secrets: initial updates

.sops.yaml

@@ -1,8 +1,8 @@
 # Example:
 keys:
-  - &sre $SOPS_AGE_PUBKEY1
-  - &group1-bp-a-1 $SOPS_AGE_PUBKEY2
-  - &group1-faucet-a-1 $SOPS_AGE_PUBKEY3
+  - &sre age1a38xzsfp4nq3vg60xjhjcxswxd0n5l4sdav0uu60tr6g32vww3ks8y9d4m
+  # - &group1-bp-a-1 $SOPS_AGE_PUBKEY2
+  # - &group1-faucet-a-1 $SOPS_AGE_PUBKEY3
 creation_rules:
   # -------------------------------------------------------
   # General environment secrets are admin only
@@ -24,13 +24,13 @@ creation_rules:
     key_groups:
     - age:
       - *sre
-      - *group1-faucet-a-1
+  #   - *group1-faucet-a-1
 
   - path_regex: secrets/groups/group1/deploy/.*$
     key_groups:
     - age:
       - *sre
-      - *group1-bp-a-1
+  #   - *group1-bp-a-1
 
   # -------------------------------------------------------
   # Workbench pool onboarding -- modify during creation

secrets/github-token.enc

@@ -1,7 +1,22 @@
-# To enable auth-keys-hub ssh functionality:
-#   * update the following with a github auth token with org:read permissions
-#   * remove these comments
-#   * encrypt this file with sops as a binary type using KMS
-#
-# Expect this file to generate a pre-push error until it is either encrypted or deleted
-$TOKEN
+{
+	"data": "ENC[AES256_GCM,data:9tnrFSV4oQMvM/ReM9dSmsIffIzkCKLTNtsINvaVZ65JljTJJ3+Xu2s=,iv:OuNaeoWhi5HQNWK9bQC1WXZ1b/2cHSLL0ynzhHasp7c=,tag:bjZ5wSIBBriEQmugljfzYw==,type:str]",
+	"sops": {
+		"kms": [
+			{
+				"arn": "arn:aws:kms:eu-central-1:471112995006:alias/kmsKey",
+				"created_at": "2024-04-24T22:12:27Z",
+				"enc": "AQICAHgqT8/BmOtvT2cTwZqY/fywMfqSAhm7Go7IgSs2LkRTwgE9HlVkkwUm4bSAFMo7WURYAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMDSxNatQHOOT0oNrnAgEQgDsbqsbun8dn4bUmIHUrd/z8KDs+y9svAWKmoelFA6F2u8a4uE0o4CPmopzM9MHG1SNGtdnJgcsrqV1MWg==",
+				"aws_profile": ""
+			}
+		],
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2024-04-24T22:12:28Z",
+		"mac": "ENC[AES256_GCM,data:xj0wRPsCpPxQANMaSYJX3Dk9S/7zk1BNGF2Mo+H5a+ZsjvqJZfAiec96zhYPDBBSo6vCI8nQVjSPU7oRI25NU7iOzQblneh7RJ+Y5Kl1c5SS5TDcEt/FOhSW4gYiGw0FX3lEksXg+33a640XJDLzDpnMNi4MXkVScOAju57pcl0=,iv:CJoATdLzFuh/opD47Oi3hFPrSDIqJ6bL2++urJ/6Q3k=,tag:sFRmrLeBG1q8RXgj99r2Tg==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}

