managed-certificates: tazj-in, git-tazj-in, www-tazj-in, oslo-pub
spec:
rules:
# Route website to, well, the website ...
- host: tazj.in
http:
paths:
- path: /*
backend:
serviceName: website
servicePort: 8080
# Same for www.* (the redirect is handled by the website nginx)
- host: www.tazj.in
http:
paths:
- path: /*
backend:
serviceName: website
servicePort: 8080
# Route git.tazj.in to the cgit pods
- host: git.tazj.in
http:
paths:
- path: /*
backend:
serviceName: nginx
servicePort: 6756
# Route oslo.pub to the nginx instance which serves redirects
- host: oslo.pub
http:
paths:
- path: /
backend:
serviceName: nginx
servicePort: 6756


@ -1,59 +0,0 @@
daemon off;
worker_processes 1;
error_log stderr;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
log_format json_combined escape=json
'{'
'"time_local":"$time_local",'
'"remote_addr":"$remote_addr",'
'"remote_user":"$remote_user",'
'"request":"$request",'
'"status": "$status",'
'"body_bytes_sent":"$body_bytes_sent",'
'"request_time":"$request_time",'
'"http_referrer":"$http_referer",'
'"http_user_agent":"$http_user_agent"'
'}';
access_log /dev/stdout json_combined;
sendfile on;
keepalive_timeout 65;
server {
listen 80 default_server;
location / {
return 200 "ok";
}
}
server {
listen 80;
server_name oslo.pub;
location / {
return 302 https://www.google.com/maps/d/viewer?mid=1pJIYY9cuEdt9DuMTbb4etBVq7hs;
}
}
server {
listen 80;
server_name git.tazj.in;
# Static assets must always hit the root.
location ~ ^/(favicon\.ico|cgit\.(css|png))$ {
proxy_pass http://cgit;
}
# Everything else hits the depot directly.
location / {
proxy_pass http://cgit/cgit.cgi/depot/;
}
}
}


@ -1,60 +0,0 @@
# Deploy an nginx instance which serves ... redirects.
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-conf
data:
nginx.conf: {{ insertFile "nginx.conf" | toJson }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
labels:
app: nginx
spec:
replicas: 2
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
config: {{ insertFile "nginx.conf" | sha1sum }}
spec:
containers:
- name: nginx
image: nixery.local/shell/third_party.nginx:{{ .version }}
command: ["/bin/bash", "-c"]
args:
- |
cd /run
echo 'nogroup:x:30000:nobody' >> /etc/group
echo 'nobody:x:30000:30000:nobody:/tmp:/bin/bash' >> /etc/passwd
exec nginx -c /etc/nginx/nginx.conf
volumeMounts:
- name: nginx-conf
mountPath: /etc/nginx
- name: nginx-rundir
mountPath: /run
volumes:
- name: nginx-conf
configMap:
name: nginx-conf
- name: nginx-rundir
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: nginx
spec:
type: NodePort
selector:
app: nginx
ports:
- protocol: TCP
port: 6756
targetPort: 80


@ -1,67 +0,0 @@
# Deploys an instance of Nixery into the cluster.
#
# The service via which Nixery is exposed has a private DNS entry
# pointing to it, which makes it possible to resolve `nixery.local`
# in-cluster without things getting nasty.
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nixery
namespace: kube-public
labels:
app: nixery
spec:
replicas: 1
selector:
matchLabels:
app: nixery
template:
metadata:
labels:
app: nixery
spec:
containers:
- name: nixery
image: eu.gcr.io/tazjins-infrastructure/nixery:{{ .version }}
volumeMounts:
- name: nixery-secrets
mountPath: /var/nixery
env:
- name: BUCKET
value: {{ .bucket}}
- name: PORT
value: "{{ .port }}"
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/nixery/gcs-key.json
- name: GCS_SIGNING_KEY
value: /var/nixery/gcs-key.pem
- name: GCS_SIGNING_ACCOUNT
value: {{ .account }}
- name: GIT_SSH_COMMAND
value: 'ssh -F /var/nixery/ssh_config'
- name: NIXERY_PKGS_REPO
value: {{ .repo }}
- name: NIX_POPULARITY_URL
value: 'https://storage.googleapis.com/nixery-layers/popularity/{{ .popularity }}'
volumes:
- name: nixery-secrets
secret:
secretName: nixery-secrets
defaultMode: 256
---
apiVersion: v1
kind: Service
metadata:
name: nixery
namespace: kube-public
annotations:
cloud.google.com/load-balancer-type: "Internal"
spec:
selector:
app: nixery
type: LoadBalancer
ports:
- protocol: TCP
port: 80
targetPort: 8080


@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzBM6ydst77jDHNcTFWKD9Fw4SReqyNEEp2MtQBk2wt94U4yLp8MQIuNeOEn1GaDEX4RGCxqai/2UVF1w9ZNdU+v2fXcKWfkKuGQH2XcNfXor2cVNObd40H78++iZiv3nmM/NaEdkTbTBbi925cRy9u5FgItDgsJlyKNRglCb0fr6KlgpvWjL20dp/eeZ8a/gLniHK8PnEsgERQSvJnsyFpxxVhxtoUiyLWpXDl4npf/rQr0eRDf4Q5sN/nbTwksapPHfze8dKcaoA7A2NqT3bJ6DPGrwVCzGRtGw/SXJwFwmmtAl9O6BklpeReyiknSxc+KOtrjDW6O0r6yvymD5Z nixery


