From 3c881774822afc59396b690c5b3e2ff52c600c7f Mon Sep 17 00:00:00 2001
From: xnoto
Date: Thu, 18 Jun 2026 21:53:41 -0600
Subject: [PATCH 1/4] chore: add sops kms recipient
---
 .sops.yaml | 3 ++-
 secrets/secrets.yaml | 15 ++++++++++-----
 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index 8967c45..44d4ef5 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,3 +1,4 @@
 ---
 creation_rules:
- - age: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
+ - kms: arn:aws:kms:us-west-2:332355796717:key/0a45c0f6-71dc-4d54-ab33-9df4de1a9e91
+ age: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index afa3d22..5574bcb 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
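Review bot: The rule now carries `kms` and `age` as sibling recipients in one key group, so either one on its own decrypts every file the rule covers, and since the rule has no `path_regex` that is every file sops manages in this repository; nothing in the file records which recipient serves which purpose. A comment above `- kms:` such as `# KMS: CI decryption (access bounded by the key policy / IAM); age: local fallback — either recipient alone decrypts` would make the intended trust model reviewable. If both holders are meant to be required, that is expressed with `key_groups` and `shamir_threshold`, not with a flat recipient list.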
@@ -21,15 +21,20 @@ www_aws_secret_access_key: ENC[AES256_GCM,data:x7YarHj9pKPiYHM04xkaU+fACjoOmM7ea
 cloudflare_zone_id: ENC[AES256_GCM,data:6RjS806r2iMX9dfWBJeLIG54jRu3DhylNP7QOmrOVWc=,iv:picCNDWPduEMzqcm3gh7oRaGEs+4n2E/P91EGC/3iDs=,tag:9G/KG68JLu/rxI+fLpQQ7Q==,type:str]
 cloudflare_api_token: ENC[AES256_GCM,data:z5WDjwxFZ7VaufG17WciwbbOVQlaZP+OSGOkRCTJQJAPxZCv8pHc6Q==,iv:jiUky+4sIka3Kkw4JcteY2eoj8uzSwsMAREamseJ/Vo=,tag:ChGagBsNZKUVka6rlcB/FQ==,type:str]
 sops:
+ kms:
+ - arn: arn:aws:kms:us-west-2:332355796717:key/0a45c0f6-71dc-4d54-ab33-9df4de1a9e91
+ created_at: "2026-06-19T03:45:01Z"
+ enc: AQICAHj1IggLFhM4nJnKEvmbEpk5E9RxZZoxpZYUW0taoyrz1AErFdf75oiKC0JXkX//szuqAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM6huGgWZR3cLXqgdhAgEQgDtHIIGRYq2TX1iMnzkd/9OgUpjvyMFxgmEDaCa3pDXLS0Oj6oatRCWY8F2uCgc9JJdm2MWKOSJdOIt4hw==
+ aws_profile: ""
 age:
 - recipient: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDc2dHd2I0dGNHQ2NNMXZJ
- OGd3QVVCc0VOaG1pZGdjWEkrRU13Rnlibm40CnFvbE0xVEFxemdnQ3ZRbFhob2lo
- MVVGa3AzM2VabFI1MjVqNGFzMWczcm8KLS0tIEtWNmlFUUU4SytUdGttS1hXL3g1
- YlFmOUhWbWlsd2ttYWRaYTk4T3dCbFUKzXuqXD6QH9orC7kCcSKNQhIyUNBtlITv
- FIk3D7Niz2eNMyom5OobkRKVg33NpYdOusvchxqpJc0i4ydqyGkMzw==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSmRCdG1kd3BsUVUzdkZH
+ L1ZmTFh4WVFXNS9MblJhTy9TaUtTZmRINWprCjFrRDdTclVESXNRK2d6MjFpcmw0
+ QTdKMHFMV09tNFhPUno5Z25jQWxCWFEKLS0tIE51NGFESVpwdE1qZHJsOG1ndlly
+ K0JHK1I2eWFJeWp2UEdBd3hzNTdyM28KR2ri5VcUtY2u1/buB5hnZ+NyCs5HKRAO
+ rwaoz5iStNUEAmEUM2PQmXn+iK8TQAeejqSqLb/ysD6efa8mB3krgw==
 -----END AGE ENCRYPTED FILE-----
 lastmodified: "2026-04-30T16:17:12Z"
 mac: ENC[AES256_GCM,data:kqtjOb9eAziiyyty+gToF+iadFJFnTKy8v8UftWHey868LNVL5Dq/TS8hmpYNLxzgFsu06uqHPmFNEIaeJQIPDL7ZwOdCKk6hf2tDx2BR1+EBEgGGoe9Hx7stuXGx0Vg+zhPv3/Z3yc+po46EtpuF+OyujOwWOBt2xbBEZL1yz4=,iv:A1h6EFCWD/1Oxzx7Lpt70yHKQWepiETnB9J+i8IE02g=,tag:7CBnxg3Dgp7tESpqLzeklQ==,type:str]
From ff15e63e84037a863f5459d228516796ab6f8d54 Mon Sep 17 00:00:00 2001
From: xnoto
Date: Thu, 18 Jun 2026 22:01:10 -0600
Subject: [PATCH 2/4] ci: allow github oidc for sops kms
---
 .github/workflows/opentofu.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/opentofu.yml b/.github/workflows/opentofu.yml
index 91f72ff..80400d0 100644
--- a/.github/workflows/opentofu.yml
+++ b/.github/workflows/opentofu.yml
@@ -10,6 +10,7 @@ on:
 permissions:
 contents: read
+ id-token: write
 pull-requests: write
 jobs:
From 96729253a4a79c523bef9dfe160bae7732fab216 Mon Sep 17 00:00:00 2001
From: xnoto
Date: Thu, 18 Jun 2026 22:14:08 -0600
Subject: [PATCH 3/4] chore: stop distributing sops age key
---
 .github/workflows/opentofu.yml | 2 --
 main.tf | 10 ----------
 secrets/secrets.yaml | 5 ++---
 3 files changed, 2 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/opentofu.yml b/.github/workflows/opentofu.yml
index 80400d0..f7265bc 100644
--- a/.github/workflows/opentofu.yml
+++ b/.github/workflows/opentofu.yml
@@ -16,5 +16,3 @@ permissions:
 jobs:
 opentofu:
 uses: makeitworkcloud/shared-workflows/.github/workflows/opentofu.yml@main
- secrets:
- SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
diff --git a/main.tf b/main.tf
index 45c7958..48479bf 100644
--- a/main.tf
+++ b/main.tf
@@ -93,16 +93,6 @@ locals {
 "tfroot-github"
 ]
 }
- "sops_age_key" = {
- name = "SOPS_AGE_KEY"
- value = data.sops_file.secret_vars.data["sops_age_key"]
- repositories = [
- "tfroot-aws",
- "tfroot-cloudflare",
- "tfroot-github",
- "tfroot-libvirt"
- ]
- }
 "ssh_private_key" = {
 name = "SSH_PRIVATE_KEY"
 value = data.sops_file.secret_vars.data["ssh_private_key"]
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 5574bcb..85a2bfc 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
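Review bot: `id-token: write` is granted workflow-wide with no comment recording which job needs it or what the token is exchanged for; this permission is what lets a job mint an OIDC token for cloud role assumption, so the consumer should be named, e.g. `id-token: write  # OIDC: assume the AWS role used for sops KMS decryption` (purpose inferred from the series subject — confirm). The access boundary then moves from a repository secret to the IAM role's trust policy, so it is worth confirming that policy conditions on this repository and branch/environment via the `sub` claim and not only on `aud`. Once the caller stops passing `SOPS_AGE_KEY` later in this series, the reusable workflow referenced as `...opentofu.yml@main` is the code that exercises that token; pinning the reference to a tag or commit SHA would keep that trust explicit. The `on:` block and the `jobs:` body continue outside the hunk.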
@@ -13,7 +13,6 @@ onion_aws_region: ENC[AES256_GCM,data:kP66iQ2k6vXO,iv:5f+KdsYfkv+SPW0ra9w270TlSk
 onion_s3_bucket: ENC[AES256_GCM,data:KmfWCcoufDnZiv/KpRMeYyg1HLqbFA==,iv:5bIEcMZHl2ijTsOnd/CNk8Sqh9jrvA7ZGL4Ugx2psqs=,tag:uSXOUfk9FgIgOvB+CuT+Ug==,type:str]
 onion_aws_access_key_id: ENC[AES256_GCM,data:aP4lIpJvjUUn4tDabVG/XN5MCCw=,iv:Qt56iiwYHWSt7LmJhBGk1s8SZyeBchnUswOPkIgnMcE=,tag:+WKU5gy6xiBGebFL4qcQ8A==,type:str]
 onion_aws_secret_access_key: ENC[AES256_GCM,data:VyTmQP0ePPwub0ii3jhpeBlXCw9jJcO1n1UWElzIoQ/hKzRxYB6fuA==,iv:aVtTdR6xVgHw9GNiidvVpENgVEex/NVAauCBr5Di+c8=,tag:XyjxwZhNnTBdq1wiVlNXEA==,type:str]
-sops_age_key: ENC[AES256_GCM,data:kK8zWix/ixpRHbkIO+7H9njNjNvyywJf47qzyUnZ1gGIDrXvsbucfsVkXQ8KCJNFaMFtV2Q8za74zHoDvaIHGMIrqO/lZEU3Mkk=,iv:ZrS0+rzlhF7c3yTP6p95cvGgiCcIKCFmR3ciNZF08a8=,tag:R7mToFSZynMeDppDrHoCcg==,type:str]
 www_aws_region: ENC[AES256_GCM,data:zNlYVEdfWSt7,iv:1EuJEcGCehdNXefjdxbsf+EIQAAriahlsLvSFX1juuQ=,tag:rKXSez3x63hQOW5dxfuORQ==,type:str]
 www_s3_bucket: ENC[AES256_GCM,data:IAv46XzbFFYnQnwvwxR6CA==,iv:1VrY1BHtSH0h1GZ33A0dB86yEuWBa7iYyYBoMPfSBEU=,tag:FASm43yXO3G0ZPG4q2TeWg==,type:str]
 www_aws_access_key_id: ENC[AES256_GCM,data:jb1vtp/sjpYE+9/ZxIhnpezUCzM=,iv:u5wB2bmFVl9KD+ULvCauWzUJ0FoF7H6ENByKPirdgiY=,tag:5KtO4jnXEff8oG/woPa6qA==,type:str]
@@ -36,7 +35,7 @@ sops:
 K0JHK1I2eWFJeWp2UEdBd3hzNTdyM28KR2ri5VcUtY2u1/buB5hnZ+NyCs5HKRAO
 rwaoz5iStNUEAmEUM2PQmXn+iK8TQAeejqSqLb/ysD6efa8mB3krgw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-04-30T16:17:12Z"
- mac: ENC[AES256_GCM,data:kqtjOb9eAziiyyty+gToF+iadFJFnTKy8v8UftWHey868LNVL5Dq/TS8hmpYNLxzgFsu06uqHPmFNEIaeJQIPDL7ZwOdCKk6hf2tDx2BR1+EBEgGGoe9Hx7stuXGx0Vg+zhPv3/Z3yc+po46EtpuF+OyujOwWOBt2xbBEZL1yz4=,iv:A1h6EFCWD/1Oxzx7Lpt70yHKQWepiETnB9J+i8IE02g=,tag:7CBnxg3Dgp7tESpqLzeklQ==,type:str]
+ lastmodified: "2026-06-19T04:13:08Z"
+ mac: ENC[AES256_GCM,data:l0RC91HKiFmaYRNLv07KJXwjAXm9HMvUUFCZmFMrJ1SoKn1ICoP+Lj64bIUCcKdnB5nrNNcyYvjgyhWssu0/wn5qMUH+9ZyWVDPhYj8GBGT7ZGuwbjNef8WV+WwyO8Qw4FDg6kesJeemuEwOHhXyaKOtZNb+kdWllFvjfsasZXs=,iv:kxf3aqVIJeZbUvzOtY6Uq4YpCkkStctezgy+91PpTJc=,tag:ScaLQ9zqj+Xuc5eCu+hxRQ==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.12.2
From 2d0ae0b1434a5e48503716d48f6906891595dfc1 Mon Sep 17 00:00:00 2001
From: xnoto
Date: Thu, 18 Jun 2026 22:18:36 -0600
Subject: [PATCH 4/4] chore: remove sops age recipient
---
 .sops.yaml | 1 -
 secrets/secrets.yaml | 14 ++------------
 2 files changed, 2 insertions(+), 13 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index 44d4ef5..99901db 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,4 +1,3 @@
 ---
 creation_rules:
 - kms: arn:aws:kms:us-west-2:332355796717:key/0a45c0f6-71dc-4d54-ab33-9df4de1a9e91
- age: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 85a2bfc..b471f3c 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -22,19 +22,9 @@ cloudflare_api_token: ENC[AES256_GCM,data:z5WDjwxFZ7VaufG17WciwbbOVQlaZP+OSGOkRC
 sops:
 kms:
 - arn: arn:aws:kms:us-west-2:332355796717:key/0a45c0f6-71dc-4d54-ab33-9df4de1a9e91
- created_at: "2026-06-19T03:45:01Z"
- enc: AQICAHj1IggLFhM4nJnKEvmbEpk5E9RxZZoxpZYUW0taoyrz1AErFdf75oiKC0JXkX//szuqAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM6huGgWZR3cLXqgdhAgEQgDtHIIGRYq2TX1iMnzkd/9OgUpjvyMFxgmEDaCa3pDXLS0Oj6oatRCWY8F2uCgc9JJdm2MWKOSJdOIt4hw==
+ created_at: "2026-06-19T04:16:52Z"
+ enc: AQICAHj1IggLFhM4nJnKEvmbEpk5E9RxZZoxpZYUW0taoyrz1AF/kg94UKFDzajWL4wI8KwkAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMmVOJEF56prSE5mcxAgEQgDt27+5rh3R0yvgpohI7YEEeZqxAJQiRdIomE22ohFcv2WGRfPXvbh43PlSwUAekZwmkLMM440d0Pu8zcA==
 aws_profile: ""
- age:
- - recipient: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSmRCdG1kd3BsUVUzdkZH
- L1ZmTFh4WVFXNS9MblJhTy9TaUtTZmRINWprCjFrRDdTclVESXNRK2d6MjFpcmw0
- QTdKMHFMV09tNFhPUno5Z25jQWxCWFEKLS0tIE51NGFESVpwdE1qZHJsOG1ndlly
- K0JHK1I2eWFJeWp2UEdBd3hzNTdyM28KR2ri5VcUtY2u1/buB5hnZ+NyCs5HKRAO
- rwaoz5iStNUEAmEUM2PQmXn+iK8TQAeejqSqLb/ysD6efa8mB3krgw==
- -----END AGE ENCRYPTED FILE-----
 lastmodified: "2026-06-19T04:13:08Z"
 mac: ENC[AES256_GCM,data:l0RC91HKiFmaYRNLv07KJXwjAXm9HMvUUFCZmFMrJ1SoKn1ICoP+Lj64bIUCcKdnB5nrNNcyYvjgyhWssu0/wn5qMUH+9ZyWVDPhYj8GBGT7ZGuwbjNef8WV+WwyO8Qw4FDg6kesJeemuEwOHhXyaKOtZNb+kdWllFvjfsasZXs=,iv:kxf3aqVIJeZbUvzOtY6Uq4YpCkkStctezgy+91PpTJc=,tag:ScaLQ9zqj+Xuc5eCu+hxRQ==,type:str]
 unencrypted_suffix: _unencrypted
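Review bot: The age recipient is dropped from the metadata but the data key is not rotated: `lastmodified`, `mac` and every `ENC[...]` value are context lines here, and only the `kms` entry's `enc` and `created_at` change, which is what `sops updatekeys` produces when it re-wraps the existing data key. The previous revision of this file in git history still holds the age-wrapped copy of that same data key, so the retired age private key continues to decrypt the current contents, and the `sops_age_key` value removed in patch 3 sits in history under the same data key as well. Removing a recipient should be followed by `sops rotate -i secrets/secrets.yaml` so a fresh data key is generated and all values are re-encrypted, with `mac` and `lastmodified` changing as a result. Because the old ciphertexts remain in history, the underlying credentials (the Cloudflare token and AWS keys stored above) should also be rotated at their providers if the age key was ever held anywhere beyond its intended owner, which the Actions-secret distribution removed in patch 3 suggests it was.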