secrets/monitoring/grafana-agent-metrics-password.enc

@@ -1,9 +1,22 @@
-# To enable nixos grafana-agent monitoring functionality:
-#   * update the following with a grafana agent metrics password
-#   * remove these comments
-#   * encrypt this file with sops as a binary type using KMS
-#
-# Expect this file to generate a pre-push error until it is either encrypted or deleted
-
-# Mimir remote write endpoint token
-$PASSWORD
+{
+	"data": "ENC[AES256_GCM,data:F2H/mFqGDWQ2vXB2voUEMrjYi3jv/0n4qu3iPCDkktEVh+hNNU5TcaW5AfG4k1gyzxR07teFoQ5pTbsUr8g2Jqs=,iv:K1D6u+bvaDlpygAeG7eHChkV5wxS51CSWWu4mfqLIfQ=,tag:TL048C4PQIJxOWJPphSb7w==,type:str]",
+	"sops": {
+		"kms": [
+			{
+				"arn": "arn:aws:kms:eu-central-1:471112995006:alias/kmsKey",
+				"created_at": "2024-04-24T22:19:04Z",
+				"enc": "AQICAHgqT8/BmOtvT2cTwZqY/fywMfqSAhm7Go7IgSs2LkRTwgFqhipbZvF/LmFIMXvpqhU1AAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMheb3RsiZLdwC0TqjAgEQgDsqxPISfbr0fk75kT7kwSBeMxuLn7LC7/+WVbKs93OfYxm99Twe7Xja3omIxxet8DL/dRAoH6ItGKwUog==",
+				"aws_profile": ""
+			}
+		],
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2024-04-24T22:19:05Z",
+		"mac": "ENC[AES256_GCM,data:1jUSYUeE2+61EI0XsyO4gMYnXtZqWdGopoiFMv+hJCge1IF2HDssOmXBbuhvbWpgLEq/1+EQE6E3vKAVKrhf6c7VfHq/idUMuCf5VywKl1/Ll+iMiwnTvomqkLvKrg/fIGb/W5bK2VyDIdCmCKNPV8qvRCnjaVyaCRqtHDDBrxE=,iv:b6dkwzR/0JJj0EyfFc/qFzuULGyZXVsGKC5jdnrKBKY=,tag:BSsfQlWEJEpzzQ7+vAX/iA==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}

secrets/monitoring/grafana-agent-metrics-url.enc

@@ -1,7 +1,22 @@
-# To enable nixos grafana-agent monitoring functionality:
-#   * update the following with a grafana agent metrics url
-#   * remove these comments
-#   * encrypt this file with sops as a binary type using KMS
-#
-# Expect this file to generate a pre-push error until it is either encrypted or deleted
-https://${BASE_MONITORING_FQDN}/mimir/api/v1/push
+{
+	"data": "ENC[AES256_GCM,data:39XP4ydAPk4pr1GIFKMRAD952lCqBlifhjmKKzmWAOZd2+C2rNQNdAj9OodlMS2WVIKH9VDTOwUunJsLuh2sUWM=,iv:oFZ4IwosVaebZ4zowpzaNTXQOXksBcPbmt45cgHye2A=,tag:SS5HyMXBD/YvDt6TqkdNPw==,type:str]",
+	"sops": {
+		"kms": [
+			{
+				"arn": "arn:aws:kms:eu-central-1:471112995006:alias/kmsKey",
+				"created_at": "2024-04-24T22:20:02Z",
+				"enc": "AQICAHgqT8/BmOtvT2cTwZqY/fywMfqSAhm7Go7IgSs2LkRTwgH9CRe5uJ5ItyLAa2cbAia3AAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMJLAwz68tEsZV4hESAgEQgDv9hPnlYWXnIdqlil0FwncctWsq9i6TcuqRonGUKLGFc7XmMostl4gHkbO8WDYPkCtsZK6W/GoljqqeNg==",
+				"aws_profile": ""
+			}
+		],
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2024-04-24T22:20:03Z",
+		"mac": "ENC[AES256_GCM,data:EnvJluD1hLsdNiKJpDMxs9TkneuGbifbWHqRhgpbRZN84DEgyGbp+pjrPT6jbFCi1rnjAcG/fEZZSrb/kcKCkYVKOH8RBh9M6A+turml55KLGR7TUcOK1+adSX6lVoacEpfQKFt+hPTNoHyXqJe6FRVnOxRF9u/yASgvy8BN3DA=,iv:cj4X6pstOsAZ1ULqPB8gpljDB3d7HS5AHVkDlf4MuHs=,tag:W8if+JYvxQehU2j2M5kyKg==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}

