From bf06569cdc84d44b45b70e77651ca9e05395d63f Mon Sep 17 00:00:00 2001
From: xnoto
Date: Thu, 18 Jun 2026 21:53:43 -0600
Subject: [PATCH 1/4] chore: add sops kms recipient

---
 .sops.yaml           | 3 ++-
 secrets/secrets.yaml | 15 ++++++++++-----
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/.sops.yaml b/.sops.yaml
index 8967c45..44d4ef5 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,3 +1,4 @@
 ---
 creation_rules:
-  - age: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
+  - kms: arn:aws:kms:us-west-2:332355796717:key/0a45c0f6-71dc-4d54-ab33-9df4de1a9e91
+    age: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 032c68f..bdfa5f1 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
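Review bot: The added `- kms:` / `age:` pair makes the two recipients siblings in one rule, so sops wraps the data key for each independently and either one alone can decrypt every file the rule covers. If the age key is meant as a deliberate break-glass path that is fine, but if both should be required use `key_groups` with `shamir_threshold: 2` instead of sibling recipients. The rule still has no `path_regex`, so it matches any file sops is invoked on in this repository; consider scoping it, e.g. `path_regex: secrets/.*\.yaml$`. The KMS key policy and the role that will decrypt with it are not visible in this series, so confirm they grant `kms:Decrypt` only to the CI identity set up in patch 2.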
@@ -13,15 +13,20 @@ sops_age_key: ENC[AES256_GCM,data:xwyvLD5uu4Umd1rF8dEoBi1DPZ5ts2xROd4MYVxiGbHxPs
 ops_ssh_privkey: ENC[AES256_GCM,data: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,iv:fDQ8XQRUJDvoHvJzs+wZwMH6ePGx2Q1Wh6qmqgTTC80=,tag:9F2eO49JX0hgRnGxVNo7jg==,type:str]
 hero_known_hosts: ENC[AES256_GCM,data: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,iv:Ukxelc0oU9HY73FMP4twk9ZH8eVjaYybB7fMt6hOcC8=,tag:dfH5LhKoGcZ88n3A3nnJDw==,type:str]
 sops:
+    kms:
+        - arn: arn:aws:kms:us-west-2:332355796717:key/0a45c0f6-71dc-4d54-ab33-9df4de1a9e91
+          created_at: "2026-06-19T03:45:01Z"
+          enc: AQICAHj1IggLFhM4nJnKEvmbEpk5E9RxZZoxpZYUW0taoyrz1AEd0YPsdj5+eREDZTzi8wVSAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM3T9gGogZwHJ0eSEkAgEQgDvq+fp4vQMzCrjnY8TTTlzW0DgpUqn6BqHh4liXzzQsRYKiXZj7pWdKiwOeZHYs9K/dLQxpzIK5dW80HQ==
+          aws_profile: ""
     age:
         - recipient: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ek45TWc4UktDM2ZEcnBo
-            RXI0cjRVeEcwODkxUEJiemEybElwUjVIYVdzCm9QeEl0QzVuSU5nWldmOStiVTlV
-            UFd3Vk9zRElOQlViTG1iZ0VMMjNpTmcKLS0tICtFUFUxcjRNeDBQMThrRUl3RmVV
-            R05MZlJDY1JnVjBlb01Hdm10d3k3VXMKpYhy+H82z9yBAREn2O0cUQp+m9laXyAx
-            5Hn86bDGLP4LxsVKbQS/77Weg0HI26WsKkTwOR8DB72TFia1SzQNqQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SUhxOEw2SlM3bC9JZ3Z1
+            cTkyWmhYamxCZnhBYzNWcnE4ZUt6Sm9RQ3prClJPOHlQZnFYcnJpaStVWXB3QWc0
+            aWxsekZmYVpxL1Q4cG1xK0o1eWZuSjgKLS0tIGY1UjNjUkdlZWUxWnE1RURXMzFZ
+            aEVXbEFyRnZ3VUhIRHhDaGNheDR3MDgKYDnaz7iV7jOjnkxE5cl6J9dUkSJm1Vy9
+            V44drkv8d2Ta6dVaKFD34v+k5QNn8J3Xj77FiZNyFWWMeV71Acu0kw==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2026-04-29T22:35:54Z"
     mac: ENC[AES256_GCM,data:/psr3jetNh7hC0qcXJB+PMlUEHgpLBHa8rmYlzV2NBB5IsbeiWYNWCYp62oownV8QBfRMl72Pp1HdF/4eo9Kjhy2CQ2HsMREpx9OVjlfk/oreFqquqBQLC+5lQV30QIKjc9uwMZAukZdNzOLRsuIQjHyDQHLTaT4Nkx5wpIo4Cc=,iv:A+vVP8eyj/sKb+AZvAfYguLe6QMidOLYRZd9D0Sw1Ew=,tag:piKeKZW9D/h4leszVkupkA==,type:str]
From e40f6e262afda9d9f90d59978fa77322f16af637 Mon Sep 17 00:00:00 2001
From: xnoto
Date: Thu, 18 Jun 2026 22:01:12 -0600
Subject: [PATCH 2/4] ci: allow github oidc for sops kms

---
 .github/workflows/opentofu.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/opentofu.yml b/.github/workflows/opentofu.yml
index f338fe7..f268604 100644
--- a/.github/workflows/opentofu.yml
+++ b/.github/workflows/opentofu.yml
@@ -10,6 +10,7 @@ on:
 permissions:
   contents: read
+  id-token: write
   pull-requests: write
 jobs:

From 1578a2dadd13920db31fc0daaad19b28becab020 Mon Sep 17 00:00:00 2001
From: xnoto
Date: Thu, 18 Jun 2026 22:18:38 -0600
Subject: [PATCH 3/4] chore: remove sops age recipient

---
 .sops.yaml           | 1 -
 secrets/secrets.yaml | 14 ++------------
 2 files changed, 2 insertions(+), 13 deletions(-)

diff --git a/.sops.yaml b/.sops.yaml
index 44d4ef5..99901db 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,4 +1,3 @@
 ---
 creation_rules:
   - kms: arn:aws:kms:us-west-2:332355796717:key/0a45c0f6-71dc-4d54-ab33-9df4de1a9e91
-    age: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index bdfa5f1..293dc28 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
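Review bot: `id-token: write` is added to the workflow-level `permissions:` block, which lets every job in this workflow mint a GitHub OIDC token, while only the job that assumes the AWS role for sops/KMS decryption needs it. Move it into that job's own `permissions:` (`id-token: write` alongside the permissions it actually needs) and keep the top level at `contents: read`, so unrelated jobs cannot obtain a token that the KMS role trusts. The AWS role's trust policy should also restrict the token's `sub` claim to this repository and branch or environment rather than accepting any token from the GitHub issuer; that policy is not part of this series, so confirm it separately. The `jobs:` block begins on the hunk's last line and continues outside it.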
@@ -15,19 +15,9 @@ hero_known_hosts: ENC[AES256_GCM,data:7/TRHASfMqpQ7JvigV42DFjBz+XJpyKlhyi8T9Ex3+
 sops:
     kms:
         - arn: arn:aws:kms:us-west-2:332355796717:key/0a45c0f6-71dc-4d54-ab33-9df4de1a9e91
-          created_at: "2026-06-19T03:45:01Z"
-          enc: AQICAHj1IggLFhM4nJnKEvmbEpk5E9RxZZoxpZYUW0taoyrz1AEd0YPsdj5+eREDZTzi8wVSAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM3T9gGogZwHJ0eSEkAgEQgDvq+fp4vQMzCrjnY8TTTlzW0DgpUqn6BqHh4liXzzQsRYKiXZj7pWdKiwOeZHYs9K/dLQxpzIK5dW80HQ==
+          created_at: "2026-06-19T04:16:52Z"
+          enc: AQICAHj1IggLFhM4nJnKEvmbEpk5E9RxZZoxpZYUW0taoyrz1AHuCPDF9cTWw01EAFzQPbMSAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMpfP6oxunT8dbD4PXAgEQgDvVvVjfsN8aZbEcGS6saMUCX6R7pXnpiqadOQwL6CRbpmzsjMenjTyoef62vrdIPJbQWApOHt4mLq95yw==
           aws_profile: ""
-    age:
-        - recipient: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SUhxOEw2SlM3bC9JZ3Z1
-            cTkyWmhYamxCZnhBYzNWcnE4ZUt6Sm9RQ3prClJPOHlQZnFYcnJpaStVWXB3QWc0
-            aWxsekZmYVpxL1Q4cG1xK0o1eWZuSjgKLS0tIGY1UjNjUkdlZWUxWnE1RURXMzFZ
-            aEVXbEFyRnZ3VUhIRHhDaGNheDR3MDgKYDnaz7iV7jOjnkxE5cl6J9dUkSJm1Vy9
-            V44drkv8d2Ta6dVaKFD34v+k5QNn8J3Xj77FiZNyFWWMeV71Acu0kw==
-            -----END AGE ENCRYPTED FILE-----
     lastmodified: "2026-04-29T22:35:54Z"
     mac: ENC[AES256_GCM,data:/psr3jetNh7hC0qcXJB+PMlUEHgpLBHa8rmYlzV2NBB5IsbeiWYNWCYp62oownV8QBfRMl72Pp1HdF/4eo9Kjhy2CQ2HsMREpx9OVjlfk/oreFqquqBQLC+5lQV30QIKjc9uwMZAukZdNzOLRsuIQjHyDQHLTaT4Nkx5wpIo4Cc=,iv:A+vVP8eyj/sKb+AZvAfYguLe6QMidOLYRZd9D0Sw1Ew=,tag:piKeKZW9D/h4leszVkupkA==,type:str]
     unencrypted_suffix: _unencrypted

From 3283b5cf095bdb3d1b766819259268463781b65e Mon Sep 17 00:00:00 2001
From: xnoto
Date: Thu, 18 Jun 2026 22:28:48 -0600
Subject: [PATCH 4/4] ci: stop passing sops age key

---
 .github/workflows/opentofu.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/opentofu.yml b/.github/workflows/opentofu.yml
index f268604..a109767 100644
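Review bot: Dropping the `age:` recipient re-wraps only the KMS entry (new `created_at` and `enc`) while `lastmodified` and `mac` are unchanged, which is the `sops updatekeys` behaviour: the file's data key and every `ENC[...]` value stay exactly as before. The previous revision of this file, still in git history, carries that same data key wrapped for the removed age recipient, so whoever holds the age private key can keep decrypting the current ciphertext and this commit revokes nothing. To retire the age key, rotate the data key in the same change with `sops -r -i secrets/secrets.yaml` (so `lastmodified`, `mac` and all `ENC[...]` values change), and rotate the underlying secret values too if the age key was ever shared or stored outside a single trusted host. The `SOPS_AGE_KEY` repository secret that patch 4 stops passing presumably still exists in the repository settings; delete it as well once nothing consumes it.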
--- a/.github/workflows/opentofu.yml
+++ b/.github/workflows/opentofu.yml
@@ -22,6 +22,5 @@ jobs:
       runs-on: arc-tf
       setup-ssh: true
     secrets:
-      SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
       SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
       SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}