@ -1,3 +0,0 @@
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
140.82.118.4 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
[source.developers.google.com]:2022,[172.253.120.82]:2022 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB5Iy4/cq/gt/fPqe3uyMy4jwv1Alc94yVPxmnwNhBzJqEV5gRPiRk5u4/JJMbbu9QUVAguBABxL7sBZa5PH/xY=


@ -1,18 +0,0 @@
# The secrets below are encrypted using keys stored in Cloud KMS and
# templated in by kontemplate when deploying.
#
# Not all of the values are actually secret (see the matching)
---
apiVersion: v1
kind: Secret
metadata:
name: nixery-secrets
namespace: kube-public
type: Opaque
data:
gcs-key.json: {{ passLookup "nixery-gcs-json" | b64enc }}
gcs-key.pem: {{ passLookup "nixery-gcs-pem" | b64enc }}
id_nixery: {{ printf "%s\n" (passLookup "nixery-ssh-private") | b64enc }}
id_nixery.pub: {{ insertFile "id_nixery.pub" | b64enc }}
known_hosts: {{ insertFile "known_hosts" | b64enc }}
ssh_config: {{ insertFile "ssh_config" | b64enc }}


@ -1,4 +0,0 @@
Match host *
User tazjin@google.com
IdentityFile /var/nixery/id_nixery
UserKnownHostsFile /var/nixery/known_hosts


@ -1,38 +0,0 @@
# Kontemplate configuration for the primary GKE cluster in the project
# 'tazjins-infrastructure'.
---
context: gke_tazjins-infrastructure_europe-north1_tazjin-cluster
include:
# SSL certificates (provisioned by Google)
- name: tazj-in-cert
path: https-cert
values:
domain: tazj.in
- name: www-tazj-in-cert
path: https-cert
values:
domain: www.tazj.in
- name: git-tazj-in-cert
path: https-cert
values:
domain: git.tazj.in
- name: oslo-pub-cert
path: https-cert
values:
domain: oslo.pub
# Services
- name: nixery
values:
port: 8080
version: xkm36vrbcnzxdccybzdrx4qzfcfqfrhg
bucket: tazjins-data
account: nixery@tazjins-infrastructure.iam.gserviceaccount.com
repo: ssh://tazjin@gmail.com@source.developers.google.com:2022/p/tazjins-infrastructure/r/depot
popularity: 'popularity-nixos-unstable-3140fa89c51233397f496f49014f6b23216667c2.json'
- name: website
- name: cgit
- name: https-lb
- name: nginx
values:
version: a349d5e9145ae9a6c89f62ec631f01fb180de546


@ -1,37 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: website
labels:
app: website
spec:
replicas: 3
selector:
matchLabels:
app: website
template:
metadata:
labels:
app: website
spec:
containers:
- name: website
image: nixery.local/shell/web.homepage:{{ gitHEAD }}
env:
- name: CONTAINER_SETUP
value: "true"
command: [ "homepage" ]
---
apiVersion: v1
kind: Service
metadata:
name: website
spec:
type: NodePort
selector:
app: website
ports:
- protocol: TCP
port: 8080
targetPort: 8080


@ -1,61 +0,0 @@
# This tool mimics a subset of the interface of 'pass', but uses
# Google Cloud KMS for encryption.
#
# It is intended to be compatible with how 'kontemplate' invokes
# 'pass.'
#
# Only the 'show' and 'insert' commands are supported.
{ depot, kms, ... }:
let inherit (depot.third_party) google-cloud-sdk tree writeShellScriptBin;
in (writeShellScriptBin "pass" ''
set -eo pipefail
CMD="$1"
readonly SECRET=$2
readonly SECRETS_DIR=${./secrets}
readonly SECRET_PATH="$SECRETS_DIR/$SECRET"
function secret_check {
if [[ -z $SECRET ]]; then
echo 'Secret must be specified'
exit 1
fi
}
if [[ -z $CMD ]]; then
CMD="ls"
fi
case "$CMD" in
ls)
${tree}/bin/tree $SECRETS_DIR
;;
show)
secret_check
${google-cloud-sdk}/bin/gcloud kms decrypt \
--project ${kms.project} \
--location ${kms.region} \
--keyring ${kms.keyring} \
--key ${kms.key} \
--ciphertext-file $SECRET_PATH \
--plaintext-file -
;;
insert)
secret_check
${google-cloud-sdk}/bin/gcloud kms encrypt \
--project ${kms.project} \
--location ${kms.region} \
--keyring ${kms.keyring} \
--key ${kms.key} \
--ciphertext-file $SECRET_PATH \
--plaintext-file -
echo "Inserted secret '$SECRET'"
;;
*)
echo "Usage: pass show/insert <secret>"
exit 1
;;
esac
'') // { meta.enableCI = true; }


@ -1 +0,0 @@
No Nix derivations under //ops/secrets





