feat(ops/secrets): Add tf-keycloak secrets file

This file can be sourced (somehow, depending on the user) while working with //ops/keycloak to get the relevant secrets. Change-Id: Ibb3051c4b019f64824964475451c1c3996db6421 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4708 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
2021-12-27 17:17:32 +03:00 · 2021-12-27 17:17:32 +03:00 · e616f978d0
commit e616f978d0
parent 4f030f085d
4 changed files with 33 additions and 1 deletions
--- a/bin/__dispatch.sh
+++ b/bin/__dispatch.sh
@ -11,7 +11,7 @@ TARGET_TOOL=$(basename "$0")

 case "${TARGET_TOOL}" in
  age)
-    attr="third_party.nixpkgs-age"
+    attr="third_party.nixpkgs.age"
    ;;
  age-keygen)
    attr="third_party.nixpkgs.age"
--- a/ops/keycloak/README.md
+++ b/ops/keycloak/README.md
@ -0,0 +1,18 @@
+Terraform for Keycloak
+======================
+
+This contains the Terraform configuration for deploying TVL's Keycloak
+instance (which lives at `auth.tvl.fyi`).
+
+Secrets are needed for applying this. The encrypted file
+`//ops/secrets/tf-keycloak.age` contains `export` calls which should
+be sourced, for example via `direnv`, by users with the appropriate
+credentials.
+
+An example `direnv` configuration used by tazjin is this:
+
+```
+# //ops/secrets/.envrc
+source_up
+eval $(age --decrypt -i ~/.ssh/id_ed25519 $(git rev-parse --show-toplevel)/ops/secrets/tf-keycloak.age)
+```
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@ -30,4 +30,5 @@ in {
  "nix-cache-pub.age" = default;
  "owothia.age" = default;
  "panettone.age" = default;
+  "tf-keycloak.age" = default;
 }
--- a/ops/secrets/tf-keycloak.age
+++ b/ops/secrets/tf-keycloak.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 dcsaLw CRX6a8zfz3BaDYhwrBPXBgEn/o0WuS6UdvA55wYNTBc
+/5gTObQ8770g8kIxCQyQj8hOh+1dkOu5DW1sz33eiy8
+-> ssh-ed25519 CpJBgQ 1/oDGaLOKblznS/ciKQ0g7Jdfg1KtEKWugjE9o9n1jo
+A5wcsx6NXQpjKR8Y9jlM4JN34IUi3T4UuTIOtmOHwcs
+-> ssh-ed25519 aXKGcg pYkMVxIGv408998UFzNQZvCQqBNPOSx+fvMs9FGd2nc
+Ue1rNrARXo0/Fq0qazNo+5a4zc7JBLdEgrqUowOEOBg
+-> ssh-ed25519 OkGqLg iLVc9k937aMAyl82TFsmDeX46PSrjQ6QpEzU0BcrNHg
+NzZYEXjz4mwafayIIvGxcE0cLhhUZuzh5loyfIZzl+0
+-> `^*"*qb-grease r`; Fwf.0CJ+
+5qQRDetp1IFec1AkHd17faslyU+7OHDiTmwoSJGZZPWrdiY
+--- uguIPraC7NNVfyDIWoTVjiunofaRYY8xeLipwZuU0iQ
+fÑÜÒÚEÿ''èÉ†<C389>…˜%:·´»Ç'%ÖUî3aÌUÃ4‚æ.‡Étm.qW	*–ZÚÿiâp
ªÝz†g¤=v{éÌcX¾Æþo‡!-L÷i5	óL2	@A¾ÍAì