secrets/monitoring/grafana-agent-metrics-username.enc

@@ -1,7 +1,22 @@
-# To enable nixos grafana-agent monitoring functionality:
-#   * update the following with a grafana agent metrics username
-#   * remove these comments
-#   * encrypt this file with sops as a binary type using KMS
-#
-# Expect this file to generate a pre-push error until it is either encrypted or deleted
-$USERNAME
+{
+	"data": "ENC[AES256_GCM,data:hWnTZ5c3,iv:Hb+JfzuG9Hi7f+rsIqdwR2Z9/TYcICc5bUj9/rm9yGo=,tag:vF1ln9xbTDJXE20cc66ltQ==,type:str]",
+	"sops": {
+		"kms": [
+			{
+				"arn": "arn:aws:kms:eu-central-1:471112995006:alias/kmsKey",
+				"created_at": "2024-04-24T22:20:27Z",
+				"enc": "AQICAHgqT8/BmOtvT2cTwZqY/fywMfqSAhm7Go7IgSs2LkRTwgF98S2aIOSTfckoT8jJW/UjAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMY9e45cTSWFnmk/94AgEQgDvzS208d4sufMiyIDBvhYVEWboe/0WguNofEgf+qegGi5p9wab5au2GH8acOTRB7uF1l8zTXGLcqs2yJA==",
+				"aws_profile": ""
+			}
+		],
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2024-04-24T22:20:27Z",
+		"mac": "ENC[AES256_GCM,data:l+UHFglXtg2eKk3WbOVmOfS4HJHj9zO7lGOCv4VABpmXUHlzcd0YRDJQwB32CwJNpRgUdnjkD/JWZu5t21A3M/U0QWLaECdVAyulu+Ejp4eHLZj+JtZvuw/dBndmIdRt5NrgnOdwAVgPl8dt8ZkNmmb/l5MnWF3HETC23lHEcCI=,iv:15A/YZLkjXN27D6oVsCYeqiRJmR5JrIlg7gvkkFEkX0=,tag:xOyU2AujNEmB8eFjIxdCMg==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}

