whitby: Get rid of /etc/secrets

#161
Opened by tazjin at 2021-12-09T15·05+00

This folder is the hellhole in which all our manually deployed secrets live with random permissions.

We now have agenix (cl/4075, example use in cl/4245) and should be moving all secrets into this setup.

Right now I'm the only human with access to these secrets so that's also scary. The other wheel-bearers (lukegb, grfn, sterni) should add their relevant SSH keys to //ops/secrets/secrets.nix
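For reference, this is the shape of an agenix `secrets.nix` listing the recipients for one encrypted file; it is an added example, not the repository's own `//ops/secrets/secrets.nix`, and every key string, the secret file name and the host name are placeholders.

```nix
# Added example of an agenix secrets.nix (not TVL's //ops/secrets/secrets.nix).
# All "ssh-ed25519 AAAA...PLACEHOLDER-*" strings are placeholders: substitute
# the real SSH public keys of each operator and of the host.
let
  # Human recipients: anyone listed here can decrypt and re-encrypt the
  # file with `agenix -e`; anyone missing from the list cannot, which is the
  # single-person-access problem described in the issue.
  tazjin = "ssh-ed25519 AAAA...PLACEHOLDER-tazjin";
  lukegb = "ssh-ed25519 AAAA...PLACEHOLDER-lukegb";
  grfn   = "ssh-ed25519 AAAA...PLACEHOLDER-grfn";
  sterni = "ssh-ed25519 AAAA...PLACEHOLDER-sterni";
  humans = [ tazjin lukegb grfn sterni ];

  # Host recipient: the machine decrypts at activation time using its own
  # SSH host private key, so its host *public* key is listed here. A secret
  # without the host key cannot be provisioned on that machine.
  whitby = "ssh-ed25519 AAAA...PLACEHOLDER-whitby-host";
in
{
  # One attribute per encrypted file: <name>.age -> recipients allowed to
  # decrypt it. The file itself is committed in encrypted form only.
  "example-service-token.age".publicKeys = humans ++ [ whitby ];
}
```

On the consuming NixOS host the same file is referenced through `age.secrets.<name>.file` together with explicit `owner` and `mode` settings, so the resulting file permissions are declared in the configuration rather than left to whoever last copied a file into /etc/secrets.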

  1. is this closeable now?

    aspen at 2022-01-13T22·54+00

  2. No, there's a remaining thing with the SSH host keys used in the initrd image (for disk unlocking).

    Which, by the way, is a process we have literally never tested :p

    tazjin at 2022-01-16T11·38+00