secrets/tf/grafana.tfvars

@@ -1,39 +1,20 @@
-# To enable grafana iog monitoring secrets usage:
-#   * update the following with the appropriate grafana secrets
-#   * remove these comments
-#   * encrypt this file with sops as a binary type using an age sre/admin secret key
-#
-# Expect this file to generate a pre-push error until it is either encrypted or deleted
-
-# Obtainable from deadmanssnitch.com
-deadmanssnitch_api_url = "UPDATE_ME"
-
-# An admin permissions mimir API key
-mimir_api_key = "UPDATE_ME"
-
-# The alertmanager rules endpoint
-mimir_alertmanager_ruler_uri = "https://${BASE_MONITORING_FQDN}/mimir/prometheus"
-
-# The alertmanager endpoint
-mimir_alertmanager_alertmanager_uri = "https://${BASE_MONITORING_FQDN}/mimir"
-
-# The alertmanager admin username
-mimir_alertmanager_username = "UPDATE_ME"
-
-# The prometheus ruler endpoint
-mimir_prometheus_ruler_uri = "https://${BASE_MONITORING_FQDN}/mimir/prometheus"
-
-# The prometheus alertmanager endpoint
-mimir_prometheus_alertmanager_uri = "https:/${BASE_MONITORING_FQDN}/mimir/alertmanager"
-
-# The mimir admin username
-mimir_prometheus_username = "UPDATE_ME"
-
-# Obtainable from the pagerduty web UI under the prometheus service integration
-pagerduty_api_key = "UPDATE_ME"
-
-# An admin permissions grafana service account token, created at grafana UI > Administration > Service accounts
-grafana_token = "UPDATE_ME"
-
-# The base monitoring URL
-grafana_url = "https://${BASE_MONITORING_FQDN}"
+{
+	"data": "ENC[AES256_GCM,data:Jwn5cfimEAU4TC1WgFS4jpwrjzWjLH8qPvUDLPbhVE4ETASKw9Zskk6WuABnrHNPuX50W9rntNme2QCrscUrFEvoHgS1xCAr+BjD9gOD9gTKlqR24TThS+wjDr4XaIcfEvHT08FHG/cKhzSUynENWqizjETHG/61acGzDJIco1cRhBV/b6WBhHsnWL0KAkEz4KluUQ9BVKjcdDq11d3g3MzEu/a9vq4oe28ePNbaVa+8ft/NP40015vuaNutNeiwc1Cy7zgvMZXleF5dT5HwsFJbe5j9fD4NTFD1YKEI41jkmJSKTc1VXh4UJRkEi3N0V7KqLk5WkCtMp7p6yL3SFPXnPj7d0uL+OVTxyvy8gcXLkPFajxg+L3PLi6ET2aFB3eB1+8c6h+wAr55/HGLtsXnWLA2eaeJKqdLPj7jLgurO8mQuT0uHroC3975YFhtgNWL5Zq/WIrBp/C274MRlQemLKcCT2VWb+cQaHbr+LDSW9HL4zOn6nRxhUiq9toQW8SV1g3EVRG10kDFEdPWdRQJC0wTwwGnRBC5vW7mLmoCIJlHNtCuniajT3bwvwNvmahqkZ7HKZbDDmZTwA7WPZEbEuFo5UX3Vf/LY8WqaCT0SbEOCq1Fx+J1/BnSmT0Gbxn/FepwnncA+HwHSY31OAcndqARoFjaDYHcp5fiU9rH0HQmjYbgZHQqj+qqe9yfHhUAtzhDFqrktrcjZSfMA/pmXddv6dpiTTgELfT3zSsLVqa3fOQLb3vbHG7VL68qeEWaDleep53J1UbgCpRfVqIp8sGkfPYllMQTNI/tZotNbROTQFP2y1KPM+IzRjKlXYvhYSruBAdGiaZYZeGzCr87XJDycP4PNxYsXAQu/ZZb6UivCX2t97n/IHqRC1F6PRUh7hqHeKBgua50b+5GqfpgTxB50cZ2trJU4I+4TXmsZYLvd7jxLEH+n+zIlyBnpHEZ3/uaWK1fF6C63WJhJ+A/Z/rHsuK3iz7b/I3UUPN+j8uX+3PJWC3hL,iv:BRsfjZVtRHYNsLpBHH28Kgj7A8N3Dz2gVPZ0RSUqiZ4=,tag:d+U38A4pZCqsvvZSVifnpQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1a38xzsfp4nq3vg60xjhjcxswxd0n5l4sdav0uu60tr6g32vww3ks8y9d4m",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmUlZDZHczQTFUK0RxY1Zw\nRWI0SVRPVG4raWxqMHBIdWZFcGs3TGhQRm5BCnBOdkgwVFhlMDk4bVBxWjhaaDRu\nbU5qckpBb3hHWDRvUG9Ram11VXY2NUUKLS0tIHhMRTlRQWE0OUNSTE5pMGpPQThP\nVWdmajRqdGl0Mit1b2g4b3MzVm5pVHcKwusXDTbSn4rCY/w1KtoEqtICrALKIGeb\ntK23dgx1JLCTuUJqvka0lY6teWOrII+oUKa1QWffaShIjI7/mrqdUQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-04-24T22:33:29Z",
+		"mac": "ENC[AES256_GCM,data:kY3vQg1ppc3mbTW6Z5UXNjo6KFU+OLCvFwSrxtUeQC03N4SbN6VqOTpbgSiR0hXW6vcVZqsGKMFyYBVHFKGcHnHlVYUAoPe93fDfEUoN02fL8dwgmFXoLgezPgEyNfgILa0XUJufUqGivhojE/GDIiDJZ+kUsgYRBm/SO/JvcAk=,iv:WhxFjs3er8muYxiZxplvcPb6QDZrlfc/u2MCuTWbHbE=,tag:Ed291ChWmy+QfBRF+1yaPw==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}